Bug 223547

Summary: mail/roundcube: Update to 1.3.3, fixes security vulnerability (CVE-2017-16651)
Product: Ports & Packages Reporter: VK <vlad-fbsd>
Component: Individual Port(s)Assignee: Alex Dupre <ale>
Status: Closed FIXED    
Severity: Affects Many People CC: ale, dbaio, ports-secteam
Priority: Normal Keywords: patch, security
Version: LatestFlags: vlad-fbsd: maintainer-feedback+
dbaio: merge-quarterly+
Hardware: Any   
OS: Any   
URL: https://roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10
See Also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=223557
Bug Depends on: 223557    
Bug Blocks:    
Attachments:
Description Flags
Update roundcube to 1.3.3 vlad-fbsd: maintainer-approval? (ale)

Description VK freebsd_triage 2017-11-08 23:42:47 UTC 
Created attachment 187870 [details]
Update roundcube to 1.3.3

A security vulnerability has been discovered in Roundcube, and "... is already being used by hackers to read Roundcube’s configuration files. It requires a valid username/password as the exploit only works with a valid session. More details will be published soon under CVE-2017-16651."

* https://roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10

Attached is a version bump patch. Builds with Poudriere, 11.1, amd64.

VuXML entry pending.
Comment 1 commit-hook freebsd_committer freebsd_triage 2017-11-09 06:57:16 UTC 
A commit references this bug:

Author: ale
Date: Thu Nov  9 06:56:53 UTC 2017
New revision: 453797
URL: https://svnweb.freebsd.org/changeset/ports/453797

Log:
  Update to 1.3.3 release.

  Fix security vulnerability (CVE-2017-16651).

  PR:		223547
  Submitted by:	Vladimir Krstulja <vlad-fbsd@acheronmedia.com>

Changes:
  head/mail/roundcube/Makefile
  head/mail/roundcube/distinfo
Comment 2 VK freebsd_triage 2017-11-09 11:18:52 UTC 
Thanks for the commit, but please also merge quarterly.
Comment 3 Kubilay Kocak freebsd_committer freebsd_triage 2017-11-10 01:11:14 UTC 
Resolution depends on users being aware (VuXML)
Comment 4 commit-hook freebsd_committer freebsd_triage 2017-11-11 18:03:36 UTC 
A commit references this bug:

Author: dbaio
Date: Sat Nov 11 18:02:38 UTC 2017
New revision: 453983
URL: https://svnweb.freebsd.org/changeset/ports/453983

Log:
  MFH: r453797

  Update to 1.3.3 release.

  Fix security vulnerability (CVE-2017-16651).

  PR:		223547
  Submitted by:	Vladimir Krstulja <vlad-fbsd@acheronmedia.com>

  Approved by:	ports-secteam (swills)

Changes:
_U  branches/2017Q4/
  branches/2017Q4/mail/roundcube/Makefile
  branches/2017Q4/mail/roundcube/distinfo