Bug 209841 - mail/roundcube: 1.1.5 vulnerable to CVE-2016-5103
Summary: mail/roundcube: 1.1.5 vulnerable to CVE-2016-5103
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Alex Dupre
URL: https://github.com/roundcube/roundcub...
Keywords: patch, security
Depends on:
Blocks:
 
Reported: 2016-05-29 19:44 UTC by VK
Modified: 2016-06-10 09:08 UTC

See Also:
bugzilla: maintainer-feedback? (ale)
junovitch: merge-quarterly+


Attachments
Patch roundcube against CVE-2016-5103 (1.07 KB, patch)
2016-05-29 19:44 UTC, VK
vlad-fbsd: maintainer-approval? (ale)

Description VK freebsd_triage 2016-05-29 19:44:28 UTC
Created attachment 170808 [details]
Patch roundcube against CVE-2016-5103

The current version of Roundcube, v1.1.5, is vulnerable to CVE-2016-5103.

* Upstream Issue: https://github.com/roundcube/roundcubemail/issues/5240
* CVE assignment: http://seclists.org/oss-sec/2016/q2/414

The upstream has not yet released a version that would include the fix.

I don't know what changes against vuxml should be done in order to submit a patch myself.

I've attached a patch for Roundcube, in case the maintainer wants to apply it until the upstream releases a new version. Portlint passes; port test passes. Testing in production right now.
Comment 1 VK freebsd_triage 2016-05-29 19:47:18 UTC
CC ports-secteam@
Comment 2 VK freebsd_triage 2016-06-09 09:02:55 UTC
Seriously? No reply from anyone? Not even a vuxml entry? Is CC'ed secteam even receiving this?
Comment 3 Jason Unovitch freebsd_committer freebsd_triage 2016-06-09 10:47:33 UTC
(In reply to Vladimir Krstulja from comment #2)
If the maintainer doesn't take action by tonight this will get updated under the secteam override.
Comment 4 commit-hook freebsd_committer freebsd_triage 2016-06-10 01:15:17 UTC
A commit references this bug:

Author: junovitch
Date: Fri Jun 10 01:15:08 UTC 2016
New revision: 416647
URL: https://svnweb.freebsd.org/changeset/ports/416647

Log:
  Document cross-site scripting CVE in Roundcube

  PR:		209841
  Reported by:	Vladimir Krstulja <vlad-fbsd@acheronmedia.com>
  Security:	CVE-2016-5103
  Security:	https://vuxml.FreeBSD.org/freebsd/97e86d10-2ea7-11e6-ae88-002590263bf5.html

Changes:
  head/security/vuxml/vuln.xml
Comment 5 commit-hook freebsd_committer freebsd_triage 2016-06-10 01:16:19 UTC
A commit references this bug:

Author: junovitch
Date: Fri Jun 10 01:15:58 UTC 2016
New revision: 416648
URL: https://svnweb.freebsd.org/changeset/ports/416648

Log:
  Apply patch from upstream for cross-site scripting vulnerability

  PR:		209841
  Reported by:	Vladimir Krstulja <vlad-fbsd@acheronmedia.com>
  Approved by:	maintainer timeout (2 weeks)
  Security:	CVE-2016-5103
  Security:	https://vuxml.FreeBSD.org/freebsd/97e86d10-2ea7-11e6-ae88-002590263bf5.html
  MFH:		2016Q2

Changes:
  head/mail/roundcube/Makefile
  head/mail/roundcube/files/patch-CVE-2016-5103
Comment 6 commit-hook freebsd_committer freebsd_triage 2016-06-10 01:18:21 UTC
A commit references this bug:

Author: junovitch
Date: Fri Jun 10 01:17:31 UTC 2016
New revision: 416649
URL: https://svnweb.freebsd.org/changeset/ports/416649

Log:
  MFH: r414979 r416648

  Update to 1.1.5 release.

  Apply patch from upstream for cross-site scripting vulnerability

  PR:		209841
  Reported by:	Vladimir Krstulja <vlad-fbsd@acheronmedia.com>
  Approved by:	maintainer timeout (2 weeks)
  Security:	CVE-2016-5103
  Security:	https://vuxml.FreeBSD.org/freebsd/97e86d10-2ea7-11e6-ae88-002590263bf5.html

  Approved by:	ports-secteam (with hat)

Changes:
_U  branches/2016Q2/
  branches/2016Q2/mail/roundcube/Makefile
  branches/2016Q2/mail/roundcube/distinfo
  branches/2016Q2/mail/roundcube/files/patch-CVE-2016-5103
Comment 7 Jason Unovitch freebsd_committer freebsd_triage 2016-06-10 01:22:02 UTC
In the interest of avoiding surprises to quarterly users, the patch was applied to keep us on 1.1.X for the time being in quarterly and head. I'll leave it to the maintainer to handle the testing for a 1.1.X -> 1.2.X version bump.

Vladimir, thanks for the patch, testing, and follow-up.
Comment 8 VK freebsd_triage 2016-06-10 09:08:01 UTC
Thanks for taking care of this.

For the record, the upstream will continue supporting the 1.1.x branch despite it having released 1.2.x recently, so 1.1.6 is expected, with this fix.