Created attachment 170808 [details]
Patch roundcube against CVE-2016-5103

The current version of Roundcube, v1.1.5, is vulnerable to CVE-2016-5103.

* Upstream Issue: https://github.com/roundcube/roundcubemail/issues/5240
* CVE assignment: http://seclists.org/oss-sec/2016/q2/414

The upstream has not yet released a version that would include the fix. I don't know what changes against vuxml should be done in order to submit a patch myself. I've attached a patch for Roundcube, in case the maintainer wants to apply it until the upstream releases a new version.

Portlint passes. port test passes. Testing in production right now.
CC ports-secteam@
Seriously? No reply from anyone? Not even a vuxml entry? Is CC'ed secteam even receiving this?
(In reply to Vladimir Krstulja from comment #2) If the maintainer doesn't take action by tonight this will get updated under the secteam override.
A commit references this bug:

Author: junovitch
Date: Fri Jun 10 01:15:08 UTC 2016
New revision: 416647
URL: https://svnweb.freebsd.org/changeset/ports/416647

Log:
  Document cross-site scripting CVE in Roundcube

  PR:           209841
  Reported by:  Vladimir Krstulja <vlad-fbsd@acheronmedia.com>
  Security:     CVE-2016-5103
  Security:     https://vuxml.FreeBSD.org/freebsd/97e86d10-2ea7-11e6-ae88-002590263bf5.html

Changes:
  head/security/vuxml/vuln.xml
A commit references this bug:

Author: junovitch
Date: Fri Jun 10 01:15:58 UTC 2016
New revision: 416648
URL: https://svnweb.freebsd.org/changeset/ports/416648

Log:
  Apply patch from upstream for cross-site scripting vulnerability

  PR:           209841
  Reported by:  Vladimir Krstulja <vlad-fbsd@acheronmedia.com>
  Approved by:  maintainer timeout (2 weeks)
  Security:     CVE-2016-5103
  Security:     https://vuxml.FreeBSD.org/freebsd/97e86d10-2ea7-11e6-ae88-002590263bf5.html
  MFH:          2016Q2

Changes:
  head/mail/roundcube/Makefile
  head/mail/roundcube/files/patch-CVE-2016-5103
A commit references this bug:

Author: junovitch
Date: Fri Jun 10 01:17:31 UTC 2016
New revision: 416649
URL: https://svnweb.freebsd.org/changeset/ports/416649

Log:
  MFH: r414979 r416648

  Update to 1.1.5 release.

  Apply patch from upstream for cross-site scripting vulnerability

  PR:           209841
  Reported by:  Vladimir Krstulja <vlad-fbsd@acheronmedia.com>
  Approved by:  maintainer timeout (2 weeks)
  Security:     CVE-2016-5103
  Security:     https://vuxml.FreeBSD.org/freebsd/97e86d10-2ea7-11e6-ae88-002590263bf5.html

  Approved by:  ports-secteam (with hat)

Changes:
_U  branches/2016Q2/
  branches/2016Q2/mail/roundcube/Makefile
  branches/2016Q2/mail/roundcube/distinfo
  branches/2016Q2/mail/roundcube/files/patch-CVE-2016-5103
In the interest of avoiding surprises to quarterly users, the patch was applied to keep us on 1.1.X for the time being in quarterly and head. I'll leave it to the maintainer to handle the testing for a 1.1.X -> 1.2.X version bump. Vladimir, thanks for the patch, testing, and follow-up.
Thanks for taking care of this. For the record, the upstream will continue supporting the 1.1.x branch despite it having released 1.2.x recently, so 1.1.6 is expected, with this fix.