Bug 223547 - mail/roundcube: Update to 1.3.3, fixes security vulnerability (CVE-2017-16651)
Summary: mail/roundcube: Update to 1.3.3, fixes security vulnerability (CVE-2017-16651)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Many People
Assignee: Alex Dupre
URL: https://roundcube.net/news/2017/11/08...
Keywords: patch, security
Depends on: 223557
Blocks:
  Show dependency treegraph
 
Reported: 2017-11-08 23:42 UTC by VK
Modified: 2017-11-11 18:04 UTC (History)
3 users (show)

See Also:
vlad-fbsd: maintainer-feedback+
dbaio: merge-quarterly+


Attachments
Update roundcube to 1.3.3 (995 bytes, patch)
2017-11-08 23:42 UTC, VK
vlad-fbsd: maintainer-approval? (ale)
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description VK freebsd_triage 2017-11-08 23:42:47 UTC
Created attachment 187870 [details]
Update roundcube to 1.3.3

A security vulnerability has been discovered in Roundcube, and "... is already being used by hackers to read Roundcube’s configuration files. It requires a valid username/password as the exploit only works with a valid session. More details will be published soon under CVE-2017-16651."

* https://roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10

Attached is a version bump patch. Builds with Poudriere, 11.1, amd64.

VuXML entry pending.
Comment 1 commit-hook freebsd_committer 2017-11-09 06:57:16 UTC
A commit references this bug:

Author: ale
Date: Thu Nov  9 06:56:53 UTC 2017
New revision: 453797
URL: https://svnweb.freebsd.org/changeset/ports/453797

Log:
  Update to 1.3.3 release.

  Fix security vulnerability (CVE-2017-16651).

  PR:		223547
  Submitted by:	Vladimir Krstulja <vlad-fbsd@acheronmedia.com>

Changes:
  head/mail/roundcube/Makefile
  head/mail/roundcube/distinfo
Comment 2 VK freebsd_triage 2017-11-09 11:18:52 UTC
Thanks for the commit, but please also merge quarterly.
Comment 3 Kubilay Kocak freebsd_committer freebsd_triage 2017-11-10 01:11:14 UTC
Resolution depends on users being aware (VuXML)
Comment 4 commit-hook freebsd_committer 2017-11-11 18:03:36 UTC
A commit references this bug:

Author: dbaio
Date: Sat Nov 11 18:02:38 UTC 2017
New revision: 453983
URL: https://svnweb.freebsd.org/changeset/ports/453983

Log:
  MFH: r453797

  Update to 1.3.3 release.

  Fix security vulnerability (CVE-2017-16651).

  PR:		223547
  Submitted by:	Vladimir Krstulja <vlad-fbsd@acheronmedia.com>

  Approved by:	ports-secteam (swills)

Changes:
_U  branches/2017Q4/
  branches/2017Q4/mail/roundcube/Makefile
  branches/2017Q4/mail/roundcube/distinfo