Bug 223547 - mail/roundcube: Update to 1.3.3, fixes security vulnerability (CVE-2017-16651)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Many People
Assignee: Alex Dupre
URL: https://roundcube.net/news/2017/11/08...
Keywords: patch, security
Depends on: 223557
Blocks:
Reported: 2017-11-08 23:42 UTC by VK
Modified: 2017-11-11 18:04 UTC

See Also:
vlad-fbsd: maintainer-feedback+
dbaio: merge-quarterly+


Attachments
Update roundcube to 1.3.3 (995 bytes, patch)
2017-11-08 23:42 UTC, VK
vlad-fbsd: maintainer-approval? (ale)

Description VK 2017-11-08 23:42:47 UTC
Created attachment 187870
Update roundcube to 1.3.3

A security vulnerability has been discovered in Roundcube, and "... is already being used by hackers to read Roundcube’s configuration files. It requires a valid username/password as the exploit only works with a valid session. More details will be published soon under CVE-2017-16651."

* https://roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10

Attached is a version bump patch. Builds with Poudriere, 11.1, amd64.

VuXML entry pending.
Comment 1 commit-hook freebsd_committer freebsd_triage 2017-11-09 06:57:16 UTC
A commit references this bug:

Author: ale
Date: Thu Nov  9 06:56:53 UTC 2017
New revision: 453797
URL: https://svnweb.freebsd.org/changeset/ports/453797

Log:
  Update to 1.3.3 release.

  Fix security vulnerability (CVE-2017-16651).

  PR:		223547
  Submitted by:	Vladimir Krstulja <vlad-fbsd@acheronmedia.com>

Changes:
  head/mail/roundcube/Makefile
  head/mail/roundcube/distinfo
Comment 2 VK 2017-11-09 11:18:52 UTC
Thanks for the commit, but please also merge quarterly.
Comment 3 Kubilay Kocak freebsd_committer freebsd_triage 2017-11-10 01:11:14 UTC
Resolution depends on users being aware (VuXML)
Comment 4 commit-hook freebsd_committer freebsd_triage 2017-11-11 18:03:36 UTC
A commit references this bug:

Author: dbaio
Date: Sat Nov 11 18:02:38 UTC 2017
New revision: 453983
URL: https://svnweb.freebsd.org/changeset/ports/453983

Log:
  MFH: r453797

  Update to 1.3.3 release.

  Fix security vulnerability (CVE-2017-16651).

  PR:		223547
  Submitted by:	Vladimir Krstulja <vlad-fbsd@acheronmedia.com>

  Approved by:	ports-secteam (swills)

Changes:
_U  branches/2017Q4/
  branches/2017Q4/mail/roundcube/Makefile
  branches/2017Q4/mail/roundcube/distinfo