Bug 227476 - mail/roundcube: Update to 1.3.6 (a security update for CVE-2018-9846
Summary: mail/roundcube: Update to 1.3.6 (a security update for CVE-2018-9846
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Alex Dupre
URL: https://roundcube.net/news/2018/04/11...
Keywords: patch-ready, security
Depends on:
Reported: 2018-04-12 16:51 UTC by Mahdi Mokhtari
Modified: 2018-04-14 21:56 UTC (History)
4 users (show)

See Also:
bugzilla: maintainer-feedback? (ale)
mmokhi: maintainer-feedback? (ale)

patch-updates-port (905 bytes, patch)
2018-04-12 16:51 UTC, Mahdi Mokhtari
mmokhi: maintainer-approval? (ale)
Details | Diff
patch-updates-vuxml.diff (1.37 KB, patch)
2018-04-12 16:53 UTC, Mahdi Mokhtari
riggs: maintainer-approval+
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Mahdi Mokhtari freebsd_committer freebsd_triage 2018-04-12 16:51:56 UTC
Created attachment 192464 [details]

Roundcube had an important update in upstream.
including fixes for a recently discovered IMAP command injection vulnerability caused by insufficient input validation within the archive plugin (CVE-2018-9846)
Also back-porting some minor fixes from the master branch which improve PHP 7.2 compatibility as well as PGP signing and key handling for enigma-plugin.

The attached patch updates the port and also the other patch updates the vuxml entry.
Comment 1 Mahdi Mokhtari freebsd_committer freebsd_triage 2018-04-12 16:53:13 UTC
Created attachment 192465 [details]
Comment 2 commit-hook freebsd_committer 2018-04-13 07:19:48 UTC
A commit references this bug:

Author: ale
Date: Fri Apr 13 07:19:32 UTC 2018
New revision: 467213
URL: https://svnweb.freebsd.org/changeset/ports/467213

  Update to 1.3.6 release.

  PR:		227476
  Submitted by:	mmokhi

Comment 3 Thomas Zander freebsd_committer 2018-04-14 06:45:47 UTC
Comment on attachment 192465 [details]

This patch has already been committed.
@mmokhi you don't need explicit approval for vuxml updates. Please feel free to  commit on your own to after making sure vuln.xml passes the validation checks.
Comment 4 Mahdi Mokhtari freebsd_committer freebsd_triage 2018-04-14 21:56:23 UTC
(In reply to Thomas Zander from comment #3)
riggs@ Thanks for the point :) I now learned new things as well.