Your message dated Sat, 13 Dec 2008 17:47:04 +0000
with message-id <[email protected]>
and subject line Bug#508628: fixed in roundcube 0.1.1-9
has caused the Debian Bug report #508628,
regarding roundcube: remote code execution vuln in html2text.php, uses preg_replace with "e".
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
508628: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508628
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: roundcube
Version: 0.1.1-8
Severity: serious
Tags: security, fixed-upstream
Justification: user security hole

I was recently targeted by a spammer exploiting a hole in my roundcube
installation. I got help from Atomo64 to try to analyze this but
we were unable to find how html2text.php could be exploited. Today
Atomo64 notified me that someone else had reported this upstream and now
they have found the problem and fixed it.

See http://trac.roundcube.net/ticket/1485618

(No CVE identifier has yet been assigned as far as I'm aware.)

Now some google juice:
This is what my access.log looked like, and the upstream bug report had
a similar-looking access log.

my.host.name 200.171.152.187 - - [08/Dec/2008:18:36:54 +0100] "POST //roundcube/bin/html2text.php HTTP/1.1" 200 83 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
my.host.name 200.171.152.187 - - [08/Dec/2008:18:37:03 +0100] "POST //roundcube/bin/html2text.php HTTP/1.1" 200 79 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
my.host.name 200.171.152.187 - - [08/Dec/2008:18:37:29 +0100] "POST //roundcube/bin/html2text.php HTTP/1.1" 200 88 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"


-- System Information:
Debian Release: 5.0
  APT prefers unstable
  APT policy: (300, 'unstable'), (100, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages roundcube depends on:
ii  roundcube-core                0.1.1-8    skinnable AJAX based webmail solut
ii  roundcube-mysql [roundcube-db 0.1.1-8    metapackage providing MySQL depend

roundcube recommends no packages.

roundcube suggests no packages.

Versions of packages roundcube-core depends on:
ii  apache2-mpm-prefork  2.2.9-11            Apache HTTP Server - traditional n
ii  dbconfig-common      1.8.40              common framework for packaging dat
ii  debconf [debconf-2.0 1.5.24              Debian configuration management sy
ii  libmagic1            4.26-2              File type determination library us
ii  php-auth             1.6.1-1             PHP PEAR modules for creating an a
ii  php-db               1.7.13-2            PHP PEAR Database Abstraction Laye
ii  php-mail-mime        1.5.2-0.1           PHP PEAR module for creating MIME 
ii  php-net-smtp         1.3.1-1             PHP PEAR module implementing SMTP 
ii  php-net-socket       1.0.9-1             PHP PEAR Network Socket Interface 
ii  php5                 5.2.6.dfsg.1-0.1    server-side, HTML-embedded scripti
ii  php5-mcrypt          5.2.6.dfsg.1-0.1+b1 MCrypt module for php5
ii  roundcube-mysql [rou 0.1.1-8             metapackage providing MySQL depend
ii  tinymce2             2.1.3-1             platform independent web based Jav
ii  ucf                  3.0011              Update Configuration File: preserv

-- debconf information excluded



--- End Message ---
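As an added example, not from the bug report or from the Roundcube project: a small scan over access-log lines in the vhost + combined format shown in the report, flagging the pattern the reporter saw (POST requests to bin/html2text.php). The sample input is the three quoted log lines re-joined onto single lines plus one constructed benign entry (192.0.2.10); the two detection heuristics are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample: the three lines quoted in the bug report (re-joined
# onto single lines) plus one constructed benign GET for contrast.
SAMPLE_LOG = """\
my.host.name 200.171.152.187 - - [08/Dec/2008:18:36:54 +0100] "POST //roundcube/bin/html2text.php HTTP/1.1" 200 83 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
my.host.name 200.171.152.187 - - [08/Dec/2008:18:37:03 +0100] "POST //roundcube/bin/html2text.php HTTP/1.1" 200 79 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
my.host.name 200.171.152.187 - - [08/Dec/2008:18:37:29 +0100] "POST //roundcube/bin/html2text.php HTTP/1.1" 200 88 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
my.host.name 192.0.2.10 - - [08/Dec/2008:18:40:00 +0100] "GET /roundcube/ HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""

# Apache "vhost_combined"-style line: vhost, client IP, ident, user,
# [timestamp], "request", status, size, "referer", "user-agent".
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return a dict of fields, or None if the line does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious(entry):
    """Assumed heuristics: list the reasons an entry looks like this probe."""
    # Collapse repeated slashes: the report shows "//roundcube/bin/html2text.php".
    path = re.sub(r'/+', '/', entry['path'].split('?', 1)[0])
    reasons = []
    if entry['method'] == 'POST' and path.endswith('/bin/html2text.php'):
        reasons.append('POST to html2text.php')
    # A crawler user-agent on a POST is a mismatch worth noting on its own.
    if entry['method'] == 'POST' and 'googlebot' in entry['ua'].lower():
        reasons.append('crawler user-agent on POST')
    return reasons

def scan(log_text):
    """Return (ip, timestamp, status, reasons) for every flagged line."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = is_suspicious(entry)
        if reasons:
            hits.append((entry['ip'], entry['ts'], entry['status'], reasons))
    return hits

def sources(hits):
    """Count flagged requests per client IP, to see who is probing."""
    return Counter(ip for ip, _, _, _ in hits)
```

A 200 status on such a POST only shows the script answered; whether the fix in 0.1.1-9 is installed has to be checked on the package itself.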
--- Begin Message ---
Source: roundcube
Source-Version: 0.1.1-9

We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive:

roundcube-core_0.1.1-9_all.deb
  to pool/main/r/roundcube/roundcube-core_0.1.1-9_all.deb
roundcube-mysql_0.1.1-9_all.deb
  to pool/main/r/roundcube/roundcube-mysql_0.1.1-9_all.deb
roundcube-pgsql_0.1.1-9_all.deb
  to pool/main/r/roundcube/roundcube-pgsql_0.1.1-9_all.deb
roundcube-sqlite_0.1.1-9_all.deb
  to pool/main/r/roundcube/roundcube-sqlite_0.1.1-9_all.deb
roundcube_0.1.1-9.diff.gz
  to pool/main/r/roundcube/roundcube_0.1.1-9.diff.gz
roundcube_0.1.1-9.dsc
  to pool/main/r/roundcube/roundcube_0.1.1-9.dsc
roundcube_0.1.1-9_all.deb
  to pool/main/r/roundcube/roundcube_0.1.1-9_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vincent Bernat <[email protected]> (supplier of updated roundcube package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Sat, 13 Dec 2008 14:04:57 +0100
Source: roundcube
Binary: roundcube-core roundcube roundcube-mysql roundcube-pgsql roundcube-sqlite
Architecture: source all
Version: 0.1.1-9
Distribution: unstable
Urgency: high
Maintainer: Debian Roundcube Maintainers <[email protected]>
Changed-By: Vincent Bernat <[email protected]>
Description: 
 roundcube  - skinnable AJAX based webmail solution for IMAP servers
 roundcube-core - skinnable AJAX based webmail solution for IMAP servers
 roundcube-mysql - metapackage providing MySQL dependencies for RoundCube
 roundcube-pgsql - metapackage providing PostgreSQL dependencies for RoundCube
 roundcube-sqlite - metapackage providing sqlite dependencies for RoundCube
Closes: 508628
Changes: 
 roundcube (0.1.1-9) unstable; urgency=high
 .
   * Fix a vulnerability in preg_replace() use. Thanks to Andreas
     Henriksson for the report. Closes: #508628.




--- End Message ---
