Bug#847287: [Pkg-roundcube-maintainers] Bug#847287:
On Thu, 08 Dec 2016 at 19:46:32 +0100, Reiner Buehl wrote:
> Sorry if I ask a stupid question, but do I understand correctly that if I
> have 1.1.5+dfsg.1-1~bpo8+2 installed, then the fix is applied?

That's correct, cf.
https://anonscm.debian.org/cgit/pkg-roundcube/roundcube.git/commit/?h=debian/1.1.5%2bdfsg.1-1_bpo8%2b2=1a45de6cabae3124a8bcb3f72c0265de5ad10efc

--
Guilhem.
Bug#847287:
Sorry if I ask a stupid question, but do I understand correctly that if I have 1.1.5+dfsg.1-1~bpo8+2 installed, then the fix is applied?

Best regards,
Reiner
Bug#847287: roundcube: Roundcube 1.2.2: Remote command execution via malicious email composing
Hi,

> What about wheezy / wheezy-backports? Are these packages affected too?

Yes. Am updating wheezy now with my "LTS" hat on and issuing the corresponding DLA. :)

Regards,

--
Chris Lamb
la...@debian.org / chris-lamb.co.uk
Bug#847287: roundcube: Roundcube 1.2.2: Remote command execution via malicious email composing
On Wed, 07 Dec 2016 12:16:14 +0100 Vincent Bernat wrote:
> ❦ 7 December 2016 12:08 +0100, Guilhem Moulin:
>
>>> Is the tag for debian/1.1.5+dfsg.1-1_bpo8+1? The diff for it is pretty
>>> big.
>>
>> 1.1.5+dfsg.1-1_bpo8+1 is the current version from jessie-backports (since
>> April 29). The diff between 1.1.5+dfsg.1-1_bpo8+1 and 1.1.5+dfsg.1-1_bpo8+2
>> is merely the upstream fix
>>
>> https://anonscm.debian.org/cgit/pkg-roundcube/roundcube.git/diff/?id=debian/1.1.5%2bdfsg.1-1_bpo8%2b2=debian/1.1.5%2bdfsg.1-1_bpo8%2b1
>
> I deleted the tag on my side, fetched it again and the diff is now
> OK. I'll upload in the next hour.

Wow. That was quick! Thanks to you all.

What about wheezy / wheezy-backports? Are these packages affected too?

Regards,
- Darsha
Bug#847287: [Pkg-roundcube-maintainers] Bug#847287: roundcube: Roundcube 1.2.2: Remote command execution via malicious email composing
❦ 7 December 2016 12:08 +0100, Guilhem Moulin:

>> Is the tag for debian/1.1.5+dfsg.1-1_bpo8+1? The diff for it is pretty
>> big.
>
> 1.1.5+dfsg.1-1_bpo8+1 is the current version from jessie-backports (since
> April 29). The diff between 1.1.5+dfsg.1-1_bpo8+1 and 1.1.5+dfsg.1-1_bpo8+2
> is merely the upstream fix
>
> https://anonscm.debian.org/cgit/pkg-roundcube/roundcube.git/diff/?id=debian/1.1.5%2bdfsg.1-1_bpo8%2b2=debian/1.1.5%2bdfsg.1-1_bpo8%2b1

I deleted the tag on my side, fetched it again and the diff is now
OK. I'll upload in the next hour.

--
How apt the poor are to be proud.
-- William Shakespeare, "Twelfth-Night"
Bug#847287: [Pkg-roundcube-maintainers] Bug#847287: roundcube: Roundcube 1.2.2: Remote command execution via malicious email composing
On Wed, 07 Dec 2016 at 11:55:50 +0100, Vincent Bernat wrote:
> ❦ 7 December 2016 11:27 +0100, Guilhem Moulin:
>
>>>> Unfortunately 1.2.x has many dependencies that aren't in
>>>> jessie-backports yet. I personally don't have the time nor energy to
>>>> maintain said dependencies, so we asked backports folks for an exception
>>>> to stick to 1.1.x for the bpo version, exception which was rejected.
>>>> I'm afraid the remaining alternative is to remove the package from
>>>> jessie-backports :-(
>>>
>>> Since the problem is quite serious, could you push the fix in bpo8+2
>>> nonetheless? Then wait a bit before asking for removal from backports to
>>> let actual users get an updated version. It seems far better than just
>>> leaving some people with vulnerable versions on their systems.
>>
>> Just tagged and pushed ‘debian/1.1.5+dfsg.1-1_bpo8+2’. Note that I
>> moved jessie-backports's HEAD to its parent first as it was on
>> debian/1.1.6+dfsg.1-1_bpo8+1 which didn't make it to bpo. Running
>>
>>     git branch jessie-backports debian/1.1.5+dfsg.1-1_bpo8+1
>>
>> before pull should fix this. Sorry for the inconvenience.
>
> Is the tag for debian/1.1.5+dfsg.1-1_bpo8+1? The diff for it is pretty
> big.

1.1.5+dfsg.1-1_bpo8+1 is the current version from jessie-backports (since
April 29). The diff between 1.1.5+dfsg.1-1_bpo8+1 and 1.1.5+dfsg.1-1_bpo8+2
is merely the upstream fix

https://anonscm.debian.org/cgit/pkg-roundcube/roundcube.git/diff/?id=debian/1.1.5%2bdfsg.1-1_bpo8%2b2=debian/1.1.5%2bdfsg.1-1_bpo8%2b1

--
Guilhem.
Bug#847287: [Pkg-roundcube-maintainers] Bug#847287: roundcube: Roundcube 1.2.2: Remote command execution via malicious email composing
❦ 7 December 2016 11:27 +0100, Guilhem Moulin:

>>> Unfortunately 1.2.x has many dependencies that aren't in
>>> jessie-backports yet. I personally don't have the time nor energy to
>>> maintain said dependencies, so we asked backports folks for an exception
>>> to stick to 1.1.x for the bpo version, exception which was rejected.
>>> I'm afraid the remaining alternative is to remove the package from
>>> jessie-backports :-(
>>
>> Since the problem is quite serious, could you push the fix in bpo8+2
>> nonetheless? Then wait a bit before asking for removal from backports to
>> let actual users get an updated version. It seems far better than just
>> leaving some people with vulnerable versions on their systems.
>
> Just tagged and pushed ‘debian/1.1.5+dfsg.1-1_bpo8+2’. Note that I
> moved jessie-backports's HEAD to its parent first as it was on
> debian/1.1.6+dfsg.1-1_bpo8+1 which didn't make it to bpo. Running
>
>     git branch jessie-backports debian/1.1.5+dfsg.1-1_bpo8+1
>
> before pull should fix this. Sorry for the inconvenience.

Is the tag for debian/1.1.5+dfsg.1-1_bpo8+1? The diff for it is pretty
big.

--
Follow each decision as closely as possible with its associated action.
- The Elements of Programming Style (Kernighan & Plauger)
Bug#847287: [Pkg-roundcube-maintainers] Bug#847287: roundcube: Roundcube 1.2.2: Remote command execution via malicious email composing
On Wed, 07 Dec 2016 at 07:46:06 +0100, Vincent Bernat wrote:
> ❦ 7 December 2016 00:30 +0100, Guilhem Moulin:
>
>>> Version: 1.1.4+dfsg.1-1~bpo8+1
>>> […]
>>> So probably it is important to update to upstream version 1.2.3
>>
>> Unfortunately 1.2.x has many dependencies that aren't in
>> jessie-backports yet. I personally don't have the time nor energy to
>> maintain said dependencies, so we asked backports folks for an exception
>> to stick to 1.1.x for the bpo version, exception which was rejected.
>> I'm afraid the remaining alternative is to remove the package from
>> jessie-backports :-(
>
> Since the problem is quite serious, could you push the fix in bpo8+2
> nonetheless? Then wait a bit before asking for removal from backports to
> let actual users get an updated version. It seems far better than just
> leaving some people with vulnerable versions on their systems.

Just tagged and pushed ‘debian/1.1.5+dfsg.1-1_bpo8+2’. Note that I
moved jessie-backports's HEAD to its parent first as it was on
debian/1.1.6+dfsg.1-1_bpo8+1 which didn't make it to bpo. Running

    git branch jessie-backports debian/1.1.5+dfsg.1-1_bpo8+1

before pull should fix this. Sorry for the inconvenience.

--
Guilhem.
Bug#847287: Security Update for roundcube -- planning
Hey,

we are discussing how we should handle the security issue for roundcube. It currently has no CVE; it is tracked as TEMP-0847287-64604E on security.debian.org or #847287 on the BTS.

Because we should not upload a new 1.1.X version to bpo, we thought to only push an update that fixes only this issue and afterwards request a removal from backports. Because the version in backports is outdated and updates to this package are not allowed, as discussed on debian-backpo...@lists.debian.org, and splitting the upstream package into sec updates/non-sec updates is work we are not able to provide.

Is this a way to go?

Best Regards,
sandro

PS: maybe we should move the discussion to debian-backpo...@lists.debian.org. This initial mail should go to the team, because the issue is a security issue and how to handle this; the other stuff can be handled later...
Bug#847287: [Pkg-roundcube-maintainers] Bug#847287: roundcube: Roundcube 1.2.2: Remote command execution via malicious email composing
❦ 7 December 2016 00:30 +0100, Guilhem Moulin:

>> Version: 1.1.4+dfsg.1-1~bpo8+1
>> […]
>> So probably it is important to update to upstream version 1.2.3
>
> Unfortunately 1.2.x has many dependencies that aren't in
> jessie-backports yet. I personally don't have the time nor energy to
> maintain said dependencies, so we asked backports folks for an exception
> to stick to 1.1.x for the bpo version, exception which was rejected.
> I'm afraid the remaining alternative is to remove the package from
> jessie-backports :-(

Since the problem is quite serious, could you push the fix in bpo8+2
nonetheless? Then wait a bit before asking for removal from backports to
let actual users get an updated version. It seems far better than just
leaving some people with vulnerable versions on their systems.

--
"Not Hercules could have knock'd out his brains, for he had none."
-- Shakespeare
Bug#847287: [Pkg-roundcube-maintainers] Bug#847287: roundcube: Roundcube 1.2.2: Remote command execution via malicious email composing
Hi,

On Wed, Dec 07, 2016 at 12:30:42AM +0100, Guilhem Moulin wrote:
> Hi,
>
> On Tue, 06 Dec 2016 at 23:05:59 +, Juan Rossi wrote:
> > Version: 1.1.4+dfsg.1-1~bpo8+1
> > […]
> > So probably it is important to update to upstream version 1.2.3
>
> Unfortunately 1.2.x has many dependencies that aren't in
> jessie-backports yet. I personally don't have the time nor energy to
> maintain said dependencies, so we asked backports folks for an exception
> to stick to 1.1.x for the bpo version, exception which was rejected.
> I'm afraid the remaining alternative is to remove the package from
> jessie-backports :-(

Upstream fix:
https://github.com/roundcube/roundcubemail/commit/f84233785ddeed01445fc855f3ae1e8a62f167e1

Regards,
Salvatore
Bug#847287:
Hi

I guess if package 1.2.3 cannot be backported to jessie due to dependency issues, and there is no exception, that would leave jessie users to backport manually to 1.1.7, which includes the fix:
https://roundcube.net/news/2016/11/28/updates-1.2.3-and-1.1.7-released

The issue is quite severe; I wonder if they would reconsider the exception to stay on 1.1.X.

Regards
Juan.-
Bug#847287: [Pkg-roundcube-maintainers] Bug#847287: roundcube: Roundcube 1.2.2: Remote command execution via malicious email composing
Hi,

On Tue, 06 Dec 2016 at 23:05:59 +, Juan Rossi wrote:
> Version: 1.1.4+dfsg.1-1~bpo8+1
> […]
> So probably it is important to update to upstream version 1.2.3

Unfortunately 1.2.x has many dependencies that aren't in
jessie-backports yet. I personally don't have the time nor energy to
maintain said dependencies, so we asked backports folks for an exception
to stick to 1.1.x for the bpo version, exception which was rejected.
I'm afraid the remaining alternative is to remove the package from
jessie-backports :-(

--
Guilhem.
Bug#847287: roundcube: Roundcube 1.2.2: Remote command execution via malicious email composing
Package: roundcube
Version: 1.1.4+dfsg.1-1~bpo8+1
Severity: grave
Tags: upstream security
Justification: user security hole

Dear Maintainer,

I am reporting this as it is quite important, as testing and unstable versions of roundcube are affected (and even all the backports offered, which hopefully will be updated via a bug report to the backport mailing list once the packages are upgraded or the bug patch is backported):

"malicious user can execute arbitrary commands on the underlying operating system remotely, simply by writing an email in Roundcube 1.2.2 (>= 1.0)"

"Requirements
The vulnerability has the following requirements for exploitation:
- Roundcube must be configured to use PHP’s mail() function (by default, if no SMTP was specified [2])
- PHP’s mail() function is configured to use sendmail (by default, see sendmail_path [3])
- PHP is configured to have safe_mode turned off (by default, see safe_mode [4])
- An attacker must know or guess the absolute path of the webroot
These requirements are not particularly demanding, which in turn means that there were a lot of vulnerable systems in the wild."

The usage of the PHP mail function is the default in the package. More details about this at:
https://blog.ripstech.com/2016/roundcube-command-execution-via-email/#fn:1

So probably it is important to update to upstream version 1.2.3

Regards
Juan.-

-- System Information:
Debian Release: 8.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 4.4.32-rh33-20161115070633.xenU.i386 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages roundcube depends on:
ii  roundcube-core  1.1.4+dfsg.1-1~bpo8+1

roundcube recommends no packages.

roundcube suggests no packages.

Versions of packages roundcube-core depends on:
ii  dbconfig-common        1.8.47+nmu3+deb8u1
ii  debconf [debconf-2.0]  1.5.56
ii  libapache2-mod-php5    5.6.19+dfsg-0+deb8u1
ii  libmagic1              1:5.22+15-2+deb8u1
ii  php-auth               1.6.4-1
ii  php-mail-mime          1.8.9-1+deb8u1
ii  php-mail-mimedecode    1.5.5-2+deb8u1
ii  php-net-smtp           1.6.2-2
ii  php-net-socket         1.0.14-1
ii  php5                   5.6.19+dfsg-0+deb8u1
ii  php5-cli               5.6.19+dfsg-0+deb8u1
ii  php5-common            5.6.19+dfsg-0+deb8u1
ii  php5-intl              5.6.19+dfsg-0+deb8u1
ii  php5-json              1.3.6-1
ii  php5-mcrypt            5.6.19+dfsg-0+deb8u1
ii  roundcube-mysql        1.1.4+dfsg.1-1~bpo8+1
ii  ucf                    3.0030

Versions of packages roundcube-core recommends:
ii  apache2 [httpd-cgi]              2.4.10-10+deb8u4
ii  apache2-mpm-prefork [httpd-cgi]  2.4.10-10+deb8u4
ii  php-net-ldap3                    1.0.3-1~bpo8+1
ii  php-net-sieve                    1.3.2-4
ii  php5-gd                          5.6.19+dfsg-0+deb8u1
ii  php5-pspell                      5.6.19+dfsg-0+deb8u1

Versions of packages roundcube-core suggests:
ii  php-auth-sasl      1.0.6-1+deb8u1
pn  php-crypt-gpg      <none>
ii  roundcube-plugins  1.1.4+dfsg.1-1~bpo8+1

-- debconf information excluded
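The exploitation preconditions quoted in the report above, turned into a configuration audit a Debian admin could run against an install. This is an added example, not code from the bug report, Roundcube or the Debian package; the config.inc.php and php.ini fragments are constructed samples, and the version check only knows the upstream fixed releases 1.1.7 and 1.2.3 named in the thread, so a Debian-patched package such as 1.1.5+dfsg.1-1~bpo8+2 still has to be confirmed from its changelog.

```python
import re
# Constructed samples (not from the bug report): a config.inc.php with no SMTP
# server set, and a php.ini with PHP's defaults for sendmail_path and safe_mode.
SAMPLE_RC_CONFIG = """<?php
$config['smtp_server'] = '';
$config['smtp_port'] = 25;
"""
SAMPLE_PHP_INI = """; constructed php.ini excerpt
safe_mode = Off
sendmail_path = /usr/sbin/sendmail -t -i
"""

def roundcube_uses_php_mail(config_text):
    # Roundcube falls back to PHP mail() when smtp_server is empty or unset.
    m = re.search(r"\$config\['smtp_server'\]\s*=\s*['\"]([^'\"]*)['\"]", config_text)
    return m is None or m.group(1).strip() == ""

def php_ini_value(ini_text, key):
    # Value of an ini key (comments skipped); None when the key is absent.
    for line in ini_text.splitlines():
        line = line.strip()
        if line and not line.startswith(";"):
            k, _, v = line.partition("=")
            if k.strip().lower() == key:
                return v.strip()
    return None

def php_mail_uses_sendmail(ini_text):
    # An unset or empty sendmail_path means PHP's compiled-in sendmail default.
    path = php_ini_value(ini_text, "sendmail_path")
    return not path or "sendmail" in path

def safe_mode_off(ini_text):
    # safe_mode is off unless explicitly enabled (and absent from PHP >= 5.4).
    value = php_ini_value(ini_text, "safe_mode")
    return value is None or value.lower() in ("off", "0", "")

def version_vulnerable(version):
    # Upstream fixed the 1.1 branch in 1.1.7 and the 1.2 branch in 1.2.3; the
    # report says >= 1.0 is affected. Debian suffixes like "+dfsg.1-1~bpo8+2"
    # are ignored here (assumption: upstream version only, see lead-in).
    major, minor, patch = (int(x) for x in re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())
    if (major, minor) == (1, 1):
        return patch < 7
    if (major, minor) == (1, 2):
        return patch < 3
    return (1, 0) <= (major, minor) < (1, 1)   # 1.0.x: affected, no fix named

def preconditions_met(config_text, ini_text, version):
    # True only when every precondition from the report holds at once.
    return (version_vulnerable(version) and roundcube_uses_php_mail(config_text)
            and php_mail_uses_sendmail(ini_text) and safe_mode_off(ini_text))
```

The webroot-path requirement is not checked because it depends on what an outsider can guess, not on any local setting.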