Mageia alert MGASA-2015-0400 (roundcubemail)

From:
    	     
 
Mageia Updates <buildsystem-daemon@mageia.org> 
To:
    	     
 
updates-announce@ml.mageia.org 
Subject:
    	     
 
[updates-announce] MGASA-2015-0400: Updated roundcubemail package fixes security vulnerabilities 
Date:
    	     
 
Wed, 14 Oct 2015 22:28:49 +0200
Message-ID:
    	     
 
<20151014202849.D7911409F1@valstar.mageia.org>
MGASA-2015-0400 - Updated roundcubemail package fixes security vulnerabilities

Publication date: 14 Oct 2015
URL: http://advisories.mageia.org/MGASA-2015-0400.html
Type: security
Affected Mageia releases: 5
CVE: CVE-2015-2180,
     CVE-2015-2181,
     CVE-2015-5382

Description:
Multiple security issues in the DBMail driver for the password plugin,
including buffer overflows (CVE-2015-2181) and the ability for a remote
attacker to execute arbitrary shell commands as root (CVE-2015-2180).

An authenticated user can download arbitrary files from the web server
that the web server process has read access to, by uploading a vCard with
a specially crafted POST (CVE-2015-5382).

The roundcubemail package has been updated to version 1.0.6, fixing these
issues and several other bugs, however the installer is currently known
to be broken.

References:
- https://bugs.mageia.org/show_bug.cgi?id=16249
- https://bugs.mageia.org/show_bug.cgi?id=13056
- http://openwall.com/lists/oss-security/2015/07/07/2
- http://trac.roundcube.net/ticket/1490261
- https://github.com/roundcube/roundcubemail/releases/tag/1...
- http://lists.opensuse.org/opensuse-updates/2015-06/msg000...
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2180
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2181
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5382

SRPMS:
- 5/core/roundcubemail-1.0.6-1.1.mga5