Bug 483426
| Field | Value |
|---|---|
| Summary | There is a remote shell vulnerability in roundcubemail 0.1.1 |
| Product | Fedora EPEL |
| Component | roundcubemail |
| Reporter | Gordon Messmer <gordon.messmer> |
| Assignee | Gwyn Ciesla <gwync> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | gwync, orion, rdieter |
| Status | CLOSED NEXTRELEASE |
| Severity | urgent |
| Priority | low |
| Version | el5 |
| Hardware | All |
| OS | Linux |
| URL | http://sourceforge.net/forum/forum.php?forum_id=898542 |
| Doc Type | Bug Fix |
| Last Closed | 2009-03-17 19:07:15 UTC |
Description
Gordon Messmer
2009-02-01 06:23:45 UTC
0.2 will not work in RHEL5 or earlier due to the PHP version. I'll see if I can fix or craft a patch.

To be clear, are you referring to the html2text and quota vulnerabilities?

Yes, I am.

I can build but not effectively test for EL-5. Would you be willing to test an uploaded rpm, or would you prefer a srpm?

Ping?

I can test either. I'd be curious enough to review the patch, as well, so a src.rpm would be welcome.

I've successfully tested the attached patch. It merely replaces html2text.inc with the version of html2text.php released to fix the bug in 0.2. Please publish an updated package ASAP. This is actively being exploited in the wild.

Created attachment 335298: Patch to fix CVE-2008-5619

Built for EL-5 and EL-4, sent request for push to epel-signers. Thanks very much for the patch and testing. Sorry for the delay, I've been extraordinarily busy of late.

This still hasn't been pushed. I'm going to try to ping the epel-signers.

Just got hit by this yesterday.