Bug 541558 (CVE-2009-4076, CVE-2009-4077)
Summary: CVE-2009-4076 CVE-2009-4077 RoundCube Webmail: Multiple CSRF flaws

| Field | Value | Field | Value |
|---|---|---|---|
| Product | [Other] Security Response | Reporter | Jan Lieskovsky <jlieskov> |
| Component | vulnerability | Assignee | Nobody <nobody> |
| Status | ASSIGNED --- | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | gwync |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 541963 | | |
| Bug Blocks | | | |
Description
Jan Lieskovsky
2009-11-26 10:26:50 UTC
Jon, regarding the updates:

1. While in Fedora 11, 12 and rawhide we already ship 0.3-* based versions of RoundCube Webmail, in F10 the latest version is roundcubemail-0.2.2-2.fc10.

2. The above References records are poor wrt providing more information about the patches needed. The only trace of the CSRF issues I found is in [A], Release 0.3-RC1:

   * Use request tokens to protect POST requests from CSRF

   [A] http://trac.roundcube.net/wiki/Changelog

3. When I searched the SVN log for "Release 0.3-RC1" for CSRF-related commits, I found these three:

   i. r2755 | thomasb | 2009-07-15 11:49:35 +0200 (Wed, 15 Jul 2009) | 1 line
      Use request tokens to protect POST requests from CSFR

   ii. r2758 | thomasb | 2009-07-16 17:01:05 +0200 (Thu, 16 Jul 2009) | 1 line
      Force ajax calls to protect from CSRF

   iii. r2779 | thomasb | 2009-07-21 18:13:42 +0200 (Tue, 21 Jul 2009) | 1 line
      Also protect GET request from CSRF

   which, projected into changesets, gives these URLs:

   i. http://trac.roundcube.net/changeset/2755
   ii. http://trac.roundcube.net/changeset/2758
   iii. http://trac.roundcube.net/changeset/2779

And these three seem to be applicable to the latest version of RoundCube Webmail as shipped with Fedora 10. I assume newer versions (present in F11, F12 and rawhide) will already contain them.

I didn't check the versions of RoundCube Webmail shipped within the Extra Packages for Enterprise Linux 4 (EPEL-4) and 5 (EPEL-5) projects (these are still RoundCube Webmail 0.1.1 based), but it's possible some of the above changes are applicable against them too.

Jon, long story short, could you schedule an F10 RoundCube Webmail update with the above three commits?

Thanks, Jan.

See: https://admin.fedoraproject.org/updates/roundcubemail-0.2.2-4.fc10?_csrf_token=5d306bc36ec390a9824e793d7dc8511cb0055e61

I'll have a look at EL-5. RC isn't in EL-4, as it needs PHP5.

roundcubemail-0.1.1-6.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.

roundcubemail-0.2.2-4.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.