Bug 690456 (CVE-2011-1491, CVE-2011-1492)
| Summary: | CVE-2011-1491 CVE-2011-1492 roundcubemail: v0.5.1 two security fixes | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | unspecified | CC: | christoph.wickert, gwync, mhlavink |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-01-31 10:24:43 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 690457, 690458 | | |
| Bug Blocks: | | | |
Description
Jan Lieskovsky
2011-03-24 11:58:25 UTC
These issues affect the versions of the roundcubemail package as shipped with Fedora releases 13 and 14. These issues also affect the version of the roundcubemail package present in the EPEL-6 repository. Please schedule an update.

Created roundcubemail tracking bugs for this issue:

Affects: fedora-all [bug 690457]
Affects: epel-6 [bug 690458]

Ugh. I can't even go higher than 0.3.1 on F-13, F-14, or EPEL-6 because of the available version of php-pear-MDB2. I'll get 0.5.1 to rawhide and F-15 after testing, then work on backporting...

The CVE-2011-1491 and CVE-2011-1492 identifiers have been assigned (http://www.openwall.com/lists/oss-security/2011/04/04/50) to these issues (quoting the exact reply from Josh so that it is visible at first sight which id was assigned to which issue / patch):

===============================================
Subject: Re: CVE request: roundcube < 0.5.1 CSRF

Thanks for sorting this Jan.

> > http://trac.roundcube.net/wiki/Changelog
> >
> > two cross site request forgery, one additional issue fixed in 0.5.1:
> >
> > "Security: add optional referer check to prevent CSRF in GET
> > requests
>
> Looks like this one is just security hardening with the patches:
> [1] http://trac.roundcube.net/changeset/4503
> [2] http://trac.roundcube.net/changeset/4504
>
> For the CSRF flaws:
>
> > Security: protect login form submission from CSRF
> Patch: [3] http://trac.roundcube.net/changeset/4490

Use CVE-2011-1491 for the above.

> > Security: prevent from relaying malicious requests through
> > modcss.inc"
> Patch: [4] http://trac.roundcube.net/changeset/4488
>

Use CVE-2011-1492 for the above.

Thanks.

-- JB