Common Vulnerabilities and Exposures assigned an identifier CVE-2009-4076 to the following vulnerability:

Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail 0.2.2 and earlier allows remote attackers to hijack the authentication of unspecified users for requests that modify user information via unspecified vectors, a different vulnerability than CVE-2009-4077.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4076
http://trac.roundcube.net/wiki/Changelog
http://jvn.jp/en/jp/JVN72974205/index.html
http://jvndb.jvn.jp/ja/contents/2009/JVNDB-2009-000071.html
http://www.osvdb.org/59661
http://secunia.com/advisories/37235

Common Vulnerabilities and Exposures assigned an identifier CVE-2009-4077 to the following vulnerability:

Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail 0.2.2 and earlier allows remote attackers to hijack the authentication of unspecified users for requests that send arbitrary emails via unspecified vectors, a different vulnerability than CVE-2009-4076.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4077
http://trac.roundcube.net/wiki/Changelog
http://jvn.jp/en/jp/JVN75694913/index.html
http://jvndb.jvn.jp/ja/contents/2009/JVNDB-2009-000072.html
http://www.osvdb.org/59661
http://secunia.com/advisories/37235
Jon, regarding the updates:
---------------------------
1, While in Fedora 11, 12 and rawhide we already ship 0.3-* based versions of RoundCube Webmail, in F10 the latest version is roundcubemail-0.2.2-2.fc10.

2, The above References records are poor wrt providing more information about the patches needed. The only mention of the CSRF issues I found is in [A]:

   Release 0.3-RC1
   ...
   * Use request tokens to protect POST requests from CSRF

   [A] http://trac.roundcube.net/wiki/Changelog

3, When I searched the SVN log for "Release 0.3-RC1" for CSRF related commits, I found these three:

   i,   r2755 | thomasb | 2009-07-15 11:49:35 +0200 (Wed, 15 Jul 2009) | 1 line
        Use request tokens to protect POST requests from CSFR

   ii,  r2758 | thomasb | 2009-07-16 17:01:05 +0200 (Thu, 16 Jul 2009) | 1 line
        Force ajax calls to protect from CSRF

   iii, r2779 | thomasb | 2009-07-21 18:13:42 +0200 (Tue, 21 Jul 2009) | 1 line
        Also protect GET request from CSRF

   which projected into commits gives these URLs:

   i,   http://trac.roundcube.net/changeset/2755
   ii,  http://trac.roundcube.net/changeset/2758
   iii, http://trac.roundcube.net/changeset/2779

And these three seem to be applicable to the latest version of RoundCube Webmail, as shipped with Fedora 10. I am assuming newer versions (present in F11, F12 and rawhide) already contain them. I didn't check the versions of RoundCube Webmail shipped within the Extra Packages for Enterprise Linux 4 (EPEL-4) and 5 (EPEL-5) projects (these are still RoundCube Webmail 0.1.1 based), but it's possible some of the above changes are applicable to them too.

Jon, long story short, could you schedule an F10 RoundCube Webmail update with the above three commits?

Thanks, Jan.
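The three upstream commits above describe one mitigation in three steps: bind a request token to the session, require it on POST forms, require it on AJAX calls, and require it on state-changing GET actions too. The following is an added illustration of that check, not Roundcube's code; the action names, the `_token` parameter and the `X-Request-Token` header are assumptions chosen for the example.

```python
import hmac
import secrets

# Constructed model of the request-token mitigation. Actions that change
# server-side state (sending mail, editing identities, deleting) need the
# token whatever the HTTP method; plain views do not. Names are assumed.
STATE_CHANGING_ACTIONS = {"send", "save-identity", "save-pref", "delete"}


def issue_token(session: dict) -> str:
    """Create one random token per login session and reuse it afterwards.

    The token is rendered into forms and handed to the AJAX layer; a page on
    another origin cannot read it, so a forged cross-site request lacks it.
    """
    if "request_token" not in session:
        session["request_token"] = secrets.token_hex(16)
    return session["request_token"]


def request_is_authorized(session: dict, method: str,
                          params: dict, headers: dict) -> bool:
    """Return True only if the request echoes the token bound to this session.

    POST forms carry it as the _token parameter (commit i), AJAX calls in the
    assumed X-Request-Token header (commit ii), and GET requests are checked
    whenever the action changes state (commit iii).
    """
    expected = session.get("request_token")
    if not expected:
        return False  # no token was ever issued for this session
    action = params.get("_action", "")
    if method == "GET" and action not in STATE_CHANGING_ACTIONS:
        return True   # read-only view: nothing to forge
    supplied = headers.get("X-Request-Token") or params.get("_token", "")
    # Constant-time comparison so a mismatch does not leak the token's bytes.
    return hmac.compare_digest(supplied, expected)
```

A forged request from another site, whether a POST form, an AJAX call, or a crafted GET link to a state-changing action, is rejected because the attacker's page cannot obtain the victim's session token.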
See: https://admin.fedoraproject.org/updates/roundcubemail-0.2.2-4.fc10?_csrf_token=5d306bc36ec390a9824e793d7dc8511cb0055e61

I'll have a look at EL-5. RC isn't in EL-4, as it needs PHP5.
EL-5 fixed.

https://admin.fedoraproject.org/updates/roundcubemail-0.1.1-6.el5?_csrf_token=143a1c4c6f12358ec4b015dd59105cdf4c613206
roundcubemail-0.1.1-6.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
roundcubemail-0.2.2-4.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.