690456 – (CVE-2011-1491, CVE-2011-1492) CVE-2011-1491 CVE-2011-1492 roundcubemail: v0.5.1 two security fixes

Bug 690456 (CVE-2011-1491, CVE-2011-1492) - CVE-2011-1491 CVE-2011-1492 roundcubemail: v0.5.1 two security fixes

Summary: CVE-2011-1491 CVE-2011-1492 roundcubemail: v0.5.1 two security fixes

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2011-1491, CVE-2011-1492
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	690457 690458
Blocks:
TreeView+	depends on / blocked

Reported:	2011-03-24 11:58 UTC by Jan Lieskovsky
Modified:	2019-09-29 12:43 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2017-01-31 10:24:43 UTC
Embargoed:

Attachments	(Terms of Use)

Description Jan Lieskovsky 2011-03-24 11:58:25 UTC

Roundcube Webmail upstream has released v0.5.1 version:
[1] http://trac.roundcube.net/wiki/Changelog

which adds one security hardening:
1), Security: add optional referer check to prevent CSRF in GET requests
    Relevant patches:
    [2] http://trac.roundcube.net/changeset/4503
    [3] http://trac.roundcube.net/changeset/4504

and fixes two security flaws:
2), Security: protect login form submission from CSRF
    Relevant patch:
    [4] http://trac.roundcube.net/changeset/4490
3), Security: prevent from relaying malicious requests through modcss.inc
    Relevant patch:
    [5] http://trac.roundcube.net/changeset/4488

References:
[6] http://www.openwall.com/lists/oss-security/2011/03/24/3
    (CVE Request)
[7] http://roundcube.net/news
[8] http://sourceforge.net/news/?group_id=139281&id=297236

Comment 1 Jan Lieskovsky 2011-03-24 12:00:32 UTC

This issues affect the versions of the roundcubemail package,
as shipped with Fedora release of 13 and 14.

This issue affect the version of the roundcubemail package,
as present within EPEL-6 repository.

Please schedule an update.

Comment 2 Jan Lieskovsky 2011-03-24 12:02:11 UTC

Created roundcubemail tracking bugs for this issue

Affects: fedora-all [bug 690457]
Affects: epel-6 [bug 690458]

Comment 3 Gwyn Ciesla 2011-03-24 15:23:55 UTC

Ugh.  I can't even go higher than 0.3.1 on F-13, F-14, or EPEL-6 because of the available version of php-pear-MDB2.  I'll get 0.5.1 to rawhide and F-15 after testing, then work on backporting. . .

Comment 4 Jan Lieskovsky 2011-04-06 10:31:45 UTC

The CVE-2011-1491 and CVE-2011-1492 identifiers have been assigned
(http://www.openwall.com/lists/oss-security/2011/04/04/50) to these
issues (quoting exact reply from Josh to be visible at first sight,
which id was assigned to which issue / patch):
===============================================

Subject: Re: CVE request: roundcube < 0.5.1 CSRF

Thanks for sorting this Jan.

> > http://trac.roundcube.net/wiki/Changelog
> >
> > two cross site request forgery, one additional issue fixed in 0.5.1:
> >
> > "Security: add optional referer check to prevent CSRF in GET
> > requests
> 
> Looks this one being just security hardening with the patches:
> [1] http://trac.roundcube.net/changeset/4503
> [2] http://trac.roundcube.net/changeset/4504
> 
> For the CSRF flaws:
> 
> > Security: protect login form submission from CSRF
> Patch: [3] http://trac.roundcube.net/changeset/4490

Use CVE-2011-1491 for the above.

> 
> > Security: prevent from relaying malicious requests through
> > modcss.inc"
> Patch: [4] http://trac.roundcube.net/changeset/4488
> 

Use CVE-2011-1492 for the above.

Thanks.

-- 
    JB

Note You need to log in before you can comment on or make changes to this bug.