Package: roundcube
Version: 1.1.4+dfsg.1-1~bpo8+1
Severity: grave
Tags: upstream security
Justification: user security hole
Dear Maintainer,

I am reporting this as it is quite important, as the testing and unstable versions of roundcube are affected (and even all the backports offered, which hopefully will be updated via a bug report to the backport mailing list once the packages are upgraded or the bug patch is backported):

"malicious user can execute arbitrary commands on the underlying operating system remotely, simply by writing an email in Roundcube 1.2.2 (>= 1.0)"

"Requirements
The vulnerability has the following requirements for exploitation:
- Roundcube must be configured to use PHP's mail() function (by default, if no SMTP was specified)
- PHP's mail() function is configured to use sendmail (by default, see sendmail_path)
- PHP is configured to have safe_mode turned off (by default, see safe_mode)
- An attacker must know or guess the absolute path of the webroot
These requirements are not particularly demanding, which in turn means that there were a lot of vulnerable systems in the wild."

The usage of the PHP mail() function is the default in the package.

More details about this at:
https://blog.ripstech.com/2016/roundcube-command-execution-via-email/#fn:1

So probably it is important to update to upstream version 1.2.3.

Regards,
Juan.-

-- System Information:
Debian Release: 8.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 4.4.32-rh33-20161115070633.xenU.i386 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages roundcube depends on:
ii  roundcube-core  1.1.4+dfsg.1-1~bpo8+1

roundcube recommends no packages.

roundcube suggests no packages.
Versions of packages roundcube-core depends on:
ii  dbconfig-common            1.8.47+nmu3+deb8u1
ii  debconf [debconf-2.0]      1.5.56
ii  libapache2-mod-php5        5.6.19+dfsg-0+deb8u1
ii  libmagic1                  1:5.22+15-2+deb8u1
ii  php-auth                   1.6.4-1
ii  php-mail-mime              1.8.9-1+deb8u1
ii  php-mail-mimedecode        1.5.5-2+deb8u1
ii  php-net-smtp               1.6.2-2
ii  php-net-socket             1.0.14-1
ii  php5                       5.6.19+dfsg-0+deb8u1
ii  php5-cli                   5.6.19+dfsg-0+deb8u1
ii  php5-common                5.6.19+dfsg-0+deb8u1
ii  php5-intl                  5.6.19+dfsg-0+deb8u1
ii  php5-json                  1.3.6-1
ii  php5-mcrypt                5.6.19+dfsg-0+deb8u1
ii  roundcube-mysql            1.1.4+dfsg.1-1~bpo8+1
ii  ucf                        3.0030

Versions of packages roundcube-core recommends:
ii  apache2 [httpd-cgi]             2.4.10-10+deb8u4
ii  apache2-mpm-prefork [httpd-cgi] 2.4.10-10+deb8u4
ii  php-net-ldap3                   1.0.3-1~bpo8+1
ii  php-net-sieve                   1.3.2-4
ii  php5-gd                         5.6.19+dfsg-0+deb8u1
ii  php5-pspell                     5.6.19+dfsg-0+deb8u1

Versions of packages roundcube-core suggests:
ii  php-auth-sasl     1.0.6-1+deb8u1
pn  php-crypt-gpg     <none>
ii  roundcube-plugins 1.1.4+dfsg.1-1~bpo8+1

-- debconf information excluded
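An added audit helper (not part of this bug report or of the Roundcube project) that checks the three configuration preconditions quoted above on a host before the 1.2.3 update lands: an empty `$config['smtp_server']` in config.inc.php (Roundcube then falls back to PHP's mail()), a `sendmail_path` that invokes sendmail, and `safe_mode` off. The config path and the `php -r` commands in the comment are the usual Debian ones and are assumed; the webroot requirement cannot be judged from configuration and is not checked.

```shell
#!/bin/bash
# Audit helper written for this report; not Roundcube's own code.

# roundcube_uses_php_mail FILE
# Returns 0 when $config['smtp_server'] (or the older $rcmail_config form) is
# unset or empty in FILE, i.e. Roundcube would fall back to PHP's mail().
# Commented-out assignments are ignored; the last live assignment wins, as in PHP.
roundcube_uses_php_mail() {
    local cfg="$1" value
    value=$(grep -E '^[[:space:]]*\$(rcmail_)?config\[.smtp_server.][[:space:]]*=' "$cfg" \
            | tail -n1 \
            | sed -E "s/^[^=]*=[[:space:]]*['\"]?([^'\";]*)['\"]?[[:space:]]*;.*/\1/")
    [ -z "$value" ]
}

# php_mail_uses_sendmail SENDMAIL_PATH -> 0 if the configured path invokes sendmail
php_mail_uses_sendmail() {
    case "$1" in
        *sendmail*) return 0 ;;
        *)          return 1 ;;
    esac
}

# php_safe_mode_off VALUE -> 0 if safe_mode is off or absent. safe_mode was
# removed in PHP 5.4, so ini_get() yields an empty string on the PHP 5.6 above.
php_safe_mode_off() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        ''|0|off|false) return 0 ;;
        *)              return 1 ;;
    esac
}

# roundcube_mail_preconditions_met CONFIG SENDMAIL_PATH SAFE_MODE
# -> 0 when all three preconditions from the report hold on this host
roundcube_mail_preconditions_met() {
    roundcube_uses_php_mail "$1" && php_mail_uses_sendmail "$2" && php_safe_mode_off "$3"
}

# Live use on a Debian host (assumed paths/commands):
#   roundcube_mail_preconditions_met /etc/roundcube/config.inc.php \
#       "$(php -r 'echo ini_get("sendmail_path");')" \
#       "$(php -r 'echo ini_get("safe_mode");')" && echo "preconditions met"

# Constructed sample config so the script runs stand-alone (mirrors the package default).
sample_cfg=$(mktemp)
printf '%s\n' '<?php' "// \$config['smtp_server'] = 'localhost';" "\$config['smtp_server'] = '';" > "$sample_cfg"
if roundcube_mail_preconditions_met "$sample_cfg" "/usr/sbin/sendmail -t -i" ""; then
    echo "sample config: mail() via sendmail with safe_mode off, preconditions met"
fi
rm -f "$sample_cfg"
```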