Debian Bug report logs - #861388
roundcube: CVE-2017-8114: security issue in virtualmin and sasl drivers


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 28 Apr 2017 10:27:01 UTC

Severity: grave

Tags: security, upstream

Found in version roundcube/1.2.3+dfsg.1-3

Fixed in version roundcube/1.2.3+dfsg.1-4

Done: Guilhem Moulin <guilhem@guilhem.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>:
Bug#861388; Package src:roundcube. (Fri, 28 Apr 2017 10:27:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>. (Fri, 28 Apr 2017 10:27:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: roundcube: CVE-2017-8114: security issue in virtualmin and sasl drivers
Date: Fri, 28 Apr 2017 12:25:02 +0200
Source: roundcube
Version: 1.2.3+dfsg.1-3
Severity: grave
Tags: upstream security

Hi,

the following vulnerability was published for roundcube.

CVE-2017-8114[0]:
security issue in virtualmin and sasl drivers

The security tracker contains the commit references for 1.2.x, 1.1.x
and 1.0.x.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-8114
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8114

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>:
Bug#861388; Package src:roundcube. (Mon, 01 May 2017 22:03:04 GMT)


Acknowledgement sent to Guilhem Moulin <guilhem@guilhem.org>:
Extra info received and forwarded to list. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>. (Mon, 01 May 2017 22:03:04 GMT)


Message #10 received at 861388@bugs.debian.org:

From: Guilhem Moulin <guilhem@guilhem.org>
To: 861388@bugs.debian.org
Subject: Re: [Pkg-roundcube-maintainers] Bug#861388: roundcube: CVE-2017-8114: security issue in virtualmin and sasl drivers
Date: Mon, 1 May 2017 23:57:17 +0200
Control: tag -1 pending

On Fri, 28 Apr 2017 at 12:25:02 +0200, Salvatore Bonaccorso wrote:
> the following vulnerability was published for roundcube.
> 
> CVE-2017-8114[0]:
> security issue in virtualmin and sasl drivers

Thanks, pushed.  Sandro, Vincent, would you mind tagging & uploading?

-- 
Guilhem.

Added tag(s) pending. Request was from Guilhem Moulin <guilhem@guilhem.org> to 861388-submit@bugs.debian.org. (Mon, 01 May 2017 22:03:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>:
Bug#861388; Package src:roundcube. (Tue, 02 May 2017 07:00:05 GMT)


Acknowledgement sent to Vincent Bernat <bernat@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>. (Tue, 02 May 2017 07:00:05 GMT)


Message #17 received at 861388@bugs.debian.org:

From: Vincent Bernat <bernat@debian.org>
To: Guilhem Moulin <guilhem@guilhem.org>
Cc: 861388@bugs.debian.org
Subject: Re: Bug#861388: [Pkg-roundcube-maintainers] Bug#861388: roundcube: CVE-2017-8114: security issue in virtualmin and sasl drivers
Date: Tue, 02 May 2017 08:56:15 +0200
❦ 1 May 2017 23:57 +0200, Guilhem Moulin <guilhem@guilhem.org> :

>> the following vulnerability was published for roundcube.
>> 
>> CVE-2017-8114[0]:
>> security issue in virtualmin and sasl drivers
>
> Thanks, pushed.  Sandro, Vincent, would you mind tagging & uploading?

Done. Thanks!
-- 
10.0 times 0.1 is hardly ever 1.0.
            - The Elements of Programming Style (Kernighan & Plauger)

Reply sent to Guilhem Moulin <guilhem@guilhem.org>:
You have taken responsibility. (Tue, 02 May 2017 07:06:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 02 May 2017 07:06:06 GMT)


Message #22 received at 861388-close@bugs.debian.org:

From: Guilhem Moulin <guilhem@guilhem.org>
To: 861388-close@bugs.debian.org
Subject: Bug#861388: fixed in roundcube 1.2.3+dfsg.1-4
Date: Tue, 02 May 2017 07:03:52 +0000
Source: roundcube
Source-Version: 1.2.3+dfsg.1-4

We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 861388@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guilhem Moulin <guilhem@guilhem.org> (supplier of updated roundcube package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 01 May 2017 23:37:14 +0200
Source: roundcube
Binary: roundcube-core roundcube roundcube-mysql roundcube-pgsql roundcube-sqlite3 roundcube-plugins
Architecture: source all
Version: 1.2.3+dfsg.1-4
Distribution: unstable
Urgency: high
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
Changed-By: Guilhem Moulin <guilhem@guilhem.org>
Description:
 roundcube  - skinnable AJAX based webmail solution for IMAP servers - metapack
 roundcube-core - skinnable AJAX based webmail solution for IMAP servers
 roundcube-mysql - metapackage providing MySQL dependencies for RoundCube
 roundcube-pgsql - metapackage providing PostgreSQL dependencies for RoundCube
 roundcube-plugins - skinnable AJAX based webmail solution for IMAP servers - plugins
 roundcube-sqlite3 - metapackage providing SQLite dependencies for RoundCube
Closes: 861388
Changes:
 roundcube (1.2.3+dfsg.1-4) unstable; urgency=high
 .
   * Backport fix for CVE-2017-8114: Roundcube Webmail allows arbitrary
     password resets by authenticated users. This affects versions before
     1.0.11, 1.1.x before 1.1.9, and 1.2.x before 1.2.5. The problem is caused
     by an improperly restricted exec call in the virtualmin and sasl drivers
     of the password plugin. (Closes: #861388).
Checksums-Sha1:
 f8b9104bd9b595c1664f0a2b22be7d9f6c54928b 2470 roundcube_1.2.3+dfsg.1-4.dsc
 38ad3916e5540e78fd6e8152cb16a2e29d0ab73c 4442288 roundcube_1.2.3+dfsg.1-4.debian.tar.xz
 cd797aa74c556f713ddc3d8f484d797347122be2 2112032 roundcube-core_1.2.3+dfsg.1-4_all.deb
 eef06728f4bdc44e5fe3fbddd480a1a094ae334b 70792 roundcube-mysql_1.2.3+dfsg.1-4_all.deb
 f1c6f05cd818213cbf4acd88301d7830b0a4cfd2 70762 roundcube-pgsql_1.2.3+dfsg.1-4_all.deb
 d33c91b60014e4cf2fd2dd92b8d93b58d56c35e2 661566 roundcube-plugins_1.2.3+dfsg.1-4_all.deb
 e5a6270708485e91872e816ac95e7cf28fc1a2c1 70742 roundcube-sqlite3_1.2.3+dfsg.1-4_all.deb
 ecbb7a98c41d1fab3dbefc399a61fa1e92374cb0 1376 roundcube_1.2.3+dfsg.1-4_all.deb
 f02ac4289fc687d5c5fec13f04952482fe291ea3 9011 roundcube_1.2.3+dfsg.1-4_amd64.buildinfo
Checksums-Sha256:
 bc98b29226e77b6dc5f70eb4826e8539536cb341604f90ba81aa8deef53b6a83 2470 roundcube_1.2.3+dfsg.1-4.dsc
 6e640a46f38dedd6e36015e66522a6756258878a04a047b39758a84ba97f1f57 4442288 roundcube_1.2.3+dfsg.1-4.debian.tar.xz
 28b5b8e4eab62b8e3c867712966761328a13087b072cdb356259be44e00a96fa 2112032 roundcube-core_1.2.3+dfsg.1-4_all.deb
 85542ab7d75edfa00777608143d3c34d14084cc3097bd58167aade05766bda7b 70792 roundcube-mysql_1.2.3+dfsg.1-4_all.deb
 edae5116e73a82e90bab72b23f587008516bd2d3d6b349682d840b09ae4e405f 70762 roundcube-pgsql_1.2.3+dfsg.1-4_all.deb
 cfbfbe5fae682b737a6dbcd409eaa80b8cf149c125d7076878fc5207846a3c00 661566 roundcube-plugins_1.2.3+dfsg.1-4_all.deb
 30d6618508a4fd3e8d421d957947ef5a2e363ff597242389aa27315a2dad021c 70742 roundcube-sqlite3_1.2.3+dfsg.1-4_all.deb
 fb7947238ca8f3911dd4bb7e63e3547556790fb19f9dddb8e79243d80db9e6dd 1376 roundcube_1.2.3+dfsg.1-4_all.deb
 25c0ac6b662053bb53c1a5ac59497a42974e48913b824c7b996cbb343d6a0e26 9011 roundcube_1.2.3+dfsg.1-4_amd64.buildinfo
Files:
 95edba2cd2fd2ee74ea6a23e1266cb19 2470 web extra roundcube_1.2.3+dfsg.1-4.dsc
 bce551459aa0b891f3d1ee68cde57606 4442288 web extra roundcube_1.2.3+dfsg.1-4.debian.tar.xz
 c0750a8ce0aa51feb4cc39ee0b65520a 2112032 web extra roundcube-core_1.2.3+dfsg.1-4_all.deb
 a989b155bb2c78c688f38554ad7aced3 70792 web extra roundcube-mysql_1.2.3+dfsg.1-4_all.deb
 a19f53f75e32a3bb66b8e9c47e1b9920 70762 web extra roundcube-pgsql_1.2.3+dfsg.1-4_all.deb
 e05867a0eaedaa7b44bd6146159ded2f 661566 web extra roundcube-plugins_1.2.3+dfsg.1-4_all.deb
 f1955a0c56344976ddb5d5fd047aeca6 70742 web extra roundcube-sqlite3_1.2.3+dfsg.1-4_all.deb
 0db063f0794cdf98ef7e7bce5d9f66c6 1376 web extra roundcube_1.2.3+dfsg.1-4_all.deb
 47b76dc81996fdb00b9d84b2634d2170 9011 web extra roundcube_1.2.3+dfsg.1-4_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJEBAEBCAAuFiEErvI0h4bzccaJpzYAlaQv6DU1JfkFAlkILDQQHGJlcm5hdEBs
dWZmeS5jeAAKCRCVpC/oNTUl+UZ8EACJ91rtToMbMzWAY/BN2QVEpHmi8vIibpg9
8Hg9vdAQUFYpmFOMVUyKpcJAa+Mq0uNMm6QED0G2Rv1aQ80d2TsilZuKjWumjzDE
7rT1yhB3YtbXhfaXJwXJvl9MR1WF8znZ5reK+lJS92QHwERR8OQvHzZRrDVWlNEs
KJtS94zkLrzLHyRp2E5sbjWlcuvPlV70iTdVyDx74WNs2rbsOqsm/yybyy5UWO/Z
TelDI4/ai4cYYEQ8xERkv2ykNkkhqaoFgvfhc+1zLbjlx7h8SrxBelDwXFMZ/3ja
dZfh8VU9BEiIwF1C1uIpOTKx8+agUScOYxEVm4psXK9ckf23w5yPvY/vzhdJAqY6
5OwVXpEx4kABI/TbiRhbCHSobFRQ6EizJxFoUQt9z3H9vqrSLTSHKCTqFOM/tG1O
qTWnUF4WKzvWrpmCDvONkbmz5DDgwQ9E343Z7d1d2+USuzRAt8jC4sXH0HLELvxW
FAnBDWKsz/zQTeK0y4WZlqmY4DSiG6h4r7c6uqKQZRkOV/+ny+9/AdUGVJsygP3V
86QXWB3wZvancqI5TO9Lz7eL+3FFx4lu1hrMqGEqR4TzW8yH3/OGG5BU89TJiKkX
xcLlR2xG+EzIoNpvdKGw2zbFD3EOrlHRQP/Mw8/LWDx3Z1nFXtl8XcG3Ig5pLpvD
Jgkt0+FBGw==
=ubiT
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 09 Jun 2017 07:29:33 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:59:13 2019; Machine Name: beach
