You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
gentoo-overlay/metadata/glsa/glsa-201612-44.xml

54 lines
1.9 KiB

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-44">
<title>Roundcube: Arbitrary code execution</title>
<synopsis>A vulnerability in Roundcube could potentially lead to arbitrary
code execution.
</synopsis>
<product type="ebuild">roundcube</product>
<announced>2016-12-24</announced>
<revised count="1">2016-12-24</revised>
<bug>601410</bug>
<access>remote</access>
<affected>
<package name="mail-client/roundcube" auto="yes" arch="*">
<unaffected range="ge">1.2.3</unaffected>
<vulnerable range="lt">1.2.3</vulnerable>
</package>
</affected>
<background>
<p>Free and open source webmail software for the masses, written in PHP.</p>
</background>
<description>
<p>Roundcube, when no SMTP server is configured and the sendmail program is
enabled, does not properly restrict the use of custom envelope-from
addresses on the sendmail command line.
</p>
</description>
<impact type="normal">
<p>An authenticated remote attacker could possibly execute arbitrary code
with the privileges of the process, or cause a Denial of Service
condition.
</p>
</impact>
<workaround>
<p>Dont use a MTA (Mail Transfer Agent) in conjunction with Roundcube
which implements sendmails “-O” or “-X” parameter, or
configure Roundcube to use a SMTP server as recommended by upstream.
</p>
</workaround>
<resolution>
<p>All Roundcube users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=mail-client/roundcube-1.2.3"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9920">CVE-2016-9920</uri>
</references>
<metadata tag="requester" timestamp="2016-12-23T15:26:48Z">whissi</metadata>
<metadata tag="submitter" timestamp="2016-12-24T06:42:27Z">whissi</metadata>
</glsa>