Your message dated Thu, 31 Oct 2013 21:20:29 +0000
with message-id <e1vbzfj-0004ki...@franck.debian.org>
and subject line Bug#727668: fixed in roundcube 0.9.4-1.1
has caused the Debian Bug report #727668,
regarding roundcube: CVE-2013-6172: vulnerability in handling _session argument of utils/save-prefs
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
727668: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=727668
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: roundcube
Severity: grave
Tags: security upstream patch fixed-upstream
Hi,
the following vulnerability was published for roundcube.
CVE-2013-6172[0]:
vulnerability in handling _session argument of utils/save-prefs
See [1] for further information.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6172
http://security-tracker.debian.org/tracker/CVE-2013-6172
[1] http://roundcube.net/news/2013/10/21/security-updates-095-and-087/
[2] http://trac.roundcube.net/ticket/1489382
Please adjust the affected versions in the BTS as needed (not yet
verified if also roundcube in oldstable/squeeze is affected).
Do you have a chance to prepare packages also for wheezy-security (and
squeeze-security if affected)?
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: roundcube
Source-Version: 0.9.4-1.1
We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 727...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated roundcube package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 26 Oct 2013 21:47:22 +0200
Source: roundcube
Binary: roundcube-core roundcube roundcube-mysql roundcube-pgsql roundcube-sqlite3 roundcube-plugins
Architecture: source all
Version: 0.9.4-1.1
Distribution: unstable
Urgency: high
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintain...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Description:
roundcube - skinnable AJAX based webmail solution for IMAP servers - metapack
roundcube-core - skinnable AJAX based webmail solution for IMAP servers
roundcube-mysql - metapackage providing MySQL dependencies for RoundCube
roundcube-pgsql - metapackage providing PostgreSQL dependencies for RoundCube
roundcube-plugins - skinnable AJAX based webmail solution for IMAP servers - plugins
roundcube-sqlite3 - metapackage providing SQLite dependencies for RoundCube
Closes: 727668
Changes:
roundcube (0.9.4-1.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Add CVE-2013-6172.patch patch.
     CVE-2013-6172: An attacker can overwrite configuration settings using
     user preferences. This can result in random file access and manipulated
     SQL queries. (Closes: #727668)
--- End Message ---
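The changelog entry above describes the bug class only as "overwrite configuration settings using user preferences". The following is an added illustrative model of that class and of the usual mitigation, an allowlist of user-settable keys; it is not Roundcube's code, and the config keys and submitted values are constructed for the example.

```python
"""Model of the bug class named in CVE-2013-6172: user preferences merged
into the effective runtime configuration without an allowlist.
Illustrative code, not Roundcube's; keys and values are constructed."""
from typing import Any, Dict, Tuple

# Constructed sample: a trimmed runtime config for a webmail-style app.
BASE_CONFIG: Dict[str, Any] = {
    "db_dsnw": "mysql://app:secret@localhost/appdb",   # DB connection (sensitive)
    "temp_dir": "/var/lib/app/temp",                  # file location (sensitive)
    "timezone": "UTC",
    "language": "en_US",
    "skin": "default",
}

# Keys a user may legitimately change through a "save preferences" action.
USER_PREF_ALLOWLIST = frozenset({"timezone", "language", "skin"})

# Constructed request body: one legitimate key plus two that should never
# be accepted from a user.
SUBMITTED_PREFS: Dict[str, Any] = {
    "timezone": "Europe/Berlin",
    "temp_dir": "/tmp/attacker-controlled",
    "db_dsnw": "mysql://app:secret@evil.example/appdb",
}


def apply_prefs_vulnerable(config: Dict[str, Any], prefs: Dict[str, Any]) -> Dict[str, Any]:
    """Vulnerable pattern: every submitted key lands in the effective config,
    so a user-controlled preference can shadow file paths or the DB DSN."""
    merged = dict(config)
    merged.update(prefs)
    return merged


def apply_prefs_hardened(config: Dict[str, Any],
                         prefs: Dict[str, Any]) -> Tuple[Dict[str, Any], Dict[str, Any]]:
    """Hardened pattern: only allowlisted string-valued keys are honoured.
    Rejected keys are returned so the caller can log them as a detection signal."""
    merged = dict(config)
    rejected: Dict[str, Any] = {}
    for key, value in prefs.items():
        if key in USER_PREF_ALLOWLIST and isinstance(value, str):
            merged[key] = value
        else:
            rejected[key] = value
    return merged, rejected
```

A non-empty `rejected` map from a real client is worth alerting on, since a legitimate UI never submits keys outside the allowlist.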