

+ Includes fix for CVE-2018-9846: When the archive plugin enabled and
configured, it's possible to exploit the unsanitized, user-controlled
roundcube (1.3.6+dfsg.1-1) unstable urgency=medium
roundcube-sqlite3 - metapackage providing SQLite dependencies for RoundCube
roundcube-plugins - skinnable AJAX based webmail solution for IMAP servers - plugins
roundcube-pgsql - metapackage providing PostgreSQL dependencies for RoundCube

roundcube-mysql - metapackage providing MySQL dependencies for RoundCube
roundcube-core - skinnable AJAX based webmail solution for IMAP servers
roundcube - skinnable AJAX based webmail solution for IMAP servers - metapack
Maintainer: Debian Roundcube Maintainers
(This message was generated automatically at their request if you
believe that there is a problem with it please contact the archive
administrators by mailing
PGP SIGNED MESSAGE-
Binary: roundcube-core roundcube roundcube-mysql roundcube-pgsql roundcube-sqlite3 roundcube-plugins
Guilhem Moulin (supplier of updated roundcube package)
Have further comments please address them to the maintainer will reopen the bug report if appropriate.
Thank you for reporting the bug, which will now be closed.
Roundcube, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
We believe that the bug you reported is fixed in the latest version of
must be writeable for the user who runs PHP process (Apache user if mod_php is being used)
But 1.3.3+dfsg.1-2 doesn't have the fix, we need to wait for the next
Date: Sat, 19:22:14 +0000
Source: roundcube
Note that you can configure the temporary folder with $config.
> You can close the bug, or add an exception for this kind of situations (that
> So the file was created in /tmp instead.
> /var/lib/roundcube/temp on my server did not allow writing for the PHP user.
> After more digging, it appears that the permissions on
roundcube/reconfigure-webserver: apache2, lighttpd
Date: Tue, 22:25:57 +0100
Control: retitle -1 Better handling of temp_dir misconfiguration
roundcube/missing-db-package-error: abort
* roundcube/pgsql/authmethod-user: password

* roundcube/db/app-user: roundcube/pgsql/authmethod-admin: ident
Versions of packages roundcube-core suggests:
Versions of packages roundcube-core recommends:
Versions of packages roundcube-core depends on:
Versions of packages roundcube depends on:
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Kernel: Linux 4.9.0-4-amd64 (SMP w/4 CPU cores)
In the Roundcube configured temp dir (/var/lib/roundcube/temp), roundcube removes it.
Configuring the temp_dir variable to /tmp/ solves the issue:
So, the problem is that the temp file is created in /tmp, and, since it's not
I get the following error in my log files:
Dec 5 20:17:59 xxxxxxxx roundcube: PHP Error: toto can't read /tmp/rcmAttmntjoFOF5 (not in temp_dir) in /usr/share/roundcube/plugins/filesystem_attachments/filesystem_attachments.php on line 216 (POST /roundcube/?_task=mail&_unlock=loading1512501479300&_lang=fr&_framed=1&_action=send)
*** End of the template - remove these template lines ***
The attachment is not on the sent message, neither on the
attachment sent and stored in the sent folder.
* What exactly did you do (or not do) that was effective (or
*** Reporter, please consider answering these questions, where appropriate ***
