Author Topic: Security updates 0.8.6 and 0.7.3  (Read 5930 times)

Offline SKaero

  • Administrator
  • Hero Member
  • *****
  • Posts: 5,517
    • http://SKaero.com/
Security updates 0.8.6 and 0.7.3
« on: March 27, 2013, 06:38:04 PM »
We just published new releases which fix a recently reported vulnerability that allows an attacker to access files on the server. Please update your installations with the new versions or patch them with the fix which is also published in the downloads section or our sourceforge.net page.

Download the latest version from http://roundcube.net/download

Patch for 0.9.x: http://ow.ly/jtQD0
Patch for 0.8.x: http://ow.ly/jtQHM
Patch for 0.7.x: http://ow.ly/jtQK0
Patch for 0.6: http://ow.ly/jtQNd

In order to find out whether one of your users has vulnerable preferences, you can run the following query on the Roundcube user database:

SELECT * FROM users WHERE preferences LIKE '%generic_message_footer%'

If this returns any results, you should block that user because he or she most likely tried to exploit your system.

And here's some background about the vulnerability: http://lists.roundcube.net/pipermail/dev/2013-March/022328.html

Source: http://sourceforge.net/news/?group_id=139281&id=310497
Get it Now: http://roundcube.net/download

Offline pinemail11

  • Jr. Member
  • **
  • Posts: 16
Re: Security updates 0.8.6 and 0.7.3
« Reply #1 on: March 29, 2013, 07:03:49 AM »
Thanks SKaero for the patches.

All,

I tried to patch my 8.4 &  7.2 versions, 8.4 patched well without any issue but  using 7.x patch & I am facing following problem.

patch --dry-run -p1 < /root/save_prefs_vulnerability_fix_0.7.patch
patching file program/include/rcube_plugin.php
patching file program/include/rcube_plugin_api.php
patching file program/steps/mail/sendmail.inc
patching file program/steps/utils/save_pref.inc
Hunk #2 FAILED at 14.
1 out of 3 hunks FAILED -- saving rejects to file program/steps/utils/save_pref.inc.rej

Could some one can please help in resolving the issue.

Thanks in advance for the help!

Regards,

PineMailAdmin

Offline pinemail11

  • Jr. Member
  • **
  • Posts: 16
Re: Security updates 0.8.6 and 0.7.3
« Reply #2 on: March 29, 2013, 07:23:33 AM »

Look like we are able to fix it, just got into more details and found in program/steps/utils/save_pref.inc

line 18  has following code <$Id: save_pref.inc 4410 2011-01-12 18:25:02Z thomasb $> whereas patch file was looking for <$Id$>.

Since patch file is removing this line, I thought of replacing original code with expected code from patch file and it worked well.

I hope this should work well.


I have one old live server with 5.3 version, one quick question - will 6.x patch work on roundcube 5.3 version

thanks in advance.

Regards,

PineMailAdmin 

Offline SKaero

  • Administrator
  • Hero Member
  • *****
  • Posts: 5,517
    • http://SKaero.com/
Re: Security updates 0.8.6 and 0.7.3
« Reply #3 on: March 29, 2013, 10:42:24 AM »
I have one old live server with 5.3 version, one quick question - will 6.x patch work on roundcube 5.3 version
The basic's of the patch should work, but you may have to do it manually.

Offline blubcube

  • Jr. Member
  • **
  • Posts: 16
Re: Security updates 0.8.6 and 0.7.3
« Reply #4 on: March 30, 2013, 07:10:11 AM »
How too implement this patch?
Didnt find a docu to this

Offline SKaero

  • Administrator
  • Hero Member
  • *****
  • Posts: 5,517
    • http://SKaero.com/
Re: Security updates 0.8.6 and 0.7.3
« Reply #5 on: March 30, 2013, 07:43:18 AM »
If you don't know how or can't use the patch command just do a standard RoundCube upgrade.