CVE-2021-29472 Vulnerability in CentOS 7 (7.6.1810)

round_mania:
Hi,
As you know, the CVE-2021-29472 vulnerability has been published, and I did not find any related description of whether Roundcube is vulnerable or not.

JohnDoh:

--- Quote ---The impact to Composer users directly is limited as the composer.json file is typically under their own control
--- End quote ---
So, no. Just make sure you've updated your version of Composer.

round_mania:
As my server is in a datacenter and does not have internet access, I cannot update Composer. Considering this condition, is it vulnerable if I don't update Composer?

JohnDoh:
As I understand the vulnerability it relates to the download of packages from VCS repositories. Roundcube does not include any VCS repos in its default composer.json file and as far as I can see none of the packages it does require mention any VCS repos. So unless you added one of your own....

Anyway, if you are not using Composer for package management on your server, why would you even have it installed?

If you want to know more about the Composer vulnerability then try the Composer community.
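
Added example (not part of the thread, and not Roundcube or Composer project code): one way to carry out the check described in the reply above on an offline server, by listing any VCS-backed `repositories` entries in the `composer.json` files under an install directory. The set of repository types and the `example.invalid` URLs in the sample are assumptions made for this sketch.

```python
import json
from pathlib import Path

# Repository types that make Composer fetch from a version-control system.
VCS_TYPES = {"vcs", "git", "hg", "svn", "fossil"}


def vcs_repositories(manifest):
    """Return (type, url) for each VCS-backed repository in a parsed composer.json."""
    repos = manifest.get("repositories", [])
    # Composer accepts a list or an object keyed by repository name.
    entries = repos.values() if isinstance(repos, dict) else repos
    found = []
    for entry in entries:
        if not isinstance(entry, dict):  # object form: "packagist.org": false
            continue
        rtype = str(entry.get("type", "")).lower()
        if rtype in VCS_TYPES:
            found.append((rtype, entry.get("url", "")))
        elif rtype == "package":
            # Inline package definitions can name their own VCS source.
            pkgs = entry.get("package", [])
            for pkg in [pkgs] if isinstance(pkgs, dict) else pkgs:
                src = pkg.get("source") or {}
                if str(src.get("type", "")).lower() in VCS_TYPES:
                    found.append((src["type"].lower(), src.get("url", "")))
    return found


def audit_tree(root):
    """Map each composer.json under root (vendor/ included) to its VCS entries."""
    report = {}
    for path in sorted(Path(root).rglob("composer.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            report[str(path)] = [("unreadable", "")]
            continue
        hits = vcs_repositories(manifest) if isinstance(manifest, dict) else []
        if hits:
            report[str(path)] = hits
    return report


# Constructed sample: someone added a VCS repository of their own.
SAMPLE = {"repositories": [
    {"type": "composer", "url": "https://repo.example.invalid"},
    {"type": "vcs", "url": "https://git.example.invalid/example/plugin"},
]}
print(vcs_repositories(SAMPLE))
```

Calling `audit_tree()` on the install directory returns an empty dict when no `composer.json` in the tree declares a VCS repository.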