Author Topic: RoundCube News: Security update 0.5.4 is out  (Read 10231 times)

Offline bpat1434

  • Administrator
  • Hero Member
  • *****
  • Posts: 673
RoundCube News: Security update 0.5.4 is out
« on: August 12, 2011, 04:11:02 PM »
We just published a new release which fixes a recently reported XSS vulnerability as an update to the stable 0.5 branch. Please update your installations with this new version or patch them with the fix, which is also published in the downloads section or on our sourceforge.net page.


Offline OHosNL

  • Newbie
  • *
  • Posts: 4
RoundCube News: Security update 0.5.4 is out
« Reply #1 on: August 12, 2011, 05:22:31 PM »
A hasty release perhaps?

Code:
Call to undefined function rcube_label_exists() in (...)

Code:
# grep -R  rcube_label_exists roundcubemail-0.5.4/*
roundcubemail-0.5.4/program/include/rcube_json_output.php:            if (rcube_label_exists($message)) {
roundcubemail-0.5.4/program/include/rcube_template.php:            if (rcube_label_exists($message)) {
#

sk_illed

  • Guest
RoundCube News: Security update 0.5.4 is out
« Reply #2 on: August 12, 2011, 07:19:02 PM »
Anyone else having this issue? Or NOT having the issue?

Offline m4lvin

  • Newbie
  • *
  • Posts: 2
RoundCube News: Security update 0.5.4 is out
« Reply #3 on: August 12, 2011, 08:24:00 PM »
I don't have this issue. But:
1) Some actions bring up a red error popup "internal server error" on top, though they still happen / work. Example: packing folders / purging.
2) Logout is not working. /rcmail/?_task=logout is a white page and the session is still open.
So long, I'd better keep the old version and would like to do that patch manually... Where can I find instructions?
Greets and thanks for this otherwise awesome piece of software!

Offline SKaero

  • Administrator
  • Hero Member
  • *****
  • Posts: 5,876
    • SKaero - Custom Roundcube development
RoundCube News: Security update 0.5.4 is out
« Reply #4 on: August 12, 2011, 09:04:18 PM »
This is the fix Changeset 5037

Offline jonabbey

  • Newbie
  • *
  • Posts: 4
RoundCube News: Security update 0.5.4 is out
« Reply #5 on: August 12, 2011, 09:05:15 PM »
Yes, this was a hasty release. The rcube_label_exists function is not defined in the tarball, and is not created by the patch. It is the source of that "Internal Server Error" popup.

Offline jonabbey

  • Newbie
  • *
  • Posts: 4
RoundCube News: Security update 0.5.4 is out
« Reply #6 on: August 12, 2011, 09:11:36 PM »
Even if you fix the rcube_label_exists() issue by adding that function to main.inc.php from the subversion trunk, there are other functions missing.

Looks like this release should be pulled.

Offline Schmatze

  • Jr. Member
  • **
  • Posts: 31
RoundCube News: Security update 0.5.4 is out
« Reply #7 on: August 13, 2011, 05:36:48 AM »
I also have this issue. I've got these errors after an upgrade from 5.2 to 5.4:

PHP Fatal error:  Call to undefined function rcube_label_exists() in /.../program/include/rcube_json_output.php on line 172

and

PHP Fatal error:  Call to undefined function rcube_label_exists() in /.../program/include/rcube_template.php on line 252

EDIT: here are some lines of my /.../program/include/main.inc file:

Quote

...

/**
 * Get localized text in the desired language
 * It's a global wrapper for rcmail::gettext()
 *
 * @param mixed Named parameters array or label name
 * @return string Localized text
 * @see rcmail::gettext()
 */
function rcube_label($p, $domain=null)
{
  return rcmail::get_instance()->gettext($p, $domain);
}


/**
 * Overwrite action variable
 *
 * @param string New action value
 */
function rcmail_overwrite_action($action)
  {
  $app = rcmail::get_instance();
  $app->action = $action;
  $app->output->set_env('action', $action);
  }

...


If I compare this with this one: https://svn.roundcube.net/trunk/roundcubemail/program/include/main.inc there is something missing:

Quote
/**
 * Global wrapper of rcmail::text_exists()
 * to check whether a text label is defined
 *
 * @see rcmail::text_exists()
 */
function rcube_label_exists($name, $domain=null)
{
  return rcmail::get_instance()->text_exists($name, $domain);
}


EDIT2: I've inserted these lines but it seems that more strange things are going on. I've downgraded again.
« Last Edit: August 13, 2011, 05:57:28 AM by Schmatze »
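
The check done by hand in the replies above (grep for the callers, then compare main.inc against trunk) can be run over a whole unpacked tree before it goes live. This is an added example, not part of the original thread and not Roundcube code; the function name `undefined_calls`, the default `rcube_` prefix filter and the reliance on GNU grep are assumptions.

```shell
#!/bin/sh
# Added example (not Roundcube code): list prefixed global functions that a
# PHP tree calls but never defines. Assumes GNU grep (-R, -o, --include, \<).
# usage: undefined_calls <source-dir> [prefix]    (prefix defaults to rcube_)
undefined_calls() {
    src=$1
    prefix=${2:-rcube_}
    name="${prefix}[A-Za-z0-9_]+"
    tmp=$(mktemp -d) || return 1

    # Names that have a "function <name>(" definition somewhere in the tree.
    grep -RhoE --include='*.php' --include='*.inc' \
        "function[[:space:]]+&?${name}[[:space:]]*\(" "$src" |
        sed -E 's/^function[[:space:]]+&?//; s/[[:space:]]*\($//' |
        sort -u > "$tmp/defined"

    # Names that are called: drop comment lines, then blank out definitions,
    # "new <class>(" and method calls so only plain function calls remain.
    grep -RhE --include='*.php' --include='*.inc' "${name}[[:space:]]*\(" "$src" |
        grep -vE '^[[:space:]]*(//|#|/?\*)' |
        sed -E "s/(function|new)[[:space:]]+&?${name}//g; s/(->|::)${name}//g" |
        grep -oE "\<${name}[[:space:]]*\(" |
        sed -E 's/[[:space:]]*\($//' |
        sort -u > "$tmp/called"

    # Called but not defined: each of these is a fatal error at runtime.
    comm -23 "$tmp/called" "$tmp/defined"
    rm -rf "$tmp"
}
```

Run as `undefined_calls roundcubemail-0.5.4` against the unpacked tarball; any name it prints is called somewhere in the tree without a matching definition.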

Offline JohnDoh

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 2,845
RoundCube News: Security update 0.5.4 is out
« Reply #8 on: August 13, 2011, 07:32:46 AM »
A corrected package is now available for download from roundcube.net, see RoundCube Mailing Lists for more info.
Roundcube Plugins: Contextmenu, SpamAssassin Prefs, and more…

Offline Schmatze

  • Jr. Member
  • **
  • Posts: 31
RoundCube News: Security update 0.5.4 is out
« Reply #9 on: August 13, 2011, 11:13:46 AM »
You should also check the checksums on this page: Downloading Roundcube webmail