Roundcube Community Forum

Release Support => Requests => Topic started by: round_mania on May 08, 2021, 03:06:14 AM

Title: CVE-2021-29472 Vulnerability in CentOS 7 (7.6.1810)
Post by: round_mania on May 08, 2021, 03:06:14 AM
Hi,
As you know, CVE-2021-29472 has been published, and I did not find a related description of whether Roundcube is vulnerable or not.
Title: Re: CVE-2021-29472 Vulnerability in CentOS 7 (7.6.1810)
Post by: JohnDoh on May 09, 2021, 03:39:33 AM
Quote
The impact to Composer users directly is limited as the composer.json file is typically under their own control
So, no. Just make sure you've updated your version of Composer.
Title: Re: CVE-2021-29472 Vulnerability in CentOS 7 (7.6.1810)
Post by: round_mania on May 09, 2021, 08:05:31 AM
As my server is in a datacenter and does not have internet access, I cannot update Composer. Considering this condition, is it vulnerable if I don't update Composer?
Title: Re: CVE-2021-29472 Vulnerability in CentOS 7 (7.6.1810)
Post by: JohnDoh on May 09, 2021, 10:03:39 AM
As I understand the vulnerability it relates to the download of packages from VCS repositories. Roundcube does not include any VCS repos in its default composer.json file and as far as I can see none of the packages it does require mention any VCS repos. So unless you added one of your own....

Anyway, if you are not using Composer for package management on your server, why would you even have it installed?

If you want to know more about the Composer vulnerability then try the Composer community.
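One way to make the check JohnDoh describes above (does the deployed composer.json declare any VCS repositories?) mechanical, as an added example that is not part of the original thread and is not Roundcube's or Composer's own code. The sample composer.json contents, the repository URLs and the "URL starts with -" heuristic are constructed assumptions for illustration; run the function on your real composer.json instead.

```python
import json

# Composer repository types that are resolved by a VCS driver (git, hg, svn, ...).
# "vcs" lets Composer auto-detect the driver; the other names select one explicitly.
VCS_TYPES = {"vcs", "git", "hg", "svn", "fossil", "perforce",
             "git-bitbucket", "github", "gitlab"}

# Constructed sample: a composer.json to which an admin has added a custom VCS
# repository (exactly the "unless you added one of your own" case). This is
# NOT Roundcube's shipped composer.json.
SAMPLE_WITH_VCS = """
{
  "name": "example/webmail-deploy",
  "repositories": [
    {"type": "composer", "url": "https://plugins.roundcube.net"},
    {"type": "vcs", "url": "https://git.example.internal/team/custom-plugin.git"},
    {"packagist.org": false}
  ],
  "require": {"example/custom-plugin": "dev-main"}
}
"""

# Constructed sample with only a Composer-type (metadata) repository and no VCS entries.
SAMPLE_WITHOUT_VCS = """
{
  "name": "example/webmail-deploy",
  "repositories": [
    {"type": "composer", "url": "https://plugins.roundcube.net"}
  ],
  "require": {}
}
"""


def looks_like_argument(url):
    """Heuristic (an assumption of this example, not taken from the advisory):
    a repository URL beginning with '-' would reach a VCS command line looking
    like an option rather than a location, so it deserves manual review."""
    return url.startswith("-")


def find_vcs_repositories(composer_json_text):
    """Return every repository entry that Composer would hand to a VCS driver."""
    data = json.loads(composer_json_text)
    repos = data.get("repositories", [])
    # "repositories" may be a list or a name-keyed object; normalise to a list.
    if isinstance(repos, dict):
        repos = list(repos.values())
    findings = []
    for repo in repos:
        # Entries such as {"packagist.org": false} or a bare false have no
        # "type"; they disable a repository rather than define one.
        if not isinstance(repo, dict) or "type" not in repo:
            continue
        rtype = repo["type"]
        url = str(repo.get("url", ""))
        if rtype in VCS_TYPES:
            findings.append({
                "type": rtype,
                "url": url,
                "url_looks_like_argument": looks_like_argument(url),
            })
    return findings


def scan_file(path):
    """Convenience wrapper for a real deployment: scan_file('/var/www/roundcube/composer.json')."""
    with open(path, encoding="utf-8") as fh:
        return find_vcs_repositories(fh.read())


if __name__ == "__main__":
    for label, text in (("with VCS", SAMPLE_WITH_VCS), ("without VCS", SAMPLE_WITHOUT_VCS)):
        found = find_vcs_repositories(text)
        print(f"{label}: {len(found)} VCS repository entr{'y' if len(found) == 1 else 'ies'}")
        for entry in found:
            print("   ", entry)
```

An empty result for the deployed composer.json matches JohnDoh's reading of the default Roundcube file; any entry returned is a repository you (or a plugin install step) added and should be reviewed, and a flagged URL is worth checking by hand before the next `composer update` on an unpatched Composer.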