Closed stephdl closed 2 weeks ago
QA
we expect to upgrade roundcubemail to 1.6.8 for both NS7 and NS8
test1 on NS8
Install openldap and mail
Install ns8-roundcubemail:2.0.2 (stable version)
Configure roundcubemail
create some emails and also some contacts (we upgrade mysql to a minor version, 10.11.9 from 10.11.5, so we want to test the upgrade)
upgrade to ghcr.io/nethserver/roundcubemail:2.0.3-dev.1
no error expected in logs or in the UI, previous contacts must be there
test2 on NS8
Install openldap and mail
Install ghcr.io/nethserver/roundcubemail:2.0.3-dev.1 (testing version)
Configure roundcubemail
create some emails and also some contacts
no error expected in logs or in the UI
test3 on NS7
Install openldap
Install nethserver-roundcubemail-next
Configure roundcubemail
create some emails and also some contacts
upgrade to nethserver-roundcubemail-next testing
yum install http://packages.nethserver.org/nethserver/7.9.2009/testing/x86_64/Packages/nethserver-roundcubemail-next-1.5.7-1.2.gb07db48.ns7.noarch.rpm
no error expected in logs or in the UI
test4 on NS7
Install openldap
install nethserver-roundcubemail-next testing
yum install http://packages.nethserver.org/nethserver/7.9.2009/testing/x86_64/Packages/nethserver-roundcubemail-next-1.5.7-1.2.gb07db48.ns7.noarch.rpm
Configure roundcubemail
create some emails and also some contacts
no error expected in logs or in the UI
Test 1 on NS8 (upgrade) > OK
Test 2 on NS8 (install) > OK
Test 3 on NS7 (upgrade) > OK
Test 4 on NS7 (install) > OK
released as ghcr.io/nethserver/roundcubemail:2.0.3
released as nethserver-roundcubemail-next-1.5.8-1.ns7.noarch.rpm
A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header.
Proposed solution
To address this vulnerability, it is essential to upgrade to Roundcube version 1.6.8, where the issue has been resolved.
Alternative solutions
Not many ways; we cannot fix this CVE without upgrading.
Additional context
We actually use roundcubemail:1.6.6-apache; we have subtasks.
See also
https://mattermost.nethesis.it/nethesis/pl/ro981m1d43guje3rcpu4d7ay8e
https://www.cve.org/CVERecord?id=CVE-2024-42008
Thanks, Nick
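An added check, not part of this issue or of NethServer's packaging: a small POSIX shell helper that decides whether a Roundcube version string falls inside the affected ranges quoted from the CVE record above (through 1.5.7, and 1.6.x through 1.6.7). The fixed versions it compares against are 1.6.8 from the proposed solution and 1.5.8 from the NS7 package released above. The function names vercmp and rc_affected, and the version strings fed to them, are assumptions for illustration; the strings are shaped like the image tag (1.6.6-apache) and RPM version (1.5.7-1.2.gb07db48.ns7) that appear on this page.

```shell
#!/bin/sh
# Added example (not Roundcube's or NethServer's own code).
# Classify a Roundcube version against the CVE-2024-42008 affected ranges:
#   affected: <= 1.5.7 and 1.6.0 .. 1.6.7
#   fixed:    1.5.8 and 1.6.8 (versions named on this page)

# vercmp A B: compare dotted numeric versions, print -1, 0 or 1.
# Missing trailing components count as 0, so "1.6" equals "1.6.0".
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        ax="${ax:-0}"; bx="${bx:-0}"
        if [ "$ax" -lt "$bx" ]; then echo -1; return; fi
        if [ "$ax" -gt "$bx" ]; then echo 1; return; fi
        # drop the leading component; empty the string once no dot is left
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    echo 0
}

# rc_affected VERSION: print "yes" if VERSION is in an affected range, else "no".
# Accepts raw package/image strings (hypothetical inputs for this example):
# everything from the first non-digit, non-dot character on is a packaging
# suffix (e.g. "-apache", "-1.2.gb07db48.ns7") and is stripped first.
rc_affected() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    if [ "$(vercmp "$v" 1.6.0)" -ge 0 ]; then
        # 1.6 branch and later: affected only below the 1.6.8 fix
        if [ "$(vercmp "$v" 1.6.8)" -lt 0 ]; then echo yes; else echo no; fi
    else
        # 1.5 branch and older: affected below the 1.5.8 fix
        if [ "$(vercmp "$v" 1.5.8)" -lt 0 ]; then echo yes; else echo no; fi
    fi
}

# Stand-alone run over the version strings that appear on this page
for ver in 1.6.6-apache 1.5.7-1.2.gb07db48.ns7 1.6.8 1.5.8-1.ns7; do
    printf '%-28s affected=%s\n' "$ver" "$(rc_affected "$ver")"
done
```

Feed it the Roundcube version actually deployed (the container image tag on NS8, or the RPM version on NS7); a "yes" means the instance is still in the range the CVE record describes and the upgrade in the proposed solution has not landed.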