mail-in-a-box / mailinabox

Mail-in-a-Box helps individuals take back control of their email by defining a one-click, easy-to-deploy SMTP+everything else server: a mail server in a box.
https://mailinabox.email/
Creative Commons Zero v1.0 Universal

Roundcube flaws allow easy email account compromise (CVE-2024-42009, CVE-2024-42008) #2430

Open henningwerner opened 3 months ago

henningwerner commented 3 months ago

Thanks for your awesome project! Can you please push new Roundcube version to the repo to close both CVEs.

myfirstnameispaul commented 3 months ago

PR submitted 3 days after the new versions were announced:

https://github.com/mail-in-a-box/mailinabox/pull/2422

For future reference, you can find open PRs here:

https://github.com/mail-in-a-box/mailinabox/pulls

dmitridb commented 3 months ago

https://github.com/roundcube/roundcubemail/releases/tag/1.6.7

Yet it was back in May with some of these patches

I am now in the process of convincing my clients to switch mail server solutions, since they can't expect something like this to be maintained. I know you even say you don't care about NSA-grade security, but these are email servers and the threat model is different here. These are flaws that someone as dumb as a malicious child or even some indiscriminate bot can and will exploit, and you've failed to patch in releases like three times now.

matidau commented 3 months ago

Just a suggestion, you can fork the current version and merge any of the security updates against the fork, such as this one.

Then on the server change to your fork with git and run mailinabox.

When Josh releases a new version with these included then switch back with git.

dmitridb commented 3 months ago

Thanks, this has been patched in #2422.

I got a little tripped up at the step where getting that hash is necessary, if anything only because I have access to production mail servers that it would be less than fun to be playing with potentially buggy scripts on. Is that just a sha256sum of the roundcubemail tar.gz file? Seems like there should be a better way of doing that somehow. They provide an .asc file for verification instead, for example.
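The two verification approaches mentioned in the comment above, a pinned SHA-256 of the release tarball and the project's detached `.asc` signature, can both be scripted so a bad download aborts before anything is unpacked onto a production server. The following is an added example and not code from the Mail-in-a-Box setup scripts or the PR; the download URL, the expected digest and the keyring path are placeholders, and the assumption that the signature file sits next to the tarball as `<tarball>.asc` is the writer's, not something the page states.

```shell
#!/usr/bin/env bash
# Added example: verify a downloaded release tarball before it is unpacked.
# Not Mail-in-a-Box's own code. URL, digest and keyring below are placeholders.

# Return 0 when the file's SHA-256 matches the expected hex digest, 1 otherwise.
# The digest is the value to pin in a setup script; sha256sum prints "<hash>  <file>".
verify_sha256() {
    file="$1"
    expected="$2"
    actual=$(sha256sum "$file" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# Return 0 when a detached signature verifies against a keyring that holds only
# the release-signing key (a keyring you prepared earlier, not the default one).
# Assumption (not from the page): the signature file is named "<file>.asc".
verify_gpg() {
    file="$1"
    keyring="$2"
    gpg --no-default-keyring --keyring "$keyring" \
        --verify "$file.asc" "$file" >/dev/null 2>&1
}

# Download a tarball and refuse to continue unless the pinned digest matches.
# If a signature file is also present and a keyring is given, check that too.
fetch_and_verify() {
    url="$1"            # placeholder, e.g. the tarball from a GitHub release page
    expected="$2"       # placeholder: pinned SHA-256 of that tarball
    keyring="${3:-}"    # optional: keyring containing the release-signing key
    file=$(basename "$url")

    curl -fsSL -o "$file" "$url" || { echo "download failed: $url" >&2; return 1; }

    if ! verify_sha256 "$file" "$expected"; then
        echo "SHA-256 mismatch for $file; refusing to unpack" >&2
        rm -f "$file"
        return 1
    fi

    if [ -n "$keyring" ]; then
        curl -fsSL -o "$file.asc" "$url.asc" || { echo "signature download failed" >&2; return 1; }
        if ! verify_gpg "$file" "$keyring"; then
            echo "bad or untrusted signature for $file" >&2
            rm -f "$file" "$file.asc"
            return 1
        fi
    fi
    echo "verified: $file"
}

# Usage (placeholders, not real values):
#   fetch_and_verify "https://example.invalid/roundcubemail-X.Y.Z-complete.tar.gz" \
#       "<pinned sha256 hex digest>" "/path/to/roundcube-release-key.gpg"
```

The digest check is what the pinned hash in a setup script buys you: an upgrade that changes the tarball forces a deliberate hash update rather than a silent swap. The signature check adds a binding to the project's key, so it only helps if the keyring was populated from a trusted source beforehand; importing a key from the same download location as the tarball would defeat the purpose.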

JJJ commented 3 months ago

v70 was tagged August 15 and appears to include this.

See: https://github.com/mail-in-a-box/mailinabox/releases/tag/v70

Recommend to close this issue and PR at #2422.

matidau commented 3 months ago

#2422 is already closed (merged).

FUADMOHAMED022 commented 1 month ago

Thanks for your awesome project! Can you please push new Roundcube version to the repo to close both CVEs.