Advisories » MGASA-2017-0409

Updated roundcubemail packages fix security vulnerability

Publication date: 16 Nov 2017
Modification date: 16 Nov 2017
Type: security
Affected Mageia releases : 5 , 6
CVE: CVE-2017-16651

Description

It was discovered that roundcubemail contained a zero-day file disclosure
vulnerability caused by insuficient input validation which was currently
being exploited by hackers to read roundcube's configuration files and
steal its database credentials (CVE-2017-16651).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=22005
• https://roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10
• https://www.debian.org/security/2017/dsa-4030
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16651

SRPMS

5/core

• roundcubemail-1.0.11-1.1.mga5

6/core

• roundcubemail-1.2.5-1.1.mga6