Fedora 25 : roundcubemail (2017-ede53aa845)

2017-05-09T00:00:00
ID FEDORA_2017-EDE53AA845.NASL
Type nessus
Reporter Tenable
Modified 2018-02-02T00:00:00

Description

Roundcube Webmail 1.2.5

This is a security update to the stable version 1.2. It primarily fixes a recently discovered vulnerability in the virtualmin and sasl drivers of the password plugin plus adds a few cherry-picked bug fixes from upstream versions. A detailed list of changes is shown below.

It's considered stable and we recommend updating all production installations of Roundcube to this version. Please back up your data before updating!

CHANGELOG

  • Password: Fix security issue in virtualmin and sasl drivers [CVE-2017-8114]

  • Fix re-positioning of the fixed header of messages list in Chrome when using minimal mode toggle and About dialog (#5711)

  • Fix so settings/upload.inc could not be used by plugins (#5694)

  • Fix regression in LDAP fuzzy search where it always used prefix search instead (#5713)

  • Fix bug where namespace prefix could not be truncated on folders list if show_real_foldernames=true (#5695)

  • Fix bug where base_dn setting was ignored inside group_filters (#5720)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

                                        
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Fedora Security Advisory FEDORA-2017-ede53aa845.
#

include("compat.inc");

# Metadata registration. When `description` is set, the script only declares
# its identifiers, advisory text, scoring and prerequisites, then leaves via
# the exit(0) at the end of this block, so the package check further down
# does not run in this mode.
if (description)
{
  script_id(100034);
  script_version("$Revision: 3.3 $");
  script_cvs_date("$Date: 2018/02/02 14:59:06 $");

  # The only CVE tracked by this plugin; the other changelog entries in the
  # description text are ordinary bug fixes without a CVE identifier.
  script_cve_id("CVE-2017-8114");
  script_xref(name:"FEDORA", value:"2017-ede53aa845");

  script_name(english:"Fedora 25 : roundcubemail (2017-ede53aa845)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Fedora host is missing a security update."
  );
  # Advisory text as extracted from the Fedora update system (see the closing
  # note inside the string). It is a runtime string: nothing may be edited or
  # commented inside the quotes.
  script_set_attribute(
    attribute:"description", 
    value:
"**Roundcube Webmail 1.2.5**

This is a security update to the stable version 1.2. It primarily
fixes a recently discovered vulnerability in the virtualmin and sasl
drivers of the password plugin plus adds a few cherry-picked bug fixes
from upstream versions. A detailed list of changes is shown below.

It's considered stable and we recommend to update all productive
installations of Roundcube with this version. Please do backup your
data before updating!

CHANGELOG

  - Password: Fix security issue in virtualmin and sasl
    drivers [CVE-2017-8114]

  - Fix re-positioning of the fixed header of messages list
    in Chrome when using minimal mode toggle and About
    dialog (#5711)

  - Fix so settings/upload.inc could not be used by plugins
    (#5694)

  - Fix regression in LDAP fuzzy search where it always used
    prefix search instead (#5713)

  - Fix bug where namespace prefix could not be truncated on
    folders list if show_real_foldernames=true (#5695)

  - Fix bug where base_dn setting was ignored inside
    group_filters (#5720)

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-ede53aa845"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected roundcubemail package."
  );
  # Both vectors describe a network-reachable issue that needs an
  # authenticated, low-privileged account (Au:S in v2, PR:L in v3). The v2
  # vector rates C/I/A as Partial while the v3 vector rates them High, so the
  # two base scores fall into different bands; triage should say which one it
  # is using.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");

  # "local": the result comes from host data already stored in the knowledge
  # base (see script_require_keys below), not from probing the webmail service.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:roundcubemail");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:25");

  script_set_attribute(attribute:"patch_publication_date", value:"2017/05/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/05/09");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.");
  script_family(english:"Fedora Local Security Checks");

  # Prerequisites: ssh_get_info.nasl is declared as a dependency, and the
  # three knowledge-base keys below are required. Presumably a scan without
  # working host credentials never populates them, in which case this plugin
  # produces no finding at all; that is not evidence that the host is patched.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


# Package check for FEDORA-2017-ede53aa845: confirms the host is Fedora 25 on
# a supported CPU, then asks rpm_check() about roundcubemail against the
# reference build roundcubemail-1.2.5-1.fc25 and reports if it flags the host.
#
# Scope caveat: the only input to the verdict is the package data in the
# knowledge base. Nothing here looks at whether the Roundcube password plugin
# is enabled or which driver it uses, so a finding means "the update is
# missing", not "the vulnerable virtualmin/sasl driver is in use".

# Each audit() call below is used as an early exit with a reason code.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
# `>!<` is the "substring not found" operator: stop unless the release string
# mentions Fedora.
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
# Index 1 is the first capture group, i.e. the numeric release.
os_ver = os_ver[1];
# Accept "25" only when followed by a non-digit or end of string, so a longer
# number that merely starts with 25 is rejected.
if (! ereg(pattern:"^25([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 25", "Fedora " + os_ver);

# The package list must already be in the knowledge base; this script does not
# collect it itself.
if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
# Only x86_64 and i386..i686 hosts continue; any other CPU string audits out
# as "local checks not implemented".
# NOTE(review): rpm_check() below is called without a cpu argument, which
# suggests the package is not architecture-specific. If so, Fedora 25 hosts on
# other architectures are never evaluated by this plugin; confirm that
# coverage gap is acceptable or covered by another control.
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);


# flag counts the package checks that came back positive (a single check here).
flag = 0;
# rpm_check() comes from rpm.inc; presumably it returns true when the
# installed roundcubemail is older than the reference build (verify in rpm.inc).
if (rpm_check(release:"FC25", reference:"roundcubemail-1.2.5-1.fc25")) flag++;


if (flag)
{
  # Reported on port 0 with SECURITY_WARNING severity; the report body is
  # whatever rpm_report_get() returns for the check above.
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  # No finding: distinguish "package was examined and not flagged" from
  # "package not installed" so the audit trail explains the negative result.
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "roundcubemail");
}