ALT Linux Team

Branch sisyphus update on 2018-05-23

2018-05-23

ALT-BU-2018-3263-1

Branch sisyphus update bulletin.

ALT-PU-2018-1778-1

Package roundcube updated to version 1.3.6-alt1 for branch sisyphus in task 206783.

Closed vulnerabilities

Published: 2018-03-13
Modified: 2024-11-21

CVE-2018-1000071

roundcube version 1.3.4 and earlier contains an Insecure Permissions vulnerability in enigma plugin that can result in exfiltration of gpg private key. This attack appear to be exploitable via network connectivity.

Severity: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Published: 2018-04-08
Modified: 2024-11-21

CVE-2018-9846

In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin enabled and configured, it's possible to exploit the unsanitized, user-controlled "_uid" parameter (in an archive.php _task=mail&_mbox=INBOX&_action=plugin.move2archive request) to perform an MX (IMAP) injection attack by placing an IMAP command after a %0d%0a sequence. NOTE: this is less easily exploitable in 1.3.4 and later because of a Same Origin Policy protection mechanism.

Severity: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References:

ALT-PU-2018-1785-1

Package alterator-l10n updated to version 2.9.40-alt1 for branch sisyphus in task 206511.

Closed bugs

Bug #16762

«Вернуть» на «Отменить»

VKontakte | Telegram | YouTube | Forum | GitHub | Bugzilla
Version: 2.1.0
Back to top