[Pkg-roundcube-maintainers] Bug#897014: roundcube: CVE-2018-1000071

Salvatore Bonaccorso carnil at debian.org
Fri Apr 27 06:50:30 BST 2018

Source: roundcube
Version: 1.3.6+dfsg.1-1
Severity: normal
Tags: security upstream
Forwarded: https://github.com/roundcube/roundcubemail/issues/6173

Hi Guilhem,

The following vulnerability was published for roundcube, filling just
a bug in the BTS to keep a BTS reference for it, as discussed enigma
plugin is not working out of the box on its own currently.

| roundcube version 1.3.4 and earlier contains an Insecure Permissions
| vulnerability in enigma plugin that can result in exfiltration of gpg
| private key. This attack appear to be exploitable via network
| connectivity.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1000071
[1] https://github.com/roundcube/roundcubemail/issues/6173


More information about the Pkg-roundcube-maintainers mailing list