[Pkg-roundcube-maintainers] Bug#897014: roundcube: CVE-2018-1000071
Salvatore Bonaccorso
carnil at debian.org
Fri Apr 27 06:50:30 BST 2018
Source: roundcube
Version: 1.3.6+dfsg.1-1
Severity: normal
Tags: security upstream
Forwarded: https://github.com/roundcube/roundcubemail/issues/6173
Hi Guilhem,
The following vulnerability was published for roundcube. Filing just
a bug in the BTS to keep a BTS reference for it; as discussed, the enigma
plugin is not working out of the box on its own currently.
CVE-2018-1000071[0]:
| roundcube version 1.3.4 and earlier contains an Insecure Permissions
| vulnerability in enigma plugin that can result in exfiltration of gpg
| private key. This attack appears to be exploitable via network
| connectivity.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-1000071
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000071
[1] https://github.com/roundcube/roundcubemail/issues/6173
Regards,
Salvatore