Opened 2 years ago

Closed 2 years ago

#11305 closed Task/To do item (fixed)

Roundcube upgrade (1.1.4)

Reported by: https://id.mayfirst.org/srevilak Owned by: https://id.mayfirst.org/srevilak
Priority: Medium Component: Tech
Keywords: roundcube Cc:
Sensitive: no

Description

There's a new version of roundcube -- we should upgrade.

Date: Sat, 26 Dec 2015 14:37:07 +0100
From: Thomas Bruederli <thomas@roundcube.net>
To: Roundcube Announce List <announce@lists.roundcube.net>
Cc: Roundcube Users List <users@lists.roundcube.net>, Roundcube Dev List
        <dev@lists.roundcube.net>
Subject: [Roundcube Announce] Security Updates 1.1.4 and 1.0.8 released
Message-ID: <CAO3naw5XbSSY-UOWWmkiHReN8ouVzrinz7qdXm7STYz=jEsVZw@mail.gmail.com>

Dear Roundcube users

We just published updates to both stable versions 1.0 and 1.1
delivering important bug fixes one of which seals a potential path
traversal vulnerability [1] recently reported by High-Tech Bridge
Security Research Lab. Although the vulnerability is not fully
disclosed yet, the attack scenario requires an active Roundcube
account as well as write privileges on the same host Roundcube is
served from (without open_basedir protection).

A second security improvement adds some measures against brute-force attacks.
See the full changelog here:
http://trac.roundcube.net/wiki/Changelog#RELEASE1.1.4

Both versions are considered stable and we recommend to update all
productive installations of Roundcube with either of these versions.
Download them from https://roundcube.net/download

If you prefer to patch your installation for the path traversal
vulnerability only, we also published patches on our download mirrors
for versions 1.0 [2] and 1.1 [3].

As usual, don't forget to backup your data before updating!

Thanks for all your support and happy new year!

Thomas

[1] https://www.htbridge.com/advisory/HTB23283
[2] https://sourceforge.net/projects/roundcubemail/files/roundcubemail/1.0.8/
[3] https://sourceforge.net/projects/roundcubemail/files/roundcubemail/1.1.4/

Change History (4)

comment:1 Changed 2 years ago by https://id.mayfirst.org/srevilak

  • Owner set to https://id.mayfirst.org/srevilak
  • Status changed from new to assigned

comment:2 Changed 2 years ago by https://id.mayfirst.org/srevilak

code prep

0 sunny:roundcube$ git fetch gmo
0 sunny:roundcube$ git branch
  backup-20141005
  mfpl-release-1.0
* mfpl-release-1.1
0 sunny:roundcube$ git merge gmo/mfpl-release-1.1
Already up-to-date.
0 sunny:roundcube$ git fetch origin
remote: Counting objects: 248, done.
remote: Compressing objects: 100% (25/25), done.
remote: Total 248 (delta 151), reused 144 (delta 144), pack-reused 77
Receiving objects: 100% (248/248), 205.01 KiB | 0 bytes/s, done.
Resolving deltas: 100% (165/165), completed with 66 local objects.
From https://github.com/roundcube/roundcubemail
   97aa984..b4fc297  master     -> origin/master
   e7d1a80..2c0a550  release-1.0 -> origin/release-1.0
   b6b92c0..772e08f  release-1.1 -> origin/release-1.1
 * [new tag]         1.0.8      -> 1.0.8
 * [new tag]         1.1.4      -> 1.1.4

0 sunny:roundcube$ git merge 1.1.4

Composer

0 sunny:roundcube$ diff composer.json composer.json-dist 
26c26
<         "pear-pear.php.net/net_smtp": "~1.6.3",
---
>         "pear-pear.php.net/net_smtp": "~1.7.1",

127 sunny:roundcube$ git add composer.json
0 sunny:roundcube$ git commit -m "composer.json update.  net_smtp 1.6.3 -> 1.7.1"
[mfpl-release-1.1 7168a1b] composer.json update.  net_smtp 1.6.3 -> 1.7.1
 1 file changed, 1 insertion(+), 1 deletion(-)

0 sunny:roundcube$ php composer.phar self-update
Updating to version 72cd6afdfce16f36a9fd786bc1b2f32b851e764f.
    Downloading: 100%         
Use composer self-update --rollback to return to version c9501a4cc164b176de48e44b239e619cfd5f14e5

# updates to 72cd6afdfce16f36a9fd786bc1b2f32b851e764f
$ php composer.phar --self-update
$ git add composer.phar
$ git commit

Here's what's changed since the last upgrade

0 sunny:roundcube$ git log --oneline --graph roundcube-1.1.3-mfpl5..HEAD
* 8371aac composer.phar => 72cd6afdfce16f36a9fd786bc1b2f32b851e764f
* 7168a1b composer.json update.  net_smtp 1.6.3 -> 1.7.1
* 8fbe0d4 Merge tag '1.1.4' into mfpl-release-1.1
* 772e08f Fix mail view scaling on iOS (#1490551)
* f2ff464 Bump version to 1.1.4; update Changelog
* ded453c Fix .htaccess rewrite rules to not block .well-known URIs (#1490615)
* 7d0099f Fix so drag-n-drop of text (e.g. recipient addresses) on compose page actually works (#1490619)
* 89a5dcb Fix path traversal vulnerability in setting a skin (#1490620)
* 9fbabc4 Add INBOX to the list of folders only if no filter and no prefix was specified
* c67e7e8 Fix PDF support detection in Firefox > 19 (#1490610)
* c82d09a Fix handling of message/rfc822 attachments on replies and forwards (#1490607)
* 6e71c95 Fix also charset encoding of message/rfc822 part bodies (#1490606)
* 2382c6e Fix regression in displaying contents of message/rfc822 parts (#1490606)
* b6b92c0 Optionally throw 404 error when contact photo wasn't found
* 5143c47 Fix rcube_utils::words_match() to work with mixed/invalid/binary content (T844)
* 818b78a Fix invalid LDAP query in ACL user autocompletion (#1490591)
* 78a9870 Remove redundant .gitignore files
* 62ee427 Improve directory protection for Apache 2.4
* 9953d5c Add workaround for https://bugs.php.net/bug.php?id=70757 (#1490582)
* c7c09f8 Fix HTML sanitizer to skip <!-- node type X --> in output (#1490583)
* 2c3634d Update changelog
* 8e7f32f Small improvements in HTML to text conversion.
* 9e80894 Update changelog
* a04a16c Make sure list page is never set to 0 (#1490458)
* 72be745 Fix redundant blank lines when using HTML and top posting (#1490576)
* 6ee039e Bump Net_SMTP version in composer config (#1490569)
* 5de338e Update changelog
* 7094208 After failed login wait a second to slow down brute-force attacks (#1490549)
* 280395a Fix bug where HTML messages with invalid/excessive css styles couldn't be displayed (#1490539)
* c5acbc6 Fix bug where message preview was unintentionally reset on check-recent action (#1490563)
* 5e6f6ac Fix responses list update issue after response name change (#1490555)
* ba48318 Fix so database_attachments::cleanup() does not remove attachments from other sessions (#1490542)
* 3d9798d Make brute force attacks harder by re-generating security token on every failed login (#1490549)
* 7d9a29c Remove also old .htaccess file that is not used anymore (#1489980)
* c2269df Require PHP5
* 0596f79 Require PHP5
$ git tag -s roundcube-1.1.4-mfpl1

0 sunny:roundcube$ git tag -v roundcube-1.1.4-mfpl1
object 8371aacf845bde504f64cdbcece7fefde54177d0
type commit
tag roundcube-1.1.4-mfpl1
tagger Steve Revilak <steve@...> 1451756109 -0500

MFPL tag corresponding to roundcube 1.1.4
gpg: Signature made Sat 02 Jan 2016 12:35:42 PM EST
gpg:                using RSA key 0x3EB22DE4E594DCF2
gpg: Good signature from "Steve Revilak <steve@...>" [ultimate]
gpg:                 aka "Steve Revilak <srevilak@...>" [ultimate]
0 sunny:roundcube$ git push gmo mfpl-release-1.1
Counting objects: 205, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (102/102), done.
Writing objects: 100% (205/205), 45.53 KiB | 0 bytes/s, done.
Total 205 (delta 144), reused 153 (delta 103)
remote: To git-roundcube@moses.mayfirst.org:/srv/git/roundcube
remote:    3866416..8371aac  mfpl-release-1.1 -> mfpl-release-1.1
To ssh://gitosis@git.mayfirst.org/mfpl/roundcube
   3866416..8371aac  mfpl-release-1.1 -> mfpl-release-1.1

0 sunny:roundcube$ git push gmo --tags
Counting objects: 68, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (24/24), done.
Writing objects: 100% (68/68), 8.62 KiB | 0 bytes/s, done.
Total 68 (delta 54), reused 56 (delta 44)
remote: To git-roundcube@moses.mayfirst.org:/srv/git/roundcube
remote:  * [new tag]         1.0.8 -> 1.0.8
remote:  * [new tag]         1.1.4 -> 1.1.4
remote:  * [new tag]         roundcube-1.1.4-mfpl1 -> roundcube-1.1.4-mfpl1
To ssh://gitosis@git.mayfirst.org/mfpl/roundcube
 * [new tag]         1.0.8 -> 1.0.8
 * [new tag]         1.1.4 -> 1.1.4
 * [new tag]         roundcube-1.1.4-mfpl1 -> roundcube-1.1.4-mfpl1

comment:3 Changed 2 years ago by https://id.mayfirst.org/srevilak

roundcube.dev.mayfirst.org

0 roundcube-dev@stallman:~$ pg_dump -b -C roundcube-dev | gzip -v9 > roundcube-dev.$(date +%F).sql.gz

0 roundcube-code@stallman:/srv/roundcube-dev$ git remote update
Fetching gmo
remote: Counting objects: 268, done.
remote: Compressing objects: 100% (65/65), done.
remote: Total 211 (delta 147), reused 208 (delta 145)
Receiving objects: 100% (211/211), 30.81 KiB, done.
Resolving deltas: 100% (147/147), completed with 50 local objects.
From git://git.mayfirst.org/mfpl/roundcube
   3866416..8371aac  mfpl-release-1.1 -> gmo/mfpl-release-1.1
 * [new tag]         roundcube-1.1.4-mfpl1 -> roundcube-1.1.4-mfpl1
From git://git.mayfirst.org/mfpl/roundcube
 * [new tag]         1.1.4      -> 1.1.4

0 roundcube-code@stallman:/srv/roundcube-dev$ git checkout roundcube-1.1.4-mfpl1
Previous HEAD position was 3866416... cp composer.json-dist composer.json
HEAD is now at 8371aac... composer.phar => 72cd6afdfce16f36a9fd786bc1b2f32b851e764f
1 roundcube-dev@stallman:/srv/roundcube-dev$ php bin/update.sh 
What version are you upgrading from? Type '?' if you don't know.
?
Executing database schema update.
WARNING: unable to update composer.json!
Please replace the 'require' section in your composer.json with the following:
    "require": {
        "php": ">=5.3.7",
        "roundcube/plugin-installer": "~0.1.6",
        "pear-pear.php.net/auth_sasl": "~1.0.6",
        "pear-pear.php.net/net_idna2": "~0.1.1",
        "pear-pear.php.net/net_sieve": "~1.3.4",
        "pear-pear.php.net/mail_mime": "~1.9.0",
        "pear-pear.php.net/net_smtp": "~1.7.1",
        "patchwork/utf8": "~1.2.3"
    }

NOTE: Update dependencies by running `php composer.phar update --no-dev`
This instance of Roundcube is up-to-date.
Have fun!

The require stanza shown in the warning matches the require stanza in composer.json. I think the warning is just noise.

0 roundcube-dev@stallman:/srv/roundcube-dev$ php bin/indexcontacts.sh 
Indexing contacts for user 1...done.
Indexing contacts for user 2...done.
Indexing contacts for user 4...done.
Indexing contacts for user 5...done.
  ...
Indexing contacts for user 61...done.
Indexing contacts for user 62...done.
Indexing contacts for user 63...done.
0 roundcube-dev@stallman:/srv/roundcube-dev$

0 roundcube-dev@stallman:/srv/roundcube-dev$  php bin/gc.sh 
0 roundcube-dev@stallman:/srv/roundcube-dev$ 

Did some testing with roundcube.dev.mayfirst.org (reading and sending messages, attaching files, saving drafts). Things seem okay. Will upgrade roundcube.m.o tomorrow.

comment:4 Changed 2 years ago by https://id.mayfirst.org/srevilak

  • Resolution set to fixed
  • Status changed from assigned to closed

roundcube.mayfirst.org

backup

0 roundcube@stallman:~$ pg_dump -v -b -C roundcube | gzip -v9 > roundcube.$(date +%F).sql.gz

deploy new code

0 roundcube-code@stallman:/srv/roundcube$ git fetch gmo
remote: Counting objects: 268, done.
remote: Compressing objects: 100% (65/65), done.
remote: Total 211 (delta 147), reused 208 (delta 145)
Receiving objects: 100% (211/211), 30.81 KiB, done.
Resolving deltas: 100% (147/147), completed with 50 local objects.
From git://git.mayfirst.org/mfpl/roundcube
   3866416..8371aac  mfpl-release-1.1 -> gmo/mfpl-release-1.1
 * [new tag]         roundcube-1.1.4-mfpl1 -> roundcube-1.1.4-mfpl1
From git://git.mayfirst.org/mfpl/roundcube
 * [new tag]         1.1.4      -> 1.1.4

0 roundcube-code@stallman:/srv/roundcube$ git checkout roundcube-1.1.4-mfpl1
Previous HEAD position was abcf7fff...  Missing ^%%$^^&*!#!#@ comma.  Sigh
HEAD is now at 8371aac... composer.phar => 72cd6afdfce16f36a9fd786bc1b2f32b851e764f

Update scripts

0 roundcube@stallman:/srv/roundcube$ php bin/update.sh 
What version are you upgrading from? Type '?' if you don't know.
?
Executing database schema update.
WARNING: unable to update composer.json!
Please replace the 'require' section in your composer.json with the following:
    "require": {
        "php": ">=5.3.7",
        "roundcube/plugin-installer": "~0.1.6",
        "pear-pear.php.net/auth_sasl": "~1.0.6",
        "pear-pear.php.net/net_idna2": "~0.1.1",
        "pear-pear.php.net/net_sieve": "~1.3.4",
        "pear-pear.php.net/mail_mime": "~1.9.0",
        "pear-pear.php.net/net_smtp": "~1.7.1",
        "patchwork/utf8": "~1.2.3"
    }

NOTE: Update dependencies by running `php composer.phar update --no-dev`
This instance of Roundcube is up-to-date.
Have fun!

Re-index contacts

0 roundcube@stallman:/srv/roundcube$ php bin/indexcontacts.sh 
Indexing contacts for user 1...done.
Indexing contacts for user 2...done.
 ...
Indexing contacts for user 1841...done.
Indexing contacts for user 1842...done.
Indexing contacts for user 1844...done.
Indexing contacts for user 1845...done.

gc

0 roundcube@stallman:/srv/roundcube$ php bin/gc.sh
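The procedure in comment:2 signs the release tag and checks it with `git tag -v`, and comments 3 and 4 then back up the database, check out that tag and run the update scripts by hand. The script below is an added example that is not part of the ticket and not Roundcube's own tooling: it turns the manual check into a fail-closed gate that only accepts a tag whose signature is good and whose signing key is on an explicit allowlist, then performs the same backup, checkout and update steps. The allowlisted key ID is the one shown in the ticket's `git tag -v` output; the remote name `gmo`, the database name, the deploy directory, the single deploy account and the `example.org` addresses in the constructed sample outputs are assumptions made for this example.

```shell
#!/bin/sh
# Added example for this ticket, not code from the ticket or from Roundcube.
# Before checking out a release tag on the production host, require a good
# signature from a key on an explicit allowlist, then take the database backup
# and run the update scripts. Remote "gmo", database name and deploy path are
# placeholders assumed for this example.

# Long key IDs allowed to sign release tags (upper-case hex, no 0x prefix).
# The value below is the key ID from the ticket's `git tag -v` output.
ALLOWED_KEYS="3EB22DE4E594DCF2"

# Read `git tag -v` / gpg output on stdin and print the signing key ID,
# normalised to upper-case hex without the 0x prefix. Prints nothing if
# no "using ... key" line is present.
signing_key_of() {
    sed -n 's/^gpg:[[:space:]]*using [A-Z0-9]* key \([0-9A-Fa-fx]*\).*/\1/p' \
        | head -n 1 | sed 's/^0x//' | tr 'a-f' 'A-F'
}

# Return 0 only if the output contains a "Good signature" line AND the
# signing key is on the allowlist. BAD signature, missing key line, a key
# not on the list, or no gpg output at all: all of these fail closed.
verify_tag_output() {
    out="$1"
    printf '%s\n' "$out" | grep -q '^gpg: Good signature from' || return 1
    key=$(printf '%s\n' "$out" | signing_key_of)
    [ -n "$key" ] || return 1
    for allowed in $ALLOWED_KEYS; do
        [ "$allowed" = "$key" ] && return 0
    done
    return 1
}

# Verify a real tag in the current repository (gpg writes to stderr, hence 2>&1).
verify_tag() {
    out=$(git tag -v "$1" 2>&1) || return 1
    verify_tag_output "$out"
}

# Backup, verify, checkout, then the same update scripts the ticket runs.
# Assumes one account may run pg_dump, git and php in the deploy directory.
deploy_tag() {
    tag="$1"; db="$2"; dir="$3"
    (
        cd "$dir" || exit 1
        git fetch gmo --tags || exit 1
        verify_tag "$tag" || { echo "refusing to deploy $tag: signature check failed" >&2; exit 1; }
        dump="$db.$(date +%F).sql"
        pg_dump -b -C "$db" > "$dump" && gzip -9 "$dump" || exit 1
        git checkout "$tag" || exit 1
        php bin/update.sh && php bin/indexcontacts.sh && php bin/gc.sh
    )
}

# Constructed sample outputs for offline checks. The good one mirrors the
# ticket's `git tag -v roundcube-1.1.4-mfpl1`; the other two are made up.
SAMPLE_GOOD=$(cat <<'EOF'
object 8371aacf845bde504f64cdbcece7fefde54177d0
type commit
tag roundcube-1.1.4-mfpl1
tagger Steve Revilak <steve@example.org> 1451756109 -0500

MFPL tag corresponding to roundcube 1.1.4
gpg: Signature made Sat 02 Jan 2016 12:35:42 PM EST
gpg:                using RSA key 0x3EB22DE4E594DCF2
gpg: Good signature from "Steve Revilak <steve@example.org>" [ultimate]
EOF
)
SAMPLE_BAD=$(cat <<'EOF'
gpg: Signature made Sat 02 Jan 2016 12:35:42 PM EST
gpg:                using RSA key 0x3EB22DE4E594DCF2
gpg: BAD signature from "Steve Revilak <steve@example.org>" [ultimate]
EOF
)
SAMPLE_UNKNOWN_KEY=$(cat <<'EOF'
gpg: Signature made Sat 02 Jan 2016 12:35:42 PM EST
gpg:                using RSA key 0x0123456789ABCDEF
gpg: Good signature from "Someone Else <other@example.org>" [unknown]
EOF
)

# Stand-alone demonstration on the constructed samples.
if verify_tag_output "$SAMPLE_GOOD"; then echo "good sample: accepted"; fi
if verify_tag_output "$SAMPLE_BAD"; then :; else echo "bad sample: rejected"; fi
if verify_tag_output "$SAMPLE_UNKNOWN_KEY"; then :; else echo "unknown key: rejected"; fi
```

On a real host the call would be `deploy_tag roundcube-1.1.4-mfpl1 roundcube /srv/roundcube`. The point of checking the key ID rather than only the "Good signature" line is that gpg reports a good signature for any key in the keyring, including one imported by mistake; the allowlist ties deployment to the specific release-signing key.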
