GLSA-201612-44 : Roundcube: Arbitrary code execution
Medium Nessus Plugin ID 96124
Synopsis
The remote Gentoo host is missing one or more security-related patches.
Description
The remote host is affected by the vulnerability described in GLSA-201612-44 (Roundcube: Arbitrary code execution).
Roundcube, when no SMTP server is configured and the sendmail program is enabled, does not properly restrict the use of custom envelope-from addresses on the sendmail command line.
An authenticated remote attacker could possibly execute arbitrary code with the privileges of the process, or cause a Denial of Service condition.
Don’t use an MTA (Mail Transfer Agent) that implements sendmail’s “-O” or “-X” parameters in conjunction with Roundcube, or configure Roundcube to use an SMTP server as recommended by upstream.
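The defensive check this advisory implies, written out as an added example (it is not Roundcube's code or part of the GLSA): any value handed to a sendmail-style MTA as the envelope sender must be validated so it cannot be read as a command-line option or split into extra arguments, and the MTA must be invoked with an argv list rather than a shell string. The function names, the sendmail path and the sample addresses below are constructed for illustration.

```python
import re
import subprocess
from typing import List, Sequence

# Conservative addr-spec shape (constructed for this example; deliberately narrower
# than RFC 5322 so quoted local parts and comments are rejected rather than parsed).
_SAFE_ADDR = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def safe_envelope_from(address: str) -> bool:
    """True only if `address` can safely be handed to a sendmail-style MTA as the
    envelope sender. Rejects values the MTA could read as an option (leading '-'),
    values containing whitespace (which become extra arguments when the command is
    assembled as a string), and anything that is not a bare addr-spec."""
    if not address or address[0] == "-":
        return False
    if any(ch.isspace() for ch in address):
        return False
    return _SAFE_ADDR.fullmatch(address) is not None


def build_sendmail_argv(sendmail_path: str, envelope_from: str,
                        recipients: Sequence[str]) -> List[str]:
    """Build the argv list for a sendmail-compatible MTA.

    Sender and recipients are validated with the same rule, and the result is a
    list (to be run without a shell), so no single value can ever become more
    than one argument. Raises ValueError on any rejected address."""
    if not safe_envelope_from(envelope_from):
        raise ValueError("rejected envelope sender: %r" % envelope_from)
    for rcpt in recipients:
        if not safe_envelope_from(rcpt):
            raise ValueError("rejected recipient: %r" % rcpt)
    # "-f<addr>" is one argv element; "-i" stops a lone '.' line from ending input.
    return [sendmail_path, "-i", "-f" + envelope_from, *recipients]


def send_via_sendmail(sendmail_path: str, envelope_from: str,
                      recipients: Sequence[str], message: bytes) -> int:
    """Pipe `message` to the MTA on stdin using the validated argv and return the
    MTA's exit status. Needs a local MTA, so it is not exercised offline."""
    argv = build_sendmail_argv(sendmail_path, envelope_from, recipients)
    proc = subprocess.run(argv, input=message, check=False)
    return proc.returncode


if __name__ == "__main__":
    # Constructed sample values: two ordinary addresses and three that must be
    # rejected (an option-looking value, a value that would split into extra
    # arguments, and a quoted local part that an MTA might interpret).
    samples = [
        "alice@example.com",
        "bob.smith+tag@mail.example.org",
        "-Osomeoption",
        "alice@example.com -Xsomefile",
        '"alice smith"@example.com',
    ]
    for s in samples:
        print("%-40r %s" % (s, "accepted" if safe_envelope_from(s) else "rejected"))
    print(build_sendmail_argv("/usr/sbin/sendmail", "alice@example.com",
                              ["bob@example.org"]))
```

The same rule is applied to recipients on purpose: on a sendmail command line every positional argument is parsed the same way, so a sender-only check leaves the other half of the argument list unguarded. Configuring an SMTP server, as upstream recommends, removes the command line from the picture entirely and is the preferable fix.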
Solution
All Roundcube users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=mail-client/roundcube-1.2.3'