{"id":"MGASA-2015-0400","summary":"Updated roundcubemail package fixes security vulnerabilities","details":"Multiple security issues in the DBMail driver for the password plugin,\nincluding buffer overflows (CVE-2015-2181) and the ability for a remote\nattacker to execute arbitrary shell commands as root (CVE-2015-2180).\n\nAn authenticated user can download arbitrary files from the web server\nthat the web server process has read access to, by uploading a vCard with\na specially crafted POST (CVE-2015-5382).\n\nThe roundcubemail package has been updated to version 1.0.6, fixing these\nissues and several other bugs, however the installer is currently known\nto be broken.\n","modified":"2026-04-16T06:23:17.759655236Z","published":"2015-10-14T20:28:21Z","upstream":["CVE-2015-2180","CVE-2015-2181","CVE-2015-5382"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2015-0400.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=16249"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=13056"},{"type":"WEB","url":"http://openwall.com/lists/oss-security/2015/07/07/2"},{"type":"WEB","url":"http://trac.roundcube.net/ticket/1490261"},{"type":"WEB","url":"https://github.com/roundcube/roundcubemail/releases/tag/1.0.6"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-updates/2015-06/msg00062.html"}],"affected":[{"package":{"name":"roundcubemail","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/roundcubemail?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.0.6-1.1.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2015-0400.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}