Security update for roundcubemail SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:1263-1 Final 1 1 2017-05-15T13:10:00Z current 2017-05-15T13:10:00Z 2017-05-15T13:10:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for roundcubemail This update for roundcubemail fixes one security issues and two bugs. The following vulnerability was fixed: - CVE-2017-8114: Authenticated users may have reset arbitrary passwords (boo#1036955) The following upstream bugs were fixed: - Fix regression in LDAP fuzzy search where it always used prefix search instead - Fix bug where base_dn setting was ignored inside group_filters The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2017-05/msg00039.html E-Mail link for openSUSE-SU-2017:1263-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.1 openSUSE Leap 42.2 roundcubemail-1.1.9-17.6.1 roundcubemail-1.1.9-17.6.1 as a component of openSUSE Leap 42.1 roundcubemail-1.1.9-17.6.1 as a component of openSUSE Leap 42.2 Roundcube Webmail allows arbitrary password resets by authenticated users. This affects versions before 1.0.11, 1.1.x before 1.1.9, and 1.2.x before 1.2.5. The problem is caused by an improperly restricted exec call in the virtualmin and sasl drivers of the password plugin. CVE-2017-8114 openSUSE Leap 42.1:roundcubemail-1.1.9-17.6.1 openSUSE Leap 42.2:roundcubemail-1.1.9-17.6.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-05/msg00039.html https://www.suse.com/security/cve/CVE-2017-8114.html CVE-2017-8114 https://bugzilla.suse.com/1036955 SUSE Bug 1036955