1

Topic: Security fix in Roundcube: Disable DNS prefetching. (CVE-2010-0464)

Hi, all.

Vulnerability description

Roundcube 0.3.1 and earlier does not request that the web browser avoid DNS prefetching of domain names contained in e-mail messages, which makes it easier for remote attackers to determine the network location of the webmail user by logging DNS requests.

References
Affected iRedMail versions
  • iRedMail-0.4.0 (Roundcube-0.2-stable)

  • iRedMail-0.5.0 (Roundcube-0.2.1)

  • iRedMail-0.5.1 (Roundcube-0.2.1)

Steps to fix it
  • Please confirm you are using Roundcube-0.2-stable, 0.2.1, 0.2.2 before we go further.

  • Download patch for roundcube-0.2-stable, 0.2.1:

# cd /root
# wget http://iredmail.googlecode.com/hg/extra/patches/roundcube/roundcube-CVE-2010-0464.patch
  • Change the current directory to the Roundcube installation directory and use the patch command with the '--dry-run' option to test the patch. If the command output doesn't show "succeeded", please do NOT try further steps, and post a new topic in this forum.

# ---- RHEL/CentOS ----
# cd /var/www/roundcubemail/

# ---- Debian/Ubuntu ----
# cd /usr/share/apache2/roundcubemail/

# ---- Test the patch ----
# patch --dry-run -p0 < /root/roundcube-CVE-2010-0464.patch
patching file program/include/rcube_shared.inc
patching file program/steps/mail/get.inc
Hunk #1 succeeded at 43 (offset 1 line).
Hunk #2 succeeded at 59 (offset -9 lines).
  • Patch it

# patch -p0 < /root/roundcube-CVE-2010-0464.patch
  • (This step is NOT required but is recommended.) Restart Apache web server to make it work.

# ---- On RHEL/CentOS ----
# /etc/init.d/httpd restart

# ---- On Debian/Ubuntu ----
# /etc/init.d/apache2 restart
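
A post-patch check, added here as an example and not part of the original thread or the iRedMail patch: it reads HTTP response headers and reports whether the server asks the browser to turn DNS prefetching off. It assumes the fix appears as the standard `X-DNS-Prefetch-Control: off` response header; the function names, sample responses and the `webmail.example` URL are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the project's code). Assumption: the patched Roundcube
# sends the standard "X-DNS-Prefetch-Control: off" response header.

# prefetch_state: read a raw HTTP response on stdin and print one of
#   off      header present with value "off"
#   on       header present with any other value
#   missing  header absent from the header block
prefetch_state() {
    tr -d '\r' | awk '
        BEGIN { state = "missing" }
        $0 == "" { exit }              # end of headers: never scan the body
        {
            idx = index($0, ":")
            if (idx == 0) next         # status line, not a header
            name  = tolower(substr($0, 1, idx - 1))
            value = tolower(substr($0, idx + 1))
            gsub(/^[ \t]+|[ \t]+$/, "", value)
            if (name == "x-dns-prefetch-control")
                state = (value == "off") ? "off" : "on"
        }
        END { print state }'
}

# check_url: fetch only the headers of a live page (needs curl and network).
# Usage: check_url https://webmail.example/   (placeholder host)
check_url() {
    curl -sI "$1" | prefetch_state
}

# Constructed sample responses, so the parser can be exercised offline.
sample_patched() {
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n'
    printf 'x-dns-prefetch-control:  Off \r\n\r\n<html></html>'
}
sample_unpatched() {
    # The header text appears only in the body, which must not count.
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'
    printf 'X-DNS-Prefetch-Control: off\r\n'
}

echo "patched sample:   $(sample_patched | prefetch_state)"
echo "unpatched sample: $(sample_unpatched | prefetch_state)"
```

Run `check_url` against the webmail login page and a message view after applying the patch; a result other than `off` means the response is not asking the browser to turn prefetching off.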

2

Re: Security fix in Roundcube: Disable DNS prefetching. (CVE-2010-0464)

Hello ZhangHuangbin,

I use iRedMail-0.5.1 (Roundcube-0.2.1), set up via your upgrade tutorial from the former iRedMail-0.5.0, incl. all hotfixes.

Here is the differing output from the test patch command:

# patch --dry-run -p0 < /root/roundcube-CVE-2010-0464.patch 
patching file program/include/rcube_shared.inc
patching file program/steps/mail/get.inc
Hunk #1 succeeded at 41 (offset -1 lines).
Hunk #2 succeeded at 67 (offset -1 lines).

And additionally, the correct Roundcube path for Ubuntu is:

# ---- Debian/Ubuntu ----
# cd /usr/share/apache2/roundcubemail/

3

Re: Security fix in Roundcube: Disable DNS prefetching. (CVE-2010-0464)

Bronko wrote:

Hunk #1 succeeded at 41 (offset -1 lines).
Hunk #2 succeeded at 67 (offset -1 lines).

If it shows succeeded, it's SAFE to apply the patch.

Bronko wrote:

And additionally, the correct Roundcube path for Ubuntu is: /usr/share/apache2/roundcubemail/

Fixed, thanks.

4

Re: Security fix in Roundcube: Disable DNS prefetching. (CVE-2010-0464)

Here is my dry run result

patch --dry-run -p0 < /root/roundcube-CVE-2010-0464.patch
patching file program/include/rcube_shared.inc
patching file program/steps/mail/get.inc
Hunk #1 succeeded at 41 (offset -1 lines).