Topic: Security fix in Roundcube: Disable DNS prefetching. (CVE-2010-0464)
Hi, all.
Vulnerability description
Roundcube 0.3.1 and earlier does not request that the web browser avoid DNS prefetching of domain names contained in e-mail messages, which makes it easier for remote attackers to determine the network location of the webmail user by logging DNS requests.
References
Affected iRedMail versions
iRedMail-0.4.0 (Roundcube-0.2-stable)
iRedMail-0.5.0 (Roundcube-0.2.1)
iRedMail-0.5.1 (Roundcube-0.2.1)
Steps to fix it
Please confirm you are using Roundcube-0.2-stable, 0.2.1, 0.2.2 before we go further.
Download patch for roundcube-0.2-stable, 0.2.1:
# cd /root
# wget http://iredmail.googlecode.com/hg/extra/patches/roundcube/roundcube-CVE-2010-0464.patchChange current directory to roundcube installation directory and use patch command with '--dry-run' option to test patch. If command output doesn't show succeeded, please do NOT try further steps, and post a new topic in this forum.
# ---- RHEL/CentOS ----
# cd /var/www/roundcubemail/
# ---- Debian/Ubuntu ----
# cd /usr/share/apache2/roundcubemail/
# ---- Test the patch ----
# patch --dry-run -p0 < /root/roundcube-CVE-2010-0464.patch
patching file program/include/rcube_shared.inc
patching file program/steps/mail/get.inc
Hunk #1 succeeded at 43 (offset 1 line).
Hunk #2 succeeded at 59 (offset -9 lines).Patch it
# patch -p0 < /root/roundcube-CVE-2010-0464.patch(This step is NOT required but is recommended.) Restart Apache web server to make it work.
# ---- On RHEL/CentOS ----
# /etc/init.d/httpd restart
# ---- On Debian/Ubuntu ----
# /etc/init.d/apache2 restart----
Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.