Topic: Security fix in Roundcube: Disable DNS prefetching. (CVE-2010-0464)
Roundcube 0.3.1 and earlier does not request that the web browser avoid DNS prefetching of domain names contained in e-mail messages, which makes it easier for remote attackers to determine the network location of the webmail user by logging DNS requests.
Affected iRedMail versions
Steps to fix it
Please confirm you are using Roundcube 0.2-stable, 0.2.1 or 0.2.2 before going further.
Download patch for roundcube-0.2-stable, 0.2.1:
# cd /root
# wget http://iredmail.googlecode.com/hg/extra/patches/roundcube/roundcube-CVE-2010-0464.patch
Change to the Roundcube installation directory and run the patch command with the '--dry-run' option to test the patch first. If the output does not show that the hunks succeeded, do NOT continue with the following steps; post a new topic in this forum instead.
# ---- RHEL/CentOS ----
# cd /var/www/roundcubemail/

# ---- Debian/Ubuntu ----
# cd /usr/share/apache2/roundcubemail/

# ---- Test the patch ----
# patch --dry-run -p0 < /root/roundcube-CVE-2010-0464.patch
patching file program/include/rcube_shared.inc
patching file program/steps/mail/get.inc
Hunk #1 succeeded at 43 (offset 1 line).
Hunk #2 succeeded at 59 (offset -9 lines).
# patch -p0 < /root/roundcube-CVE-2010-0464.patch
(This step is NOT required, but it is recommended.) Restart the Apache web server so the change takes effect.
# ---- On RHEL/CentOS ----
# /etc/init.d/httpd restart

# ---- On Debian/Ubuntu ----
# /etc/init.d/apache2 restart
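The dry-run check from the steps above, wrapped in a small POSIX sh helper as an added example (not part of the original post or of iRedMail): the real patch is applied only when the dry run matched every file and rejected no hunk. The directory and patch file arguments are assumptions; the sample dry-run output in the comments is the one shown in the steps.

```shell
#!/bin/sh
# Added example, not from the iRedMail post: gate "patch -p0" on a clean
# "patch --dry-run -p0", the check the steps above ask you to do by eye.

# Inspect captured dry-run output. Returns 0 only when at least one file was
# matched and no hunk was rejected, reversed, or left without a target file.
# A hunk that applies at its original place prints no "succeeded" line at all,
# so the absence of failure messages is what is tested, not the word itself.
check_dry_run_output() {
    out=$1
    # No "patching file" line means patch never found a file to work on.
    if ! printf '%s\n' "$out" | grep -q '^patching file '; then
        return 1
    fi
    # Any of these messages means a hunk did not apply cleanly.
    if printf '%s\n' "$out" | grep -Eq 'FAILED|Reversed \(or previously applied\)|can.t find file'; then
        return 1
    fi
    return 0
}

# apply_if_clean DIR PATCHFILE: dry-run inside DIR, apply only on a clean result.
# DIR is the Roundcube install directory (the RHEL/CentOS or Debian/Ubuntu
# path from the post); PATCHFILE is the downloaded CVE-2010-0464 patch.
apply_if_clean() {
    dir=$1
    patchfile=$2
    # patch exits non-zero when hunks are rejected; keep both status and output.
    if ! out=$(cd "$dir" && patch --dry-run -p0 < "$patchfile" 2>&1); then
        printf 'dry run failed:\n%s\n' "$out" >&2
        return 1
    fi
    if ! check_dry_run_output "$out"; then
        printf 'dry run did not apply cleanly:\n%s\n' "$out" >&2
        return 1
    fi
    (cd "$dir" && patch -p0 < "$patchfile")
}
```

Run it as `apply_if_clean /var/www/roundcubemail /root/roundcube-CVE-2010-0464.patch` (or the Debian/Ubuntu path); a non-zero exit with the dry-run output on stderr is the "stop and ask in the forum" case.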