Subject: Fix Roundcube security issue: Disable DNS prefetching. (CVE-2010-0464)

Hi, all.

A security issue has been found in Roundcube.

Vulnerability description

Roundcube 0.3.1 and earlier does not request that the web browser avoid DNS prefetching of domain names contained in e-mail messages, which makes it easier for remote attackers to determine the network location of the webmail user by logging DNS requests.

Reference links

Affected iRedMail versions
  • iRedMail-0.4.0 (Roundcube-0.2-stable)
  • iRedMail-0.5.0 (Roundcube-0.2.1)
  • iRedMail-0.5.1 (Roundcube-0.2.1)

Fix procedure
  • First confirm that you are using Roundcube-0.2-stable, 0.2.1 or 0.2.2

  • Download the patch:

# cd /root
# wget http://iredmail.googlecode.com/hg/extra/patches/roundcube/roundcube-CVE-2010-0464.patch
  • Change into the Roundcube installation directory and test the patch with the patch command and the '--dry-run' option. If the command output does not show succeeded, do not carry out the remaining steps.

# ---- RHEL/CentOS ----
# cd /var/www/roundcubemail/

# ---- Debian/Ubuntu ----
# cd /usr/share/apache2/roundcubemail/

# ---- Test the patch ----
# patch --dry-run -p0 < /root/roundcube-CVE-2010-0464.patch
patching file program/include/rcube_shared.inc
patching file program/steps/mail/get.inc
Hunk #1 succeeded at 43 (offset 1 line).
Hunk #2 succeeded at 59 (offset -9 lines).
  • Apply the patch

# patch -p0 < /root/roundcube-CVE-2010-0464.patch
  • (This step is not mandatory, but it is recommended) Restart the Apache service

# ---- On RHEL/CentOS ----
# /etc/init.d/httpd restart

# ---- On Debian/Ubuntu ----
# /etc/init.d/apache2 restart
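The browser-side control for the behaviour described above is the X-DNS-Prefetch-Control response header, or the equivalent <meta http-equiv="x-dns-prefetch-control" content="off"> tag in the page. As an added example (not part of the original post or of the Roundcube patch), this Python check inspects a raw HTTP response for either form, so an administrator can confirm after patching that the webmail pages actually tell the browser not to prefetch; the sample responses are constructed, not captured from a real server.

```python
import re

HEADER = "x-dns-prefetch-control"
META_RE = re.compile(
    r'<meta\s+[^>]*http-equiv\s*=\s*["\']?x-dns-prefetch-control["\']?[^>]*>',
    re.IGNORECASE,
)
CONTENT_RE = re.compile(r'content\s*=\s*["\']?\s*(\w+)', re.IGNORECASE)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into a lower-cased header dict and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body.decode("utf-8", "replace")


def dns_prefetch_disabled(raw: bytes) -> bool:
    """True if the response switches DNS prefetching off via header or meta tag."""
    headers, body = parse_response(raw)
    if headers.get(HEADER, "").lower() == "off":
        return True
    for tag in META_RE.finditer(body):
        content = CONTENT_RE.search(tag.group(0))
        if content and content.group(1).lower() == "off":
            return True
    return False


# Constructed sample responses (hypothetical, not from a real Roundcube install).
UNPATCHED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
             b"<html><body><a href=\"http://example.invalid\">link</a></body></html>")
PATCHED_HEADER = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                  b"X-DNS-Prefetch-Control: off\r\n\r\n<html></html>")
PATCHED_META = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                b'<html><head><meta http-equiv="x-dns-prefetch-control" '
                b'content="off"></head><body></body></html>')

if __name__ == "__main__":
    for name, resp in [("unpatched", UNPATCHED), ("header", PATCHED_HEADER),
                       ("meta", PATCHED_META)]:
        print(f"{name}: DNS prefetch disabled = {dns_prefetch_disabled(resp)}")
```

In practice, feed the output of a real fetch of the webmail login page and a message view into dns_prefetch_disabled, since the patch touches the message-display code paths as well.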

Re: Fix Roundcube security issue: Disable DNS prefetching. (CVE-2010-0464)

Is iRedMail 0.3.2 affected?

Re: Fix Roundcube security issue: Disable DNS prefetching. (CVE-2010-0464)

Check whether your Roundcube version is in the list of affected versions.