http://bugzilla.opensuse.org/show_bug.cgi?id=1082822
http://bugzilla.opensuse.org/show_bug.cgi?id=1082822#c6
Eric Schirra
(In reply to Eric Schirra from comment #4)
This is no security risk, because with root:root you cannot use this plugin. Apache must have write rights to save and generate keys. With root:root Apache cannot do this.
Are you sure? The vulnerability is about remote attackers reading confidential files due to them being web readable and in the web tree, which is the case here.
In devel, factory (Tumbleweed) and Leap 15.0 there is:

# RW need for PGP plugin
%attr(0700, wwwrun, root) %dir %{roundcubepath}/plugins/enigma/home

So only wwwrun can rwx. And without these rights, the enigma plugin cannot be used. I think this is secure enough. And you can change the dir manually to another location. We could put only this plugin outside the normal roundcube path. But why? And this would not be clear and logical, because all other plugins are under roundcubepath.