
CPANEL-43459 - CVE-2023-5631 Roundcube XSS vulnerability

Comments

24 comments

  • cPRex Jurassic Moderator
    Hey hey! We have case CPANEL-43459 open with our team to get this fixed. I'll post as soon as I have an update!
    0
  • groque
    Hey hey! We have case CPANEL-43459 open with our team to get this fixed. I'll post as soon as I have an update!

    Hi. Has there been any update on this?
    0
  • cPRex Jurassic Moderator
    I know it's getting backported to 110 and 114, but I'm not sure when the fix will be released. It looks like it's going through QA at the moment.
    0
  • cPanelJamyn
    The following builds were published to resolve this vulnerability (
    0
  • Corey Kretsinger
    What about older versions of WHM/cPanel? How do I update Roundcube?
    0
  • Lolfust
    The following builds were published to resolve this vulnerability (
    0
  • cPRex Jurassic Moderator
    What about older versions of WHM/cPanel? How do I update Roundcube?

    Any version older than 110 is not supported, and would not receive this update.
    0
  • Corey Kretsinger
    Any version older than 110 is not supported, and would not receive this update.

    I have
    0
  • Wallu
    Hi, I have updated old servers to 110.0.14 and new ones to 114.0.10. What exactly is the output supposed to be from:
    rpm -q —changelog cpanel-roundcubemail | grep -E 'CVE-2023-43770|CVE-2023-5631'
    My output is zero, nada. Old 110 has cpanel-roundcubemail-1.6.0.19-2.cp110~el7.noarch and new 114 has cpanel-roundcubemail-1.6.0.19-2.cp110~el8.noarch. Are those patched packages or am I missing the updates? - Wallu
    0
  • Wallu
    What exactly is the output supposed to be from:
    rpm -q —changelog cpanel-roundcubemail | grep -E 'CVE-2023-43770|CVE-2023-5631'
    My output is zero, nada.

    Just quoting myself here, obviously that should output those CVEs, but it's not. Are the patches actually out yet? @cPRex - Wallu
    0
  • xml
    I don't use Roundcube, actually I am using a third-party email service. Do I have to update my build?
    0
  • Matt.R
    [QUOTE] Just quoting myself here, obviously that should output those CVEs, but it's not. Are the patches actually out yet? @cPRex
    Same here, we're on 110.0.14 but those updated CVEs are not showing. Roundcube is still on 1.6.0 when I suspect it should be 1.6.3 or 1.6.4.
    0
  • ifbtech
    For those like me that were running the following command and getting no output even though you are on 110.0.14 and cpanel-roundcubemail-1.6.0.19-2.cp110~el7.noarch:
    rpm -q -changelog cpanel-roundcubemail | grep -E 'CVE-2023-43770|CVE-2023-5631'
    I had to delete the - in front of changelog and add my own dash. The one given above and in the announcement has a long dash, which caused the command to return "package —changelog is not installed" to grep.
    0
  • Wallu
    I had no output or errors, but when I typed the whole damn thing myself, I got:
    [root@whm08 ~]# rpm -q -changelog cpanel-roundcubemail | grep -E 'CVE-2023-43770|CVE-2023-5631'
    - Add patch for CVE-2023-43770
    - Add patch for CVE-2023-5631
    So patches done. The long dash came from the link on that e-mail notification and copy&paste. Anyways, check spelling and you should get that output. Thanks @ifbtech for noticing that. - Wallu
    0
  • Corey Kretsinger
    So 1.6.0.19-2.cp110~el7 is where we want to be, correct?
    0
  • Wallu
    So 1.6.0.19-2.cp110~el7 is where we want to be, correct?

    I believe so, but I'm hoping @cPRex still confirms this. And next time they send out notices, they'd be more clear about these things :) . Just "Additionally, we strongly recommend that you also verify the new Roundcube RPMs were successfully installed." is kinda vague. With automatic updates it's a bit hard to find out what was there before updates and what version the new package should be, right? - Wallu
    0
  • ITHKBO
    I believe so, but I'm hoping @cPRex still confirms this. And next time they send out notices, they'd be more clear about these things :) . Just "Additionally, we strongly recommend that you also verify the new Roundcube RPMs were successfully installed." is kinda vague. With automatic updates it's a bit hard to find out what was there before updates and what version the new package should be, right? - Wallu

    1.6.0.17-1.cp110 was the version when I made this thread and was the last unpatched version for the 114.0.8 release; the current one is 1.6.0.19-1.cp110. If you look at the changelog without the CVE grep you will see the comments listing the following:
    rpm -q --changelog cpanel-roundcubemail
    [quote]
    * Thu Oct 26 2023 Travis Holloway - 1.6.0.19-2.cp110~el8
    - Add patch for CVE-2023-43770
    - Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages
    - Add patch for CVE-2023-5631
    - Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages
    So we are safe again.
    0
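The check the thread converges on is "does the installed cpanel-roundcubemail changelog carry both CVE patch entries", and the failure mode it hit is a copy/pasted `--` autocorrected into a long dash. The script below is an added example, not code from the thread or from cPanel: it normalizes pasted dashes back to `--`, counts the two "Add patch for CVE-..." entries in changelog text, and queries `rpm` when it is present, falling back to a constructed sample changelog (modelled on the entry quoted above) so it can be run anywhere. The sample text and the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or cPanel): verify that the installed
# cpanel-roundcubemail changelog records patches for both Roundcube XSS CVEs.

# Constructed sample changelog, modelled on the entry quoted in the thread.
SAMPLE_CHANGELOG='* Thu Oct 26 2023 Travis Holloway - 1.6.0.19-2.cp110~el8
- Add patch for CVE-2023-43770
- Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages
- Add patch for CVE-2023-5631
- Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages
* Mon Oct 02 2023 Example Packager - 1.6.0.19-1.cp110~el8
- Rebuild'

# Constructed unpatched changelog (no CVE entries) for comparison.
SAMPLE_CHANGELOG_OLD='* Mon Oct 02 2023 Example Packager - 1.6.0.17-1.cp110~el8
- Rebuild'

# normalize_dashes: rewrite em/en dashes (what "--" autocorrect produces) back
# to "--", so a pasted command reaches rpm with a real long option.
normalize_dashes() {
    printf '%s' "$1" | sed 's/—/--/g; s/–/--/g'
}

# count_cve_patches: number of distinct "Add patch for CVE-..." lines for the
# two Roundcube CVEs in the changelog text given as $1 (prints 0, 1 or 2).
count_cve_patches() {
    printf '%s\n' "$1" \
        | grep -oE 'Add patch for CVE-2023-(43770|5631)' \
        | sort -u \
        | wc -l \
        | tr -d ' '
}

# changelog_is_patched: succeeds only when both CVE patch entries are present.
changelog_is_patched() {
    [ "$(count_cve_patches "$1")" = "2" ]
}

# check_installed: query the real package when rpm and the package exist,
# otherwise fall back to the constructed sample so the script still runs.
check_installed() {
    if command -v rpm >/dev/null 2>&1 && rpm -q cpanel-roundcubemail >/dev/null 2>&1; then
        changelog=$(rpm -q --changelog cpanel-roundcubemail)
        echo "installed: $(rpm -q cpanel-roundcubemail)"
    else
        changelog=$SAMPLE_CHANGELOG
        echo "rpm or package not available; using constructed sample changelog"
    fi
    if changelog_is_patched "$changelog"; then
        echo "OK: both CVE-2023-43770 and CVE-2023-5631 patch entries present"
        return 0
    fi
    echo "WARNING: $(count_cve_patches "$changelog") of 2 CVE patch entries found"
    return 1
}

check_installed
```

On a cPanel host the script prints the installed package version alongside the verdict, which answers the "what version should I see" question in one place; running a pasted command through `normalize_dashes` first avoids the "package —changelog is not installed" error that grep silently swallows.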
  • cPRex Jurassic Moderator
    I'm not seeing any issues with the copy/paste commands from the Roundcube Stored XSS (CVE-2023-5631, CVE-2023-43770) | cPanel Newsroom link as they worked for me on patched systems. But yes, as long as you have automatic updates running or as long as you've manually updated to the mentioned versions, you're all set.
    0
  • quietFinn
    I'm not seeing any issues with the copy/paste commands from the
    0
  • cPRex Jurassic Moderator
    Well that's fun - I must not have seen the typoed version. Long-dash happens when text editors think they are smarter than you and "--" gets autocorrected into a long dash. It's incredibly annoying, especially for us tech people.
    0
  • Wallu
    Well that's fun - I must not have seen the typoed version. Long-dash happens when text editors think they are smarter than you and "--" gets autocorrected into a long dash. It's incredibly annoying, especially for us tech people.

    Yeah, that was... kinda confusing :) "The shorter en dash (–) is used to mark ranges and with the meaning "to" in phrases like "Dover–Calais crossing." The longer em dash (—) is used to separate extra information or mark a break in a sentence." All good now, and at least I learned to check for that spelling in the future. - Wallu
    0
  • Vedhan
    Anyone please reply, I just want to know. Using this command:
    rpm -q --changelog cpanel-roundcubemail | grep -E 'CVE-2023-43770|CVE-2023-5631'
    I get the below result in red color:
    - Add patch for CVE-2023-43770
    - Add patch for CVE-2023-5631
    That means the patch is already done?
    0
  • Wallu
    Anyone please reply, I just want to know. Using this command:
    rpm -q --changelog cpanel-roundcubemail | grep -E 'CVE-2023-43770|CVE-2023-5631'
    I get the below result in red color:
    - Add patch for CVE-2023-43770
    - Add patch for CVE-2023-5631
    That means the patch is already done?

    Yes, you are set. - Wallu
    0
  • Vedhan
    Yes, you are set. - Wallu

    Thank You
    0
