
Roundcube Update to 1.6.8 and 1.5.8

Answered

Comments

16 comments

  • NDC

    I would also like information on this; after searching the web there doesn't seem to be a lot of information.

    Will the check_cpanel_pkgs script update and fix this, or is a system-wide yum update needed?

    PS: I'm still on the old 110.0.10 version.

    Thanks in advance!

    0
  • ITHKBO

    You can check your version by simply opening webmail and clicking the "? About" entry in the webmail interface.

    For 120.0.15 it is on 1.6.6, though do note that cPanel uses its own versioning number for the actual packages, so you're not going to see it as such. If you do a grep on 120.0.15 you will see
    cpanel-roundcubemail-plugins-cpanel-1.1.8-2.cp120~el8.noarch
    cpanel-roundcubemail-1.6.6.6-1.cp120~el8.noarch

    Either way, we are not yet secure against the CVEs for both 120 and 110. There have been no update releases created after the alerts from Sonar's Vulnerability Research Team, which came on the 5th of August, while the last cPanel update release is from the 1st of August.

    In this case, the less public information there is on the internet about it, the less I am worried, but this and especially CVE-2024-42009 are nonetheless a high security concern.

    Normally, I would disable Roundcube and temporarily enforce the other MUA until the vendor resolved it. Unfortunately, Horde is even less safe (and now gone), so that option flew out of the window as the temporary mitigation strategy.

    cPRex, William Del Piero, is there an internal case known?

    1
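An added example, not code from this thread or from cPanel: a small POSIX shell check that takes package names in the form quoted above, pulls out the upstream Roundcube version cPanel embeds, and reports whether that version is at or past the 1.6.8 / 1.5.8 fixed releases named in the thread title. It assumes, from the two sample names only, that the first three dotted numbers are the upstream version and the rest is cPanel's own build numbering.

```shell
#!/bin/sh
# Added example, not from the thread or cPanel. Assumption drawn from the two
# package names quoted above: in "cpanel-roundcubemail-1.6.6.6-1.cp120~el8",
# 1.6.6 is the upstream Roundcube version, the rest is cPanel build numbering.

# Print the upstream Roundcube version embedded in a cPanel package name.
# Returns 1 for anything that is not the main roundcubemail package
# (e.g. the -plugins-cpanel package).
roundcube_upstream_version() {
    case "$1" in
        cpanel-roundcubemail-[0-9]*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "${1#cpanel-roundcubemail-}" |
        sed -E 's/^([0-9]+\.[0-9]+\.[0-9]+).*/\1/'
}

# True (0) when dotted version $1 is at least dotted version $2.
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$1" | cut -d. -f"$i")
        y=$(printf '%s' "$2" | cut -d. -f"$i")
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# Report "patched" or "needs-update" against the fixed release for the
# package's branch (1.6.8 for 1.6.x, 1.5.8 for 1.5.x, as in the thread title).
roundcube_status() {
    v=$(roundcube_upstream_version "$1") || { echo "not-roundcube"; return 2; }
    case "$v" in
        1.6.*) fixed=1.6.8 ;;
        1.5.*) fixed=1.5.8 ;;
        *) echo "unknown-branch"; return 2 ;;
    esac
    if version_ge "$v" "$fixed"; then echo "patched"; else echo "needs-update"; fi
}

# On a real cPanel host, check every installed roundcubemail package;
# elsewhere this loop simply does nothing.
if command -v rpm >/dev/null 2>&1; then
    for p in $(rpm -qa 'cpanel-roundcubemail*'); do
        printf '%s: %s\n' "$p" "$(roundcube_status "$p" || true)"
    done
fi
```

Version numbers in the rpm output are the only input; the script changes nothing on the host.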
  • cPRex Jurassic Moderator

    These were all just released within the last 3 days, so we don't have any updates on our end just yet, but our devs are working on this through case HB-7822!

    2
  • Gabor

    Hi,
    Patches have been available for a week. This is a high security concern. Any updates?
    Thanks

    0
  • cPRex Jurassic Moderator

    The updates have been built and are being tested right now so I'd expect them to be released this week.

    0
  • scub200820

    It is really important that this update is released as soon as possible.

    0
  • Gabor

    A strange situation has arisen, as a serious vulnerability has been left unpatched for more than a week, despite the vendor fix being available. Some of the cPanel providers turned off the Roundcube service, leaving customers without webmail; others did not turn it off, leaving customer data easily stolen. Are there plans to officially support SnappyMail or other alternative webmail solutions in cPanel for such future cases?

    0
  • cPRex Jurassic Moderator

    We're always evaluating webmail clients - if you'd like to submit a feature request at features.cpanel.net I'll be sure to bring it up with the team!

    0
  • Leonardo Almeida

    It is a critical security breach; it needs to be patched in 1 or 2 days!
    0
  • Loic Dreux

    Hello,

    Any news about the availability of the Roundcube 1.6.8 update?

    0
  • cPRex Jurassic Moderator

    Not just yet - it's still going through our testing.

    0
  • cPRex Jurassic Moderator

    Update - this will be included in 120.0.16 when that is released. I would expect that to happen within a week.

    -1
  • scub200820

    Within a week?? That's 2 weeks since the release of the CVEs? It's a critical CVE, and 2 weeks is very long. It is an almost non-interactive leak. What if the PoC code for the exploit is released before then?

    0
  • Customer

    Hi, after the update we cannot open webmail; there is an error, too many redirections:

    "The page isn't redirecting properly"

    Regards

    0
  • cPRex Jurassic Moderator

    Customer - that is a separate issue from the one discussed in this thread. Can you start a new post with details from your local logs so we can get more information?

    0
  • cPRex Jurassic Moderator

    UPDATE - this has been released to Stable, Release, and Current, so this is resolved at this point.

    2
