New RoundCube Vulnerabilities & How to Upgrade

cPFence

The following vulnerabilities in RoundCube were recently discovered, and updating to the latest version 1.6.9 is advised to mitigate these risks:

CVE-2024-42009
CVE-2024-42008
CVE-2024-42010

To upgrade ;

# Log in as the RoundCube user:

su - webmail_1

# Download the latest RoundCube version:

wget https://github.com/roundcube/roundcubemail/releases/download/1.6.9/roundcubemail-1.6.9-complete.tar.gz

# Extract the files:

tar -xvzf roundcubemail-1.6.9-complete.tar.gz

cd roundcubemail-1.6.9

# Run the installer:

bin/installto.sh -y ../public_html

# Clean up after installation:

rm -rf ~/roundcubemail-1.6.9*

For each mail server in your Enhance cluster, repeat the process using roundcubelocal as the user. (su - roundcubelocal)

Tip: Ensure that the "system" and "escapeshellarg" functions are not included in your disable_functions list, as they are required for the upgrade.

8Dweb

cPFence Thank you.

kyzoeadmin

Thanks worked like a Charm.

DracoBlue

Doesn't Enhance perform updates automatically?

cPFence

DracoBlue Doesn't Enhance perform updates automatically?

My understanding is that Enhance only updates RoundCube when a new version of Enhance is released. To check your current RoundCube version, log into your email and click 'About' in the menu. Ours was 1.6.7 on some servers.

ecknz

DracoBlue Doesn't Enhance perform updates automatically?

I thought the same thing, so everything apart from the control panel is not updated unless there is a panel update or manually updated?

kyzoeadmin

cPFence i had also 1.6.7 on our servers.

DracoBlue

cPFence kyzoeadmin ecknz i have 1.6.9.
The enhance panel updates only the central mail; it does not update the mail accessible through website links.

cosmoshosting

Excellent instructions @cPFence, really appreciated .

Come on Enhance, cut your losses on this huge 12.x update (which many will hold off installing right away) and give us an incremental update with security updates and all the minor low risk updates you've been working on. We should not need to be hacking apart our installs manually updating packages like RoundCube and OLS or running mystery community provided scripts to fix common issues. It's a liability for everyone and a mongrel for you to validate when rolling out future updates.

cPFence

cosmoshosting

You're welcome. Honestly, our team is a bit paranoid when it comes to security updates, and we’re not fans of old-fashioned outdated panels. I’d say Enhance has a solid and up-to-date foundation, using the latest software and security techniques, something I believe every modern control panel should have. This isn't just my opinion; I remember Rack911 mentioning the same on WHT, even though they haven't fully tested Enhance yet.

The one thing I'd suggest is adding a way to get the latest sub-versions of PHP. Hoping they make that possible soon. Also, having some built-in scripts for updating Roundcube, OLS, etc., would be nice.

pratik_asabe

cosmoshosting Come on Enhance, cut your losses on this huge 12.x update (which many will hold off installing right away) and give us an incremental update with security updates and all the minor low risk updates you've been working on. We should not need to be hacking apart our installs manually updating packages like RoundCube and OLS or running mystery community provided scripts to fix common issues. It's a liability for everyone and a mongrel for you to validate when rolling out future updates.

Careful! there are some oversmart kids around the block who target and gets emotionally voilated in strange way when we raise genuine concerns! They are about to make it there life's purpose real soon i guess...

btw, thank you @cPFence for providing such critical update and patching information, really appreciate it!

cPFence

DracoBlue

Yes, I noticed that on some clusters, the main control panel was on the secure version 1.6.8, while others were still on the vulnerable 1.6.7. I haven’t seen 1.6.9 on any clusters we work with, so I’m not sure how or when updates are handled on the main control panel.

Shaijee

cPFence DracoBlue Mine is Roundcube Webmail 1.6.2. It's a local mail service (mail.example.com). It seems Enhance does not update Roundcube.

Enhance should have service feature and provide regular updates like RunCloud.

Nickske00

My central mail was already on 1.6.9, not sure for how long though...
Local mail (eg mail.customerdomain.com) is not up to date.

DracoBlue

Shaijee At the moment, I'm only updating the central mail, not the local one.