Security: Upgrade Roundcube to 1.6.11

Adam

Roundcube recently released 1.6.11 which mitigates a security issue that could allow arbitrary code execution. As I understand it, a valid mailbox login is required for the exploit to work.

https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10

Enhance automatically updates any central Roundcube installations running on your control panel server.

The per-server Roundcube that runs on each mail server to provide webmail at mail.customerdomain.com needs to be updated manually. To do this, run on each mail server:

su - roundcubelocal
wget https://github.com/roundcube/roundcubemail/releases/download/1.6.11/roundcubemail-1.6.11-complete.tar.gz
tar -xzf roundcubemail-1.6.11-complete.tar.gz
cd roundcubemail-1.6.11
./bin/installto.sh ../public_html

blackpoint

Adam
and after ./bin/installto.sh ../public_html you should do an
cd .. rm -rf roundcubemail-1.6.11 roundcubemail-1.6.11-complete.tar.gz
to clean up.
best regards,
Dirk

eilko

Adam Enhance automatically updates any central Roundcube installations running on your control panel server.
The per-server Roundcube that runs on each mail server to provide webmail at mail.customerdomain.com needs to be updated manually.

can anyone explain why Enhance can update the one CP server but not on the mail server?

asmdot

Will an update for the per-server Roundcube installations be rolled into the broader automated update process in time?

MarkD

asmdot Yes I would have expected any mail role server to be updated in the same way that the central mail server is updated.

PDudeP

I'm getting this error, although I removed all disabled functions on php settings (Settings > Service > Application).
What should I do?

ERROR: PHP system() function is required. Check disable_functions in php.ini.

Adam

PDudeP

Is it possible the server previously had the application role installed and disable_functions was configured at that point? If so, the setting would remain after the role was uninstalled.

If you can't get it to work please send a support ticket.

PDudeP

Actually, the error is only happening on one mail server. The other one upgraded just fine.
Any tips?

iotivedo

Check if you have disabled that function in the server settings application role -> php -> disabled_functions

PDudeP

iotivedo thanks for the tip, but these are mail servers only, no application role.

PDudeP

Adam Yes, most probably yes. I remembered that and reinstalled the app role. I tried removing all disabled functions on the cluster, but it didn't do the trick.
So, i guess I'll open a ticket.

Thanks

PDudeP

Adam solved it. Thank you all, guys.

AdamR

Just to make sure I'm understanding this correctly, we only perform this on the Mail server, and then apt update && apt upgrade on the remaining servers with different roles to upgrade Enhance to 12.6.2?

mrEckendonk

Thank You @Adam , all working fine.

Kosta

eilko good question

slimx

Update worked fine on my end.

Kosta

Approximately when we can see?
Update buttons within Enhance regarding:
Enhance
Web apps
Database apps
Mail apps
With notifications from cp server when update is available to our inboxes and within the dashboard..
Etc.
@Adam

mendozal

Kosta I think most services: web servers, databases, and email services like Postfix and Dovecot, usually get updated with a regular apt update and apt upgrade. But other stuff like Roundcube might not be included and could need more attention/automation.

Kosta

mendozal I hope everything to get automated