Issue Roundcube 1.3.6 security update

[prprtl]

Yesterday Roundcube 1.3.6 was released with an important security update. Plesk, please update your included Roundcube packages for Plesk 12.5 and Onyx. Currently you are providing an insecure version of Roundcube bundled with Plesk.

From roundcube/roundcubemail

This is a security update to the stable version 1.3. It primarily fixes a recently discovered IMAP command injection vulnerability caused by insufficient input validation within the archive plugin. Details about the vulnerability are published under CVE-2018-9846.

Additionally, we back-ported some minor fixes from the master branch which improve PHP 7.2 compatibility as well as PGP signing and key handling for those who use the Enigma plugin. See the complete changelog below.

We strongly recommend to update all productive installations of Roundcube.
Please do backup your data before updating!

 

[prprtl]

Update for the LTS 1.2 version is now also available with the fixes. See roundcube/roundcubemail

 

[IgorG]

Updated Roundcube to version 1.3.6.

Change Log for Plesk

 

[learning_curve]

What will happen to Roundcube in 17.5.3 please? Currently, it's
Name : plesk-roundcube
Version : 1.2.7
Release : cos7.build1705171115.16
And this wasn't updated in the last update (#47) like 17.8.11 (#7) was

 

[IgorG]

And this wasn't updated in the last update (#47) like 17.8.11 (#7) was

All new updates and features we release for latest Plesk version first. After that, later, these updates may be released for older versions.

 

[learning_curve]

.....these updates may be released for older versions

"may be" We'll keep a look out for it then! We've not moved over to 17.8.11 as there still appears to be a few small issues to be solved yet, so we've switched to "Late adopter release" for a while.