
Resolved Roundcube 1.6.4 is released. When will plesk upgrade to it?

dlabsnl

Hello,
Roundcube 1.6.4 has been released to provide a fix; see below.

Roundcube Webmail 1.6.4 Latest
This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides a fix to a recently reported XSS vulnerability:
  • Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages (#9168) reported separately by Matthieu Faou (ESET) and Denys Klymenko.
This version is considered stable and we recommend to update all productive installations of Roundcube 1.6.x with it. Please do backup your data before updating!

When can we expect an update for it?
 
Hmm, well, for Plesk maybe not. It was only 12 days ago that we updated to Roundcube 1.6.3. I have no ETA yet for an update to 1.6.4.
 
Plesk has plans to upgrade Roundcube to 1.6.4 and - where applicable due to operating system limits - 1.4.15 in the next release which will probably be published in the middle of November.
 
Mid-November?

This is a security vulnerability that is already being exploited!

What's wrong with you?

You should fix / roll this out in a few hours!

With little understanding
Stephan Schröder
 
Plesk has plans to upgrade Roundcube to 1.6.4 and - where applicable due to operating system limits - 1.4.15 in the next release which will probably be published in the middle of November.

That is better than I initially expected, but since we are seeing active exploits, mid-November is not good enough. I'll raise a ticket now to increase urgency.
 
I'm surprised how fast an exploit can make the front page of Ars Technica :( Plesk is very quick at patching CVEs. I'm sure they are aware of the issue now that it's made the front page of the tech news sites.
 
We're currently planning to deliver the fix with a micro update 18.0.56 #2, which will be published sooner than the next regular update.
 
I've been using Horde because of this vulnerability and subsequent exploit. It'll be good to get back onto roundcube.
 
I've been using Horde because of this vulnerability and subsequent exploit. It'll be good to get back onto roundcube.
Yes, it is kind of a temporary workaround until the security update is available.

I would also like to suggest that everyone give SOGo Webmail a try if you do not have dependencies or requirements to use Roundcube specifically.
 
The Roundcube update is available in 18.0.56#2.
Install it via: Tools & Settings -> Updates


Plesk Obsidian 18.0.56 Update 2

Changes in Third-Party Components

Linux
  • Updated Roundcube to version 1.6.4.
  • Updated Roundcube to version 1.4.15.
 