
Resolved Roundcube 1.6.4 is released. When will Plesk upgrade to it?

dlabsnl

New Pleskian
Hello,
Roundcube 1.6.4 has been released to provide a fix; see below.

Roundcube Webmail 1.6.4 Latest
This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides a fix to a recently reported XSS vulnerability:
  • Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages (#9168) reported separately by Matthieu Faou (ESET) and Denys Klymenko.
This version is considered stable and we recommend to update all productive installations of Roundcube 1.6.x with it. Please do backup your data before updating!

When can we expect an update for it?
 
Hmm, well, for Plesk maybe not. It was only 12 days ago that we updated to Roundcube 1.6.3. I have no ETA yet for an update to 1.6.4.
 
Plesk has plans to upgrade Roundcube to 1.6.4 and - where applicable due to operating system limits - 1.4.15 in the next release which will probably be published in the middle of November.
 
Mid-November?

This is a security vulnerability that is already being exploited!

What's wrong with you?

You should fix / roll this out in a few hours!

With little understanding
Stephan Schröder
 
Plesk has plans to upgrade Roundcube to 1.6.4 and - where applicable due to operating system limits - 1.4.15 in the next release which will probably be published in the middle of November.

That is better than I initially expected, but since we are seeing active exploits, mid-November is not good enough. I'll raise a ticket now to increase urgency.
 
I'm surprised how fast an exploit can make the front page of Ars Technica :( Plesk is very quick at patching CVEs. I'm sure they are aware of the issue now that it's made the front page of the tech news sites.
 
We're currently planning to deliver the fix with a micro update 18.0.56 #2, which will be published sooner than the next regular update.
 
I've been using Horde because of this vulnerability and subsequent exploit. It'll be good to get back onto Roundcube.
 
I've been using Horde because of this vulnerability and subsequent exploit. It'll be good to get back onto Roundcube.
Yes, it is kind of a temporary workaround until the security update is available.

I would also like to suggest that everyone give SOGo Webmail a try if you do not have dependencies or requirements to use Roundcube specifically.
 
The Roundcube update is available in 18.0.56#2.
Install it via: Tools & Settings -> Updates


Plesk Obsidian 18.0.56 Update 2

Changes in Third-Party Components

Linux
  • Updated Roundcube to version 1.6.4.
  • Updated Roundcube to version 1.4.15.
 