Resolved Roundcube CVE 2024 - when does Plesk release an update?

[smaxxx]

Server operating system version

AlmaLinux 8

Plesk version and microupdate number

18.0.62.2

Hi,

the current Roundcube version 1.6.7 has severe CVEs, see Release Roundcube Webmail 1.6.8 · roundcube/roundcubemail

When does Plesk update Roundcube to 1.6.8? Did not find anything in the Plesk KB about this issue.

 

[learning_curve]

For whatever reason, Plesk seem to always be way behind with Roundcube updates (see my own thread here, on a different Roundcube matter, but there's previous threads to this too, again, all related to Roundcube / Plesk) This, despite Roundcube perhaps being, the most popular e-mail service for Plesk users. Good to see that you've posted this @smaxxx and looking forwards to a swift reply from Plesk, which hopefully, really should be; Plesk supporting Roundcube 1.6.8, on PHP 8.3, on the next Obsdian release, but with legacy support for older OS / older Roundcube releases - all of the latter, at user's own risk.

 

[Sebahat.hadzhi]

Hello, everyone. Our team is already actively working on updating RoundCube to 1.6.8. We are planning to release the hotfix in the upcoming week. We would like to thank you in advance for your patience in the meantime.

 

[Flashdown]

For those like me who cannot wait, here are all the 3 fixes for the CVE's to fix on your own risk, as always..hf!

• Fix XSS vulnerability in post-processing of sanitized HTML content [CVE-2024-42009]

Fix XSS vulnerability in post-processing of sanitized HTML content [C… · roundcube/roundcubemail@68af7c8

…VE-2024-42009] Credits to Oskar Zeino-Mahmalat (https://www.sonarsource.com)

github.com

• Fix XSS vulnerability in serving of attachments other than HTML or SVG [CVE-2024-42008]

- Fix XSS vulnerability in serving of attachments other than HTML or … · roundcube/roundcubemail@89c8fe9

…SVG [CVE-2024-42008] Credits to Oskar Zeino-Mahmalat (Sonar) https://www.sonarsource.com

github.com

• Fix information leak (access to remote content) via insufficient CSS filtering [CVE-2024-42010]

Fix information leak (access to remote content) via insufficient CSS … · roundcube/roundcubemail@602d0f5

…filtering [CVE-2024-42010] Credits to Oskar Zeino-Mahmalat (Sonar) https://www.sonarsource.com

github.com

 

[Flashdown]

Adding: and I guess you don't want to miss the Regression/follow-up for CVE-2024-42008 as well Fix regression where printing/scaling/rotating image attachments was … · roundcube/roundcubemail@32fed15

 

[Maarten]

Hello, everyone. Our team is already actively working on updating RoundCube to 1.6.8. We are planning to release the hotfix in the upcoming week. We would like to thank you in advance for your patience in the meantime.

Please release a hotfix for Plesk Obsidian 18.0.63 and Plesk Obsidian 18.0.62. We don't want to install 18.0.63 yet, as it's just been released.

 

[Sebahat.hadzhi]

Hello, everyone. I just wanted to inform you that we released a hotfix with RoundCube vulnerability patches and version update to 1.6.8. Plesk Obsidian 18.0.63 Update 1:

• Updated Roundcube to version 1.6.8.
• Updated Roundcube 1.4.15 to fix the CVE-2024-42008, CVE-2024-42009 and CVE-2024-42010 vulnerabilities.

We understand that some of you are still using Plesk 18.0.62 given that the new version was recently released. However, after thorough consideration and taking into account that we have not observed any major issues with Plesk Obsidian 18.0.63, the hotfix was released only for the current version and we would advise to upgrade.

 

[Bitpalast]

Has the case Question - Problems on Roundcube v1.67 after upgrade been checked and can you confirm that there are no issues on the Plesk side with an upgrade to 18.0.63 in combination with a Roundcube update?

 

[Kaspar@Plesk]

Has the case Question - Problems on Roundcube v1.67 after upgrade been checked and can you confirm that there are no issues on the Plesk side with an upgrade to 18.0.63 in combination with a Roundcube update?

According to user, his issue was related to mod security. As far as I can see there are currently no issues related to Roundcube known to us. (FWIW I have been using v1.67 without any issues in production for about 3 months now).