
Resolved Roundcube CVE 2024 - when does Plesk release an update?

For whatever reason, Plesk seem to always be way behind with Roundcube updates (see my own thread here, on a different Roundcube matter, but there are previous threads on this too, again, all related to Roundcube / Plesk). This, despite Roundcube perhaps being the most popular e-mail service for Plesk users. Good to see that you've posted this @smaxxx and looking forward to a swift reply from Plesk, which hopefully, really should be: Plesk supporting Roundcube 1.6.8, on PHP 8.3, on the next Obsidian release, but with legacy support for older OS / older Roundcube releases - all of the latter, at user's own risk.
 
Hello, everyone. Our team is already actively working on updating RoundCube to 1.6.8. We are planning to release the hotfix in the upcoming week. We would like to thank you in advance for your patience in the meantime.
 
For those like me who cannot wait, here are all 3 fixes for the CVEs, to fix at your own risk, as always... hf!
  • Fix XSS vulnerability in post-processing of sanitized HTML content [CVE-2024-42009]
  • Fix XSS vulnerability in serving of attachments other than HTML or SVG [CVE-2024-42008]
  • Fix information leak (access to remote content) via insufficient CSS filtering [CVE-2024-42010]
 

Please release a hotfix for Plesk Obsidian 18.0.63 and Plesk Obsidian 18.0.62. We don't want to install 18.0.63 yet, as it's just been released.
 
Hello, everyone. I just wanted to inform you that we released a hotfix with RoundCube vulnerability patches and version update to 1.6.8. Plesk Obsidian 18.0.63 Update 1:


We understand that some of you are still using Plesk 18.0.62 given that the new version was recently released. However, after thorough consideration and taking into account that we have not observed any major issues with Plesk Obsidian 18.0.63, the hotfix was released only for the current version and we would advise upgrading.
 