Resolved Roundcube not up-to-date on Plesk 12.5

[Visnet]

Plesk 12.5 is using Roundcube 1.2.1, which was last updated on 15 August 2016.

An important security update for Roundcube has been released as 1.2.5, see Release Roundcube Webmail 1.2.5 · roundcube/roundcubemail · GitHub

Could this update be applied and released for Plesk 12.5 (and up)?

 

[Visnet]

I noticed the Roundcube 1.2.4 update has been applied with the latest Plesk 12.5 MU 67: Change Log for Plesk

As mentioned above, version 1.2.5 released on April 28 contains an important security update.
Could this update be applied and released for Plesk 12.5?

Thank you.

 

[IgorG]

CVE-2017-8114 does not affect Plesk, because Roundcube configured by Plesk does not use virtualmin and sasl password drivers (it uses poppassd driver):

[root@a10-52-46-30 ~]# cat /usr/share/psa-roundcube/plugins/password/config.inc.php
<?php
 
// Poppassd Driver options
// -----------------------
// The host which changes the password
$config['password_driver'] = 'poppassd';
$config['password_pop_host'] = 'localhost';
 
// TCP port used for poppassd connections
$config['password_pop_port'] = 106;

CVE-2017-6820 was fixed in Roundcube 1.2.4

 

[Visnet]

CVE-2017-8114 does not affect Plesk, because Roundcube configured by Plesk does not use virtualmin and sasl password drivers (it uses poppassd driver):

[...]

CVE-2017-6820 was fixed in Roundcube 1.2.4

Thank you for indicating, IgorG. Informative and useful.