DOC: How to update Roundcube to version 1.6.15 (fixes 1 security vulnerability and 2 regressions)

Hi,

Today, March 29th, 2026, Roundcube 1.6.15 has been released. It fixes 1 security vulnerability and 2 regressions.

Security fixes

  • Fix regression where mail search would fail on non-ascii search criteria (#10121)
  • Fix regression where some data url images could get ignored/lost (#10128)
  • Fix SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke

More info about the release:

I’ve created this PR to bump the Roundcube version to 1.6.15:

If you want to update Roundcube now, you can do it manually using the steps below.

Disclaimer: it should work fine BUT use this procedure at your own risk!

Note: I assume your Roundcube current installed version is 1.6.14.


0.- BACKUP, always backup… just in case :wink:

Note: If you use MySQL instead of MariaDB, replace mariadb-dump with mysqldump.

mariadb-dump --defaults-file=/usr/local/hestia/conf/.mysql.localhost --single-transaction --routines -B roundcube > /tmp/roundcube_1.6.14.sql
tar zcf /tmp/roundcube_1.6.14_backup_before_upgrade_1.6.15.tar.gz /etc/roundcube /var/lib/roundcube /tmp/roundcube_1.6.14.sql
rm /tmp/roundcube_1.6.14.sql

Now save to another place the backup file located here /tmp/roundcube_1.6.14_backup_before_upgrade_1.6.15.tar.gz

Example:

mv /tmp/roundcube_1.6.14_backup_before_upgrade_1.6.15.tar.gz /backup/

1.- Modify upgrade.conf file so the Roundcube version is 1.6.15 instead of 1.6.14:

sed -E -i "s/^rc_v='1.*/rc_v='1.6.15'/" /usr/local/hestia/install/upgrade/upgrade.conf

2.- Upgrade Roundcube using Hestia’s command below. It will detect that Roundcube is installed, detect the new version and update it:

If you have disabled the PHP functions system and proc_open in PHP CLI, you won’t receive errors but Roundcube won’t update to version 1.6.15; it will remain on version 1.6.14. To avoid this problem, before continuing, remove both functions from your current PHP CLI version. These two commands will remove the functions from your current PHP CLI version (the version is detected automatically).

sed -i -E 's/(^disable_functions.*),proc_open(.*$)/\1\2/' /etc/php/$(php -v | head -n1 | grep -o '[0-9]\.[0-9]')/cli/php.ini
sed -i -E 's/(^disable_functions.*),system(.*$)/\1\2/' /etc/php/$(php -v | head -n1 | grep -o '[0-9]\.[0-9]')/cli/php.ini

Now you can proceed with the upgrade:

v-add-sys-roundcube

3.- Update composer packages used by roundcube:

cd /var/lib/roundcube/
COMPOSER_ALLOW_SUPERUSER=1 composer -n update

If composer is not in your path, you should use the full path to the composer utility. If you don’t even know whether you have it installed or how to install it, just install it for the admin user.

v-add-user-composer admin

If it is not installed, the command will install it for the admin user, and if you already had it installed, you will be informed. Now that it is installed, you can update the composer packages using the full path to composer.

cd /var/lib/roundcube/
COMPOSER_ALLOW_SUPERUSER=1 /home/admin/.composer/composer -n update

Hope it helps. Take care.

6 Likes
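The two sed one-liners in step 2 only match `,proc_open` and `,system`, i.e. they do nothing when the function is the first entry of `disable_functions`, and the `$(php -v | ...)` substitution yields every `N.N` match on the line. The script below is an added example, written for this thread and not part of sahsanu's post or of Hestia: it removes both functions from a PHP CLI php.ini whatever their position, keeps every other entry, and checks the result before you run `v-add-sys-roundcube`. It only edits the file you pass it (on Hestia, `/etc/php/<ver>/cli/php.ini`), so the FPM pools keep their own restrictions. The demo data at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not part of sahsanu's post: helpers for step 2 that remove
# system and proc_open from a PHP CLI php.ini wherever they sit in the
# disable_functions list and verify the result before v-add-sys-roundcube.
# Only the file you pass is touched; on a Hestia box that would be
# /etc/php/<ver>/cli/php.ini (the FPM pools keep their own restrictions).

# PHP CLI major.minor, as in the post, but limited to the first match so the
# path never ends up with two version strings in it.
php_cli_version() {
    php -v 2>/dev/null | head -n1 | grep -o '[0-9]\+\.[0-9]\+' | head -n1
}

# Print $1 (a comma-separated disable_functions value) without entry $2.
# Handles first, middle, last and only positions and trims stray spaces.
strip_disabled_function() {
    printf '%s' "$1" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' \
        | grep -v -x -F -- "$2" | grep -v '^$' | paste -sd, -
}

# Rewrite the disable_functions line of ini file $1 so that system and
# proc_open are no longer listed; every other entry is kept as-is.
enable_cli_functions() {
    ini="$1"
    old=$(sed -n 's/^disable_functions[[:space:]]*=[[:space:]]*//p' "$ini" | head -n1)
    new=$(strip_disabled_function "$old" system)
    new=$(strip_disabled_function "$new" proc_open)
    # Escape characters that are special in the sed replacement.
    esc=$(printf '%s' "$new" | sed 's/\\/\\\\/g; s/[&#]/\\&/g')
    sed -i -E "s#^disable_functions[[:space:]]*=.*#disable_functions = $esc#" "$ini"
}

# Succeed only when neither system nor proc_open is disabled in ini file $1.
cli_functions_enabled() {
    ! sed -n 's/^disable_functions[[:space:]]*=//p' "$1" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' \
        | grep -q -x -E 'system|proc_open'
}

# Demo on a constructed copy of a Debian-style CLI php.ini (sample data).
demo_ini=$(mktemp)
cat > "$demo_ini" <<'EOF'
[PHP]
disable_functions = pcntl_alarm,system,exec,proc_open,shell_exec
memory_limit = -1
EOF
enable_cli_functions "$demo_ini"
echo "disable_functions now: $(sed -n 's/^disable_functions = //p' "$demo_ini")"
cli_functions_enabled "$demo_ini" && echo "system and proc_open are enabled for the CLI"
rm -f "$demo_ini"
# On the server: enable_cli_functions "/etc/php/$(php_cli_version)/cli/php.ini"
```

Run it once on a copy of your php.ini first; `cli_functions_enabled` is also handy after `v-add-sys-roundcube` to confirm the CLI restrictions are back if you re-add them later.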

Thank you! :clinking_beer_mugs:

2 Likes

Thanks for the update @sahsanu! It seems something is off in my install. Could you have a look? Thanks in advance.

root@host:~# cd /var/lib/roundcube/
root@host:/var/lib/roundcube# COMPOSER_ALLOW_SUPERUSER=1 composer -n update
Composer could not detect the root package (roundcube/roundcubemail) version, defaulting to '1.0.0'. See https://getcomposer.org/root-version
Loading composer repositories with package information
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Root composer.json requires phpunit/phpunit ^4.8.36 || ^5.7.21 || ^6 || ^7, found phpunit/phpunit[4.8.36, 5.7.21, ..., 5.7.27, 6.0.0, ..., 6.5.14, 7.0.0, ..., 7.5.20] but these were not loaded, because they are affected by security advisories ("PKSA-z3gr-8qht-p93v"). Go to https://packagist.org/security-advisories/ to find advisory details. To ignore the advisories, add them to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.

You’re welcome :wink:

Show the version of composer:

COMPOSER_ALLOW_SUPERUSER=1 composer -V

Also your composer.json and the list of /var/lib/roundcube/:

cat /var/lib/roundcube/composer.json
ls -la /var/lib/roundcube/

root@host:/var/lib/roundcube# COMPOSER_ALLOW_SUPERUSER=1 composer -V
Composer version 2.9.5 2026-01-29 11:40:53
PHP version 8.4.19 (/usr/bin/php8.4)
Run the "diagnose" command to get more detailed diagnostics output.
root@host:/var/lib/roundcube#
root@host:/var/lib/roundcube# cat /var/lib/roundcube/composer.json
{
    "name": "roundcube/roundcubemail",
    "description": "The Roundcube Webmail suite",
    "license": "GPL-3.0-or-later",
    "repositories": [
        {
            "type": "composer",
            "url": "https://plugins.roundcube.net"
        }
    ],
    "require": {
        "php": ">=7.3.0",
        "pear/pear-core-minimal": "~1.10.1",
        "pear/auth_sasl": "~1.1.0",
        "pear/mail_mime": "~1.10.0",
        "pear/net_smtp": "~1.10.0",
        "pear/crypt_gpg": "~1.6.3",
        "pear/net_sieve": "~1.4.5",
        "roundcube/plugin-installer": "~0.3.1",
        "roundcube/rtf-html-php": "~2.1",
        "masterminds/html5": "~2.7.0",
        "bacon/bacon-qr-code": "^2.0.0",
        "guzzlehttp/guzzle": "^7.3.0",
        "mlocati/ip-lib": "^1.22.0",
        "kolab/net_ldap3": "~1.1.4"
    },
    "suggest": {
        "bjeavons/zxcvbn-php": "^1.0 required for Zxcvbn password strength driver"
    },
    "config": {
        "allow-plugins": {
            "roundcube/plugin-installer": true
        }
    }
}
root@host:/var/lib/roundcube#
root@host:/var/lib/roundcube# ls -la /var/lib/roundcube/
total 416
drwxr-xr-x 13 www-data www-data   4096 Apr  1 00:15 .
drwxr-xr-x 65 root     root       4096 Apr  1 00:15 ..
-rwxr-xr-x  1 www-data www-data 219316 Mar 29 11:48 CHANGELOG.md
-rwxr-xr-x  1 www-data www-data  12714 Mar 29 11:48 INSTALL
-rwxr-xr-x  1 www-data www-data  35147 Mar 29 11:48 LICENSE
-rwxr-xr-x  1 www-data www-data   3853 Mar 29 11:48 README.md
-rwxr-xr-x  1 www-data www-data   1049 Mar 29 11:48 SECURITY.md
drwxr-xr-x  7 www-data www-data   4096 Mar 29 11:48 SQL
-rwxr-xr-x  1 www-data www-data   4657 Mar 29 11:48 UPGRADING
drwxr-xr-x  2 www-data www-data   4096 Mar 29 11:48 bin
-rwxr-xr-x  1 www-data www-data   1031 Mar 29 11:48 composer.json
-rwxr-xr-x  1 www-data www-data   1123 Mar 29 11:48 composer.json-dist
-rwxr-xr-x  1 www-data www-data  59320 Mar 29 11:48 composer.lock
drwxr-xr-x  2 www-data www-data   4096 Apr  1 00:25 config
-rwxr-xr-x  1 www-data www-data  11209 Mar 29 11:48 index.php
drwxr-xr-x  3 www-data www-data   4096 Mar 29 11:48 installer
drwxrwxr-x  2 www-data www-data   4096 Mar 29 11:48 logs
drwxr-xr-x 37 www-data www-data   4096 Mar 29 11:48 plugins
drwxr-xr-x  8 www-data www-data   4096 Mar 29 11:48 program
drwxr-xr-x  3 www-data www-data   4096 Mar 29 11:48 public_html
drwxr-xr-x  3 www-data www-data   4096 Mar 29 11:48 skins
drwxrwxr-x  2 www-data www-data   4096 Mar 29 11:48 temp
drwxr-xr-x 15 www-data www-data   4096 Mar 29 11:48 vendor
root@host:/var/lib/roundcube#

I think I was able to fix it (partly?) with AI. What should the group and owner be?

Ok, I see you changed owner and group to www-data, bad decision :stuck_out_tongue:

chown -R hestiamail:www-data /var/lib/roundcube/

Regarding composer, you should use this:

COMPOSER_ALLOW_SUPERUSER=1 composer -n update --no-dev

1 Like
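The reply above fixes two things: the ownership of /var/lib/roundcube (hestiamail:www-data, not www-data:www-data) and running composer with `--no-dev`, which is why the phpunit advisory no longer blocks the update. The script below is an added example, mine and not from the thread, Hestia or Roundcube, for checking an install after the upgrade: it reads the version Roundcube defines as `RCMAIL_VERSION` in program/include/iniset.php (an assumption about the layout) and counts entries whose owner or group differ from what you expect. The directory tree it builds at the bottom is constructed sample data; on the server you would point it at /var/lib/roundcube.

```shell
#!/bin/sh
# Added example, not from the thread: post-upgrade checks for a Hestia
# Roundcube install. The RCMAIL_VERSION lookup and the expected
# hestiamail:www-data ownership are assumptions based on the thread.

# Print the version Roundcube defines for itself (assumed to live in
# program/include/iniset.php as define('RCMAIL_VERSION', '...')).
roundcube_version() {  # $1 = roundcube root
    sed -n "s/.*define('RCMAIL_VERSION', *'\([^']*\)').*/\1/p" \
        "$1/program/include/iniset.php" 2>/dev/null | head -n1
}

# Count entries under $1 whose uid or gid is not $2/$3. Numeric ids are
# used so the check runs even where the expected account does not exist
# (in that case every entry is reported).
count_wrong_ownership() {  # $1 = dir, $2 = uid, $3 = gid
    find "$1" \( ! -uid "$2" -o ! -gid "$3" \) -print | wc -l | tr -d ' '
}

# Resolve a group name to its gid via /etc/group; numeric input is passed through.
group_id() {
    case "$1" in
        *[!0-9]*) awk -F: -v g="$1" '$1 == g { print $3 }' /etc/group ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# Report version and ownership; succeed only when both match expectations.
check_install() {  # $1 = root, $2 = owner, $3 = group, $4 = expected version
    uid=$(id -u "$2" 2>/dev/null) || { echo "no such user: $2"; return 2; }
    gid=$(group_id "$3")
    [ -n "$gid" ] || { echo "no such group: $3"; return 2; }
    ver=$(roundcube_version "$1")
    bad=$(count_wrong_ownership "$1" "$uid" "$gid")
    echo "version: ${ver:-unknown} (expected $4); entries not owned by $2:$3: $bad"
    [ "$ver" = "$4" ] && [ "$bad" = 0 ]
}

# Demo on a constructed tree owned by the current user (sample data).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/program/include"
printf "<?php\ndefine('RCMAIL_VERSION', '1.6.15');\n" > "$demo_root/program/include/iniset.php"
check_install "$demo_root" "$(id -un)" "$(id -g)" 1.6.15 && echo "install looks good"
rm -rf "$demo_root"
# On the server: check_install /var/lib/roundcube hestiamail www-data 1.6.15
```

If the version line still says 1.6.14 after `v-add-sys-roundcube`, the upgrade did not run at all (see the note on disabled PHP CLI functions in the first post); a non-zero ownership count means a `chown -R hestiamail:www-data /var/lib/roundcube/` is still needed.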

Thanks a lot @sahsanu!!

root@host:~# ls -la /var/lib/roundcube/
total 416
drwxr-xr-x 13 hestiamail www-data   4096 Apr  1 00:15 .
drwxr-xr-x 65 root       root       4096 Apr  1 00:15 ..
-rwxr-xr-x  1 hestiamail www-data 219316 Mar 29 11:48 CHANGELOG.md
-rwxr-xr-x  1 hestiamail www-data  12714 Mar 29 11:48 INSTALL
-rwxr-xr-x  1 hestiamail www-data  35147 Mar 29 11:48 LICENSE
-rwxr-xr-x  1 hestiamail www-data   3853 Mar 29 11:48 README.md
-rwxr-xr-x  1 hestiamail www-data   1049 Mar 29 11:48 SECURITY.md
drwxr-xr-x  7 hestiamail www-data   4096 Mar 29 11:48 SQL
-rwxr-xr-x  1 hestiamail www-data   4657 Mar 29 11:48 UPGRADING
drwxr-xr-x  2 hestiamail www-data   4096 Mar 29 11:48 bin
-rwxr-xr-x  1 hestiamail www-data   1031 Mar 29 11:48 composer.json
-rwxr-xr-x  1 hestiamail www-data   1123 Mar 29 11:48 composer.json-dist
-rwxr-xr-x  1 hestiamail www-data  59320 Mar 29 11:48 composer.lock
drwxr-xr-x  2 hestiamail www-data   4096 Apr  1 00:25 config
-rwxr-xr-x  1 hestiamail www-data  11209 Mar 29 11:48 index.php
drwxr-xr-x  3 hestiamail www-data   4096 Mar 29 11:48 installer
drwxrwxr-x  2 hestiamail www-data   4096 Mar 29 11:48 logs
drwxr-xr-x 37 hestiamail www-data   4096 Mar 29 11:48 plugins
drwxr-xr-x  8 hestiamail www-data   4096 Mar 29 11:48 program
drwxr-xr-x  3 hestiamail www-data   4096 Mar 29 11:48 public_html
drwxr-xr-x  3 hestiamail www-data   4096 Mar 29 11:48 skins
drwxrwxr-x  2 hestiamail www-data   4096 Mar 29 11:48 temp
drwxr-xr-x 15 hestiamail www-data   4096 Mar 29 11:48 vendor
root@host:~# cd /var/lib/roundcube
root@host:/var/lib/roundcube# COMPOSER_ALLOW_SUPERUSER=1 composer -n update --no-dev
Composer could not detect the root package (roundcube/roundcubemail) version, defaulting to '1.0.0'. See https://getcomposer.org/root-version
Loading composer repositories with package information
Updating dependencies
Lock file operations: 0 installs, 1 update, 0 removals
  - Upgrading symfony/deprecation-contracts (v2.5.4 => v3.6.0)
Writing lock file
Installing dependencies from lock file
Package operations: 0 installs, 1 update, 0 removals
  - Upgrading symfony/deprecation-contracts (v2.5.4 => v3.6.0): Extracting archive
Package pear/console_commandline is abandoned, you should avoid using it. No replacement was suggested.
Package pear/net_socket is abandoned, you should avoid using it. No replacement was suggested.
Generating autoload files
5 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
No security vulnerability advisories found.
root@host:/var/lib/roundcube#

1 Like

I did everything step by step, and it is still showing 1.6.14.

Show all the steps and the outputs.

service php8.3-fpm restart

Try running this command. It might help.