DOC: How to update Roundcube to version 1.6.8 (fixes 6 security bugs)

Update to 1.8…12 and the issue should be solved as well!

Hi,

If you are using Hestia 1.8.11 and installed Roundcube, you should have version 1.6.5. Four months ago, Roundcube released version 1.6.6 (just a service release, so not too important), but three days ago a new Roundcube version 1.6.7 appeared, and this is a security release that fixes three vulnerabilities:

  • Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes.
  • Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences.
  • Fix command injection via crafted im_convert_path/im_identify_path on Windows.

Here are the release notes for version 1.6.7.

Update 2024-Aug-05: @heart1010 noticed that a new Roundcube version 1.6.8 has been released and it also fixes 3 security issues (@heart1010, thanks for sharing):

  • Fix XSS vulnerability in post-processing of sanitized HTML content [CVE-2024-42009]
  • Fix XSS vulnerability in serving of attachments other than HTML or SVG [CVE-2024-42008]
  • Fix information leak (access to remote content) via insufficient CSS filtering [CVE-2024-42010]

So, I’ve modified this doc to update to version 1.6.8 instead of 1.6.7.

Note: If you already updated from version 1.6.5 to 1.6.7, you can follow the same instructions, just replace 1.6.5 by 1.6.7 in all the commands.

Here are the release notes for version 1.6.8.

I think it is interesting to update our Roundcube installations, so here is this mini doc explaining how to do it manually. Keep in mind that this doc will work using Hestia 1.8.11 and Roundcube 1.6.5.

Disclaimer: it should work fine BUT use this procedure at your own risk!

0.- BACKUP, always backup… just in case :wink:

mysqldump --defaults-file=/usr/local/hestia/conf/.mysql.localhost --single-transaction --routines -B roundcube > /tmp/roundcube_1.6.5.sql
tar zcf /tmp/roundcube_1.6.5_backup_before_upgrade_1.6.8.tar.gz /etc/roundcube /var/lib/roundcube /tmp/roundcube_1.6.5.sql
rm /tmp/roundcube_1.6.5.sql

Now save the backup file located at /tmp/roundcube_1.6.5_backup_before_upgrade_1.6.8.tar.gz to another place.

1.- Modify upgrade.conf file so the Roundcube version is 1.6.8 instead of 1.6.5:

sed -Ei "s/^rc_v='1.6.5'/rc_v='1.6.8'/" /usr/local/hestia/install/upgrade/upgrade.conf

2.- Upgrade roundcube using the Hestia command below. It will detect that roundcube is installed, will detect the new version and will update it:

Edit: if you have disabled the php functions system and proc_open in PHP CLI, you won’t receive errors but Roundcube won’t update to version 1.6.8; it will remain at version 1.6.5. To avoid this problem, before continuing, remove both functions for your current PHP CLI version. These two commands will remove the functions from your current PHP CLI version (the version is detected automatically).

sed -i -E 's/(^disable_functions.*),proc_open(.*$)/\1\2/' /etc/php/$(php -v | head -n1 | grep -o '[0-9]\.[0-9]')/cli/php.ini
sed -i -E 's/(^disable_functions.*),system(.*$)/\1\2/' /etc/php/$(php -v | head -n1 | grep -o '[0-9]\.[0-9]')/cli/php.ini

Now you can proceed with the upgrade:

v-add-sys-roundcube

3.- Update composer packages used by roundcube:

cd /var/lib/roundcube/
COMPOSER_ALLOW_SUPERUSER=1 composer -n update

If composer is not in your path, you should use the full path to the composer utility. If you don’t even know whether you have it installed or how to install it, just install it for the admin user.

v-add-user-composer admin

If it is not installed, the command will install it for the admin user, and if you already had it installed, you will be informed. So, now that it is installed, you can update composer packages using the full path to composer.

cd /var/lib/roundcube/
COMPOSER_ALLOW_SUPERUSER=1 /home/admin/.composer/composer -n update

Hope it helps. Take care.

Cheers,
sahsanu


Thanks for sharing!


@sahsanu Does apt update not include roundcube updates?

Hestia doesn’t use roundcube apt package.


Perfect - thanks @sahsanu :+1:


When I run composer update I get this error:

Composer could not detect the root package (roundcube/roundcubemail) version, defaulting to ‘1.0.0’. See Troubleshooting - Composer

Upon checking the index.php file, it still shows 1.6.5 instead of 1.6.7.

Show all the commands and outputs for all the steps.

sed -Ei “s/^rc_v=‘1.6.5’/rc_v=‘1.6.7’/” /usr/local/hestia/install/upgrade/upgrade.conf

v-add-sys-roundcube

cd /var/lib/roundcube/

COMPOSER_ALLOW_SUPERUSER=1 /home/admin/.composer/composer -n update

root@ox:/var/lib/roundcube COMPOSER_ALLOW_SUPERUSER=1 /home/admin/.composer/composer -n update
Composer could not detect the root package (roundcube/roundcubemail) version, defaulting to ‘1.0.0’. See Troubleshooting - Composer
Loading composer repositories with package information
Updating dependencies
Nothing to modify in lock file
Installing dependencies from lock file (including require-dev)
Nothing to install, update or remove
Generating autoload files
4 packages you are using are looking for funding.
Use the composer fund command to find out more!
No security vulnerability advisories found.

Those quotes are not the right ones; I don’t know if you executed that command like that or if it is because the forum is converting the quotes.

Show the output of these commands:

grep rc_v /usr/local/hestia/install/upgrade/upgrade.conf
grep -o -E '[0-9]\.[0-9]\.[0-9]+' /var/lib/roundcube/index.php

rc_v=‘1.6.7’ (I actually used nano to verify it was correct)

and for the index.php file it shows

1.6.5

Then v-add-sys-roundcube is not updating it:

Check if you can download the roundcube package:

cd /tmp/
wget "https://github.com/roundcube/roundcubemail/releases/download/1.6.7/roundcubemail-1.6.7-complete.tar.gz" --retry-connrefused
ls -lh /tmp/roundcubemail-1.6.7-complete.tar.gz

Yes, it downloaded with no issue…

I’d like to view the outputs.

Anyway, then you should debug the reason v-add-sys-roundcube is not updating roundcube.

bash -x /usr/local/hestia/bin/v-add-sys-roundcube

The output of the above command will be too large. If you want to share it, use an external web service like pastebin, gist from github, etc.

The problem is that the system function is disabled in your php cli version, so you must enable it (to avoid issues updating composer packages, enable the proc_open function too).

To enable system and proc_open functions for your current php cli version, execute these commands:

sed -i -E 's/(^disable_functions.*),proc_open(.*$)/\1\2/' /etc/php/$(php -v | head -n1 | grep -o '[0-9]\.[0-9]')/cli/php.ini
sed -i -E 's/(^disable_functions.*),system(.*$)/\1\2/' /etc/php/$(php -v | head -n1 | grep -o '[0-9]\.[0-9]')/cli/php.ini

Once done, execute again:

v-add-sys-roundcube
cd /var/lib/roundcube/
COMPOSER_ALLOW_SUPERUSER=1 /home/admin/.composer/composer -n update

And now it should be updated.
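As an added example (not code from sahsanu’s post or from Hestia’s own scripts), covering both the step 2 note in the original doc and the reply above: a small POSIX sh pre-flight check that reads the installed version from index.php, decides whether the upgrade to 1.6.8 is still needed, reports whether system and proc_open are disabled in the PHP CLI php.ini, and removes them whatever their position in the list (the ",name" sed from the thread only matches when a comma precedes the name). The function names, TARGET and the sample file contents are assumptions, and it runs only against constructed sample files, not a real server.

```shell
# Added example, not from the original post or from Hestia: pre-flight checks for the
# manual Roundcube upgrade, as functions taking file paths so they can be tried on the
# constructed samples below before being pointed at a real server.
TARGET=1.6.8   # version the doc upgrades to
# Read the version string from Roundcube's index.php (same regex as in the thread).
rc_version_from_index() { grep -o -E '[0-9]+\.[0-9]+\.[0-9]+' "$1" | head -n1; }
# Return 0 when dotted version $1 is older than $2 (so 1.6.10 is newer than 1.6.8).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN { n = split(a, x, "."); m = split(b, y, "."); if (m > n) n = m
    for (i = 1; i <= n; i++) { if (x[i]+0 < y[i]+0) exit 0; if (x[i]+0 > y[i]+0) exit 1 }
    exit 1 }'
}

# Print those of $2.. still listed in disable_functions of php.ini $1; empty output
# means the PHP CLI can run what v-add-sys-roundcube and composer need.
php_cli_blocked() {
  ini=$1; shift
  list=$(sed -n -E 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$ini" | head -n1)
  for f in "$@"; do
    printf '%s\n' "$list" | tr ',' '\n' | tr -d ' ' | grep -qx "$f" && printf '%s\n' "$f"
  done
  return 0
}

# Remove the named functions from disable_functions wherever they sit (first, middle or
# last); the ",name" sed in the thread only matches when a comma precedes the name.
php_cli_enable() {
  ini=$1; shift
  for f in "$@"; do
    awk -v f="$f" '/^[[:space:]]*disable_functions[[:space:]]*=/ {
        split($0, kv, "="); n = split(kv[2], fs, ","); out = ""
        for (i = 1; i <= n; i++) { gsub(/[[:space:]]/, "", fs[i])
          if (fs[i] != "" && fs[i] != f) out = out (out == "" ? "" : ",") fs[i] }
        sub(/[[:space:]]*$/, "", kv[1]); print kv[1] " = " out; next }
      { print }' "$ini" > "$ini.tmp" && mv "$ini.tmp" "$ini"
  done
}

# Constructed samples (not real server files): a Roundcube 1.6.5 index.php header and a
# php.ini whose disable_functions list starts with proc_open and also contains system.
make_samples() {
  printf '<?php\n/*\n | Roundcube Webmail IMAP Client\n | Version 1.6.5\n*/\n' > "$1/index.php"
  printf 'disable_functions = proc_open,pcntl_alarm,exec,system,passthru,shell_exec,popen\n' > "$1/php.ini"
}
dir=$(mktemp -d); make_samples "$dir"
cur=$(rc_version_from_index "$dir/index.php")
version_lt "$cur" "$TARGET" && echo "installed $cur, upgrade to $TARGET needed"
blocked=$(php_cli_blocked "$dir/php.ini" system proc_open)
[ -n "$blocked" ] && echo "re-enable in the PHP CLI before v-add-sys-roundcube:" $blocked
php_cli_enable "$dir/php.ini" system proc_open && cat "$dir/php.ini"
```

On a real server you would point rc_version_from_index at /var/lib/roundcube/index.php and the php_cli_* functions at the cli/php.ini path used in the thread, then re-run php_cli_blocked after the upgrade to confirm what you re-enabled before deciding whether to disable it again.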

Same error; however, when I go into the GUI under configure php, these are the disabled functions:

disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,exec,system,passthru,shell_exec,popen

I removed system, still not working. I’m not sure why your sed did not work.

After running

grep -o -E '[0-9]\.[0-9]\.[0-9]+' /var/lib/roundcube/index.php

it shows 1.6.7? I guess it’s updated already then?

Not sure why I get this error when running composer:

Composer could not detect the root package (roundcube/roundcubemail) version, defaulting to ‘1.0.0’. See Troubleshooting - Composer

It’s more a warning than an error.

Yes, indeed the sed commands worked. Keep in mind that the commands I shared modify the php.ini for the PHP CLI version, and from the Web UI you are viewing the conf for the PHP FPM version, so you should add proc_open and system again to the disable_functions directive for the FPM version.

Yes, it’s updated.

You can try this:

cd /var/lib/roundcube/
COMPOSER_ALLOW_SUPERUSER=1 COMPOSER_ROOT_VERSION=1.6.7 /home/admin/.composer/composer update

Thanks, worked without any problem.


Perhaps this justifies a minor hestiacp update. It would help to automatically update servers of those not reading this thread.