Roundcube security update just released

Just got this.

Correct me if I am wrong, but doesn't Hestia install Roundcube from source and currently use 1.6.10?

thanks

1 Like

Hestia is installed from source: hestiacp/bin/v-add-sys-roundcube at main · hestiacp/hestiacp · GitHub

I wasn't able to find where we determine the version due to limited time. But maybe someone else can enlighten us :).

1 Like

It seems roundcube upgrades are handled by apt-packages.

lol. here ya go.

$rc_v is defined here

And yes, Roundcube is installed from source on my up-to-date Hestia install. Possibly at one time in the past Hestia used the package manager version. Not now, not on mine.

apt list --installed | grep roundcube does not return a package

I was sorta disappointed that Roundcube didn't give a severity nor a CVE. When I looked at recent commits it didn't jump out at me either.

thanks for all the work on hestia

2 Likes

I don't have a /usr/share/roundcube. It appears you might if you have an old installation of Hestia that has been updated over time. On a fresh, current install of Hestia, Roundcube is installed from source.

Hi @jperkins

Thanks for sharing this update. As it fixes a security bug:

Fix Post-Auth RCE via PHP Object Deserialization reported by firs0v.

That basically means the vulnerability is an RCE (Remote Code Execution) and requires valid credentials to be exploited (i.e., it’s post-auth). Even though a user must be logged in to take advantage of this vulnerability, I strongly recommend updating Roundcube immediately.

I’ve created this PR to bump Roundcube to version 1.6.11.

I already wrote a mini doc to update Roundcube, but just in case, here is an updated doc to update from version 1.6.10 to version 1.6.11.

Disclaimer: it should work fine BUT use this procedure at your own risk!

0.- BACKUP, always backup… just in case :wink:

Note: If you are using MySQL instead of MariaDB use mysqldump instead of mariadb-dump

mariadb-dump --defaults-file=/usr/local/hestia/conf/.mysql.localhost --single-transaction --routines -B roundcube > /tmp/roundcube_1.6.10.sql
tar zcf /tmp/roundcube_1.6.10_backup_before_upgrade_1.6.11.tar.gz /etc/roundcube /var/lib/roundcube /tmp/roundcube_1.6.10.sql
rm /tmp/roundcube_1.6.10.sql

Now save to another place the backup file located here /tmp/roundcube_1.6.10_backup_before_upgrade_1.6.11.tar.gz

1.- Modify upgrade.conf file so the Roundcube version is 1.6.11 instead of 1.6.10:

sed -i -E "s/^rc_v='1.6.10'/rc_v='1.6.11'/" /usr/local/hestia/install/upgrade/upgrade.conf

2.- Upgrade Roundcube using the Hestia command below. It will detect that Roundcube is installed, detect the new version and update it:

Note: if you have disabled the PHP functions system and proc_open in PHP CLI, you won't receive errors, but Roundcube won't update to version 1.6.11; it will remain at version 1.6.10. To avoid this problem, before continuing, remove both functions from the disable_functions list of your current PHP CLI version. These two commands will remove the functions for your current PHP CLI version (the version is detected automatically).

sed -i -E 's/(^disable_functions.*),proc_open(.*$)/\1\2/' /etc/php/$(php -v | head -n1 | grep -o '[0-9]\.[0-9]')/cli/php.ini
sed -i -E 's/(^disable_functions.*),system(.*$)/\1\2/' /etc/php/$(php -v | head -n1 | grep -o '[0-9]\.[0-9]')/cli/php.ini

Now you can proceed with the upgrade:

v-add-sys-roundcube

3.- Update composer packages used by roundcube:

cd /var/lib/roundcube/
COMPOSER_ALLOW_SUPERUSER=1 composer -n update

If composer is not in your path, you should use the full path to the composer utility. If you don't even know whether you have it installed or how to install it, just install it for the administrator user (replace admin with the actual administrator if you use another admin user).

v-add-user-composer admin

If it is not installed, the command will install it for the admin user, and if you already had it installed, you will be informed. So, now that it is installed, you can update the composer packages using the full path to composer (replace admin with the actual administrator if you use another admin user).

cd /var/lib/roundcube/
COMPOSER_ALLOW_SUPERUSER=1 /home/admin/.composer/composer -n update

That’s all.

9 Likes
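An added check script for the silent-failure case described in the procedure above (example code, not Hestia's and not from the post): it reads rc_v from upgrade.conf, reads the version constant from the installed Roundcube tree, and lists which of the functions v-add-sys-roundcube relies on are still in disable_functions. It assumes Roundcube defines RCMAIL_VERSION in program/include/iniset.php; file paths are arguments so the checks can be tried on copies.

```shell
#!/bin/sh
# Pre-flight / post-upgrade checks for a manual Roundcube bump on Hestia.
# Added example, not part of Hestia or the original post. Assumptions: the
# target version is stored as rc_v='x.y.z' in upgrade.conf, Roundcube's
# program/include/iniset.php defines RCMAIL_VERSION, and php.ini lists blocked
# functions in a disable_functions directive.

# Print the Roundcube version Hestia will install, read from upgrade.conf.
rc_target_version() {
    sed -n "s/^rc_v='\([^']*\)'.*/\1/p" "$1" | head -n1
}

# Print the version of the Roundcube tree actually on disk (RCMAIL_VERSION).
rc_installed_version() {
    sed -n "s/.*define('RCMAIL_VERSION', *'\([^']*\)').*/\1/p" "$1" | head -n1
}

# Print, one per line, the functions in disable_functions that the upgrade
# needs (system, proc_open). Commented-out directives are ignored; empty
# output means neither function is blocked.
blocked_required_functions() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" \
        | tr ',' '\n' | tr -d ' \t' \
        | grep -x -e system -e proc_open || true
}

# Return 0 when the tree on disk matches the version configured in upgrade.conf,
# i.e. v-add-sys-roundcube really did replace the old files.
rc_upgrade_applied() {
    [ -n "$(rc_installed_version "$2")" ] &&
    [ "$(rc_target_version "$1")" = "$(rc_installed_version "$2")" ]
}

# Stand-alone run against the real Hestia paths (only meaningful on a Hestia host).
if [ "${1:-}" = "--check" ]; then
    conf=/usr/local/hestia/install/upgrade/upgrade.conf
    ini=/etc/php/$(php -v | head -n1 | grep -o '[0-9]\.[0-9]')/cli/php.ini
    iniset=/var/lib/roundcube/program/include/iniset.php
    blocked=$(blocked_required_functions "$ini")
    [ -z "$blocked" ] || echo "php.ini still blocks: $(echo "$blocked" | tr '\n' ' ')"
    if rc_upgrade_applied "$conf" "$iniset"; then
        echo "Roundcube $(rc_installed_version "$iniset") matches upgrade.conf"
    else
        echo "On disk: $(rc_installed_version "$iniset"); upgrade.conf wants: $(rc_target_version "$conf")"
    fi
fi
```

Run it with --check before and after step 2; a non-empty "still blocks" line before the upgrade explains why the version on disk would not change.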

Yes, that’s correct.

@sahsanu Thanks so much for the quick response. I was guessing it had to be a valid user to run the exploit but wasn't sure.

This write up was exactly what I was looking for.
I'm gonna wait till some other users attempt the manual update, as my Hestia is on bare metal and I haven't set up an easy way to roll back changes. On the other hand, I am the only user.

I do have a question about the PHP functions system and proc_open. Are you saying that they should be enabled or disabled? Initially it is written that the update won't work if they are disabled, but then it talks about removing both functions. My guess, after looking at the sed script, is that you need them enabled and you are talking about removing the functions from the disabled section. -edited

You’re welcome.

For what it’s worth, I’ve done it on 3 servers.

They should be enabled.

Yes, because you’re removing them from the disable_functions directive, so by doing that, you’re actually enabling them :wink:

Thanks, I got mine updated. Had a little user error but I got it. Thanks so much for your quick response.

1 Like

So, if I am the only System Administrator and no one else can access the Server, does that mean I am not involved? I manage the Servers of a Public Administration, one of which is dedicated exclusively to the users’ email. However, users can only access via Roundcube Webmail. Thanks in advance for your help.

If users can access Roundcube, they could exploit the security bug; you must update your Roundcube.

Ah, ok! I understood that, in order to exploit the bug, it was necessary to have access to the server via terminal and not only from Roundcube Webmail. At this point, I should definitely proceed with the update. Thanks for the information.

1 Like