Roundcube security update just released

jperkins · June 1, 2025, 1:23pm

Just got this.

Correct me if I am wrong but doesnt Hestia install roundcube from source and currently uses 1.6.10

thanks

Raphael · June 1, 2025, 2:24pm

Hestia is installed from source: hestiacp/bin/v-add-sys-roundcube at main · hestiacp/hestiacp · GitHub

I wasnt able to find where we determine the version due to limited time. But maybe someone else can enlight us :).

nu01 · June 1, 2025, 2:59pm

It seems roundcube upgrades are handled by apt-packages.

github.com/hestiacp/hestiacp

func/upgrade.sh

8bc495800


      
          upgrade_roundcube() {
          	if [ -n "$(echo "$WEBMAIL_SYSTEM" | grep -w 'roundcube')" ]; then
          		if [ -d "/usr/share/roundcube" ]; then
          			echo "[ ! ] Roundcube: Updates are currently managed using the apt package manager"

jperkins · June 1, 2025, 4:32pm

lol. here ya go.

$rc_v is defined here

github.com/hestiacp/hestiacp

install/upgrade/upgrade.conf

8bc495800


      
          
          # Check if update is required by matching versions if version != current version run update
          # Set version of phpMyAdmin to install during upgrade if not already installed
          pma_v='5.2.2'
          
          # Set version of phppgadmin to install during upgrade if not already installed
          pga_v='7.14.6'
          
          # Set version of RoundCube (Webmail) to update during upgrade if not already installed
          # Note: only applies to "non-apt installs >= 1.4.0 or manually phased out"
          rc_v='1.6.10'
          
          # Set version of SnappyMail (Webmail) to update during upgrade if not already installed
          sm_v='2.38.2'
          
          # Update the File Manager or it's configuration file
          # Check if Filegator requires an update based on current version and setting below
          # UPGRADE_UPDATE_FILEMANAGER_CONFIG: Updates only the configuration file if changes are made but now new issue has been issued!
          UPGRADE_UPDATE_FILEMANAGER_CONFIG='false'
          # Set version of File manager to update during upgrade if not already installed
          fm_v='7.13.0'

and yes the roundcube is installed by source on my up to date hestia install. Possibly at one time in the past hestia used the package manager version. Not now. not on mine

apt list --installed| grep roundcube does not return a package

I was sorta disappointed that Roundcube didn’t give a severity nor a CVE. When I looked at recent commits it didnt jump out at me either.

thanks for all the work on hestia

jperkins · June 1, 2025, 4:35pm

I dont have a /usr/share/roundcube. It appears you might if you have an old installation of hestia that has been updated over time. On a fresh, current install of hestia, roundcube is installed by source

sahsanu · June 1, 2025, 5:25pm

Hi @jperkins

Thanks for sharing this update. As it fixes a security bug:

Fix Post-Auth RCE via PHP Object Deserialization reported by firs0v.

That basically means the vulnerability is an RCE (Remote Code Execution) and requires valid credentials to be exploited (i.e., it’s post-auth). Even though a user must be logged in to take advantage of this vulnerability, I strongly recommend updating Roundcube immediately.

I’ve created this PR to bump Roundcube to version 1.6.11.

I already wrote a mini doc to update Rouncube but just in case here is an updated doc to update from version 1.6.10 to version 1.6.11.

Disclaimer: it should work fine BUT use this procedure at your own risk!

0.- BACKUP, always backup… just in case

Note: If you are using MySQL instead of MariaDB use mysqldump instead of mariadb-dump

mariadb-dump --defaults-file=/usr/local/hestia/conf/.mysql.localhost --single-transaction --routines -B roundcube > /tmp/roundcube_1.6.10.sql
tar zcf /tmp/roundcube_1.6.10_backup_before_upgrade_1.6.11.tar.gz /etc/roundcube /var/lib/roundcube /tmp/roundcube_1.6.10.sql
rm /tmp/roundcube_1.6.10.sql

Now save to another place the backup file located here /tmp/roundcube_1.6.10_backup_before_upgrade_1.6.11.tar.gz

1.- Modify upgrade.conf file so the Roundcube version is 1.6.11 instead of 1.6.10:

sed -i -E "s/^rc_v='1.6.10'/rc_v='1.6.11'/" /usr/local/hestia/install/upgrade/upgrade.conf

2.- Upgrade roundcube using below Hestia’s command. It will detect that roundcube is installed, will detect the new version and will update it:

Note: if you have disabled php functions system and proc_open in PHP CLI, you won’t receive errors but Roundcube won’t update to version 1.6.11, it will remain in version 1.6.10 so to avoid this problem, before continue, remove both functions for your current PHP CLI version. These two commands will remove the functions from your current PHP CLI version (version is detected automatically).

sed -i -E 's/(^disable_functions.*),proc_open(.*$)/\1\2/' /etc/php/$(php -v | head -n1 | grep -o '[0-9]\.[0-9]')/cli/php.ini
sed -i -E 's/(^disable_functions.*),system(.*$)/\1\2/' /etc/php/$(php -v | head -n1 | grep -o '[0-9]\.[0-9]')/cli/php.ini

Now you can proceed with the upgrade;

v-add-sys-roundcube

3.- Update composer packages used by roundcube:

cd /var/lib/roundcube/
COMPOSER_ALLOW_SUPERUSER=1 composer -n update

If composer is not in your path, you should use the full path to composer utility, if you don’t know even whether you have it installed or how to install it, just install it for administrator user (replace admin with the actual administrator if you use another admin user).

v-add-user-composer admin

If it is not installed, the command will install it for the admin user and if you had it already installed, you will be informed. So, now that it is installed you can update composer packages using the full path to composer (replace admin with the actual administrator if you use another admin user).

cd /var/lib/roundcube/
COMPOSER_ALLOW_SUPERUSER=1 /home/admin/.composer/composer -n update

That’s all.

sahsanu · June 1, 2025, 5:28pm

Yes, that’s correct.

jperkins · June 1, 2025, 6:31pm

@sahsanu Thanks so much for the quick response. I was guessing it had to be a valid user to run the exploit but wasnt sure.

This write up was exactly what I was looking for.
I’m gonna wait till some other users attempt the manual update as my hestia is on bare metal and I havent setup an easy way to roll back changes. On the other hand I am the only user

I do have a question about the php functions system and proc_open. are you saying that they should be enabled or disabled ? initially is is written that the update wont work if they are disabled but then it talks about removing both functions. My quess is you need them enabled after looking at the sed script. and you are talking about removing the functions from the disabled section. -edited

sahsanu · June 1, 2025, 8:28pm

You’re welcome.

For what it’s worth, I’ve done it on 3 servers.

They should be enabled.

Yes, because you’re removing them from the disable_functions directive, so by doing that, you’re actually enabling them

jperkins · June 1, 2025, 11:11pm

Thanks I got mine updated. Had a little user error but I got it. thanks so much for your quick response

Anthony · June 7, 2025, 10:26am

So, if I am the only System Administrator and no one else can access the Server, does that mean I am not involved? I manage the Servers of a Public Administration, one of which is dedicated exclusively to the users’ email. However, users can only access via Roundcube Webmail. Thanks in advance for your help.

sahsanu · June 7, 2025, 10:28am

If users can access to Roundcube, they could exploit the security bug, you must update your Roundcube.

Anthony · June 7, 2025, 4:44pm

Ah, ok! I understood that, in order to exploit the bug, it was necessary to have access to the server via terminal and not only from Roundcube Webmail. At this point, I should definitely proceed with the update. Thanks for the information.