Just got this.
Correct me if I am wrong, but doesn't Hestia install Roundcube from source and currently use 1.6.10?
thanks
Hestia is installed from source: hestiacp/bin/v-add-sys-roundcube at main · hestiacp/hestiacp · GitHub
I wasn't able to find where we determine the version due to limited time. But maybe someone else can enlighten us :).
It seems roundcube upgrades are handled by apt-packages.
lol. Here ya go.
$rc_v is defined here
And yes, Roundcube is installed from source on my up-to-date Hestia install. Possibly at one time in the past Hestia used the package manager version. Not now, not on mine.
apt list --installed | grep roundcube
does not return a package
I was sorta disappointed that Roundcube didn't give a severity nor a CVE. When I looked at recent commits it didn't jump out at me either.
thanks for all the work on hestia
I don't have a /usr/share/roundcube. It appears you might if you have an old installation of Hestia that has been updated over time. On a fresh, current install of Hestia, Roundcube is installed from source.
Hi @jperkins
Thanks for sharing this update. As it fixes a security bug:
Fix Post-Auth RCE via PHP Object Deserialization reported by firs0v.
That basically means the vulnerability is an RCE (Remote Code Execution) and requires valid credentials to be exploited (i.e., it's post-auth). Even though a user must be logged in to take advantage of this vulnerability, I strongly recommend updating Roundcube immediately.
I've created this PR to bump Roundcube to version 1.6.11.
I already wrote a mini doc to update Roundcube but just in case here is an updated doc to update from version 1.6.10 to version 1.6.11.
Disclaimer: it should work fine BUT use this procedure at your own risk!
0.- BACKUP, always backup… just in case
Note: If you are using MySQL instead of MariaDB use mysqldump instead of mariadb-dump
mariadb-dump --defaults-file=/usr/local/hestia/conf/.mysql.localhost --single-transaction --routines -B roundcube > /tmp/roundcube_1.6.10.sql
tar zcf /tmp/roundcube_1.6.10_backup_before_upgrade_1.6.11.tar.gz /etc/roundcube /var/lib/roundcube /tmp/roundcube_1.6.10.sql
rm /tmp/roundcube_1.6.10.sql
Now save the backup file located at /tmp/roundcube_1.6.10_backup_before_upgrade_1.6.11.tar.gz to another place.
1.- Modify the upgrade.conf file so the Roundcube version is 1.6.11 instead of 1.6.10:
sed -i -E "s/^rc_v='1.6.10'/rc_v='1.6.11'/" /usr/local/hestia/install/upgrade/upgrade.conf
2.- Upgrade Roundcube using the Hestia command below. It will detect that Roundcube is installed, will detect the new version and will update it:
Note: if you have disabled the PHP functions system and proc_open in PHP CLI, you won't receive errors but Roundcube won't update to version 1.6.11, it will remain in version 1.6.10, so to avoid this problem, before continuing, remove both functions for your current PHP CLI version. These two commands will remove the functions from your current PHP CLI version (version is detected automatically).
sed -i -E 's/(^disable_functions.*),proc_open(.*$)/\1\2/' /etc/php/$(php -v | head -n1 | grep -o '[0-9]\.[0-9]')/cli/php.ini
sed -i -E 's/(^disable_functions.*),system(.*$)/\1\2/' /etc/php/$(php -v | head -n1 | grep -o '[0-9]\.[0-9]')/cli/php.ini
Now you can proceed with the upgrade:
v-add-sys-roundcube
3.- Update composer packages used by roundcube:
cd /var/lib/roundcube/
COMPOSER_ALLOW_SUPERUSER=1 composer -n update
If composer is not in your path, you should use the full path to the composer utility. If you don't even know whether you have it installed or how to install it, just install it for the administrator user (replace admin with the actual administrator if you use another admin user).
v-add-user-composer admin
If it is not installed, the command will install it for the admin user, and if you had it already installed, you will be informed. So, now that it is installed, you can update composer packages using the full path to composer (replace admin with the actual administrator if you use another admin user).
cd /var/lib/roundcube/
COMPOSER_ALLOW_SUPERUSER=1 /home/admin/.composer/composer -n update
That's all.
Yes, that's correct.
@sahsanu Thanks so much for the quick response. I was guessing it had to be a valid user to run the exploit but wasn't sure.
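A pre-flight check for the procedure above, written as an added example (it is not Hestia's code and not from the post): it reads rc_v from upgrade.conf, the version the source-installed Roundcube declares as RCMAIL_VERSION in program/include/iniset.php (an assumed location), and the CLI php.ini, and refuses to go ahead while system or proc_open is still listed in disable_functions, which is the silent-failure case the note in step 2 describes. Paths are the Hestia defaults named in the thread, passed as arguments so the checks can also be run against copies.

```shell
#!/bin/sh
# Added example, not part of Hestia: pre-flight check for the Roundcube 1.6.10 -> 1.6.11
# upgrade. It verifies what the procedure relies on before v-add-sys-roundcube is run.

# Print the rc_v value from a Hestia upgrade.conf (line format: rc_v='1.6.11').
configured_rc_version() {
    sed -n -E "s/^rc_v='([^']+)'.*/\1/p" "$1"
}

# Print the version the installed Roundcube declares. Assumption: a source install
# defines RCMAIL_VERSION in program/include/iniset.php below the Roundcube directory $1.
installed_rc_version() {
    sed -n -E "s/.*define\('RCMAIL_VERSION',[[:space:]]*'([^']+)'\).*/\1/p" \
        "$1/program/include/iniset.php"
}

# Return 0 when none of the function names given after the php.ini path $1 appears in
# its disable_functions directive; otherwise list the offenders on stderr and return 1.
cli_functions_enabled() {
    ini="$1"; shift
    disabled=$(sed -n -E 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$ini" | tr -d ' ')
    still_off=""
    for fn in "$@"; do
        case ",$disabled," in
            *",$fn,"*) still_off="$still_off $fn" ;;
        esac
    done
    [ -z "$still_off" ] && return 0
    echo "still listed in disable_functions of $ini:$still_off" >&2
    return 1
}

# Return 0 only when upgrade.conf ($1) asks for a version different from the one
# installed in $2 and the CLI php.ini ($3) leaves system and proc_open enabled;
# otherwise v-add-sys-roundcube would run without errors and keep the old version.
preflight() {
    want=$(configured_rc_version "$1"); have=$(installed_rc_version "$2")
    echo "installed: ${have:-unknown}  configured: ${want:-unknown}"
    [ -n "$want" ] && [ "$want" != "$have" ] || { echo "nothing to upgrade" >&2; return 1; }
    cli_functions_enabled "$3" system proc_open
}

# Hestia's default paths from the thread; pass --run to check a real server.
if [ "${1-}" = "--run" ]; then
    php_v=$(php -v | head -n1 | grep -o '[0-9]\.[0-9]')
    preflight /usr/local/hestia/install/upgrade/upgrade.conf /var/lib/roundcube \
        "/etc/php/$php_v/cli/php.ini"
fi
```

Run it as root with --run right after editing upgrade.conf; a non-zero exit means the sed commands from step 2 still need to be applied or there is no version change to apply.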
This write up was exactly what I was looking for.
I'm gonna wait till some other users attempt the manual update, as my Hestia is on bare metal and I haven't set up an easy way to roll back changes. On the other hand, I am the only user.
I do have a question about the PHP functions system and proc_open. Are you saying that they should be enabled or disabled? Initially it is written that the update won't work if they are disabled, but then it talks about removing both functions. My guess is you need them enabled after looking at the sed script, and you are talking about removing the functions from the disabled section. -edited
You're welcome.
For what it's worth, I've done it on 3 servers.
They should be enabled.
Yes, because you're removing them from the disable_functions directive, so by doing that, you're actually enabling them.
Thanks, I got mine updated. Had a little user error but I got it. Thanks so much for your quick response.
So, if I am the only System Administrator and no one else can access the Server, does that mean I am not involved? I manage the Servers of a Public Administration, one of which is dedicated exclusively to the users' email. However, users can only access via Roundcube Webmail. Thanks in advance for your help.
If users can access Roundcube, they could exploit the security bug; you must update your Roundcube.
Ah, ok! I understood that, in order to exploit the bug, it was necessary to have access to the server via terminal and not only from Roundcube Webmail. At this point, I should definitely proceed with the update. Thanks for the information.