Roundcube security update just released

Hi @jperkins

Thanks for sharing this update. As it fixes a security bug:

Fix Post-Auth RCE via PHP Object Deserialization reported by firs0v.

That basically means the vulnerability is an RCE (Remote Code Execution) and requires valid credentials to be exploited (i.e., it’s post-auth). Even though a user must be logged in to take advantage of this vulnerability, I strongly recommend updating Roundcube immediately.

I’ve created this PR to bump Roundcube to version 1.6.11.

I already wrote a mini doc to update Roundcube, but just in case, here is an updated doc to update from version 1.6.10 to version 1.6.11.

Disclaimer: it should work fine BUT use this procedure at your own risk!

0.- BACKUP, always backup… just in case :wink:

Note: If you are using MySQL instead of MariaDB use mysqldump instead of mariadb-dump

mariadb-dump --defaults-file=/usr/local/hestia/conf/.mysql.localhost --single-transaction --routines -B roundcube > /tmp/roundcube_1.6.10.sql
tar zcf /tmp/roundcube_1.6.10_backup_before_upgrade_1.6.11.tar.gz /etc/roundcube /var/lib/roundcube /tmp/roundcube_1.6.10.sql
rm /tmp/roundcube_1.6.10.sql

Now save to another place the backup file located here /tmp/roundcube_1.6.10_backup_before_upgrade_1.6.11.tar.gz

1.- Modify upgrade.conf file so the Roundcube version is 1.6.11 instead of 1.6.10:

sed -i -E "s/^rc_v='1.6.10'/rc_v='1.6.11'/" /usr/local/hestia/install/upgrade/upgrade.conf

2.- Upgrade Roundcube using Hestia’s command below. It will detect that Roundcube is installed, detect the new version and update it:

Note: if you have disabled the PHP functions system and proc_open in PHP CLI, you won’t receive errors, but Roundcube won’t update to version 1.6.11; it will remain at version 1.6.10. To avoid this problem, before continuing, remove both functions for your current PHP CLI version. These two commands will remove the functions from your current PHP CLI version (the version is detected automatically).

sed -i -E 's/(^disable_functions.*),proc_open(.*$)/\1\2/' /etc/php/$(php -v | head -n1 | grep -o '[0-9]\.[0-9]')/cli/php.ini
sed -i -E 's/(^disable_functions.*),system(.*$)/\1\2/' /etc/php/$(php -v | head -n1 | grep -o '[0-9]\.[0-9]')/cli/php.ini

Now you can proceed with the upgrade:

v-add-sys-roundcube

3.- Update composer packages used by roundcube:

cd /var/lib/roundcube/
COMPOSER_ALLOW_SUPERUSER=1 composer -n update

If composer is not in your path, you should use the full path to the composer utility. If you don’t even know whether you have it installed or how to install it, just install it for the administrator user (replace admin with the actual administrator if you use another admin user).

v-add-user-composer admin

If it is not installed, the command will install it for the admin user and if you had it already installed, you will be informed. So, now that it is installed you can update composer packages using the full path to composer (replace admin with the actual administrator if you use another admin user).

cd /var/lib/roundcube/
COMPOSER_ALLOW_SUPERUSER=1 /home/admin/.composer/composer -n update

That’s all.

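A pre-flight and post-upgrade check script for the procedure in the post above, added here as an example; it is not part of the post and not Hestia's own code. It assumes the paths the post uses (/var/lib/roundcube, /usr/local/hestia/install/upgrade/upgrade.conf, /etc/php/<version>/cli/php.ini, the backup archive in /tmp) and assumes Roundcube records its own version as RCMAIL_VERSION in program/include/iniset.php. It confirms the backup archive is readable, that upgrade.conf has been bumped, that the installed version is actually older than 1.6.11, and it lists any disabled CLI functions that would make v-add-sys-roundcube leave the install at 1.6.10 without an error, which is the failure mode the post warns about. After the upgrade, the verify step refuses to report success while the installed version is still below the target.

```shell
#!/bin/sh
# Added example: pre-flight and post-upgrade checks for the Roundcube 1.6.10 -> 1.6.11
# procedure. Not from the original post or from Hestia. Paths are the ones the post uses;
# reading RCMAIL_VERSION from program/include/iniset.php is an assumption about Roundcube's layout.

RC_DIR=/var/lib/roundcube
TARGET_VERSION=1.6.11
UPGRADE_CONF=/usr/local/hestia/install/upgrade/upgrade.conf
BACKUP=/tmp/roundcube_1.6.10_backup_before_upgrade_1.6.11.tar.gz

# True (exit 0) when dotted version $1 is older than $2, compared component by component.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Print the version Roundcube reports about itself from an install directory.
installed_rc_version() {
    sed -n "s/.*define('RCMAIL_VERSION', *'\([^']*\)').*/\1/p" "$1/program/include/iniset.php"
}

# Print the version the Hestia upgrade script is configured to install (rc_v in upgrade.conf).
configured_rc_version() {
    sed -n "s/^rc_v='\([^']*\)'.*/\1/p" "$1"
}

# Print the entries of disable_functions in a php.ini that block v-add-sys-roundcube
# (the post names system and proc_open). Exit 1 when none are present.
blocking_disabled_functions() {
    sed -n 's/^disable_functions *= *//p' "$1" | tr ',' '\n' | tr -d ' ' | grep -E '^(system|proc_open)$'
}

# Path of the php.ini used by the PHP CLI on PATH, detected the same way the post does.
cli_php_ini() {
    echo "/etc/php/$(php -v | head -n1 | grep -o '[0-9]\.[0-9]')/cli/php.ini"
}

preflight() {
    installed=$(installed_rc_version "$RC_DIR")
    echo "installed Roundcube: $installed, target: $TARGET_VERSION"
    if ! version_lt "$installed" "$TARGET_VERSION"; then
        echo "nothing to do: installed version is not older than the target"; return 1
    fi
    if ! tar tzf "$BACKUP" >/dev/null 2>&1; then
        echo "backup archive $BACKUP is missing or unreadable; take the backup first"; return 1
    fi
    conf=$(configured_rc_version "$UPGRADE_CONF")
    if [ "$conf" != "$TARGET_VERSION" ]; then
        echo "upgrade.conf still says rc_v='$conf'; bump it to $TARGET_VERSION first"; return 1
    fi
    ini=$(cli_php_ini)
    blocked=$(blocking_disabled_functions "$ini" || true)
    if [ -n "$blocked" ]; then
        echo "these disabled CLI functions in $ini will make v-add-sys-roundcube fail silently:"
        echo "$blocked"; return 1
    fi
    echo "pre-flight OK, run v-add-sys-roundcube"
}

# Run after v-add-sys-roundcube: fail if the installed version did not actually change.
verify_upgrade() {
    now=$(installed_rc_version "$RC_DIR")
    if version_lt "$now" "$TARGET_VERSION"; then
        echo "Roundcube is still $now; the upgrade did not apply"; return 1
    fi
    echo "Roundcube is $now"
}

# Usage: sh rc-upgrade-check.sh preflight   (before v-add-sys-roundcube)
#        sh rc-upgrade-check.sh verify      (after it)
case "${1:-}" in
    preflight) preflight ;;
    verify) verify_upgrade ;;
esac
```

The checks are split into small functions on purpose: each one reads a single file and prints one value, so the same script can be dropped into a cron job or a change ticket as evidence that the post-auth deserialization fix is actually in place on the host rather than only requested in upgrade.conf.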