Roundcube 1.3.3 released

unihostbrasil (Verified User; joined Nov 23, 2009; 210 messages; São Paulo - Brazil)
We just published updates to all stable versions from 1.1.x onwards delivering fixes for a recently discovered file disclosure vulnerability in Roundcube Webmail.

Apparently this zero-day exploit is already being used by hackers to read Roundcube’s configuration files. It requires a valid username/password as the exploit only works with a valid session. More details will be published soon under CVE-2017-16651.

The Roundcube series 1.0.x is not affected by this vulnerability but we nevertheless back-ported the fix in order to protect from yet unknown exploits.

See the full changelog for the corresponding version in the release notes on the GitHub download pages:

https://github.com/roundcube/roundcubemail/releases/tag/1.3.3
https://github.com/roundcube/roundcubemail/releases/tag/1.2.7
https://github.com/roundcube/roundcubemail/releases/tag/1.1.10
https://github.com/roundcube/roundcubemail/releases/tag/1.0.12

We strongly recommend updating all production installations of Roundcube to one of these versions.

In order to check whether your Roundcube installation has been compromised, check the access logs for requests like

?_task=settings&_action=upload-display&_from=timezone

As mentioned above, the file disclosure only works for authenticated users, and by finding such requests in the logs you should also be able to identify the account used for this unauthorized access. For mitigation we recommend changing all credentials to external services like the database or LDAP address books, and preferably also the 'des_key' option in your config.
 
The checksum on files* is different from the one on the Roundcube downloads page:

Code:
sha256 roundcubemail-1.3.3.tar.gz
SHA256(roundcubemail-1.3.3.tar.gz)= 2f65521c822bde98eb18d8a978b8933d77cec35cca1adca52d64f3fc9943609e

Just curious: are changes made by DA staff for compatibility?
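The access-log check the announcement describes, written out as an added example (not code from the Roundcube project or from the poster): it parses combined-format access log lines and flags requests carrying the advisory's indicator (`_task=settings`, `_action=upload-display`, plus a `_from` parameter) regardless of parameter order, so a plain grep for the literal string is not relied on. The log format and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: the web server writes Apache/nginx "combined" format lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def is_upload_display_probe(target):
    """True when the request carries the indicator from the advisory:
    _task=settings with _action=upload-display and a _from parameter,
    regardless of parameter order or URL encoding."""
    q = parse_qs(urlsplit(target).query)
    return (q.get("_task") == ["settings"]
            and q.get("_action") == ["upload-display"]
            and "_from" in q)

def find_probes(lines):
    """Return one record per matching request: client IP, timestamp,
    HTTP status and the _from value, for follow-up against login logs."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_upload_display_probe(m["target"]):
            continue
        q = parse_qs(urlsplit(m["target"]).query)
        hits.append({"ip": m["ip"], "time": m["ts"],
                     "status": int(m["status"]), "from": q["_from"][0]})
    return hits

# Constructed sample log lines (not real traffic); IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Nov/2017:10:01:02 +0000] "GET /roundcube/?_task=mail&_mbox=INBOX HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Nov/2017:10:02:40 +0000] "GET /roundcube/?_task=settings&_action=upload-display&_from=timezone HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Nov/2017:10:03:01 +0000] "GET /roundcube/?_action=upload-display&_from=timezone&_task=settings HTTP/1.1" 200 2048 "-" "curl/7.52.1"
198.51.100.7 - - [09/Nov/2017:10:03:05 +0000] "GET /roundcube/?_task=addressbook HTTP/1.1" 200 3100 "-" "curl/7.52.1"
"""

if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG.splitlines()):
        print(f'{hit["time"]} {hit["ip"]} status={hit["status"]} _from={hit["from"]}')
```

Correlate the flagged IPs and timestamps with Roundcube's own login log (the `log_logins` option) to identify the account; that file is not parsed here.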
 
Are we the only ones who run into problems after Roundcube has been updated?

Code:
Fatal error: Unknown: Failed opening required '/var/www/html/roundcube/index.php' (include_path='.:/usr/local/php56/lib/php') in Unknown on line 0

We had a similar problem with the last release. The solution is to restart php-fpm but that shouldn't be needed.

Just to confirm, you're not the only one. We had this as well on nginx + apache servers with php-fpm. Not sure what caused this, but the restart of php-fpm did indeed fix it for us as well.
 
It's probably due to OPcache? Do you have OPcache enabled for PHP? Then it explains why a PHP-FPM restart was required.
 
That would depend on your opcache settings. In most cases opcache isn't set to cache for an indefinite time on shared servers. Why doesn't it recover automatically and why is the restart not automated if this is required?
 
That's my guess. I did not test it to confirm. I faced this issue only once.
 