Author Topic: roundcube CVE-2023-5631  (Read 1241 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
roundcube CVE-2023-5631
« on: October 31, 2023, 08:09:20 PM »
CVE-2023-5631 - https://nvd.nist.gov/vuln/detail/CVE-2023-5631

Is an update planned?
Manual update fail, bad php version etc. Does anyone have version 1.4.15 of Roundcube?

Offline
*
Re: roundcube CVE-2023-5631
« Reply #1 on: November 05, 2023, 07:52:59 PM »
Roundcubemail has long been unsupported in cwp.  Now this is a security risk.  Each of my domains allows access to rouncubemail via the /webmail suffix. 

How will it turn off along with the whole roundube? 

Have you tried installing version 1.5.6?  I haven't tried it yet, but the 1.5.x series works for me, the php problem is from 1.6.x.

Edit:
I followed this guide, just change the version from 1.5.4 to 1.5.6 everywhere and it works:
https://www.alphagnu.com/topic/33-update-cwp-roundcube-mail-version-154-%E2%80%93-control-web-panel/
« Last Edit: November 05, 2023, 08:36:47 PM by tomkolp »

Offline
*****
Re: roundcube CVE-2023-5631
« Reply #2 on: November 06, 2023, 03:55:52 PM »
As far as I know, Sandeep's post there is the last semi-official word on roundcube under CWP. So that's where I have things -- 1.5.6.