Author Topic: Roundcube big security issue.  (Read 4134 times)

Re: Roundcube big security issue.
« Reply #15 on: February 04, 2024, 07:24:10 PM »
My production versions where I found this issue initially were

AlmaLinux release 8.8
CWPpro version: 0.9.8.1160

Current versions
Distro Name: AlmaLinux release 8.9 (Midnight Oncilla)
CWPpro version: 0.9.8.1174

I will apply the update on one of these servers; let's see if the issue is fixed or not.

Re: Roundcube big security issue.
« Reply #16 on: February 04, 2024, 08:58:31 PM »
Let us know.

I'm testing on AL 8.9 with CWPpro 0.9.8.1174

Re: Roundcube big security issue.
« Reply #17 on: February 05, 2024, 03:41:30 AM »
@Vinayak If you haven't updated your AlmaLinux servers in a while, you had mentioned 8.8.

You will need to install the new AlmaLinux GPG Keys first: https://almalinux.org/blog/2023-12-20-almalinux-8-key-update/

Re: Roundcube big security issue.
« Reply #18 on: February 05, 2024, 05:40:24 AM »
As I mentioned in my previous post, on my production servers AlmaLinux is updated to release 8.9 (Midnight Oncilla) & CWPpro version to 0.9.8.1174. I update my servers on a regular basis.

For AlmaLinux GPG keys, below is the result of the command "rpm -q gpg-pubkey-ced7258b-6525146f":

gpg-pubkey-ced7258b-6525146f

This shows the latest GPG keys are installed & trusted.

Re: Roundcube big security issue.
« Reply #19 on: February 08, 2024, 09:04:14 PM »
As I am still trying to fix this, I am wondering whether cwpsrv/nginx is blocking access to these log and other crucial files or not.

Any idea where to check the configuration/directives for cwpsrv/nginx to make sure on this issue?

Or is some other mechanism in use to secure such files and paths?

Re: Roundcube big security issue.
« Reply #20 on: April 26, 2024, 06:32:48 PM »
Yes, ModSecurity.
I have Comodo rules installed with ModSecurity, and it is blocking this access.

Regards,
Netino

Re: Roundcube big security issue.
« Reply #21 on: April 26, 2024, 07:38:17 PM »
We are running ModSecurity with Comodo ruleset 1.241 with no problems.

Not a ModSecurity and/or Comodo issue.