1

Topic: Zero day vulnerability found in Roundcubemail-0.8.5 and older releases

Dear all,

There's a zero day vulnerability found in Roundcubemail-0.8.5 and older releases, please upgrade your running Roundcube webmail to the latest roundcubemail-0.8.6 immediately. Here's the upgrade tutorial:
http://iredmail.org/wiki/index.php?titl … be.Webmail

About the zero day vulnerability, please refer to this thread:
http://lists.roundcube.net/pipermail/de … 22328.html

P.S. I re-packed iRedMail-0.8.4 with roundcubemail-0.8.6, so if you're going to set up a new iRedMail server, you don't need to worry about this vulnerability.
https://bitbucket.org/zhb/iredmail/downloads

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2

Re: Zero day vulnerability found in Roundcubemail-0.8.5 and older releases

Thank you for this. Running through the instructions I noticed a couple of things (Ubuntu 12.04):

  1. All the roundcube files had user 501, group 80, which I haven't had before. I wonder if there was a missed chown command in your instructions?

  2. I believe your sentence "If the installer reports your server misses some required packages or PHP modules, please install them manually to fix them." should be moved to immediately below "Access Roundcube installer with this URL: httpS://your_server/mail/installer , it will validate required packages, PHP modules and database structure.". Maybe it was just me, but I assumed that I should run the installer at that first line.

Lastly, I couldn't remember which plugins I was using, beyond the standard password and managesieve. Assuming all the plugins have a config.inc.php, I found a simple find to be useful; it might be worth adding at the bottom of the instructions, for those unfamiliar with find:

# find /usr/share/apache2/roundcubemail-0.8.5/plugins/ -name config.inc.php

3

Re: Zero day vulnerability found in Roundcubemail-0.8.5 and older releases

chrisjrob wrote:

All the roundcube files had a user 501 group 80, which I haven't had before, I wonder if there was a missed chown command in your instructions?

Bug in the wiki tutorial, fixed a moment ago.
Roundcube files should be owned by the Apache daemon user/group, so a "chown -R" is required.

chrisjrob wrote:

I believe your sentence "If the installer reports your server misses some required packages or PHP modules, please install them manually to fix them." should be moved to immediately below "Access Roundcube installer with this URL: httpS://your_server/mail/installer , it will validate required packages, PHP modules and database structure.". Maybe it was just me, but I assumed that I should run the installer at that first line.

Fixed. No installer anymore.

chrisjrob wrote:

Lastly, I couldn't remember which plugins I was using

The best way is to check the old config file "config/main.inc.php": the "plugins" option lists all enabled plugin names. For example:

$rcmail_config['plugins'] = array("password", "managesieve");

4

Re: Zero day vulnerability found in Roundcubemail-0.8.5 and older releases

How are you going to update the roundcubemail config files without the installer?

This is what I get from the Roundcube wiki:

Download your config/main.inc.php and config/db.inc.php files and place them in your config folder so you will not have to copy them over later.

Be sure to check config/main.inc.php.dist and config/db.inc.php.dist to make sure you have any new settings that may have appeared in the new version! Some people may prefer to copy the new .dist files and recreate their needed changes, but preferred way is to use installer (or update.sh script).

5

Re: Zero day vulnerability found in Roundcubemail-0.8.5 and older releases

Copy sample files from new version of Roundcube, then sync settings from old version.

6

Re: Zero day vulnerability found in Roundcubemail-0.8.5 and older releases

ZhangHuangbin wrote:

Copy sample files from new version of Roundcube, then sync settings from old version.

Sync using diff to compare the differences between the new and old config files?
Can you give me an example of how to do it?

7

Re: Zero day vulnerability found in Roundcubemail-0.8.5 and older releases

Just check new and old config files manually in your favorite text editor.
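The steps discussed in this thread (chown the new tree to the web server user, read the enabled plugins out of the old config/main.inc.php, find the plugin config.inc.php files to carry over, and compare the old config against the new .dist file) can be scripted. The following is an added example, not code from the thread or from the iRedMail or Roundcube projects. It builds a small constructed sample tree under a temporary directory so it runs offline; the version paths, the sample config lines and the placeholder key values are assumptions for illustration, and the plugins line is assumed to sit on a single line as in the post above.

```shell
#!/bin/sh
# Added example: helpers for a manual Roundcube 0.8.x upgrade.
# Not part of the forum thread or of iRedMail/Roundcube.

# Print the plugin names enabled in a Roundcube 0.8 config/main.inc.php,
# one per line. Assumes the "plugins" array is written on one line.
enabled_plugins() {
    sed -n 's/^[[:space:]]*\$rcmail_config\[.plugins.\][[:space:]]*=[[:space:]]*array(\(.*\));.*/\1/p' "$1" \
        | grep -oE "['\"][A-Za-z0-9_]+['\"]" \
        | tr -d "'\""
}

# Print every $rcmail_config['...'] option key set in a config file, sorted.
config_keys() {
    grep -oE '^[[:space:]]*\$rcmail_config\[.[A-Za-z0-9_]+.\]' "$1" \
        | sed 's/.*\[.\([A-Za-z0-9_]*\).\].*/\1/' \
        | sort -u
}

# Print option keys present in the new .dist file ($1) but absent from the
# old config ($2): these are the settings to review after the upgrade.
new_options() {
    old_keys=$(config_keys "$2")
    config_keys "$1" | while read -r key; do
        printf '%s\n' "$old_keys" | grep -qx "$key" || printf '%s\n' "$key"
    done
}

# List plugin config files in an installation (the find from post 2).
plugin_configs() {
    find "$1/plugins" -name config.inc.php
}

# Give the whole tree to the web server account ($2 is "user:group",
# e.g. www-data:www-data on Ubuntu); the missing step from post 3.
fix_ownership() {
    chown -R "$2" "$1"
}

# Count files under $1 not owned by user $2 (0 means the chown worked).
wrong_owner_count() {
    find "$1" ! -user "$2" | wc -l
}

# ---- constructed sample tree (assumption: not a real install) ----
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
RC_OLD="$WORK/roundcubemail-0.8.5"
RC_NEW="$WORK/roundcubemail-0.8.6"
mkdir -p "$RC_OLD/config" "$RC_OLD/plugins/password" \
         "$RC_OLD/plugins/managesieve" "$RC_OLD/plugins/archive" \
         "$RC_NEW/config"
cat > "$RC_OLD/config/main.inc.php" <<'EOF'
<?php
$rcmail_config['default_host'] = 'localhost';
$rcmail_config['des_key'] = 'PLACEHOLDER-OLD-DES-KEY';
$rcmail_config['plugins'] = array("password", "managesieve");
EOF
touch "$RC_OLD/plugins/password/config.inc.php" \
      "$RC_OLD/plugins/managesieve/config.inc.php"
cat > "$RC_NEW/config/main.inc.php.dist" <<'EOF'
<?php
$rcmail_config['default_host'] = '';
$rcmail_config['des_key'] = 'PLACEHOLDER-DIST-DES-KEY';
$rcmail_config['plugins'] = array();
$rcmail_config['session_lifetime'] = 10;
EOF

# ---- usage ----
echo "Enabled plugins in the old config:"
enabled_plugins "$RC_OLD/config/main.inc.php"
echo "Plugin config files to carry over:"
plugin_configs "$RC_OLD"
echo "Options present in the new .dist but not in the old config:"
new_options "$RC_NEW/config/main.inc.php.dist" "$RC_OLD/config/main.inc.php"
```

Run it with sh; only the chown step needs root on a real server. When syncing settings, copy secrets such as des_key and the db.inc.php credentials from the old config rather than accepting the .dist values, and once the upgrade is done make sure the installer directory is not reachable from the web.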

8

Re: Zero day vulnerability found in Roundcubemail-0.8.5 and older releases

I've upgraded Roundcube to 0.9.1, all config synced.
I have only one problem: the managesieve filter doesn't work.
It appears in RoundCube - Filter, but I'm unable to click on it or view the vacation filter.
Any idea?

Thank you

9

Re: Zero day vulnerability found in Roundcubemail-0.8.5 and older releases

ZhangHuangbin wrote:

Just check new and old config files manually in your favorite text editor.

Using the installer to update the config files also works, right?

10

Re: Zero day vulnerability found in Roundcubemail-0.8.5 and older releases

hata_ph wrote:

Using the installer to update the config files also works, right?

It should be fine, but I suggest you check the config file generated by the installer.

11

Re: Zero day vulnerability found in Roundcubemail-0.8.5 and older releases

ZhangHuangbin wrote:
hata_ph wrote:

Using the installer to update the config files also works, right?

It should be fine, but I suggest you check the config file generated by the installer.

Thanks for the clarification.