Roundcube vulnerability

Happy New Year :slight_smile:

My server appears to have been hit by this…


Can you pop that into the Bug Tracker? I suspect Jamie may want to know so he can expedite an updated copy of that.


I’ve added this to the bug tracker, but its screwed up the formatting as I posted a link…



For those updating to version 0.2 - save yourself sometime and make sure that you have PHP 5.2 installed, as this is now the minimum PHP version to use it.



Is there an updated install (upgrade) script coming?


There’s some details here:

But, the new RoundCube will be available in the next Virtualmin version.

To upgrade sooner, you can go into the "Upgrade to Un-Supported version" section of the Install Scripts, and enter "0.2-stable" for the RoundCube version to use.

The script fails because the SQL init/upgrade files have been renamed.

Is it enough to just restrict access to Roundcube with .htaccess?

Jamie has provided an amended script available here: