Situation
Roundcube issued a vulnerability alert on 11-09-2017: CVE-2017-16651
Impact
Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017.
Call to Action
Roundcube was updated from version 1.2.5 to 1.2.7 in Plesk Onyx. Please consider upgrading as soon as possible.
For earlier versions, it is recommended to use Horde webmail instead.
Note: Roundcube may not work after the update. Please refer to "Roundcube is unable to send attachments in emails after the latest update" for a workaround.
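A version check against the affected ranges listed under Impact, as an added example that is not part of the original advisory and is not Plesk or Roundcube code. The function names are hypothetical, and it assumes the installed version can be read from the RCMAIL_VERSION constant in Roundcube's program/include/iniset.php, whose path on your server you pass in yourself.

```sh
#!/bin/sh
# Added example (not Plesk or Roundcube code): classify a Roundcube version
# against the affected ranges stated for CVE-2017-16651 in this advisory.

# Print the version defined in a Roundcube iniset.php given as $1.
# Assumption: the file holds a line like define('RCMAIL_VERSION', '1.2.5');
roundcube_version_from_file() {
    sed -n "s/.*define(['\"]RCMAIL_VERSION['\"],[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Exit status: 0 = affected, 1 = not affected, 2 = version not understood.
roundcube_is_affected() {
    rc_ver=${1%%[-+]*}                  # ignore suffixes such as -rc or -git
    case $rc_ver in ''|*[!0-9.]*) return 2 ;; esac
    rc_ifs=$IFS; IFS=.
    set -- $rc_ver                      # split on dots into $1 $2 $3
    IFS=$rc_ifs
    rc_major=${1-}; rc_minor=${2-0}; rc_patch=${3-0}
    for rc_part in "$rc_major" "$rc_minor" "$rc_patch"; do
        case $rc_part in ''|*[!0-9]*) return 2 ;; esac
    done
    if [ "$rc_major" -lt 1 ]; then return 0; fi   # 0.x is before 1.1.10
    if [ "$rc_major" -gt 1 ]; then return 1; fi   # newer than the listed ranges
    if   [ "$rc_minor" -lt 1 ]; then return 0     # 1.0.x is before 1.1.10
    elif [ "$rc_minor" -eq 1 ]; then rc_fixed=10  # before 1.1.10
    elif [ "$rc_minor" -eq 2 ]; then rc_fixed=7   # 1.2.x before 1.2.7
    elif [ "$rc_minor" -eq 3 ]; then rc_fixed=3   # 1.3.x before 1.3.3
    else return 1                                 # newer than the listed ranges
    fi
    [ "$rc_patch" -lt "$rc_fixed" ]               # affected if below the fixed patch level
}

# Constructed sample versions, for demonstration only.
for v in 1.1.9 1.2.5 1.2.7 1.3-rc 1.3.3; do
    if roundcube_is_affected "$v"; then
        echo "$v: affected, upgrade"
    else
        echo "$v: not in the affected ranges"
    fi
done
```

To check a real installation, feed the output of `roundcube_version_from_file` for your server's iniset.php into `roundcube_is_affected`.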
Comments
5 comments
Fixes for Plesk Onyx are available: https://docs.plesk.com/release-notes/onyx/change-log/#1753-mu29
Great, now we cannot add attachments to emails in Roundcube. Nice fix...
@Robin, Hi!
This issue has already been fixed in Plesk 17.5 update #30 and Plesk 17.0 update #41 which are already available for installation.
@Bulat Yeah, I noticed later... After I updated all of our shared servers...
Though there is no changelog yet for update 30 here https://docs.plesk.com/release-notes/onyx/change-log/
@Robin
That is correct, the changelog has not been updated yet. It is going to be updated at the nearest time.