roundcubemail: upgrade to 1.6.8

[stephdl]

A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header.

Proposed solution

To address this vulnerability, it is essential to upgrade to Roundcube version 1.6.8, where the issue has been resolved.

Alternative solutions

no much ways, we cannot fix this CVE without upgrading

Additional context

we use actually roundcubemail:1.6.6-apache, we have subtasks

• [x] upgrade ns8-roundcubemail (minor upgrade of mariadb dependency)
• [x] upgrade ns8-roundcubemail-next

See also

https://mattermost.nethesis.it/nethesis/pl/ro981m1d43guje3rcpu4d7ay8e

https://www.cve.org/CVERecord?id=CVE-2024-42008

---

thank nick

[stephdl]

QA

we expect to upgrade to roundcubemail to 1.6.8 for both NS7 and NS8

• test1 on NS8 Install openldap and mail Install ns8-roundcubemail:2.0.2 (stable version) Configure roundcubemail create some emails and also some contacts (we upgrade mysql to a minor version 10.11.9 from 10.11.5, we want to test the upgrade) upgrade to ghcr.io/nethserver/roundcubemail:2.0.3-dev.1 no error expected in logs or in the UI, previous contacts must be there

• test2 on NS8 Install openldap and mail Install ghcr.io/nethserver/roundcubemail:2.0.3-dev.1 (testing version) Configure roundcubemail create some emails and also some contacts no error expected in logs or in the UI

• test3 on NS7 Install openldap Install nethserver-roundcubemail-next Configure roundcubemail create some emails and also some contacts upgrade to nethserver-roundcubemail-next testing yum install http://packages.nethserver.org/nethserver/7.9.2009/testing/x86_64/Packages/nethserver-roundcubemail-next-1.5.7-1.2.gb07db48.ns7.noarch.rpm no error expected in logs or in the UI

• test4 on NS7 Install openldap install nethserver-roundcubemail-next testing yum install http://packages.nethserver.org/nethserver/7.9.2009/testing/x86_64/Packages/nethserver-roundcubemail-next-1.5.7-1.2.gb07db48.ns7.noarch.rpm Configure roundcubemail create some emails and also some contacts no error expected in logs or in the UI

[lucagasparini]

Test 1 on NS8 (upgrade)> OK Test 2 on NS8 (install)> OK Test 3 on NS7 (upgrade)> OK Test 4 on NS7 (install)> OK

[stephdl]

released as ghcr.io/nethserver/roundcubemail:2.0.3 released as nethserver-roundcubemail-next-1.5.8-1.ns7.noarch.rpm

set closed