mail-in-a-box / mailinabox

Mail-in-a-Box helps individuals take back control of their email by defining a one-click, easy-to-deploy SMTP+everything else server: a mail server in a box.
https://mailinabox.email/
Creative Commons Zero v1.0 Universal

Roundcube flaws allow easy email account compromise (CVE-2024-42009, CVE-2024-42008) #2430

Open henningwerner opened 1 month ago

henningwerner commented 1 month ago

Thanks for your awesome project! Can you please push a new Roundcube version to the repo to close both CVEs?

myfirstnameispaul commented 1 month ago

PR submitted 3 days after the new versions were announced:

https://github.com/mail-in-a-box/mailinabox/pull/2422

For future reference, you can find open PRs here:

https://github.com/mail-in-a-box/mailinabox/pulls

dmitridb commented 1 month ago

https://github.com/roundcube/roundcubemail/releases/tag/1.6.7

Yet it was back in May with some of these patches

I am now in the process of convincing my clients to switch mailserver solutions since they can't expect something like this to be maintained. I know you even say you don't care about NSA-grade security, but these are email servers and the threat model is different here. These are flaws that someone as dumb as a malicious child or even some indiscriminate bot can and will exploit, and you've failed to patch in releases like three times now.

matidau commented 1 month ago

Just a suggestion, you can fork the current version and merge any of the security updates against the fork, such as this one.

Then on the server change to your fork with git and run mailinabox.

When Josh releases a new version with these included then switch back with git.

dmitridb commented 1 month ago

Thanks, this has been patched in #2422.

I got a little tripped up at the step where getting that hash is necessary - if anything only because I have access to production mailservers that it would be less than fun to be playing with potentially buggy scripts on. Is that just a sha256sum of the roundcubemail tar.gz file? Seems like there should be a better way of doing that somehow. They provide an asc file for verification instead for example.
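
The hash the comment above asks about is the SHA-256 digest that a setup script pins so that a tarball which does not match the expected bytes is rejected before it is unpacked. The following is an added example of that check, not code from the Mail-in-a-Box project or from anyone in this thread: the function names (`verify_sha256`, `verify_asc`, `demo_hash_check`), the keyring path and the tarball/signature file names are all hypothetical, and the digest in the demo is computed over a constructed six-byte file, not over any Roundcube release. Computing the digest locally (`sha256sum roundcubemail-<version>.tar.gz`) and then pinning that value only protects against later tampering; the `.asc` signature, verified against a key whose fingerprint was obtained out of band, is what ties the archive to the upstream release.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not Mail-in-a-Box code).

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when FILE's SHA-256 digest equals EXPECTED_HEX, 1 otherwise.
# Works with GNU coreutils (sha256sum) or BSD/macOS (shasum -a 256).
verify_sha256() {
    vs_file=$1
    vs_expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if command -v sha256sum >/dev/null 2>&1; then
        vs_actual=$(sha256sum "$vs_file" | awk '{print $1}')
    else
        vs_actual=$(shasum -a 256 "$vs_file" | awk '{print $1}')
    fi
    [ "$vs_actual" = "$vs_expected" ]
}

# verify_asc FILE SIGNATURE KEYRING
# Verifies a detached OpenPGP signature (the upstream .asc) against FILE using
# a dedicated keyring, so only keys you imported on purpose are trusted.
# The signing key must be imported beforehand, e.g.
#   gpg --no-default-keyring --keyring "$KEYRING" --import upstream-key.asc
# and its fingerprint checked against a value obtained out of band.
# Returns gpg's exit status; returns 2 if gpg is not installed.
verify_asc() {
    va_file=$1
    va_sig=$2
    va_keyring=$3
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    gpg --no-default-keyring --keyring "$va_keyring" --verify "$va_sig" "$va_file"
}

# fetch_and_verify URL EXPECTED_HEX DEST
# Downloads to a temporary file and only moves it into place if the digest
# matches, so a tampered or truncated download never reaches the installer.
fetch_and_verify() {
    fv_url=$1
    fv_expected=$2
    fv_dest=$3
    fv_tmp=$(mktemp) || return 1
    if curl -fsSL -o "$fv_tmp" "$fv_url" && verify_sha256 "$fv_tmp" "$fv_expected"; then
        mv "$fv_tmp" "$fv_dest"
    else
        echo "digest mismatch or download failure for $fv_url" >&2
        rm -f "$fv_tmp"
        return 1
    fi
}

# demo_hash_check: offline self-test on a constructed file containing "hello\n".
# Its SHA-256 digest is a well-known value; a one-byte change must be rejected.
# Returns 0 if both the positive and the negative check behave as expected.
demo_hash_check() {
    dh_tmp=$(mktemp) || return 1
    printf 'hello\n' > "$dh_tmp"
    dh_good=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
    dh_ok=0
    verify_sha256 "$dh_tmp" "$dh_good" || dh_ok=1
    printf 'hellp\n' > "$dh_tmp"
    verify_sha256 "$dh_tmp" "$dh_good" && dh_ok=1
    rm -f "$dh_tmp"
    return $dh_ok
}

# Typical use (placeholders; the real digest comes from the release you pinned):
#   fetch_and_verify "https://example.invalid/roundcubemail-VERSION.tar.gz" \
#       "<sha256 of the release tarball>" roundcubemail.tar.gz
#   verify_asc roundcubemail.tar.gz roundcubemail.tar.gz.asc /etc/roundcube-keyring.gpg
```

The digest check is what a setup script can run unattended on every install; the signature check is worth running once, by hand, when the pinned digest is updated, so that the value you commit is known to belong to the upstream release rather than to whatever the mirror served that day.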

JJJ commented 3 weeks ago

v70 was tagged August 15 and appears to include this.

See: https://github.com/mail-in-a-box/mailinabox/releases/tag/v70

Recommend to close this issue and PR at #2422.

matidau commented 3 weeks ago

#2422 is already closed (merged).