When are we going to see about updating for this Roundcube 0-Day?

1 Like

Thank you for pointing it out.
Probably we should fix the following packages:

@stephdl would you mind taking a look?

3 Likes

please test the upgrade to roundcubemail 1.5.5

the rpm is at bump to roundcubemail 1.5.5 by stephdl · Pull Request #8 · NethServer/nethserver-roundcubemail-next · GitHub

yum install http://packages.nethserver.org/nethserver/7.9.2009/autobuild/x86_64/Packages/nethserver-roundcubemail-next-1.5.4-1.3.pr8.gcc2af59.ns7.noarch.rpm

3 Likes

Update worked well as expected. :+1:

4 Likes

relevant to install and test roundcubemail

yum install http://packages.nethserver.org/nethserver/7.9.2009/autobuild/x86_64/Packages/nethserver-roundcubemail-1.5.1-2.4.pr23.g29b8793.ns7.noarch.rpm http://packages.nethserver.org/nethserver/7.9.2009/autobuild/x86_64/Packages/roundcubemail-1.4.15-1.2.pr6.gaf0f020.ns7.noarch.rpm

2 Likes

As regards 1.6.4 I encountered some issues but I need to check if it’s testserver related…
I can test again in the evening…

Send mail not possible:

After the update on another server the webmail page shows:

[image]

true, confirmed :confused:

The “File not found” error was because the skin was set to larry. Changing it to elastic solved the issue.

config setprop roundcubemail skin elastic
signal-event nethserver-roundcubemail-next-update

I can confirm the “authentication failed” issue on another server too.

2 Likes

we need to change configuration file to go to 1.6, for now we need to test the upgrade to 1.5.5 and start an analysis of what configuration must be changed, I updated my first post

1 Like

Fresh install of 1.5.5 on a test vm worked.

Sending mail worked.

Both skins larry and elastic worked.

5 Likes

hello mates, we have two issues to test relevant to a zero day security fix of roundcubemail

if you can add your tests

4 Likes

I don’t have an active lab right now so I snapshot a production server, tried to upgrade 1.4.13 and failed.
I couldn’t remember how to update from the testing repo and ended up with a blank screen instead of roundcube; at that point I had to restore.
It’s been too long since I’ve had time to work on this kind of stuff. I’ll try to go through my notes and the forum to figure out the steps to do this and try again tomorrow.

Really looking forward to NS8’s architecture. /s

Rushing to install an update has happened to me. Going without a staging/scapegoat server is always a no-go for me.
Some posts report how to install, otherwise… waiting is scary yet sometimes necessary. A bad update is sometimes worse than no update.

Assuming that email server (dovecot+postfix+sieve+more tools like antispam and antivirus) and webmail/groupware (Webtop currently) will be on different containers…

I’m at a loss here.
I saw the update available for roundcube on another production server I have, so I snapshot it and fired off the upgrade. Post update I was presented with a blank screen for roundcube. After rebooting for giggles, I was still presented with a blank page for roundcube. Just like when I tried to use the test repo on another production server. So I restored the snapshot and am back to dot 13 for roundcube.
I note that in the updates for NS7 thread the post references roundcubemail-1.4.14-1.ns7.noarch but remarks on 1.4.15.

What am I missing here? @stephdl

normally the version should follow the version of roundcubemail but it doesn’t
roundcubemail 1.4.14
https://github.com/NethServer/roundcubemail/blob/master/roundcubemail.spec#L3
use the version 1.4.15
https://github.com/NethServer/roundcubemail/blob/master/roundcubemail.spec#L1

to use this version of roundcubemail we need to trigger the event signal-event nethserver-roundcubemail-update manually or by installing a new rpm of nethserver-roundcubemail because we need to expand configuration files: https://github.com/NethServer/nethserver-roundcubemail/blob/master/nethserver-roundcubemail.spec#L3
I made a mess of the release of nethserver-roundcubemail and probably you were too fast and just installed roundcubemail

to install correctly either

yum update nethserver-roundcubemail roundcubemail
or
yum install http://packages.nethserver.org/nethserver/7.9.2009/updates/x86_64/Packages/nethserver-roundcubemail-1.5.2-1.ns7.noarch.rpm http://packages.nethserver.org/nethserver/7.9.2009/updates/x86_64/Packages/roundcubemail-1.4.14-1.ns7.noarch.rpm

you need to test it again, I am going to fire a VM and do it myself too

1 Like

just tested a fresh install, everything is ok

[root@NS1 ~]# rpm -qa | grep roundcubemail
nethserver-roundcubemail-1.5.2-1.ns7.noarch
roundcubemail-1.4.14-1.ns7.noarch

In the github issue you have test case 1 signal-event nethserver-rouncubemail-update with a dash, here you do not have the dash. That is what I did with the first server and it seemed like nothing happened. Here you do not have a connecting dash; which is correct?

Importantly, the production server I tried to update last night was updated in the normal update method from the software center and it ended up with a blank page for roundcube, then a blank page for roundcube after a reboot, at that point I had to get it back online and restored the snapshot so it’s back to .13.

1 Like

giving a new chance on a VM, sorry I use roundcubemail-next on my real server, so 1.5.5

first installing old version

yum install http://packages.nethserver.org/nethserver/7.9.2009/updates/x86_64/Packages/nethserver-roundcubemail-1.5.1-1.ns7.noarch.rpm http://packages.nethserver.org/nethserver/7.9.2009/updates/x86_64/Packages/roundcubemail-1.4.13-1.ns7.noarch.rpm

[root@NS1 ~]# rpm -qa | grep roundcubemail
roundcubemail-1.4.13-1.ns7.noarch
nethserver-roundcubemail-1.5.1-1.ns7.noarch

doing a yum update after

[root@NS1 ~]# rpm -qa | grep roundcubemail
nethserver-roundcubemail-1.5.2-1.ns7.noarch
roundcubemail-1.4.14-1.ns7.noarch

no issue so far, maybe you need to clean the web cache of your browser

Can others validate this, or claim a valid issue?

@stephdl maybe it’s in the 2fa addin?
Roundcube log shows PHP Parse error: syntax error, unexpected '?' in /usr/share/roundcubemail/plugins/twofactor_gauthenticator/twofactor_gauthenticator.php on line 101 during attempts.
and this is what I see in that file…

1 Like
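The log check described in the post above, as an added example that is not part of the original thread: it reads a Roundcube/PHP error log on stdin and lists which plugin files PHP refused to load, which is the kind of failure that leaves a blank page after a package update. The log is read from stdin because the thread does not give its path; the timestamps and every sample line except the quoted parse error are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): find plugins that fail to load.

# Constructed sample log. The parse error text is the one quoted in the
# thread; timestamps and the other lines are invented for illustration.
sample_log() {
cat <<'EOF'
[18-Oct-2023 20:01:11 UTC] PHP Parse error:  syntax error, unexpected '?' in /usr/share/roundcubemail/plugins/twofactor_gauthenticator/twofactor_gauthenticator.php on line 101
[18-Oct-2023 20:01:15 UTC] PHP Parse error:  syntax error, unexpected '?' in /usr/share/roundcubemail/plugins/twofactor_gauthenticator/twofactor_gauthenticator.php on line 101
[18-Oct-2023 20:02:40 UTC] PHP Warning:  Undefined index: foo in /usr/share/roundcubemail/plugins/example_plugin/example_plugin.php on line 7
[18-Oct-2023 20:03:02 UTC] IMAP Error: Login failed for user@example.org
EOF
}

# failing_plugins: reads a log on stdin, prints "count plugin file:line"
# for each plugin file that raised a PHP parse or fatal error.
# Warnings and non-PHP lines are ignored because they do not stop the page.
failing_plugins() {
    { grep -E 'PHP (Parse|Fatal) error:' || true; } \
      | sed -nE 's#.* in (/[^ ]*/plugins/([^/ ]+)/[^ ]+) on line ([0-9]+).*#\2 \1:\3#p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2, $3 }'
}

# Demo on the constructed sample; on a server, pipe the real log in instead.
sample_log | failing_plugins
```

A plugin named in the output is the one to upgrade or disable before retesting the webmail page.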

Try to upgrade the 2fa plugin manually. Do we bundle it for Nethserver or do you install it yourself?