Dear Roundcube users,
We just published updates to both stable versions, 1.0 and 1.1,
delivering important bug fixes, one of which seals a potential path
traversal vulnerability [1] recently reported by High-Tech Bridge
Security Research Lab. Although the vulnerability is not fully
disclosed yet, the attack scenario requires an active Roundcube
account as well as write privileges on the same host Roundcube is
served from (without open_basedir protection).
A second security improvement adds some measures against brute-force attacks.
See the full changelog here:
http://trac.roundcube.net/wiki/Changelog#RELEASE1.1.4
Both versions are considered stable and we recommend updating all
production installations of Roundcube to either of these versions.
Download them from https://roundcube.net/download
If you prefer to patch your installation for the path traversal
vulnerability only, we also published patches on our download mirrors
for versions 1.0 [2] and 1.1 [3].
As usual, don't forget to back up your data before updating!
Thanks for all your support and happy new year!
Thomas
[1] https://www.htbridge.com/advisory/HTB23283
[2] https://sourceforge.net/projects/roundcubemail/files/roundcubemail/1.0.8/
[3] https://sourceforge.net/projects/roundcubemail/files/roundcubemail/1.1.4/