We just published security updates to the 1.7 and 1.6 LTS versions of Roundcube Webmail. They both contain fixes for recently reported security vulnerabilities.
Security fixes:
by stafra.
session-injected username, reported by Glendaenri and peppersghost.
attachment-validation warning page [CVE-2026-54432], reported by Bohdan Kurinnoy, Samsung R&D Institute Ukraine (SRUKR).
reported by Leenear.
reported by Bohdan Kurinnoy, Samsung R&D Institute Ukraine (SRUKR).
file, reported by h0rk1p.
See the full changelogs in the release notes on the Github download pages for the updated versions.
https://github.com/roundcube/roundcubemail/releases/tag/1.7.2 https://github.com/roundcube/roundcubemail/releases/tag/1.6.17
We strongly recommend to update all productive installations of Roundcube 1.6.x and 1.7.x with this new versions.
On 05/07/2026 21:29, Aleksander Machniak via Users wrote:
We just published security updates to the 1.7 and 1.6 LTS versions of Roundcube Webmail. They both contain fixes for recently reported security vulnerabilities.
Hmm...
$ sudo ./bin/installto.sh /xyz/roundcube PHP Fatal error: Uncaught Error: Call to undefined function mb_internal_encoding() in /aaa/Install/roundcubemail-1.7.2/program/lib/Roundcube/bootstrap.php:82 Stack trace: #0 /aaa/Install/roundcubemail-1.7.2/program/include/iniset.php(71): require_once() #1 /aaa/Install/roundcubemail-1.7.2/program/include/clisetup.php(25): require_once('...') #2 /aaa/Install/roundcubemail-1.7.2/bin/installto.sh(24): require_once('...') #3 {main} thrown in /aaa/Install/roundcubemail-1.7.2/program/lib/Roundcube/bootstrap.php on line 82 Fatal error: Please check the Roundcube error log and/or server error logs for more information.
Nothing in the logs, of course.
I know I could just do an install into a new directory, copy over the configuration, and point /xyz/roundcube at that, but it would be good if updating worked.
Cheers,
Gary b-)
On 2026-07-05 22:38:00, Gary R. Schmidt via Users wrote:
On 05/07/2026 21:29, Aleksander Machniak via Users wrote:
We just published security updates to the 1.7 and 1.6 LTS versions of Roundcube Webmail. They both contain fixes for recently reported security vulnerabilities.
Hmm...
$ sudo ./bin/installto.sh /xyz/roundcube PHP Fatal error: Uncaught Error: Call to undefined function mb_internal_encoding() in
Missing PHP mbstring extension? It's not a requirement for the rest of Roundcube AFAIK but that's what provides that function.
On 06/07/2026 01:27, Michael Orlitzky wrote:
On 2026-07-05 22:38:00, Gary R. Schmidt via Users wrote:
On 05/07/2026 21:29, Aleksander Machniak via Users wrote:
We just published security updates to the 1.7 and 1.6 LTS versions of Roundcube Webmail. They both contain fixes for recently reported security vulnerabilities.
Hmm...
$ sudo ./bin/installto.sh /xyz/roundcube PHP Fatal error: Uncaught Error: Call to undefined function mb_internal_encoding() in
Missing PHP mbstring extension? It's not a requirement for the rest of Roundcube AFAIK but that's what provides that function.
Yep.
I hate how PHP updates don't flag or preserve ini file changes.
Cheers,
Gary B-)
Am 06.07.26 um 02:20 schrieb Gary R. Schmidt via Users:
On 06/07/2026 01:27, Michael Orlitzky wrote:
On 2026-07-05 22:38:00, Gary R. Schmidt via Users wrote:
On 05/07/2026 21:29, Aleksander Machniak via Users wrote:
We just published security updates to the 1.7 and 1.6 LTS versions of Roundcube Webmail. They both contain fixes for recently reported security vulnerabilities.
Hmm...
$ sudo ./bin/installto.sh /xyz/roundcube PHP Fatal error: Uncaught Error: Call to undefined function mb_internal_encoding() in
Missing PHP mbstring extension? It's not a requirement for the rest of Roundcube AFAIK but that's what provides that function.
Yep.
I hate how PHP updates don't flag or preserve ini file changes
in 25 years no php update touched any ini file