Page 1 of 1
Roundcube Security Vulnerability prior v1.2.3
Posted: Thu Dec 08, 2016 5:44 pm
by canoodle
is this an issue? and is it fixed? :-D
if not: how can i disable / uninstall coundcube i am not using it... thanks!
https://github.com/roundcube/roundcube ... elease-123
heise Security
08.12.2016 17:58 Uhr
https://www.heise.de/newsticker/meldung ... itrag.atom
Re: Roundcube Security Vulnerability prior v1.2.3
Posted: Thu Dec 08, 2016 7:17 pm
by ScIT
To use this security breach you will need to have a local email account - so it is not a big problem like it is written on heise.de. As soon, as the new package is published (roundcube-core), you can install it over system upgrade (apt-get upgrade / yum update).
VestaCP does not provide an own roundcube version, if you want to disable roundcube, you can to this for example by removing the /webmail alias from the system:
Code: Select all
rm /etc/apache2/conf.d/roundcube.conf
service apache2 restart
if you want to re-enable it, you can create again the symlink:
Code: Select all
ln -s /etc/roundcube/apache.conf /etc/apache2/conf.d/roundcube.conf
service apache2 restart
This will work for Ubuntu and Debian, should be a similar way for CentOS/Redhat systems.
Re: Roundcube Security Vulnerability prior v1.2.3
Posted: Fri Dec 09, 2016 8:47 am
by ScIT
There seems to be no security issue with exim4 and VestaCP, the needed switches (-X and -O) will be ignored from exim4 sendmail. Source:
https://www.heise.de/forum/heise-Securi ... 5767/show/
Re: Roundcube Security Vulnerability prior v1.2.3
Posted: Fri Dec 09, 2016 1:35 pm
by canoodle
Thank you for your fast and competent answers :)
(Y) *thumbs*up*