Roundcube CVE-2023-43770 (Mail-in-a-Box version 64 and earlier)

If you're still on Ubuntu 18.04 LTS (like me), a word of warning…


It looks like it's possible to manually patch this: I only found the program/lib/Roundcube/rcube_string_replacer.php under /usr/local/lib/roundcubemail/program/lib/Roundcube/rcube_string_replacer.php and made edits to the file directly.

I did not find tests/Framework/StringReplacer.php

Anyone able to check my rationale here? I can’t upgrade Ubuntu 18 → 22 and (miab version) at this time.

I think it’s best and easiest for you to update the complete roundcube. Then you have all the security updates included, and no mess with editing individual files.

Start by editing the file setup/ in the Mail-in-a-Box folder. Then change VERSION to 1.5.6 (it should be on 1.5.2 or so).
Once you run sudo setup/, you'll get an error about a mismatching hash. Use the hash there to update the HASH= variable in the sh file. Run sudo setup/ again to really install Roundcube.

If it does not work you can roll back by reversing the changes to the sh file and running it again.

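
As an added example (not code from this thread or from the Mail-in-a-Box project), a small POSIX shell script that mirrors the steps above: rewrite the VERSION and HASH pins in a stand-in setup script and check a downloaded tarball against the pinned hash before installing. It assumes the pins sit on their own lines and that the hash is SHA-1; the script and file names used are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or the Mail-in-a-Box setup scripts.
# Assumption: the setup script pins "VERSION=" and "HASH=" on their own
# lines and the hash is a SHA-1 (placeholder for whatever setup/ really uses).
set -eu

# Print the SHA-1 of a file.
file_sha1() {
    sha1sum "$1" | cut -d' ' -f1
}

# bump_pin SCRIPT NEW_VERSION NEW_HASH: rewrite both pinned values in place,
# keeping a .bak copy so the change can be rolled back as the post suggests.
bump_pin() {
    script=$1; version=$2; hash=$3
    sed -i.bak -e "s/^VERSION=.*/VERSION=$version/" \
               -e "s/^HASH=.*/HASH=$hash/" "$script"
}

# read_pin SCRIPT NAME: print the pinned value for NAME (VERSION or HASH).
read_pin() {
    sed -n "s/^$2=//p" "$1"
}

# verify_download FILE EXPECTED_SHA1: succeed only if the hashes match.
# On mismatch it reports both values, which is the error the post describes;
# the reported value should be compared with the upstream release checksum
# before it is pasted into HASH=, otherwise the pin only records what was
# downloaded and checks nothing.
verify_download() {
    actual=$(file_sha1 "$1")
    if [ "$actual" != "$2" ]; then
        echo "hash mismatch for $1: expected $2, got $actual" >&2
        return 1
    fi
    return 0
}
```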

That might be a good approach

I’ve already modified the actual file, but this would bring me from 1.5.2 to 1.5.6, which probably has other enhancements. If I’m reading this correctly, you can just jump from one to the other?

Looking at the release notes, 1.5.3 has a number of fixes while 1.5.4 through 1.5.6 are security updates. That means no breaking changes are foreseen, and you can indeed jump these versions.
But it’s good you mention this: to be sure, you can back up the database, stored under /home/user-data/mail/roundcube.

Your suggestion worked perfectly.

Thanks so much!


Thanks to both of you - that worked great and was pretty quick.

I need to pull my finger out and upgrade. I was having trouble with the restore time and need to just let it run over a weekend or something.
