It’s the first time I’ve been aware of a vulnerability prior to the update coming out, so I want to watch the process and understand what’s going on with it.
Since I know we use Roundcube for our webmail through Mail-in-a-Box, I ran “apt-cache policy roundcube” and these were my results:
roundcube:
Installed: (none)
Candidate: 1.3.6+dfsg.1-1
Version table:
1.3.6+dfsg.1-1 500
Does that mean Roundcube is installed via a different method? When I run apt update and apt upgrade, is that mainly updating packages specific to Ubuntu and not MIAB?
We install Roundcube from source files because Ubuntu’s packaging is often very out of date. The current version in Mail-in-a-Box is 1.4.2 (you can see in our changelog or from the Mail-in-a-Box source code on github), so it is vulnerable to this.
However, IMO, the risk of harm is very low (“attack can cause an authenticated user to be logged out”), so I think we’re fine. We’ll update to the latest Roundcube in the next version of Mail-in-a-Box.
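Because a source install leaves no record in apt, the version has to be read from the install itself. The script below is an added example, not code from this thread or from the Mail-in-a-Box project: it reads the version Roundcube defines in program/include/iniset.php (RCMAIL_VERSION), and compares it against the version named in whatever advisory you are tracking. The install path /usr/local/lib/roundcubemail is the one Mail-in-a-Box uses as far as I know, and the 1.4.3 used in the sample run is only an illustrative comparison value, not the fix version for the issue discussed above; the iniset.php contents are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the thread or of Mail-in-a-Box. Assumptions:
#  - Roundcube keeps its version in program/include/iniset.php as
#    define('RCMAIL_VERSION', 'x.y.z');
#  - a Mail-in-a-Box source install lives under /usr/local/lib/roundcubemail
#    (assumed path; adjust for your box).

# Extract RCMAIL_VERSION from an iniset.php file; prints nothing if absent.
rc_version_from_iniset() {
    sed -n "s/^define('RCMAIL_VERSION', *'\([^']*\)');.*/\1/p" "$1" | head -n 1
}

# Compare two dotted numeric versions ($1 vs $2); prints lt, eq or gt.
# Missing trailing components count as 0, so 1.4 equals 1.4.0.
# Pre-release suffixes such as -rc1 are not handled here.
version_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then echo lt; return; fi
        if [ "$ai" -gt "$bi" ]; then echo gt; return; fi
    done
    echo eq
}

# Report whether the Roundcube described by $1 (an iniset.php) is older than
# $2 (the version that fixes the issue you are tracking).
# Exit status: 0 at or above, 1 older, 2 if no version could be read.
roundcube_check() {
    inst=$(rc_version_from_iniset "$1")
    if [ -z "$inst" ]; then
        echo "no RCMAIL_VERSION found in $1" >&2
        return 2
    fi
    if [ "$(version_cmp "$inst" "$2")" = lt ]; then
        echo "Roundcube $inst (source install), older than $2"
        return 1
    fi
    echo "Roundcube $inst (source install), at or above $2"
    return 0
}

# Constructed sample standing in for
# /usr/local/lib/roundcubemail/program/include/iniset.php on a real box.
SAMPLE_INISET=$(mktemp)
trap 'rm -f "$SAMPLE_INISET"' EXIT
printf '%s\n' "<?php" "define('RCMAIL_VERSION', '1.4.2');" > "$SAMPLE_INISET"

# Illustrative comparison value only; substitute the version from the advisory.
FIXED_VERSION="1.4.3"

# On a real Mail-in-a-Box you would run
#   apt-cache policy roundcube   # "Installed: (none)" confirms no apt install
#   roundcube_check /usr/local/lib/roundcubemail/program/include/iniset.php "$FIXED_VERSION"
roundcube_check "$SAMPLE_INISET" "$FIXED_VERSION" || true
```

The point of the two-step check is that “Installed: (none)” from apt-cache is not evidence of absence: it only says the package manager never installed it, so apt upgrade will never touch it either, and the version must be tracked (and updated) by the same mechanism that installed it, here the Mail-in-a-Box setup scripts.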