Roundcube Vulnerability: What is the path from bug -> implementation of the fix in MIAB

Hey All! Recently joined a security email list for Debian and got an email this morning about a Roundcube vulnerability in CVE-2020-12626:

Ubuntu Tracker
Debian Tracker

It’s the first time I’ve been aware of a vulnerability prior to the update coming out so I want to watch the process and understand what’s going on with it.

Being that I know we use Roundcube for our webmail through Mail-in-a-Box I ran “apt-cache policy roundcube” and these were my results:

roundcube:
Installed: (none)
Candidate: 1.3.6+dfsg.1-1
Version table:
1.3.6+dfsg.1-1 500

Does that mean Roundcube is installed via a different method? When I run apt update and apt upgrade is that mainly updating packages specific to Ubuntu and not MIAB?


Thanks for posting!

We install Roundcube from source files because Ubuntu’s packaging is often very out of date. The current version in Mail-in-a-Box is 1.4.2 (you can see in our changelog or from the Mail-in-a-Box source code on github), so it is vulnerable to this.

However, IMO, the risk of harm is very low (“attack can cause an authenticated user to be logged out”), so I think we’re fine. We’ll update to the latest Roundcube in the next version of Mail-in-a-Box.

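A check for the situation described in this answer, added here as an example and not code from Mail-in-a-Box or Roundcube: it parses the `apt-cache policy roundcube` output quoted in the question and tells a source install that `apt upgrade` will never patch from a package apt manages. The 1.4.2 version comes from the thread; the fixed-in version passed to it is an assumed stand-in, the real one is in the Ubuntu/Debian tracker.

```shell
#!/bin/sh
# Added example (not Mail-in-a-Box or Roundcube code): will `apt upgrade`
# deliver a Roundcube fix, or is this a source install apt cannot see?

# Constructed sample: the `apt-cache policy roundcube` output quoted above.
SAMPLE_POLICY='roundcube:
  Installed: (none)
  Candidate: 1.3.6+dfsg.1-1
  Version table:
     1.3.6+dfsg.1-1 500'

# apt_installed_version <policy-output>: prints the version apt believes is
# installed, or "(none)" when apt does not manage the package at all.
apt_installed_version() {
    printf '%s\n' "$1" | awk '/^ *Installed:/ { print $2; exit }'
}

# version_lt <a> <b>: true when version a sorts strictly before b (sort -V
# understands Debian-style suffixes such as +dfsg.1-1).
version_lt() {
    [ "$1" != "$2" ] && \
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# fix_status <policy-output> <source-installed-version> <fixed-in-version>
# Prints one of:
#   apt-managed-vulnerable / apt-managed-patched   : apt upgrade is the path
#   source-install-vulnerable / source-install-patched : apt will not touch it;
#       the installer (MIAB setup) or a manual upgrade must bring the fix
fix_status() {
    policy=$1; src_ver=$2; fixed=$3
    apt_ver=$(apt_installed_version "$policy")
    if [ -z "$apt_ver" ] || [ "$apt_ver" = "(none)" ]; then
        if version_lt "$src_ver" "$fixed"; then echo source-install-vulnerable
        else echo source-install-patched; fi
    else
        if version_lt "$apt_ver" "$fixed"; then echo apt-managed-vulnerable
        else echo apt-managed-patched; fi
    fi
}

# Demo: 1.4.2 is the MIAB version named in the thread; "1.4.9" is a
# constructed stand-in for the fixed-in version, not the real one.
fix_status "$SAMPLE_POLICY" 1.4.2 1.4.9
```

On a real box the apt output comes from `apt-cache policy roundcube` and the source version from the installed Roundcube tree, so the only thing the script adds is keeping the two sources of truth apart.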

Thanks for the explanation and quick response @JoshData! Love the entire package of software. So slick to set up and manage.