This affects versions including 1.6.5, which is the current version of my Mail-in-a-Box. The exploit allows for remote code execution via a crafted email, making it especially critical for systems exposed to the internet.
I attempted to run the Mail-in-a-Box upgrade script (sudo mailinabox) hoping it would bring Roundcube up to the patched version (1.6.11), but after the update, the system still shows Roundcube 1.6.5.
Could the maintainers please advise on one of the following:
Is an update to Roundcube planned in the next Mail-in-a-Box release?
Is there a recommended temporary workaround or manual patch we can apply to secure our installations?
Would it be possible to implement an auto-update mechanism for Roundcube in the future, given how critical webmail vulnerabilities can be?
There are already a number of upgrades available for you, including Roundcube 1.6.11. The reason you’re not getting them is that you are using an incorrect command to upgrade the box. To upgrade the box, execute curl -s https://mailinabox.email/setup.sh | sudo bash as the same user that you used to install the box.
The mailinabox command is (only) used to rerun the current installation, without upgrading.
I just did the update. My first MiaB update since my install.
I run ALL updates over SSH under “screen -L”. If something happens to my SSH connection, I can first check the log file, and if needed, reconnect to the screen session. Lots of years ago, I had an SSH session break during a kernel rebuild and toasted the system. Since then, always screen unless I am sitting at the system console.
My customization to SpamAssassin local.cf came through. Everything else looks good.
Kudos to those that built MiaB and made sure that updates work!
Though, I do recommend you recommend doing updates within “screen”.
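Two things from the posts above are worth scripting: confirming, after the setup.sh upgrade, that the installed Roundcube is actually at the patched version, and running the upgrade under a logged screen session so a dropped SSH connection cannot leave the box half-upgraded. The following is an added example for this thread, not Mail-in-a-Box project code. It assumes (neither fact is stated in the thread) that Mail-in-a-Box installs Roundcube under /usr/local/lib/roundcubemail and that Roundcube records its version as define('RCMAIL_VERSION', '...'); in program/include/iniset.php; override ROUNDCUBE_DIR and TARGET_VERSION if your box differs.

```shell
#!/usr/bin/env bash
# Added example, not Mail-in-a-Box code: verify the installed Roundcube version
# after an upgrade, and wrap the upgrade command from the thread in screen.
#
# Assumptions (not confirmed by the thread): install path and the
# define('RCMAIL_VERSION', '1.6.x'); line in program/include/iniset.php.
ROUNDCUBE_DIR="${ROUNDCUBE_DIR:-/usr/local/lib/roundcubemail}"
TARGET_VERSION="${TARGET_VERSION:-1.6.11}"

# Print the version string recorded in an iniset.php file; return 1 if absent.
roundcube_version() {
    local iniset="$1"
    local v
    v=$(sed -n "s/.*define('RCMAIL_VERSION', *'\([0-9][0-9.]*\)').*/\1/p" "$iniset" | head -n1)
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# Return 0 when $1 >= $2 as dotted versions (so 1.6.11 sorts above 1.6.5,
# which a plain string compare would get wrong).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# Compare the installed Roundcube against TARGET_VERSION.
# Returns 0 if patched, 1 if still below the target, 2 if no version was found.
check_roundcube() {
    local iniset="${1:-$ROUNDCUBE_DIR/program/include/iniset.php}"
    local installed
    installed=$(roundcube_version "$iniset") || {
        echo "Roundcube version not found in $iniset" >&2
        return 2
    }
    if version_ge "$installed" "$TARGET_VERSION"; then
        echo "Roundcube $installed is at or above $TARGET_VERSION"
        return 0
    fi
    echo "Roundcube $installed is below $TARGET_VERSION; run the setup.sh upgrade" >&2
    return 1
}

# Run the upgrade command given in the thread inside a logged screen session
# (screen -L writes screenlog.0 in the current directory), so the run survives
# a dropped SSH connection and can be reattached with: screen -r miab-upgrade
upgrade_in_screen() {
    screen -L -S miab-upgrade bash -c \
        'curl -s https://mailinabox.email/setup.sh | sudo bash'
}
```

Typical use is `upgrade_in_screen`, then `check_roundcube` once the session ends; a non-zero exit from the check means the upgrade did not bring Roundcube to the target and the screenlog should be read before trying again.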
So we do have it set to automatically upgrade Ubuntu-provided packages with security updates. But Roundcube and many other packages are installed separately because Ubuntu is very out of date for these.
For the custom things we install like that, making an automatic update is hard to do in a way that isn’t going to mistakenly break things.