This morning Roundcube webmail posted a security update (version 1.3.3) that allows logged-in mail users to access local filesystem files.
I’ve posted v0.25 (changelog) which updates us to the fixed version of Roundcube, and corrects another small bug in Mail-in-a-Box related to DNS.
You can update existing boxes by running the same command you used to install.
Folks have been seeing some installer errors (like this one) that we haven’t yet fixed. Running our setup command twice seems to fix the problem. If you run into this or other issues upgrading, please post a reply here below.