https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10
A Post-Auth RCE was announced and fixed in the latest release.
https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10
Files in core/updates_testing:
roundcubemail-1.6.11-1.mga9.noarch.rpm
SRPM:
roundcubemail-1.6.11-complete.tar.gz
Assignee: mageia => qa-bugs
*** Bug 34334 has been marked as a duplicate of this bug. ***
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2025-49113
https://www.openwall.com/lists/oss-security/2025/06/02/1
https://www.openwall.com/lists/oss-security/2025/06/02/3
Debian has issued an advisory on June 2: https://lists.debian.org/debian-security-announce/2025/msg00098.html
Keywords: (none) => advisory
MGA9-64 Plasma Wayland on Compaq H000SB
No initial installation problems.
In the list of updates there is no link to the previous updates, annoying.
Found the QA procedure, but it is not clear to me if dovecot is really needed or not, but it is certainly not included in the dependencies.
Made changes as indicated on /etc/roundcubemail/config.inc.php with the remark that there is no 'default_host', it seems to be 'imap_host'.
Ran the installation script for mysql in phpmyadmin, seems to work OK.
Then used http://localhost/roundcubemail/installer and got two problems:
1. Connection to mysql not found. The link to the manuals told me that php-pdo_mysql was missing. Installed that one, refreshed the page and this error is gone.
2. php extension Ctype: NOT OK (See https://www.php.net/manual/en/book.ctype.php), but the manual tells me that "This extension is enabled by default."
And that's it ....
CC: (none) => herman.viaene
@Herman: I can see if I can add those dependencies, but I must see if this can be done easily, as this package is in noarch.
fixed requirements: roundcubemail-1.6.11-2.mga9.src.rpm
Source RPM: riundcubemail => roundcubemail
CC: (none) => mageia
Installed and tested for three days without issues.
Tested with:
- Apache, PHP-FPM, MariaDB and Dovecot;
- PHP 8.4.7 from the backport repositories;
- Large email accounts, with GiB of emails;
- 2FA enabled using a 3rd party plugin: roundcubemail-plugin-twofactor_gauthenticator
All OK.
System: Mageia 9, x86_64, Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz.
$ uname -a
Linux marte 6.6.92-server-1.mga9 #1 SMP PREEMPT_DYNAMIC Thu May 22 19:00:17 UTC 2025 x86_64 GNU/Linux
$ rpm -qa | grep roundcubemail
roundcubemail-1.6.11-2.mga9
$ php --version
PHP 8.4.7 (cli) (built: May 20 2025 21:37:25) (ZTS)
Copyright (c) The PHP Group
Zend Engine v4.4.7, Copyright (c) Zend Technologies
    with Zend OPcache v8.4.7, Copyright (c), by Zend Technologies
    with Xdebug v3.4.1, Copyright (c) 2002-2025, by Derick Rethans
(In reply to Herman Viaene from comment #5)
If you are happy with the new package, we can validate.
OK, go on.
With Herman and my OK, giving it the OK for x86_64.
Whiteboard: (none) => MGA9-64-OK
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2025-0185.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED