Nation State Hackers Exploiting Zero-Day in Roundcube Webmail Software

Forum for things that don't really have anything to do with hMailServer, such as php.ini, beer, etc.

palinka
Senior user
Posts: 4352
Joined: 2017-09-12 17:57

Re: Nation State Hackers Exploiting Zero-Day in Roundcube Webmail Software

Post by palinka » 2023-10-25 20:05

Is there a patch yet?

mats
Normal user
Posts: 45
Joined: 2018-05-06 20:58

Re: Nation State Hackers Exploiting Zero-Day in Roundcube Webmail Software

Post by mats » 2023-10-25 21:16

palinka wrote:
2023-10-25 20:05
Is there a patch yet?

Yes since about 10 days ago


RvdH
Senior user
Posts: 3092
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Nation State Hackers Exploiting Zero-Day in Roundcube Webmail Software

Post by RvdH » 2023-11-06 10:08

https://github.com/roundcube/roundcubem ... /tag/1.6.5

Roundcube Webmail 1.6.5

This is a security update to the stable version 1.6 of Roundcube Webmail. It provides a fix to a recently reported XSS vulnerability:

Fix cross-site scripting (XSS) vulnerability in setting Content-Type/Content-Disposition for attachment preview/download reported by Rene Rehme (rehme.infosec).
This version is considered stable and we recommend to update all productive installations of Roundcube 1.6.x with it. Please do backup your data before updating!
For Roundcube Webmail 1.5.6 version, see:
https://github.com/roundcube/roundcubemail/releases
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup

danieldummer
New user
Posts: 7
Joined: 2017-08-31 14:39

Re: Nation State Hackers Exploiting Zero-Day in Roundcube Webmail Software

Post by danieldummer » 2023-11-20 20:48

Does anyone know if the latest version of hMailServer (5.6.8) is compatible with the latest version of Roundcube (1.6.5)?

Thanks

gotspatel
Senior user
Posts: 341
Joined: 2013-10-08 05:42
Location: INDIA

Re: Nation State Hackers Exploiting Zero-Day in Roundcube Webmail Software

Post by gotspatel » 2023-11-21 05:33

It has nothing to do with the Roundcube version with hMailServer version since Roundcube is just a mail client.

You can use any Roundcube version with any version of hMailServer

Regards

danieldummer
New user
Posts: 7
Joined: 2017-08-31 14:39

Re: Nation State Hackers Exploiting Zero-Day in Roundcube Webmail Software

Post by danieldummer » 2023-11-21 16:28

gotspatel wrote:
2023-11-21 05:33
It has nothing to do with the Roundcube version with hMailServer version since Roundcube is just a mail client.

You can use any Roundcube version with any version of hMailServer

Regards

Thank you

RvdH
Senior user
Posts: 3092
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Nation State Hackers Exploiting Zero-Day in Roundcube Webmail Software

Post by RvdH » 2023-11-29 14:40

https://nextcloud.com/blog/open-source- ... nextcloud/

Can't they pick up hMailServer development as well? :lol:

palinka
Senior user
Posts: 4352
Joined: 2017-09-12 17:57

Re: Nation State Hackers Exploiting Zero-Day in Roundcube Webmail Software

Post by palinka » 2023-11-29 15:11

RvdH wrote:
2023-11-29 14:40
https://nextcloud.com/blog/open-source- ... nextcloud/

Can't they pick up hMailServer development as well? :lol:

Linux only! :lol: :lol: :lol:

mattg
Moderator
Posts: 22387
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Nation State Hackers Exploiting Zero-Day in Roundcube Webmail Software

Post by mattg » 2023-11-30 01:45

palinka wrote:
2023-11-29 15:11
RvdH wrote:
2023-11-29 14:40
https://nextcloud.com/blog/open-source- ... nextcloud/

Can't they pick up hMailServer development as well? :lol:
Linux only! :lol: :lol: :lol:

Don't think so.
It is written in PHP.

I'm a long term user of Nextcloud - love it.
They already have a web mail client called Snappy Mail that is an app inclusion, but exciting to see them get a hold of Roundcube too.

Nextcloud is an offshoot of OwnCloud
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

palinka
Senior user
Posts: 4352
Joined: 2017-09-12 17:57

Re: Nation State Hackers Exploiting Zero-Day in Roundcube Webmail Software

Post by palinka » 2023-11-30 07:55

mattg wrote:
2023-11-30 01:45
palinka wrote:
2023-11-29 15:11
RvdH wrote:
2023-11-29 14:40
https://nextcloud.com/blog/open-source- ... nextcloud/

Can't they pick up hMailServer development as well? :lol:
Linux only! :lol: :lol: :lol:
Don't think so.
It is written in PHP.

I'm a long term user of Nextcloud - love it.
They already have a web mail client called Snappy Mail that is an app inclusion, but exciting to see them get a hold of Roundcube too.

Nextcloud is an offshoot of OwnCloud

It's not just PHP. You need to install Docker on Windows to run it, and also reverse proxy it if you have a webserver already running. It used to be PHP only and ran on Windows + XAMPP. I did try it out many years ago. But at some point they gave up development for Windows.

I've been using filerun, which is amazing. Very lightweight, fast, works well with webdav + nextcloud client. But they ended their free license so there will be no more updates unless you pay and the price is crazy - enterprise pricing. I would absolutely pay for 2 or 3 users if the price were reasonable. So I'm keeping my eye on nextcloud and owncloud.
