Yep, though it's a relatively easy patch to fix it. In program/include/session.inc the second setcookie() call needs to be changed to:
setcookie(session_name(), $random, $lifetime, $cookie['path'], $cookie['domain'], $cookie['secure']);
Then (assuming you're using Apache with roundcube at servername/rcube), add to your Apache conf:
php_value session.cookie_secure 1
php_value session.cookie_path /rcube
It would be nice for Roundcube itself to set secure cookies by default, though the above works for now.