Roundcube Community Forum

News and Announcements => General Discussion => Topic started by: beckerr on August 08, 2024, 07:18:56 AM

Title: Version 1.4.16 and CVE-2024-42008, CVE-2024-42009, CVE-2024-42010
Post by: beckerr on August 08, 2024, 07:18:56 AM
Is version 1.4.16 affected by any of CVE-2024-42008, CVE-2024-42009, CVE-2024-42010?

Title: Re: Version 1.4.16 and CVE-2024-42008, CVE-2024-42009, CVE-2024-42010
Post by: beckerr on August 12, 2024, 03:15:59 AM
In case anyone has the same question:

Roundcube 1.4.16 is most likely affected as it has reached its EOL and is no longer receiving any patches.


The information posted here is incorrect:
https://endoflife.date/roundcube


Here is the statement of a developer:
https://github.com/roundcube/roundcubemail/issues/9255#issuecomment-2126425311


Although I am a member of all relevant mailing lists, I don't remember receiving any official notification that Roundcube 1.4.x is no longer receiving security patches.

My solution:
I did a manual Git rebase of all our patches from 1.4.16 to 1.5.8, as the two versions are quite similar. Together with some customisation, final testing and deployment to the production cluster, the upgrade took about a day.