Roundcube Community Forum

 

Version 1.4.16 and CVE-2024-42008, CVE-2024-42009, CVE-2024-42010

Started by beckerr, August 08, 2024, 07:18:56 AM

beckerr

Is version 1.4.16 affected by any of CVE-2024-42008, CVE-2024-42009, CVE-2024-42010?

beckerr

#1
In case anyone has the same question:

Roundcube 1.4.16 is most likely affected as it has reached its EOL and is no longer receiving any patches.


The information posted here is incorrect:
https://endoflife.date/roundcube


Here is the statement of a developer:
https://github.com/roundcube/roundcubemail/issues/9255#issuecomment-2126425311


Although I am a member of all relevant mailing lists, I don't remember receiving any official notification that Roundcube 1.4.x is no longer receiving security patches.

My solution:
I did a manual Git rebase of all our patches from 1.4.16 to 1.5.8, as the two versions are quite similar. Together with some customisation, final testing and deployment to the production cluster, the upgrade took about a day.