Ubuntu
roundcube package

security related update for 22.04

Asked by MPE License Team

Hello

given this https://roundcube.net/news/updates/

 how can I get roundcube 1.6.x on 22.4? Currently stuck on 1.5.0

# lsb_release -d
Description: Ubuntu 22.04.3 LTS
# dpkg -l | grep roundc
ii roundcube 1.5.0+dfsg.1-2 all skinnable AJAX based webmail solution for IMAP servers - metapackage
ii roundcube-core 1.5.0+dfsg.1-2 all skinnable AJAX based webmail solution for IMAP servers
ii roundcube-pgsql 1.5.0+dfsg.1-2 all metapackage providing PostgreSQL dependencies for RoundCube
# apt list --upgradable
Listing... Done

Thanks in advance
Antonello

Question information

Language:
English Edit question
Status:
Answered
For:
Ubuntu roundcube Edit question
Assignee:
No assignee Edit question
Last query:
Last reply:
Revision history for this message
actionparsnip (andrew-woodhead666) said : 		#1

Could try this:
https://github.com/mail-in-a-box/mailinabox/blob/main/setup/webmail.sh

Use at your own risk. If you report a bug and the bug and security fixes in the new version are significant then the package will be updated sooner rather than later. The LTS releases of Ubuntu (Like 22.04 (Not 22.4 as you said)) concentrate on stability which also includes stability in package version numbers.

Revision history for this message
MPE License Team (licenceubuntu) said : 		#2

yes, I meant 22.04 (typo). But my point is that LTS are supposed to provide security updates during their lifetime and roundcube is affected since a while by at least one serious vulnerability, so why is not 22.04 getting its security updates for roundcube?

Revision history for this message
actionparsnip (andrew-woodhead666) said : 		#3

Absolutely, report the bug and mark it as a security bug and it'll be noticed sooner rather than later

Revision history for this message
Achim Bohnet (allee) said : 		#4

Bug reports related to roundcube CVE already exist:

  https://bugs.launchpad.net/ubuntu/+source/roundcube/+bugs?field.has_cve=on

+ CVE-2023-5631 released Oct 18th and well present in all IT related media
+ Launchpad bug report Nov 22nd
+ CVE reference added Dec 7th
+ Tag community-security added right now (Dec 14th)

we'll see when status changes to 'in progress' ;-)

Can you help with this problem?

Provide an answer of your own, or ask MPE License Team for more information if necessary.

To post a message you must log in.