EPEL5 currently distributes roundcubemail-0.1.1-6.

According to the RPM changelog several CVE security vulnerabilities have been fixed, but I did not find a mention of CVE-2010-0464 being fixed:
http://www.cvedetails.com/cve/CVE-2008-5620/

According to
http://www.cvedetails.com/vulnerability-list/vendor_id-8905/product_id-15709/version_id-66544/Roundcube-Roundcube-Webmail-0.1.1.html
Roundcube 0.1.1 is vulnerable.

Fixes for the roundcubemail package in Fedora 11 and 12 seem to have gone out though:
https://bugzilla.redhat.com/show_bug.cgi?id=560142
I'll look into upgrading to a higher version using the php53 stack.
This seems not to be immediately feasible; a patch might be faster. Do you know if a patch for this against 0.1.1 exists?
I don't know if a patch against 0.1.1 exists.
Found one, working on it.
roundcubemail-0.1.1-7.el5 has been submitted as an update for Fedora EPEL 5. https://admin.fedoraproject.org/updates/roundcubemail-0.1.1-7.el5
Package roundcubemail-0.1.1-7.el5:
* should fix your issue,
* was pushed to the Fedora EPEL 5 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing roundcubemail-0.1.1-7.el5'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2012-13519/roundcubemail-0.1.1-7.el5
then log in and leave karma (feedback).
roundcubemail-0.1.1-7.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.