Roundcube has released a bug fix version of their new 0.8.x line. Contains a bug fix for "a recently reported vulnerability that allows an attacker to access files on the server." (Attacker in this case is a user of your mail system, not a random joe from anywhere.) I haven't tried yet, but usually just renaming the last ebuild is all roundcube needs to be updated. Reproducible: Always Security issue, so I'm going to mark critical. Let me know if I shouldn't have.
I just noticed that we've added 0.9 beta & RC1 to the tree. It looks like they've released 0.9 RC2 to address this.
Arches please stabilize: =mail-client/roundcube-0.8.6
amd64 stable
ppc stable
x86 stable
Ready for vote, I vote NO.
arm stable
GLSA vote: no. Closing noglsa.