Roundcube has released a bug fix version of their new 0.8.x line. Contains a bug fix for "a recently reported vulnerability that allows an attacker to access files on the server." (Attacker in this case is a user of your mail system, not a random joe from anywhere.)
I haven't tried yet, but usually just renaming the last ebuild is all roundcube needs to be updated.
Security issue, so I'm going to mark critical. Let me know if I shouldn't have.
I just noticed that we've added 0.9 beta & RC1 to the tree. It looks like they've released 0.9 RC2 to address this.
Arches please stabilize:
Ready for vote, I vote NO.
GLSA vote: no.