We just published another update to the both stable versions 1.2 and
1.1 delivering important bug fixes and improvements which we picked
from the upstream branch.
Included is a fix for a recently revealed security issue when using
PHP's mail() function. It has been discovered and kindly reported by
Robin Peraglie using the static code analyzer RIPS  and more
details along with a CVE number will be published shortly.
See the full changelog for 1.2.3 in the wiki . Version 1.1.7 is a
security update fixing the mail() issue and thus only relevant to
Roundcube installations not having an SMTP server configured for mail
Both versions are considered stable and we recommend to update all
productive installations of Roundcube with either of these versions.
Download them from GitHub via https://roundcube.net/download.
As usual, don't forget to backup your data before updating!