Skip to content

@thomascube thomascube released this Sep 27, 2020 · 518 commits to master since this release

This is a service update to the stable version 1.4 of Roundcube Webmail.
It contains fixes and general improvements from our issue tracker, mainly related to email composition and UI oddities in Elastic skin and with the TinyMCE richtext editor. See the full changelog below.

This version is considered stable and we recommend to update all productive installations of Roundcube with it.
Please do backup your data before updating!

CHANGELOG

  • Fix HTML editor in latest Chrome 85.0.4183.102, update to TinyMCE 4.9.11 (#7615)
  • Add missing localization for some label/legend elements in userinfo plugin (#7478)
  • Fix importing birthday dates from Gmail vCards (BDAY:YYYYMMDD)
  • Fix restoring Cc/Bcc fields from local storage (#7554)
  • Fix jstz.min.js installation, bump version to 1.0.7
  • Fix incorrect PDO::lastInsertId() use in sqlsrv driver (#7564)
  • Fix link to closure compiler in bin/jsshrink.sh script (#7567)
  • Fix bug where some parts of a message could have been missing in a reply/forward body (#7568)
  • Fix empty space on mail printouts in Chrome (#7604)
  • Fix empty output from HTML5 parser when content contains XML tag (#7624)
  • Fix scroll jump on key press in plain text mode of the HTML editor (#7622)
  • Fix so autocompletion list does not hide on scroll inside it (#7592)
Assets 8

@thomascube thomascube released this Aug 10, 2020 · 518 commits to master since this release

This is a service and security update to the stable version 1.4 of Roundcube Webmail.
It contains fixes for recently reported security vulnerabilities as well a small number of general improvements from our issue tracker. See the full changelog below.

Security fixes

  • Fix potential XSS issue in HTML editor of the identity signature input
  • Fix cross-site scripting (XSS) via HTML messages with malicious svg content [CVE-2020-16145]
  • Fix cross-site scripting (XSS) via HTML messages with malicious math content

Credits for the latter two findings go to Łukasz Pilorz from Pentesters.

This version is considered stable and we recommend to update all productive installations of Roundcube with it.
Please do backup your data before updating!

CHANGELOG

  • Managesieve: Fix too-small input field in Elastic when using custom headers (#7498)
  • Fix support for an error as a string in message_before_send hook (#7475)
  • Elastic: Fix redundant scrollbar in plain text editor on mail reply (#7500)
  • Elastic: Fix deleted and replied+forwarded icons on messages list (#7503)
  • Managesieve: Allow angle brackets in out-of-office message body (#7518)
  • Fix bug in conversion of email addresses to mailto links in plain text messages (#7526)
  • Fix format=flowed formatting on plain text part derived from the HTML content (#7504)
  • Fix incorrect rewriting of internal links in HTML content (#7512)
  • Fix handling links without defined protocol (#7454)
  • Fix paging of search results on IMAP servers with no SORT capability (#7462)
  • Fix detecting special folders on servers with both SPECIAL-USE and LIST-STATUS (#7525)
  • Security: Fix potential XSS issue in HTML editor of the identity signature input (#7507)
  • Security: Fix cross-site scripting (XSS) via HTML messages with malicious svg content [CVE-2020-16145]
  • Security: Fix cross-site scripting (XSS) via HTML messages with malicious math content
Assets 8

@thomascube thomascube released this Aug 10, 2020 · 2592 commits to master since this release

This is a security update to the LTS version 1.3.
It fixes two recently reported cross-site scripting (XSS) vulnerabilities via HTML messages with malicious svg and math contents.

Credits for these findings go to Łukasz Pilorz from Pentesters.

This version in considered stable and we strongly recommend to update all productive installations of Roundcube 1.3.x with it.
Please do backup your data before updating!

Assets 8

@thomascube thomascube released this Aug 10, 2020 · 3151 commits to master since this release

This is a security update to the LTS version 1.2.
It fixes two recently reported cross-site scripting (XSS) vulnerabilities via HTML messages with malicious svg and math contents.

Credits for these findings go to Łukasz Pilorz from Pentesters.

We strongly recommend to update all productive installations of Roundcube 1.2.x if you cannot upgrade to a more recent version.
Please do backup your data before updating!

Assets 8

@thomascube thomascube released this Jul 5, 2020 · 518 commits to master since this release

This is a service and security update to the stable version 1.4 of Roundcube Webmail.
It contains a fix for recently reported security vulnerability as well a small number of general improvements from our issue tracker. See the full changelog below.

Security fix

Prevent cross-site scripting (XSS) via HTML messages with malicious svg/namespace (CVE-2020-15562)

Credits for this finding go to SSD Secure Disclosure.

This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!

CHANGELOG

  • Fix bug where subfolders of special folders could have been duplicated on folder list
  • Increase maximum size of contact jobtitle and department fields to 128 characters
  • Fix missing newline after the logged line when writing to stdout (#7418)
  • Elastic: Fix context menu (paste) on the recipient input (#7431)
  • Fix problem with forwarding inline images attached to messages with no HTML part (#7414)
  • Fix problem with handling attached images with same name when using database_attachments/redundant_attachments (#7455)
  • Security: Fix cross-site scripting (XSS) via HTML messages with malicious svg/namespace
Assets 8

@thomascube thomascube released this Jul 5, 2020 · 2592 commits to master since this release

This is a security update to the LTS version 1.3.
It fixes a recently reported cross-site scripting (XSS) vulnerability via HTML messages with malicious svg/namespace (CVE-2020-15562).

Credits for this finding go to SSD Secure Disclosure.

This version in considered stable and we strongly recommend to update all productive
installations of Roundcube 1.3.x with it. Please do backup your data before updating!

Assets 8

@thomascube thomascube released this Jul 5, 2020 · 3151 commits to master since this release

This is a security update to the LTS version 1.2.
It fixes a recently reported cross-site scripting (XSS) vulnerability via HTML messages with malicious svg/namespace (CVE-2020-15562).

Credits for this finding go to SSD Secure Disclosure.

We strongly recommend to update all productive installations of Roundcube 1.2.x
if you cannot upgrade to a more recent version. Please do backup your data before updating!

Assets 8

@thomascube thomascube released this Jun 7, 2020 · 518 commits to master since this release

This is a follow-up release to the recently published version 1.4.5 of Roundcube Webmail.

It contains a single fix for the installer's test step which was broken with the last release. The update is therefore only relevant for new installations which use the installer to set up Roundcube.

CHANGELOG

  • Installer: Fix regression in SMTP test section (#7417)
Assets 8

@thomascube thomascube released this Jun 7, 2020 · 2592 commits to master since this release

This is a follow-up release to the recently published version 1.3.12 of Roundcube Webmail.

It contains a single fix for the installer's test step which was broken with the last release. The update is therefore only relevant for new installations which use the installer to set up Roundcube.

CHANGELOG

  • Installer: Fix regression in SMTP test section (#7417)
Assets 8

@thomascube thomascube released this Jun 2, 2020 · 2592 commits to master since this release

This is a service and security update to the LTS version 1.3 of Roundcube Webmail.
It contains four fixes for recently reported security vulnerabilities as well a
small number of general improvements backported from the latest stable version.
See the full changelog below.

Security fixes

  • Fix XSS issue in template object 'username' (#7406)
  • Fix cross-site scripting (XSS) via malicious XML attachment
  • Fix a couple of XSS issues in Installer (#7406)
  • Better fix for CVE-2020-12641

The latter two vulnerabilities again are related to public access to the Roundcube installer
and are therefore classified minor.

This version in considered stable and we recommend to update all productive installations
of Roundcube 1.3.x with it. Please do backup your data before updating!

CHANGELOG

  • Security: Better fix for CVE-2020-12641
  • Security: Fix XSS issue in template object 'username' (#7406)
  • Security: Fix couple of XSS issues in Installer (#7406)
  • Security: Fix cross-site scripting (XSS) via malicious XML attachment
Assets 8
You can’t perform that action at this time.