Pre-release

@thomascube released this Aug 25, 2018 · 37 commits to master since this release

This is a beta release of the next major version 1.4 of Roundcube webmail.
With this milestone we introduce some new features:

  • New responsive skin with mobile support
  • Email Resent (Bounce) feature
  • Improved Mailvelope integration
  • Support for Redis cache
  • Support for SMTPUTF8

Because the new responsive skin is not yet fully completed, it's not enabled
by default. In order to make it the default for your users, change your
config.inc.php accordingly:

$config['skin'] = 'elastic';

Although it still needs some polishing, the new skin solves the urgent need
to enable access to Roundcube for mobile devices. The plugin elastic4mobile
makes it the default for mobile devices while keeping the configured default
for desktop browsers.

The Elastic skin is built with LESS and of course the sources are included.
They allow a certain degree of customization by adjusting some color variables.
All you need is to compile your very own customized skin with lessc.

In case you're running Roundcube directly from source or if you're not using
the complete package, you need to install the 3rd party JavaScript modules
by executing the following install script:

$ bin/install-jsdeps.sh

This is a beta release and we recommend testing it in a separate environment.
And don't forget to back up your data before installing it.

CHANGELOG

  • Added new skin with mobile support - the Elastic
  • Support Redis cache
  • Email Resent (Bounce) feature (#4985)
  • Improved Mailvelope integration
    • Added private key listing and generating to identity settings
    • Enable encrypt & sign option if Mailvelope supports it
  • Allow contacts without an email address (#5079)
  • Support SMTPUTF8 and relax email address validation to support unicode in local part (#5120)
  • Support for IMAP folders that cannot contain both folders and messages (#5057)
  • Update to jQuery-3.3.1
  • Update to jQuery-minicolors 2.2.6
  • Update to TinyMCE 4.7.13
  • Remove sample PHP configuration from .htaccess and .user.ini files (#5850)
  • Extend skin_logo setting to allow per skin logos (#6272)
  • Use Masterminds/HTML5 parser for better HTML5 support (#5761)
  • Add More actions button in Contacts toolbar with Copy/Move actions (#6081)
  • Display an error when clicking disabled link to register protocol handler (#6079)
  • Add option trusted_host_patterns (#6009, #5752)
  • Support additional connect parameters in PostgreSQL database wrapper
  • Use UI dialogs instead of confirm() and alert() where possible
  • Display value of the SMTP message size limit in the error message (#6032)
  • Show message flagged status in message view (#5080)
  • Skip redundant INSERT query on successful logon when using PHP7
  • Replace display_version with display_product_version (#5904)
  • Extend disabled_actions config so it accepts also button names (#5903)
  • Handle remote stylesheets the same as remote images, ask the user to allow them (#5994)
  • Add Message-ID to the sendmail log (#5871)
  • Add option to hide folders in share/other-user namespace or outside of the personal namespace root (#5073)
  • Archive: Fix archiving by sender address on cyrus-imap
  • Archive: Style Archive folder also on folder selector and folder manager lists
  • Archive: Add Thunderbird compatible Month option (#5623)
  • Archive: Create archive folder automatically if it's configured, but does not exist (#6076)
  • Enigma: Add button to send mail unencrypted if no key was found (#5913)
  • Enigma: Add options to set PGP cipher/digest algorithms (#5645)
  • Enigma: Multi-host support
  • Managesieve: Add ability to disable filter sets and other actions (#5496, #5898)
  • Managesieve: Add option managesieve_forward to enable settings dialog for simple forwarding (#6021)
  • Managesieve: Support filter action with custom IMAP flags (#6011)
  • Managesieve: Support 'mime' extension tests - RFC5703 (#5832)
  • Managesieve: Support GSSAPI authentication with krb_authentication plugin (#5779)
  • Managesieve: Support enabling the plugin for specified hosts only (#6292)
  • Password: Support host variables in password_db_dsn option (#5955)
  • Password: Automatic virtualmin domain setting, removed password_virtualmin_format option (#5759)
  • Password: Added password_username_format option (#5766)
  • subscriptions_option: show \Noselect folders greyed out (#5621)
  • zipdownload: Added option to define size limit for multiple messages download (#5696)
  • vcard_attachments: Add possibility to send contact vCard from Contacts toolbar (#6080)
  • Changed defaults for smtp_user (%u), smtp_pass (%p) and smtp_port (587)
  • Composer: Fix certificate validation errors by using packagist only (#5148)
  • Add --get and --extract arguments and CACHEDIR env-variable support to install-jsdeps.sh (#5882)
  • Support _filter and _scope as GET arguments for opening mail UI (#5825)
  • Various improvements for templating engine and skin behaviours
    • Support conditional include
    • Support for 'link' objects
    • Support including files with path relative to templates directory
    • Use instead of for submit button on logon screen
  • Support skin localization (#5853)
  • Reset onerror on images if placeholder does not exist to prevent a request storm
  • Unified and simplified code for loading content frame for responses and identities
  • Display contact import and advanced search in popup dialogs
  • Display a dialog for mail import with supported format description and upload size hint
  • Make it possible to set (some) config options from a skin
  • Added optional checkbox selection for the list widget
  • Make 'compose' command always enabled
  • Add .log suffix to all log file names, add option log_file_ext to control this (#313)
  • Return "401 Unauthorized" status when login fails (#5663)
  • Support both comma and semicolon as recipient separator, drop recipients_separator option (#5092)
  • Plugin API: Added 'show_bytes' hook (#5001)
  • Add option to not indent quoted text on top-posting reply (#5105)
  • Removed global $CONFIG variable
  • Removed debug_level setting
  • Support AUTHENTICATE LOGIN for IMAP connections (#5563)
  • Support LDAP GSSAPI authentication (#5703)
  • Localized timezone selector (#4983)
  • Use 7bit encoding for ISO-2022-* charsets in sent mail (#5640)
  • Handle inline images also inside multipart/mixed messages (#5905)
  • Allow style tags in HTML editor on composed/reply messages (#5751)
  • Use Github API as a fallback to fetch js dependencies to workaround throttling issues (#6248)
  • Show confirm dialog when moving folders using drag and drop (#6119)
  • Fix bug where new_user_dialog email check could have been circumvented by deleting / abandoning session (#5929)
  • Fix skin extending for assets (#5115)
  • Fix handling of forwarded messages inside of a TNEF message (#5632)
  • Fix bug where attachment size wasn't visible when the filename was too long (#6033)
  • Fix checking table columns when there's more schemas/databases in postgres/mysql (#6047)
  • Fix css conflicts in user interface and e-mail content (#5891)
  • Fix duplicated signature when using Back button in Chrome (#5809)
  • Fix touch event issue on messages list in IE/Edge (#5781)
  • Fix so links over images are not removed in plain text signatures converted from HTML (#4473)
  • Fix various issues when downloading files with names containing non-ascii chars, use RFC 2231 (#5772)
  • Fix PHP warnings on dummy QUOTA responses in Courier-IMAP 4.17.1 (#6374)
  • Fix so fallback from BINARY to BODY FETCH is used also on [PARSE] errors in dovecot 2.3 (#6383)
  • Enigma: Fix deleting keys with authentication subkeys (#6381)
  • Fix invalid regular expressions that throw warnings on PHP 7.3 (#6398)
  • Fix so Classic skin splitter does not escape out of window (#6397)

@thomascube released this Jul 27, 2018 · 1493 commits to master since this release

This is a service release to update the stable version 1.3 of Roundcube Webmail. It contains fixes to several bugs backported from the master branch including a security fix mitigating the EFAIL issue recently discovered in OpenPGP. See the complete changelog below.

This version is considered stable and we recommend to update all productive installations
of Roundcube with it. Please do backup your data before updating!

CHANGELOG

  • Fix PHP Warning: Use of undefined constant IDNA_DEFAULT on systems without php-intl (#6244)
  • Fix bug where some parts of quota information could have been ignored (#6280)
  • Fix bug where some escape sequences in html styles could bypass security checks
  • Fix bug where some forbidden characters on Cyrus-IMAP were not prevented from use in folder names
  • Fix bug where only attachments with the same name would be ignored on zip download (#6301)
  • Fix bug where unicode contact names could have been broken/emptied or caused DB errors (#6299)
  • Fix bug where after "mark all folders as read" action message counters were not reset (#6307)
  • Enigma: [EFAIL] Don't decrypt PGP messages with no MDC protection (#6289)
  • Fix bug where some HTML comments could have been malformed by HTML parser (#6333)

@thomascube released this Apr 29, 2018 · 2052 commits to master since this release

This is a follow-up to the recent security update for the stable version 1.2. It fixes a regression that sneaked in with the IMAP command injection protection which unintentionally disabled actions that operate on all selected messages (e.g. mark all as junk).

We recommend to update all productive installations of Roundcube 1.2.8.
Please do backup your data before updating!

CHANGELOG

  • Fix regression where IMAP commands with '*' uidset argument weren't working

@thomascube released this Apr 29, 2018 · 2663 commits to master since this release

This is a follow-up to the recent security update for the stable version 1.1. It fixes a regression that sneaked in with the IMAP command injection protection which unintentionally disabled actions that operate on all selected messages (e.g. mark all as junk).

We recommend to update all productive installations of Roundcube 1.1.11.
Please do backup your data before updating!

CHANGELOG

  • Fix regression where IMAP commands with '*' uidset argument weren't working

@thomascube released this Apr 18, 2018 · 2663 commits to master since this release

This is a security update to the stable version 1.2. It fixes a recently reported vulnerability allowing IMAP command injection via GET parameters. More details about this are published under CVE-2018-9846.

The second fix is about a missed remote content blocking on HTML messages with specially crafted image and style tags.

We strongly recommend to update all productive installations of Roundcube 1.1.x.
Please do backup your data before updating!

CHANGELOG

  • Don't ignore (global) userlogins/sendmail logs in per_user_logging mode
  • Fix security issue in remote content blocking on HTML image and style tags (#6178)
  • Fix check_request() bypass in places using get_uids() [CVE-2018-9846] (#6238)
  • Fix possible IMAP command injection vulnerability [CVE-2018-9846] (#6229)

@thomascube released this Apr 17, 2018 · 2052 commits to master since this release

This is a security update to the stable version 1.2. It fixes a recently reported vulnerability allowing IMAP command injection via GET parameters. More details about this are published under CVE-2018-9846.

The second fix is about a missed remote content blocking on HTML messages with specially crafted image and style tags.

We strongly recommend to update all productive installations of Roundcube 1.2.x.
Please do backup your data before updating!

CHANGELOG

  • Fix check_request() bypass in places using get_uids() [CVE-2018-9846] (#6238)
  • Fix possible IMAP command injection vulnerability [CVE-2018-9846] (#6229)
  • Fix security issue in remote content blocking on HTML image and style tags (#6178)

@thomascube released this Apr 11, 2018 · 1493 commits to master since this release

This is a security update to the stable version 1.3. It primarily fixes a recently discovered IMAP command injection vulnerability caused by insufficient input validation within the archive plugin. Details about the vulnerability are published under CVE-2018-9846.

Additionally, we back-ported some minor fixes from the master branch which improve PHP 7.2 compatibility as well as PGP signing and key handling for those who use the Enigma plugin. See the complete changelog below.

We strongly recommend to update all productive installations of Roundcube.
Please do backup your data before updating!

CHANGELOG

  • Fix parsing date strings (e.g. from a Date: mail header) with comments (#6216)
  • Fix PHP 7.2: count(): Parameter must be an array in enchant-based spellchecker (#6234)
  • Fix possible IMAP command injection and type juggling vulnerabilities (#6229)
  • Enigma: Fix key selection for signing
  • Enigma: Enable keypair generation on Internet Explorer 11
  • Fix check_request() bypass in places using get_uids() [CVE-2018-9846] (#6238)
  • Fix bug where usernames without domain part could be malformed or converted to lower-case on logon (#6224)

@thomascube released this Mar 15, 2018 · 1493 commits to master since this release

This is a service release to update the stable version 1.3 of Roundcube Webmail.
It contains fixes to several bugs backported from the master branch. One can be called a minor security fix as it fixes blocking of remote content on specially crafted style tags. See the complete changelog below.

This version is considered stable and we recommend to update all productive installations
of Roundcube with it. Please do backup your data before updating!

CHANGELOG

  • Managesieve: Fix bug where text: syntax was forced for strings longer than 1024 characters (#6143)
  • Managesieve: Fix missing Save button in Edit Filter Set page of Classic skin (#6154)
  • Fix duplicated labels in Test SMTP Config section (#6166)
  • Fix PHP Warning: exif_read_data(...): Illegal IFD size (#6169)
  • Enigma: Fix key generation in Safari by upgrade to OpenPGP 2.6.2 (#6149)
  • Fix security issue in remote content blocking on HTML image and style tags (#6178)
  • Added 9pt and 11pt to the list of font sizes in HTML editor
  • Fix handling encoding of HTML tags in "inline" JSON output (#6207)
  • Fix bug where some unix timestamps were not handled correctly by rcube_utils::anytodatetime() (#6212)

@thomascube released this Jan 14, 2018 · 1493 commits to master since this release

This is a service release to update the stable version 1.3 of Roundcube Webmail.
It contains fixes to several bugs reported by our dear community members and
makes Roundcube fully compatible with PHP 7.2. See the complete changelog below.

This version is considered stable and we recommend to update all productive installations
of Roundcube with it. Please do backup your data before updating!

CHANGELOG

  • Fix a couple of warnings on PHP 7.2 (#6098)
  • Fix bug where contacts search could skip some records (#6130)
  • Fix possible information leak - add more strict sql error check on user creation (#6125)
  • Fix broken long filenames when using imap4d server - workaround server bug (#6048)
  • Fix so temp_dir misconfiguration prints an error to the log (#6045)
  • Fix untagged COPYUID responses handling - again (#5982)
  • Fix PHP warning "idn_to_utf8(): INTL_IDNA_VARIANT_2003 is deprecated" with PHP 7.2 (#6075)
  • Fix bug where Archive folder wasn't auto-created on login with create_default_folders=true
  • Fix performance issue when parsing malformed and long Date header (#6087)
  • Fix syntax error in mssql.initial.sql (#6097)
  • Fix bug where contacts export by selection returned no more than 10 entries (#6103)
  • Fix searching contacts by address in LDAP source (#6084)
  • Fix X-Frame-Options: ALLOW-FROM support, remove custom click-jacking protection (#6057)

@thomascube released this Nov 8, 2017 · 1493 commits to master since this release

This is a security update to the stable version 1.3. It primarily fixes a recently discovered file disclosure vulnerability caused by insufficient input validation in conjunction with file-based attachment plugins, which are used by default. More details will be published under CVE-2017-16651.

We strongly recommend to update all productive installations of Roundcube.
Please do backup your data before updating!

CHANGELOG

  • Fix decoding of mailto: links with + character in HTML messages (#6020)
  • Fix false reporting of failed upgrade in installto.sh (#6019)
  • Fix file disclosure vulnerability caused by insufficient input validation (#6026)
  • Fix mangled non-ASCII characters in links in HTML messages (#6028)