@thomascube released this Nov 8, 2017


This is a security update to the stable version 1.2. It primarily fixes a recently discovered file disclosure vulnerability caused by insufficient input validation in conjunction with file-based attachment plugins, which are used by default. More details will be published under CVE-2017-16651.

We strongly recommend updating all production installations of Roundcube 1.2.x.
Please back up your data before updating!

CHANGELOG

  • Fix rewind(): stream does not support seeking (#5950)
  • Fix bug where HTML messages could have been rendered empty on some systems (#5957)
  • Fix (again) bug where image data URIs in css style were treated as evil/remote in mail preview (#5580)
  • Managesieve: Fix parsing dot-stuffed lines in multiline text (#5838, #5959)
  • Fix file disclosure vulnerability caused by insufficient input validation (#6026)