@thomascube thomascube released this Oct 26, 2018 · 1588 commits to master since this release

Assets 8

This is a service release to update the stable version 1.3 of Roundcube Webmail.
It contains fixes to several bugs backported from the master branch including a security fix for a reported XSS vulnerability plus updates to ensure compatibility with PHP 7.3 and recent versions of Courier-IMAP, Dovecot and MySQL 8. See the complete changelog below.


  • Fix PHP warnings on dummy QUOTA responses in Courier-IMAP 4.17.1 (#6374)
  • Fix so fallback from BINARY to BODY FETCH is used also on [PARSE] errors in dovecot 2.3 (#6383)
  • Enigma: Fix deleting keys with authentication subkeys (#6381)
  • Fix invalid regular expressions that throw warnings on PHP 7.3 (#6398)
  • Fix so Classic skin splitter does not escape out of window (#6397)
  • Fix XSS issue in handling invalid style tag content (#6410)
  • Fix compatibility with MySQL 8 - error on 'system' table use
  • Managesieve: Fix bug where show_real_foldernames setting wasn't respected (#6422)
  • New_user_identity: Fix %fu/%u vars substitution in user specific LDAP params (#6419)
  • Fix support for "allow-from " in x_frame_options config option (#6449)
  • Fix bug where valid content between HTML comments could have been skipped in some cases (#6464)
  • Fix multiple VCard field search (#6466)
  • Fix session issue on long running requests (#6470)