Releases: roundcube/roundcubemail

Roundcube Webmail 1.1.9

28 Apr 08:39
1.1.9

This is a security update to the stable version 1.1. It primarily fixes a recently discovered vulnerability in the virtualmin and sasl drivers of the password plugin plus adds a few cherry-picked bug fixes from upstream versions. A detailed list of changes is shown below.

It's considered stable and we recommend updating all production installations of Roundcube 1.1.x to this version. Please back up your data before updating!

CHANGELOG

  • Password: Fix security issue in virtualmin and sasl drivers [CVE-2017-8114]
  • Fix regression in LDAP fuzzy search where it always used prefix search instead (#5713)
  • Fix bug where base_dn setting was ignored inside group_filters (#5720)

Roundcube Webmail 1.0.11

28 Apr 08:54
1.0.11

This is a security update to the LTS version 1.0. It fixes a recently discovered vulnerability in the virtualmin and sasl drivers of the password plugin.

It's considered stable and we recommend updating all production installations of Roundcube 1.0.x to this version if for some reason you're not able to upgrade to the latest stable version. Please back up your data before updating!

Instead of a full update you can apply the following patch:
https://github.com/roundcube/roundcubemail/commit/271426429b.diff

CHANGELOG

  • Password: Fix security issue in virtualmin and sasl drivers [CVE-2017-8114]

Roundcube Webmail 1.3-rc

26 Apr 19:36
1.3-rc
Pre-release

This is a feature-complete version of the next major version 1.3 of Roundcube webmail for final testing. After dropping support for older browsers and PHP versions and adding some new features like the widescreen layout, the release candidate finalizes that work and also fixes two security issues plus adds improvements to the Managesieve and Enigma plugins.

As a reminder: if you're installing the dependent package or run Roundcube directly from source, you now need to install the removed 3rd party javascript modules by executing the following install script:

$ bin/install-jsdeps.sh

With the upcoming stable release of 1.3.0 the old 1.x series will only receive important security fixes.

Please note that this is a release candidate and we recommend testing it in a separate environment. And don't forget to back up your data before installing it.

CHANGELOG

  • "Flattened" the larry theme: fresher look by removing shadows and gradients
  • Support logging to php://stdout (#5721)
  • Add support for DelSp=Yes in format=flowed messages (#5702)
  • Update to jQuery 3.2.1
  • Update to TinyMCE 4.5.6
  • Plugin API: Call message_part_structure hook for sub-parts of multipart/alternative message (#5678)
  • Enigma: Always use detached signatures (#5624)
  • Enigma: Fix handling of messages with nested PGP encrypted parts (#5634)
  • Minimize unwanted message loading in preview frame on drag (#5616)
  • Fix failing database schema check in all engines except mysql (#5730)
  • Fix autocomplete popup closing with click outside the input, don't handle Tab key as Enter (#5606)
  • Fix jsdeps.json synchronization on update, warn about missing requirements of install-jsdeps.sh (#5598)
  • Fix missing thread expand icon on search result in widescreen mode (#5613)
  • Fix bug where image data URIs in css style were treated as evil/remote in mail preview (#5580)
  • Fix bug where external content in src attribute of input/video tags was not secured (#5583)
  • Fix PHP error on update of a contact with multiple email addresses when using PHP 7.1 (#5587)
  • Fix bug where mail content frame couldn't be reset in some corner cases (#5608)
  • Fix bug where some classic skin images were not displayed in IE/Edge (#5614)
  • Fix bug where signature couldn't be added above the quote in Firefox 51 (#5628)
  • Fix regression where groups with email address were resolved to its members' addresses
  • Fix update of group name in the contacts list header on group rename (#5648)
  • Add rewrite rule to disable access to /vendor/bin folder in .htaccess (#5630)
  • Fix bug where it was too easy to accidentally move a folder when using the subscription checkbox (#5655)
  • Managesieve: Fix parser issue with empty lines between comments (#5657)
  • Managesieve: Fix possible defect in handling \r\n in scripts (#5685)
  • Fix/rephrase "unsaved changes" warning when cancelling a draft (#5610)
  • Fix XSS issue in handling of a style tag inside of an svg element [CVE-2017-6820]
  • Fix bug where settings/upload.inc could not be used by plugins (#5694)
  • Fix regression in LDAP fuzzy search where it always used prefix search instead (#5713)
  • Fix bug where namespace prefix could not be truncated on folders list if show_real_foldernames=true (#5695)
  • Fix undesired effects when postgres database uses different timezone than PHP host (#5708)
  • Installer: Fix DB schema initialization on MS SQL Server
  • Fix bug where base_dn setting was ignored inside group_filters (#5720)
  • Password: Fix security issue in virtualmin and sasl drivers [CVE-2017-8114]

Roundcube Webmail 1.0.10

06 Apr 19:36
1.0.10

This is a security update to the LTS version 1.0. It contains some important bug fixes and security improvements backported from the master version.

It's considered stable and we recommend updating all production installations of Roundcube 1.0.x to this version if for some reason you're not able to upgrade to the latest stable version. Please back up your data before updating!

CHANGELOG

  • Strip HTML tags inside CSS style definitions
  • Fix vulnerability in handling of mail()'s 5th argument (CVE-2016-9920)
  • Don't create multipart/alternative messages with empty text/plain part (#5283)
  • Fix XSS issue in href attribute on area tag (#5240)
  • Wash position:fixed style in HTML mail for better security (#5264)

Roundcube Webmail 1.2.4

10 Mar 22:18
1.2.4

This is another service release to update the stable version 1.2. It contains some important bug fixes and improvements which we picked from the upstream branch. A detailed list of changes is shown below.

It's considered stable and we recommend updating all production installations of Roundcube to this version. Please back up your data before updating!

CHANGELOG

  • Managesieve: Fix handling of scripts with nested rules (#5540)
  • Managesieve: Fix parser issue with empty lines between comments (#5657)
  • Managesieve: Fix possible defect in handling \r\n in scripts (#5685)
  • Enigma: Fix handling of messages with nested PGP encrypted parts (#5634)
  • Enigma: Fix PHP fatal error when decrypting a message with invalid signature (#5555)
  • Enigma: Fix missing require statement for Crypt_GPG_KeyGenerator (#5641)
  • Fix variable substitution in ldap host for some use-cases, e.g. new_user_identity (#5544)
  • Fix adding images to new identity signatures
  • Fix rsync error handling in installto.sh script (#5562)
  • Fix some advanced search issues with multiple addressbooks (#5572)
  • Fix so group/addressbook selection is retained on page refresh
  • Fix bug where image data URIs in css style were treated as evil/remote in mail preview (#5580)
  • Fix bug where external content in src attribute of input/video tags was not secured (#5583)
  • Fix PHP error on update of a contact with multiple email addresses when using PHP 7.1 (#5587)
  • Fix bug where mail content frame couldn't be reset in some corner cases (#5608)
  • Fix bug where some classic skin images were not displayed in IE/Edge (#5614)
  • Fix bug where signature couldn't be added above the quote in Firefox 51 (#5628)
  • Fix regression where groups with email address were resolved to its members' addresses
  • Fix update of group name in the contacts list header on group rename (#5648)
  • Add rewrite rule to disable access to /vendor/bin folder in .htaccess (#5630)
  • Fix bug where it was too easy to accidentally move a folder when using the subscription checkbox (#5655)
  • Fix XSS issue in handling of a style tag inside of an svg element (CVE-2017-6820)

Roundcube Webmail 1.1.8

10 Mar 22:39
1.1.8

This is a security update to the stable version 1.1. It contains a few fixes which we picked from the upstream branch. A detailed list of changes is shown below.

It's considered stable and we recommend updating all production installations of Roundcube 1.1.x to this version. Please back up your data before updating!

CHANGELOG

  • Fix bug where mail content frame couldn't be reset in some corner cases (#5608)
  • Fix regression where groups with email address were resolved to its members' addresses
  • Fix so group/addressbook selection is retained on page refresh
  • Fix bug where signature couldn't be added above the quote in Firefox 51 (#5628)
  • Fix so microseconds macro (u) in log_date_format works (#1490446)
  • Fix XSS issue in handling of a style tag inside of an svg element (CVE-2017-6820)

Roundcube Webmail 1.3-beta

05 Jan 20:03
1.3-beta
Pre-release

This is a beta release of the next major version 1.3 of Roundcube webmail.
With this milestone we introduce some new features:

  • Widescreen layout aka Three Column View
  • Possibility to display QR code for contacts data
  • New identicon plugin
  • Attach contact vCards to composed message
  • Support WEBP images and MathML preview
  • Preview, download and rename attachments when composing a message
  • message/rfc822 attachment preview
  • Various Enigma (PGP) and Managesieve plugin improvements

Plus security and deployment improvements:

  • Improve randomness of password salts and random hashes
  • Fixed redundancy in sql caching system and compatibility with Galera Cluster

And finally some code-cleanup:

  • Dropped support for legacy browsers (IE < 10; removed legacy_browser plugin)
  • Require PHP >= 5.4
  • Removed PHP mail() support
  • Removed 3rd party javascript libraries from repo

IMPORTANT: The code-cleanup part brings major changes and possible incompatibilities with your existing Roundcube installations. So please read the Changelog carefully and thoroughly test your upgrade scenario.

Please note that Roundcube 1.3

  1. no longer runs on PHP 5.3
  2. no longer supports IE < 10 and old versions of Firefox, Chrome and Safari
  3. requires an SMTP server connection to send mails

In case you're running Roundcube directly from source, you now need to install the removed 3rd party javascript modules by executing the following install script:

$ bin/install-jsdeps.sh

Roundcube Webmail 1.2.3

28 Nov 19:49
1.2.3

This is the third service release to update the stable version 1.2. It contains some important bug fixes and improvements which we picked from the upstream branch. A detailed list of changes is shown below. Included is a fix for a recently reported security issue when using PHP's mail() function. It was discovered by Robin Peraglie using RIPS and more details along with a CVE number will be published shortly.

It's considered stable and we recommend updating all production installations of Roundcube to this version. Please back up your data before updating!

CHANGELOG

  • Fix vulnerability in handling of mail()'s 5th argument
  • Searching in both contacts and groups when LDAP addressbook with group_filters option is used
  • Fix To: header encoding in mail sent with mail() method (#5475)
  • Fix flickering of header top-line in min-mode (#5426)
  • Fix bug where folders list would scroll to top when clicking on subscription checkbox (#5447)
  • Fix decoding of GB2312/GBK text when iconv is not installed (#5448)
  • Fix regression where creation of default folders wasn't functioning without prefix (#5460)
  • Enigma: Fix bug where last records on keys list were hidden (#5461)
  • Enigma: Fix key search with keyword containing non-ascii characters (#5459)
  • Fix bug where deleting folders with subfolders could fail in some cases (#5466)
  • Fix bug where IMAP password could be exposed via error message (#5472)
  • Fix bug where it wasn't possible to store more than 2MB objects in memcache/apc,
    Added memcache_max_allowed_packet and apc_max_allowed_packet settings (#5452)
  • Fix "Illegal string offset" warning in rcube::log_bug() on PHP 7.1 (#5508)
  • Fix storing "empty" values in rcube_cache/rcube_cache_shared (#5519)
  • Fix missing content check when image resize fails on attachment thumbnail generation (#5485)
  • Fix displaying attached images with wrong Content-Type specified (#5527)

Roundcube Webmail 1.1.7

28 Nov 19:51
1.1.7

This is a security update to the stable version 1.1. It contains one fix for a recently reported security issue when using PHP's mail() function. It was discovered by Robin Peraglie using RIPS and more details along with a CVE number will be published shortly.

It's considered stable and we recommend updating all production installations of Roundcube 1.1.x which do not have an SMTP server configured for mail delivery.

Please back up your data before updating!

CHANGELOG

  • Fix vulnerability in handling of mail()'s 5th argument

Roundcube Webmail 1.2.2

28 Sep 19:50
1.2.2

This is the second service release to update the stable version 1.2. It contains
some important bug fixes and again more improvements of the Enigma plugin
for PGP encryption. A detailed list of changes is shown below.

It's considered stable and we recommend updating all production installations
of Roundcube to this version. Please back up your data before updating!

CHANGELOG

  • Enigma: Add possibility to configure gpg-agent binary location (enigma_pgp_agent)
  • Enigma: Fix signature verification with some IMAP servers, e.g. Gmail, DBMail (#5371)
  • Enigma: Make recipient key searches case-insensitive (#5434)
  • Fix regression in resizing JPEG images with Imagick (#5376)
  • Managesieve: Fix parsing of vacation date-time with non-default date_format (#5372)
  • Use SymLinksIfOwnerMatch in .htaccess instead of FollowSymLinks disabled on some hosts for security reasons (#5370)
  • Wash position:fixed style in HTML mail for better security (#5264)
  • Fix bug where memcache_debug didn't work for session operations
  • Fix bug where Message-ID domain part was tied to username instead of current identity (#5385)
  • Fix bug where blocked.gif couldn't be attached to reply/forward with insecure content
  • Fix E_DEPRECATED warning when using Auth_SASL::factory() (#5401)
  • Fix bug where names of downloaded files could be malformed when derived from the message subject (#5404)
  • Fix so "All" messages selection is reset on search reset (#5413)
  • Fix bug where folder creation could fail if personal namespace contained more than one entry (#5403)
  • Fix error causing empty INBOX listing in Firefox when using a URL with user:password specified (#5400)
  • Fix PHP warning when handling shared namespace with empty prefix (#5420)
  • Fix so folders list is scrolled to the selected folder on page load (#5424)
  • Fix so when moving to Trash we make sure the folder exists (#5192)
  • Fix displaying size of attachments with zero size
  • Fix so "Action disabled" error uses more appropriate 404 code (#5440)