Changelog History

  • v1.4-rc2 Changes

    September 16, 2019

    This is the long awaited second release candidate for the next major version 1.4 of Roundcube webmail. Many fixes, improvements and final touches have gone into this since the first release candidate was published.

    We strongly encourage everybody to customize the Elastic skin using the _styles.less and _variables.less files to blend into your corporate design. You'll find guidance for customization in the README.md file inside the skin folder.

    Rolling out a new and significantly different user interface should be carefully planned and we recommend preparing your users for the change. Therefore the Elastic theme is not set to be the default theme. Adjust your config in order to enable it by default or let your users switch themselves in the user settings.

    Please note that the Classic skin will no longer be maintained and will be completely removed in future releases. Within the 1.4 release series, the Classic skin remains part of the package but it will not receive new features that were added to the Larry or Elastic themes.

    This is still a preview release and we recommend testing it in a separate environment.
    And don't forget to back up your data before installing it.

    CHANGELOG

    • Update to jQuery 3.4.1
    • Clarified 'address_book_type' option behavior (#6680)
    • Added cookie mismatch detection, display an error message informing the user to clear cookies
    • Renamed 'log_session' option to 'session_debug'
    • Removed 'delete_always' option (#6782)
    • Don't log full session identifiers in userlogins log (#6625)
    • Support $HasAttachment/$HasNoAttachment keywords (#6201)
    • Support PECL memcached extension as a session and cache storage driver (experimental)
    • Switch to IDNA2008 variant (#6806)
    • installto.sh: Add possibility to run the update even on the up-to-date installation (#6533)
    • Plugin API: Add 'render_folder_selector' hook
    • Added 'keyservers' option to define list of HKP servers for Enigma/Mailvelope (#6326)
    • Added flag to disable server certificate validation via Mysql DSN argument (#6848)
    • Select all records on the current list page with CTRL + A (#6813)
    • Use Left/Right Arrow keys to faster move over threaded messages list (#6399)
    • Changes in display_next setting (#6795):
      • Move it to Preferences > User Interface > Main Options
      • Make it apply to Contacts interface too
      • Make it apply only if deleting/moving a previewed message/contact
    • Redis: Support connection to unix socket
    • Put charset meta specification before a title tag, add page title automatically (#6811)
    • Elastic: Various internal refactorings
    • Elastic: Add Prev/Next buttons on message page toolbar (#6648)
    • Elastic: Close search options on Enter key press in quick-search input (#6660)
    • Elastic: Changed some icons (#6852)
    • Elastic: Changed read/unread icons (#6636)
    • Elastic: Changed "Move to..." icon (#6637)
    • Elastic: Add hide/show for advanced preferences (#6632)
    • Elastic: Add default icon on Settings/Preferences lists for external plugins (#6814)
    • Elastic: Add indicator for popover menu items that open a submenu (#6868)
    • Elastic: Move compose attachments/options to the right side (#6839)
    • Elastic: Add border/background to attachments list widget (#6842)
    • Elastic: Add "Show unread messages" button to the search bar (#6587)
    • Elastic: Fix bug where toolbar disappears on attachment menu use in Chrome (#6677)
    • Elastic: Fix folders list scrolling on touch devices (#6706)
    • Elastic: Fix non-working pretty selects in Chrome browser (#6705)
    • Elastic: Fix issue with absolute positioned mail content (#6739)
    • Elastic: Fix bug where some menu actions could cause a browser popup warning
    • Elastic: Fix handling mailto: URL parameters in contact menu (#6751)
    • Elastic: Fix keyboard navigation in some menus, e.g. the contact menu
    • Elastic: Fix visual issue with long buttons in .boxwarning (#6797)
    • Elastic: Fix handling new-line in text pasted to a recipient input
    • Elastic: Fix so search is not reset when returning from the message preview page (#6847)
    • Larry: Fix regression where menu actions didn't work with keyboard (#6740)
    • ACL: Display user/group names (from ldap) instead of acl identifier
    • Password: Added ldap_exop driver (#4992)
    • Password: Added support for SSHA512 password algorithm (#6805)
    • Managesieve: Fix bug where global includes were requested for vacation (#6716)
    • Managesieve: Use RFC-compliant line endings, CRLF instead of LF (#6686)
    • Managesieve: Fix so "Create filter" option does not show up when Filters menu is disabled (#6723)
    • Enigma: For verified signatures, display the user id associated with the sender address (#5958)
    • Enigma: Fix bug where revoked users/keys were not greyed out in key info
    • Enigma: Fix error message when trying to encrypt with a revoked key (#6607)
    • Enigma: Fix "decryption oracle" bug [CVE-2019-10740] (#6638)
    • Enigma: Fix bug where signature verification could have been skipped for some message structures (#6838)
    • Fix language selection for spellchecker in html mode (#6915)
    • Fix css styles leak from replied/forwarded message to the rest of the composed text (#6831)
    • Fix invalid path to "add contact" icon when using assets_path setting
    • Fix invalid path to blocked.gif when using assets_path setting (#6752)
    • Fix so advanced search dialog is not automatically displayed on searchonly addressbooks (#6679)
    • Fix so an error is logged when more than one attachment plugin has been enabled, initialize the first one (#6735)
    • Fix bug where flag change could have been passed to a preview frame when not expected
    • Fix bug in HTML parser that could cause missing text fragments when there was no head/body tag (#6713)
    • Fix bug where HTML messages with a xml:namespace tag were not rendered (#6697)
    • Fix TinyMCE download location (#6694)
    • Fix so "Open in new window" consistently displays "external window" interface (#6659)
    • Fix bug where next row wasn't selected after deleting a collapsed thread (#6655)
    • Fix bug where external content (e.g. mail body) was passed to templates parsing code (#6640)
    • Fix bug where attachment preview didn't work with x_frame_options=deny (#6688)
    • Fix so bin/install-jsdeps.sh returns error code on error (#6704)
    • Fix bug where bmp images couldn't be displayed on some systems (#6728)
    • Fix bug in parsing vCard data using PHP 7.3 due to an invalid regexp (#6744)
    • Fix bug where bold/strong text was converted to upper-case on html-to-text conversion (#6758)
    • Fix bug in rcube_utils::parse_hosts() where %t, %d, %z could return only tld (#6746)
    • Fix bug where Next/Prev button in mail view didn't work with multi-folder search result (#6793)
    • Fix bug where selection of columns on messages list wasn't working
    • Fix bug in converting multi-page Tiff images to Jpeg (#6824)
    • Fix bug where handling multiple messages from multi-folder search result could not work (#6845)
    • Fix bug where unread count wasn't updated after moving multi-folder result (#6846)
    • Fix wrong messages order after returning to a multi-folder search result (#6836)
    • Fix some PHP 7.4 compat. issues (#6884, #6866)
    • Fix bug where it was possible to bypass the position:fixed CSS check in received messages (#6898)
    • Fix bug where some strict remote URIs in url() style were unintentionally blocked (#6899)
    • Fix bug where it was possible to bypass the CSS jail in HTML messages using :root pseudo-class (#6897)
    • Fix bug where it was possible to bypass href URI check with data:application/xhtml+xml URIs (#6896)
  • v1.4-rc1 Changes

    February 28, 2019

    This is a first release candidate for the next major version 1.4 of Roundcube webmail which has now been in development for quite a while. Although the new responsive Elastic skin is now functional and feature complete, it still lacks the final brush-up to make it shine. We have now finally found a volunteer to work on this and once completed, a second release candidate will follow.

    For now you're all invited to give the new 1.4 version another test run. Besides the responsive theme it comes with lots of new features and improvements since the beta release. Check the Changelog below for a complete list of changes.

    Please also try customizing the Elastic skin using the _styles.less and _variables.less files and let us know what's missing. You'll find guidance in the README.md file inside the skin folder.

    Because we don't yet consider the Elastic theme fully complete, it's not set to be the default theme. Adjust your config in order to enable it with

    $config['skin'] = 'elastic';
    

    This is a beta release and we recommend testing it in a separate environment.
    And don't forget to back up your data before installing it.

    CHANGELOG

    • Changed 'password_charset' default to 'UTF-8' (#6522)
    • Add skins_allowed option (#6483)
    • SMTP GSSAPI support via krb_authentication plugin (#6417)
    • Avoid Referer leaking by using Referrer-Policy:same-origin header (#6385)
    • Removed 'referer_check' option (#6440)
    • Use constant prefix for temp file names, don't remove temp files from other apps (#6511)
    • Ignore 'Sender' header on Reply-All action (#6506)
    • deluser.sh: Add option to delete users who have not logged in for more than X days (#6340)
    • HTML5 Upload Progress - as a replacement for the old server-side solution (#6177)
    • Update to TinyMCE 4.8.2
    • Update to jQuery-MiniColors 2.3.4
    • Prevent from using deprecated timezone names from jsTimezoneDetect
    • Force session.gc_probability=1 when using custom session handlers (#6560)
    • Support simple field labels (e.g. LetterHub examples) in csv imports (#6541)
    • Add cache busters also to images used by templates (#6610)
    • Plugin API: Added 'raise_error' hook (#6199)
    • Plugin API: Added 'common_headers' hook (#6385)
    • Plugin API: Added 'ldap_connected' hook
    • Enigma: Update to OpenPGPjs 4.2.1 - fixes user name encoding issues in key generation (#6524)
    • Enigma: Fixed multi-host synchronization of private and deleted keys and pubring.kbx file
    • Managesieve: Added support for 'editheader' extension - RFC5293 (#5954)
    • Managesieve: Fix bug where custom header or variable could be lost on form submission (#6594)
    • Markasjunk: Integrate markasjunk2 features into markasjunk - marking as non-junk + learning engine (#6504)
    • Password: Added 'modoboa' driver (#6361)
    • Password: Fix bug where password_dovecotpw_with_method setting could be ignored (#6436)
    • Password: Fix bug where new users could skip forced password change (#6434)
    • Password: Allow drivers to override default password comparisons (eg new is not same as current) (#6473)
    • Password: Allow drivers to override default strength checks (eg allow for 'not the same as last x passwords') (#246)
    • Password: Allow drivers to define password strength rules displayed to the user
    • Password: Allow separate password saving and strength drivers for use of strength checking services (#5040)
    • Password: Add zxcvbn driver for checking password strength (#6479)
    • Password: Disallow control characters in passwords
    • Password: Add support for Plesk >= 17.8 (#6526)
    • Elastic: Improved datepicker displayed always in parent window
    • Elastic: On touch devices display attachment icons on messages list (#6296)
    • Elastic: Make menu button inactive if all subactions are inactive (#6444)
    • Elastic: On mobile/tablet jump to the list on folder selection (#6415)
    • Elastic: Various improvements on mail compose screen (#6413)
    • Elastic: Support new-line char as a separator for pasted recipients (#6460)
    • Elastic: Improved UX of search dialogs (#6416)
    • Elastic: Fix unwanted thread expanding when selecting a collapsed thread in non-mobile mode (#6445)
    • Elastic: Fix too small height of mailvelope mail preview frame (#6600)
    • Elastic: Add "status bar" for mobile in mail composer
    • Elastic: Add selection options on contacts list (#6595)
    • Elastic: Fix unintentional layout preference overwrite (#6613)
    • Log errors caused by low pcre.backtrack_limit when sending a mail message (#6433)
    • Fix so max_message_size limit is checked also when forwarding messages as attachments (#6580)
    • Fix so performance stats are logged to the main console log also when per_user_logging=true
    • Fix malformed message saved into Sent folder when using big attachments and low memory limit (#6498)
    • Fix incorrect IMAP SASL GSSAPI negotiation (#6308)
    • Fix so unicode in local part of the email address is also supported in recipient inputs (#6490)
    • Fix bug where autocomplete list could be displayed out of screen (#6469)
    • Fix style/navigation on error page depending on authentication state (#6362)
    • Fix so invalid smtp_helo_host is never used, fallback to localhost (#6408)
    • Fix custom logo size in Elastic (#6424)
    • Fix listing the same attachment multiple times on forwarded messages
    • Fix bug where a message/rfc822 part without a filename wasn't listed on the attachments list (#6494)
    • Fix inconsistent offset for various time zones - always display Standard Time offset (#6531)
    • Fix dummy Message-Id when resuming a draft without Message-Id header (#6548)
    • Fix handling of empty entries in vCard import (#6564)
    • Fix bug in parsing some IMAP command responses that include unsolicited replies (#6577)
    • Fix PHP 7.2 compatibility in debug_logger plugin (#6586)
    • Fix so ANY record is not used for email domain validation, use A, MX, CNAME, AAAA instead (#6581)
    • Fix so mime_content_type check in Installer uses files that should always be available (i.e. from program/resources) (#6599)
    • Fix missing CSRF token on a link to download too-big message part (#6621)
    • Fix bug when aborting dragging with ESC key didn't stop the move action (#6623)
  • v1.4-beta Changes

    August 25, 2018

    This is a beta release of the next major version 1.4 of Roundcube webmail.
    With this milestone we introduce some new features:

    • New responsive skin with mobile support
    • Email Resent (Bounce) feature
    • Improved Mailvelope integration
    • Support for Redis cache
    • Support for SMTPUTF8

    Because the new responsive skin is not yet fully completed, it's not enabled
    by default. In order to make it the default for your users, change your
    config.inc.php accordingly:

    $config['skin'] = 'elastic';
    

    Although it still needs some polishing, the new skin solves the urgent need
    to enable access to Roundcube for mobile devices. The plugin elastic4mobile
    makes it the default for mobile devices while keeping the configured default
    for desktop browsers.

    The Elastic skin is built with LESS and of course the sources are included.
    They allow a certain degree of customization by adjusting some color variables.
    All you need is to compile your very own customized skin with lessc.

    In case you're running Roundcube directly from source or if you're not using
    the complete package, you need to install 3rd party javascript modules
    by executing the following install script:

    $ bin/install-jsdeps.sh
    

    This is a beta release and we recommend testing it in a separate environment.
    And don't forget to back up your data before installing it.

    CHANGELOG

    • Added new skin with mobile support - the Elastic
    • Support Redis cache
    • Email Resent (Bounce) feature (#4985)
    • Improved Mailvelope integration
      • Added private key listing and generating to identity settings
      • Enable encrypt & sign option if Mailvelope supports it
    • Allow contacts without an email address (#5079)
    • Support SMTPUTF8 and relax email address validation to support unicode in local part (#5120)
    • Support for IMAP folders that cannot contain both folders and messages (#5057)
    • Update to jQuery-3.3.1
    • Update to jQuery-minicolors 2.2.6
    • Update to TinyMCE 4.7.13
    • Remove sample PHP configuration from .htaccess and .user.ini files (#5850)
    • Extend skin_logo setting to allow per skin logos (#6272)
    • Use Masterminds/HTML5 parser for better HTML5 support (#5761)
    • Add More actions button in Contacts toolbar with Copy/Move actions (#6081)
    • Display an error when clicking disabled link to register protocol handler (#6079)
    • Add option trusted_host_patterns (#6009, #5752)
    • Support additional connect parameters in PostgreSQL database wrapper
    • Use UI dialogs instead of confirm() and alert() where possible
    • Display value of the SMTP message size limit in the error message (#6032)
    • Show message flagged status in message view (#5080)
    • Skip redundant INSERT query on successful logon when using PHP7
    • Replace display_version with display_product_version (#5904)
    • Extend disabled_actions config so it accepts also button names (#5903)
    • Handle remote stylesheets the same as remote images, ask the user to allow them (#5994)
    • Add Message-ID to the sendmail log (#5871)
    • Add option to hide folders in share/other-user namespace or outside of the personal namespace root (#5073)
    • Archive: Fix archiving by sender address on cyrus-imap
    • Archive: Style Archive folder also on folder selector and folder manager lists
    • Archive: Add Thunderbird compatible Month option (#5623)
    • Archive: Create archive folder automatically if it's configured, but does not exist (#6076)
    • Enigma: Add button to send mail unencrypted if no key was found (#5913)
    • Enigma: Add options to set PGP cipher/digest algorithms (#5645)
    • Enigma: Multi-host support
    • Managesieve: Add ability to disable filter sets and other actions (#5496, #5898)
    • Managesieve: Add option managesieve_forward to enable settings dialog for simple forwarding (#6021)
    • Managesieve: Support filter action with custom IMAP flags (#6011)
    • Managesieve: Support 'mime' extension tests - RFC5703 (#5832)
    • Managesieve: Support GSSAPI authentication with krb_authentication plugin (#5779)
    • Managesieve: Support enabling the plugin for specified hosts only (#6292)
    • Password: Support host variables in password_db_dsn option (#5955)
    • Password: Automatic virtualmin domain setting, removed password_virtualmin_format option (#5759)
    • Password: Added password_username_format option (#5766)
    • subscriptions_option: show \Noselect folders greyed out (#5621)
    • zipdownload: Added option to define size limit for multiple messages download (#5696)
    • vcard_attachments: Add possibility to send contact vCard from Contacts toolbar (#6080)
    • Changed defaults for smtp_user (%u), smtp_pass (%p) and smtp_port (587)
    • Composer: Fix certificate validation errors by using packagist only (#5148)
    • Add --get and --extract arguments and CACHEDIR env-variable support to install-jsdeps.sh (#5882)
    • Support _filter and _scope as GET arguments for opening mail UI (#5825)
    • Various improvements for templating engine and skin behaviours
      • Support conditional include
      • Support for 'link' objects
      • Support including files with path relative to templates directory
      • Use instead of for submit button on logon screen
    • Support skin localization (#5853)
    • Reset onerror on images if placeholder does not exist to prevent from requests storm
    • Unified and simplified code for loading content frame for responses and identities
    • Display contact import and advanced search in popup dialogs
    • Display a dialog for mail import with supported format description and upload size hint
    • Make possible to set (some) config options from a skin
    • Added optional checkbox selection for the list widget
    • Make 'compose' command always enabled
    • Add .log suffix to all log file names, add option log_file_ext to control this (#313)
    • Return "401 Unauthorized" status when login fails (#5663)
    • Support both comma and semicolon as recipient separator, drop recipients_separator option (#5092)
    • Plugin API: Added 'show_bytes' hook (#5001)
    • Add option to not indent quoted text on top-posting reply (#5105)
    • Removed global $CONFIG variable
    • Removed debug_level setting
    • Support AUTHENTICATE LOGIN for IMAP connections (#5563)
    • Support LDAP GSSAPI authentication (#5703)
    • Localized timezone selector (#4983)
    • Use 7bit encoding for ISO-2022-* charsets in sent mail (#5640)
    • Handle inline images also inside multipart/mixed messages (#5905)
    • Allow style tags in HTML editor on composed/reply messages (#5751)
    • Use Github API as a fallback to fetch js dependencies to workaround throttling issues (#6248)
    • Show confirm dialog when moving folders using drag and drop (#6119)
    • Fix bug where new_user_dialog email check could have been circumvented by deleting / abandoning session (#5929)
    • Fix skin extending for assets (#5115)
    • Fix handling of forwarded messages inside of a TNEF message (#5632)
    • Fix bug where attachment size wasn't visible when the filename was too long (#6033)
    • Fix checking table columns when there's more schemas/databases in postgres/mysql (#6047)
    • Fix css conflicts in user interface and e-mail content (#5891)
    • Fix duplicated signature when using Back button in Chrome (#5809)
    • Fix touch event issue on messages list in IE/Edge (#5781)
    • Fix so links over images are not removed in plain text signatures converted from HTML (#4473)
    • Fix various issues when downloading files with names containing non-ascii chars, use RFC 2231 (#5772)
    • Fix PHP warnings on dummy QUOTA responses in Courier-IMAP 4.17.1 (#6374)
    • Fix so fallback from BINARY to BODY FETCH is used also on [PARSE] errors in dovecot 2.3 (#6383)
    • Enigma: Fix deleting keys with authentication subkeys (#6381)
    • Fix invalid regular expressions that throw warnings on PHP 7.3 (#6398)
    • Fix so Classic skin splitter does not escape out of window (#6397)
  • v1.3.15 Changes

    August 10, 2020

    This is a security update to the LTS version 1.3.
    It fixes two recently reported cross-site scripting (XSS) vulnerabilities via HTML messages with malicious svg and math contents.

    Credits for these findings go to Łukasz Pilorz from Pentesters.

    This version is considered stable and we strongly recommend updating all productive installations of Roundcube 1.3.x with it.
    Please do back up your data before updating!

  • v1.3.14 Changes

    July 05, 2020

    This is a security update to the LTS version 1.3.
    It fixes a recently reported cross-site scripting (XSS) vulnerability via HTML messages with malicious svg/namespace (CVE-2020-15562).

    Credits for this finding go to SSD Secure Disclosure.

    This version is considered stable and we strongly recommend updating all productive
    installations of Roundcube 1.3.x with it. Please do back up your data before updating!

  • v1.3.13 Changes

    June 07, 2020

    This is a follow-up release to the recently published version 1.3.12 of Roundcube Webmail.

    It contains a single fix for the installer's test step which was broken with the last release. The update is therefore only relevant for new installations which use the installer to set up Roundcube.

    CHANGELOG

    • Installer: Fix regression in SMTP test section (#7417)
  • v1.3.12 Changes

    June 02, 2020

    This is a service and security update to the LTS version 1.3 of Roundcube Webmail.
    It contains four fixes for recently reported security vulnerabilities as well as a
    small number of general improvements backported from the latest stable version.
    See the full changelog below.

    Security fixes

    • Fix XSS issue in template object 'username' (#7406)
    • Fix cross-site scripting (XSS) via malicious XML attachment
    • Fix a couple of XSS issues in Installer (#7406)
    • Better fix for CVE-2020-12641

    The latter two vulnerabilities again are related to public access to the Roundcube installer
    and are therefore classified minor.

    This version is considered stable and we recommend updating all productive installations
    of Roundcube 1.3.x with it. Please do back up your data before updating!

    CHANGELOG

    • Security: Better fix for CVE-2020-12641
    • Security: Fix XSS issue in template object 'username' (#7406)
    • Security: Fix couple of XSS issues in Installer (#7406)
    • Security: Fix cross-site scripting (XSS) via malicious XML attachment
  • v1.3.11 Changes

    April 29, 2020

    This is a service and security update to the LTS version 1.3 of Roundcube Webmail.
    It contains four fixes for recently reported security vulnerabilities as well as a
    small number of general improvements backported from the latest stable version.
    See the full changelog below.

    Security fixes

    • Cross-Site Scripting (XSS) via malicious HTML content
    • CSRF attack can cause an authenticated user to be logged out
    • Remote code execution via crafted config options
    • Path traversal vulnerability allowing local file inclusion via crafted 'plugins' option

    The latter two vulnerabilities are classified minor because they only affect Roundcube installations
    with public access to the Roundcube installer. That's generally a high-risk situation and is expected
    to be rare or practically non-existent in productive Roundcube deployments. However, the fixes are done
    in core in order to also protect against future and yet unknown attack vectors.

    This version is considered stable and we recommend updating all productive installations
    of Roundcube 1.3.x with it. Please do back up your data before updating!

    CHANGELOG

    • Enigma: Fix compatibility with Mail_Mime >= 1.10.5
    • Fix permissions on some folders created by bin/install-jsdeps.sh script (#6930)
    • Fix bug where inline images could have been ignored if Content-Id header contained redundant spaces (#6980)
    • Fix PHP Warning: Use of undefined constant LOG_EMERGE (#6991)
    • Fix PHP warning: "array_merge(): Expected parameter 2 to be an array, null given in sendmail.inc (#7003)
    • Security: Fix XSS issue in handling of CDATA in HTML messages
    • Security: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings
    • Security: Fix local file inclusion (and code execution) via crafted 'plugins' option
    • Security: Fix CSRF bypass that could be used to log out an authenticated user (#7302)
  • v1.3.10 Changes

    August 28, 2019

    This is a service release to update the stable version 1.3 of Roundcube Webmail.
    It contains fixes to several bugs backported from the master branch including minor security fixes around CSS and HTML cleanup. See the complete changelog below.

    This version is considered stable and we recommend updating all productive installations of Roundcube with it. Please do back up your data before updating!

    CHANGELOG

    • Managesieve: Fix so "Create filter" option does not show up when Filters menu is disabled (#6723)
    • Enigma: Fix bug where revoked users/keys were not greyed out in key info
    • Enigma: Fix error message when trying to encrypt with a revoked key (#6607)
    • Enigma: Fix "decryption oracle" bug [CVE-2019-10740] (#6638)
    • Fix compatibility with kolab/net_ldap3 > 1.0.7 (#6785)
    • Fix bug where bmp images couldn't be displayed on some systems (#6728)
    • Fix bug in parsing vCard data using PHP 7.3 due to an invalid regexp (#6744)
    • Fix bug where bold/strong text was converted to upper-case on html-to-text conversion (#6758)
    • Fix bug in rcube_utils::parse_hosts() where %t, %d, %z could return only tld (#6746)
    • Fix bug where Next/Prev button in mail view didn't work with multi-folder search result (#6793)
    • Fix bug where selection of columns on messages list wasn't working
    • Fix bug in converting multi-page Tiff images to Jpeg (#6824)
    • Fix wrong messages order after returning to a multi-folder search result (#6836)
    • Fix PHP 7.4 deprecation: implode() wrong parameter order (#6866)
    • Fix bug where it was possible to bypass the position:fixed CSS check in received messages (#6898)
    • Fix bug where some strict remote URIs in url() style were unintentionally blocked (#6899)
    • Fix bug where it was possible to bypass the CSS jail in HTML messages using :root pseudo-class (#6897)
    • Fix bug where it was possible to bypass href URI check with data:application/xhtml+xml URIs (#6896)
  • v1.3.9 Changes

    March 31, 2019

    This is a service release to update the stable version 1.3 of Roundcube Webmail. It contains fixes to several bugs backported from the master branch. See the complete changelog below.

    This version is considered stable and we recommend updating all productive installations
    of Roundcube with it. Please do back up your data before updating!

    CHANGELOG

    • Fix TinyMCE download location(s) (#6694)
    • Fix bug where a message/rfc822 part without a filename wasn't listed on the attachments list (#6494)
    • Fix handling of empty entries in vCard import (#6564)
    • Fix bug in parsing some IMAP command responses that include unsolicited replies (#6577)
    • Fix PHP 7.2 compatibility in debug_logger plugin (#6586)
    • Fix so ANY record is not used for email domain validation, use A, MX, CNAME, AAAA instead (#6581)
    • Fix so mime_content_type check in Installer uses files that should always be available (i.e. from program/resources) (#6599)
    • Fix missing CSRF token on a link to download too-big message part (#6621)
    • Fix bug when aborting dragging with ESC key didn't stop the move action (#6623)
    • Fix bug where next row wasn't selected after deleting a collapsed thread (#6655)