Changelog History

  • v1.3.8 Changes

    October 26, 2018

    This is a service release to update the stable version 1.3 of Roundcube Webmail.
    It contains fixes to several bugs backported from the master branch, including a security fix for a reported XSS vulnerability, plus updates to ensure compatibility with PHP 7.3 and recent versions of Courier-IMAP, Dovecot and MySQL 8. See the complete changelog below.

    CHANGELOG

    • Fix PHP warnings on dummy QUOTA responses in Courier-IMAP 4.17.1 (#6374)
    • Fix so fallback from BINARY to BODY FETCH is used also on [PARSE] errors in Dovecot 2.3 (#6383)
    • Enigma: Fix deleting keys with authentication subkeys (#6381)
    • Fix invalid regular expressions that throw warnings on PHP 7.3 (#6398)
    • Fix so Classic skin splitter does not escape out of window (#6397)
    • Fix XSS issue in handling invalid style tag content (#6410)
    • Fix compatibility with MySQL 8 - error on 'system' table use
    • Managesieve: Fix bug where show_real_foldernames setting wasn't respected (#6422)
    • New_user_identity: Fix %fu/%u vars substitution in user specific LDAP params (#6419)
    • Fix support for "allow-from " in x_frame_options config option (#6449)
    • Fix bug where valid content between HTML comments could have been skipped in some cases (#6464)
    • Fix multiple VCard field search (#6466)
    • Fix session issue on long running requests (#6470)
  • v1.3.7 Changes

    July 27, 2018

    This is a service release to update the stable version 1.3 of Roundcube Webmail. It contains fixes to several bugs backported from the master branch, including a security fix mitigating the EFAIL issue recently discovered in OpenPGP. See the complete changelog below.

    โšก๏ธ This version in considered stable and we recommend to update all productive installations
    โšก๏ธ of Roundcube with it. Please do backup your data before updating!

    CHANGELOG

    • Fix PHP Warning: Use of undefined constant IDNA_DEFAULT on systems without php-intl (#6244)
    • Fix bug where some parts of quota information could have been ignored (#6280)
    • Fix bug where some escape sequences in HTML styles could bypass security checks
    • Fix bug where some forbidden characters on Cyrus-IMAP were not prevented from use in folder names
    • Fix bug where only attachments with the same name would be ignored on zip download (#6301)
    • Fix bug where unicode contact names could have been broken/emptied or caused DB errors (#6299)
    • Fix bug where after "mark all folders as read" action message counters were not reset (#6307)
    • Enigma: [EFAIL] Don't decrypt PGP messages with no MDC protection (#6289)
    • Fix bug where some HTML comments could have been malformed by HTML parser (#6333)
  • v1.3.6 Changes

    April 11, 2018

    โšก๏ธ This is a security update to the stable version 1.3. It primarily fixes a recently discovered IMAP command injection vulnerability caused by insufficient input validation within the archive plugin. Details about the vulnerability are published under CVE-2018-9846.

    Additionally, we back-ported some minor fixes from the master branch which improve PHP 7.2 compatibility as well as PGP signing and key handling for those who use the Enigma plugin. See the complete changelog below.

    โšก๏ธ We strongly recommend to update all productive installations of Roundcube.
    โšก๏ธ Please do backup your data before updating!

    CHANGELOG

    • Fix parsing date strings (e.g. from a Date: mail header) with comments (#6216)
    • Fix PHP 7.2: count(): Parameter must be an array in enchant-based spellchecker (#6234)
    • Fix possible IMAP command injection and type juggling vulnerabilities (#6229)
    • Enigma: Fix key selection for signing
    • Enigma: Enable keypair generation on Internet Explorer 11
    • Fix check_request() bypass in places using get_uids() [CVE-2018-9846] (#6238)
    • Fix bug where usernames without domain part could be malformed or converted to lower-case on logon (#6224)
  • v1.2.12 Changes

    August 10, 2020

    โšก๏ธ This is a security update to the LTS version 1.2.
    ๐Ÿ›  It fixes two recently reported cross-site scripting (XSS) vulnerabilities via HTML messages with malicious svg and math contents.

    Credits for these findings go to Łukasz Pilorz from Pentesters.

    โšก๏ธ We strongly recommend to update all productive installations of Roundcube 1.2.x if you cannot upgrade to a more recent version.
    โšก๏ธ Please do backup your data before updating!

  • v1.2.11 Changes

    July 05, 2020

    โšก๏ธ This is a security update to the LTS version 1.2.
    ๐Ÿ›  It fixes a recently reported cross-site scripting (XSS) vulnerability via HTML messages with malicious svg/namespace (CVE-2020-15562).

    Credits for this finding go to SSD Secure Disclosure.

    โšก๏ธ We strongly recommend to update all productive installations of Roundcube 1.2.x
    โšก๏ธ if you cannot upgrade to a more recent version. Please do backup your data before updating!

  • v1.2.10 Changes

    April 29, 2020

    โšก๏ธ This is a security update to the LTS version 1.2.
    ๐Ÿ”’ It fixes four recently reported security vulnerabilities:

    • Cross-Site Scripting (XSS) via malicious HTML content
    • CSRF attack can cause an authenticated user to be logged out
    • Remote code execution via crafted config options
    • Path traversal vulnerability allowing local file inclusion via crafted 'plugins' option

    The latter two vulnerabilities are classified minor because they only affect Roundcube installations
    with public access to the Roundcube installer. That's generally a high-risk situation and is expected
    to be rare or practically non-existent in production Roundcube deployments. However, the fixes are done
    in core in order to also prevent future and yet unknown attack vectors.

    โšก๏ธ We strongly recommend to update all productive installations of Roundcube 1.2.x.
    โšก๏ธ if you cannot upgrade to a more recent version. Please do backup your data before updating!

    CHANGELOG

    • Fix missing message-htmlpart1 class breaking inline CSS (#6493)
    • Security: Fix XSS issue in handling of CDATA in HTML messages
    • Security: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings
    • Security: Fix local file inclusion (and code execution) via crafted 'plugins' option
    • Security: Fix CSRF bypass that could be used to log out an authenticated user (#7302)
  • v1.2.9 Changes

    April 29, 2018

    โšก๏ธ This is a follow-up to the recent security update for the stable version 1.2. It fixes a regression that sneaked in with the IMAP command injection protection which unintentionally disabled actions that operate on all selected messages (e.g. mark all as junk).

    โšก๏ธ We recommend to update all productive installations of Roundcube 1.2.8.
    โšก๏ธ Please do backup your data before updating!

    CHANGELOG

    • Fix regression where IMAP commands with '*' uidset argument were not working
  • v1.2.8 Changes

    April 17, 2018

    โšก๏ธ This is a security update to the stable version 1.2. It fixes a recently reported vulnerability allowing IMAP command injection via a GET parameters. More details about this are published under CVE-2018-9846.

    The second fix addresses missed remote content blocking on HTML messages with specially crafted image and style tags.

    โšก๏ธ We strongly recommend to update all productive installations of Roundcube 1.2.x.
    โšก๏ธ Please do backup your data before updating!

    CHANGELOG

    • Fix check_request() bypass in places using get_uids() [CVE-2018-9846] (#6238)
    • Fix possible IMAP command injection vulnerability [CVE-2018-9846] (#6229)
    • Fix security issue in remote content blocking on HTML image and style tags (#6178)
  • v1.1.12 Changes

    April 29, 2018

    โšก๏ธ This is a follow-up to the recent security update for the stable version 1.1. It fixes a regression that sneaked in with the IMAP command injection protection which unintentionally disabled actions that operate on all selected messages (e.g. mark all as junk).

    โšก๏ธ We recommend to update all productive installations of Roundcube 1.1.11.
    โšก๏ธ Please do backup your data before updating!

    CHANGELOG

    • Fix regression where IMAP commands with '*' uidset argument were not working
  • v1.1.11 Changes

    April 18, 2018

    โšก๏ธ This is a security update to the stable version 1.2. It fixes a recently reported vulnerability allowing IMAP command injection via a GET parameters. More details about this are published under CVE-2018-9846.

    The second fix addresses missed remote content blocking on HTML messages with specially crafted image and style tags.

    โšก๏ธ We strongly recommend to update all productive installations of Roundcube 1.1.x.
    โšก๏ธ Please do backup your data before updating!

    CHANGELOG

    • Don't ignore (global) userlogins/sendmail logs in per_user_logging mode
    • Fix security issue in remote content blocking on HTML image and style tags (#6178)
    • Fix check_request() bypass in places using get_uids() [CVE-2018-9846] (#6238)
    • Fix possible IMAP command injection vulnerability [CVE-2018-9846] (#6229)