Roundcube v1.4.8 Release Notes

Release Date: 2020-08-10
  • This is a service and security update to the stable version 1.4 of Roundcube Webmail.
    It contains fixes for recently reported security vulnerabilities as well as a small number of general improvements from our issue tracker. See the full changelog below.

    Security fixes

    • Fix potential XSS issue in HTML editor of the identity signature input
    • Fix cross-site scripting (XSS) via HTML messages with malicious svg content [CVE-2020-16145]
    • Fix cross-site scripting (XSS) via HTML messages with malicious math content

    Credits for the latter two findings go to Łukasz Pilorz from Pentesters.

    This version is considered stable and we recommend updating all production installations of Roundcube with it.
    Please back up your data before updating!

    CHANGELOG

    • Managesieve: Fix too-small input field in Elastic when using custom headers (#7498)
    • Fix support for an error as a string in message_before_send hook (#7475)
    • Elastic: Fix redundant scrollbar in plain text editor on mail reply (#7500)
    • Elastic: Fix deleted and replied+forwarded icons on messages list (#7503)
    • Managesieve: Allow angle brackets in out-of-office message body (#7518)
    • Fix bug in conversion of email addresses to mailto links in plain text messages (#7526)
    • Fix format=flowed formatting on plain text part derived from the HTML content (#7504)
    • Fix incorrect rewriting of internal links in HTML content (#7512)
    • Fix handling links without defined protocol (#7454)
    • Fix paging of search results on IMAP servers with no SORT capability (#7462)
    • Fix detecting special folders on servers with both SPECIAL-USE and LIST-STATUS (#7525)
    • Security: Fix potential XSS issue in HTML editor of the identity signature input (#7507)
    • Security: Fix cross-site scripting (XSS) via HTML messages with malicious svg content [CVE-2020-16145]
    • Security: Fix cross-site scripting (XSS) via HTML messages with malicious math content