Changelog History
v1.3.8 Changes
October 26, 2018

This is a service release to update the stable version 1.3 of Roundcube Webmail.
It contains fixes to several bugs backported from the master branch including a security fix for a reported XSS vulnerability plus updates to ensure compatibility with PHP 7.3 and recent versions of Courier-IMAP, Dovecot and MySQL 8. See the complete changelog below.

CHANGELOG
- Fix PHP warnings on dummy QUOTA responses in Courier-IMAP 4.17.1 (#6374)
- Fix so fallback from BINARY to BODY FETCH is used also on [PARSE] errors in Dovecot 2.3 (#6383)
- Enigma: Fix deleting keys with authentication subkeys (#6381)
- Fix invalid regular expressions that throw warnings on PHP 7.3 (#6398)
- Fix so Classic skin splitter does not escape out of window (#6397)
- Fix XSS issue in handling invalid style tag content (#6410)
- Fix compatibility with MySQL 8 - error on 'system' table use
- Managesieve: Fix bug where show_real_foldernames setting wasn't respected (#6422)
- New_user_identity: Fix %fu/%u vars substitution in user specific LDAP params (#6419)
- Fix support for "allow-from " in x_frame_options config option (#6449)
- Fix bug where valid content between HTML comments could have been skipped in some cases (#6464)
- Fix multiple VCard field search (#6466)
- Fix session issue on long running requests (#6470)
v1.3.7 Changes
July 27, 2018

This is a service release to update the stable version 1.3 of Roundcube Webmail. It contains fixes to several bugs backported from the master branch including a security fix mitigating the EFAIL issue recently discovered in OpenPGP. See the complete changelog below.

This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!

CHANGELOG
- Fix PHP Warning: Use of undefined constant IDNA_DEFAULT on systems without php-intl (#6244)
- Fix bug where some parts of quota information could have been ignored (#6280)
- Fix bug where some escape sequences in HTML styles could bypass security checks
- Fix bug where some forbidden characters on Cyrus-IMAP were not prevented from use in folder names
- Fix bug where only attachments with the same name would be ignored on zip download (#6301)
- Fix bug where unicode contact names could have been broken/emptied or caused DB errors (#6299)
- Fix bug where after "mark all folders as read" action message counters were not reset (#6307)
- Enigma: [EFAIL] Don't decrypt PGP messages with no MDC protection (#6289)
- Fix bug where some HTML comments could have been malformed by HTML parser (#6333)
v1.3.6 Changes
April 11, 2018

This is a security update to the stable version 1.3. It primarily fixes a recently discovered IMAP command injection vulnerability caused by insufficient input validation within the archive plugin. Details about the vulnerability are published under CVE-2018-9846.

Additionally, we back-ported some minor fixes from the master branch which improve PHP 7.2 compatibility as well as PGP signing and key handling for those who use the Enigma plugin. See the complete changelog below.

We strongly recommend to update all productive installations of Roundcube. Please do backup your data before updating!

CHANGELOG
- Fix parsing date strings (e.g. from a Date: mail header) with comments (#6216)
- Fix PHP 7.2: count(): Parameter must be an array in enchant-based spellchecker (#6234)
- Fix possible IMAP command injection and type juggling vulnerabilities (#6229)
- Enigma: Fix key selection for signing
- Enigma: Enable keypair generation on Internet Explorer 11
- Fix check_request() bypass in places using get_uids() [CVE-2018-9846] (#6238)
- Fix bug where usernames without domain part could be malformed or converted to lower-case on logon (#6224)
v1.2.12 Changes
August 10, 2020

This is a security update to the LTS version 1.2. It fixes two recently reported cross-site scripting (XSS) vulnerabilities via HTML messages with malicious svg and math contents. Credits for these findings go to Łukasz Pilorz from Pentesters.

We strongly recommend to update all productive installations of Roundcube 1.2.x if you cannot upgrade to a more recent version. Please do backup your data before updating!
v1.2.11 Changes
July 05, 2020

This is a security update to the LTS version 1.2. It fixes a recently reported cross-site scripting (XSS) vulnerability via HTML messages with malicious svg/namespace (CVE-2020-15562). Credits for this finding go to SSD Secure Disclosure.

We strongly recommend to update all productive installations of Roundcube 1.2.x if you cannot upgrade to a more recent version. Please do backup your data before updating!
v1.2.10 Changes
April 29, 2020

This is a security update to the LTS version 1.2. It fixes four recently reported security vulnerabilities:

- Cross-Site Scripting (XSS) via malicious HTML content
- CSRF attack can cause an authenticated user to be logged out
- Remote code execution via crafted config options
- Path traversal vulnerability allowing local file inclusion via crafted 'plugins' option

The latter two vulnerabilities are classified minor because they only affect Roundcube installations with public access to the Roundcube installer. That's generally a high-risk situation and is expected to be rare or practically non-existent in productive Roundcube deployments. However, the fixes are done in core in order to also prevent future and yet unknown attack vectors.

We strongly recommend to update all productive installations of Roundcube 1.2.x if you cannot upgrade to a more recent version. Please do backup your data before updating!

CHANGELOG
- Fix missing message-htmlpart1 class breaking inline CSS (#6493)
- Security: Fix XSS issue in handling of CDATA in HTML messages
- Security: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings
- Security: Fix local file inclusion (and code execution) via crafted 'plugins' option
- Security: Fix CSRF bypass that could be used to log out an authenticated user (#7302)
v1.2.9 Changes
April 29, 2018

This is a follow-up to the recent security update for the stable version 1.2. It fixes a regression that sneaked in with the IMAP command injection protection which unintentionally disabled actions that operate on all selected messages (e.g. mark all as junk).

We recommend to update all productive installations of Roundcube 1.2.8. Please do backup your data before updating!

CHANGELOG
- Fix regression where IMAP commands with '*' uidset argument weren't working
v1.2.8 Changes
April 17, 2018

This is a security update to the stable version 1.2. It fixes a recently reported vulnerability allowing IMAP command injection via GET parameters. More details about this are published under CVE-2018-9846. The second fix is about a missed remote content blocking on HTML messages with specially crafted image and style tags.

We strongly recommend to update all productive installations of Roundcube 1.2.x. Please do backup your data before updating!

CHANGELOG
v1.1.12 Changes
April 29, 2018

This is a follow-up to the recent security update for the stable version 1.1. It fixes a regression that sneaked in with the IMAP command injection protection which unintentionally disabled actions that operate on all selected messages (e.g. mark all as junk).

We recommend to update all productive installations of Roundcube 1.1.11. Please do backup your data before updating!

CHANGELOG
- Fix regression where IMAP commands with '*' uidset argument weren't working
v1.1.11 Changes
April 18, 2018

This is a security update to the stable version 1.2. It fixes a recently reported vulnerability allowing IMAP command injection via GET parameters. More details about this are published under CVE-2018-9846. The second fix is about a missed remote content blocking on HTML messages with specially crafted image and style tags.

We strongly recommend to update all productive installations of Roundcube 1.1.x. Please do backup your data before updating!

CHANGELOG
- Don't ignore (global) userlogins/sendmail logs in per_user_logging mode
- Fix security issue in remote content blocking on HTML image and style tags (#6178)
- Fix check_request() bypass in places using get_uids() [CVE-2018-9846] (#6238)
- Fix possible IMAP command injection vulnerability [CVE-2018-9846] (#6229)