Roundcube Webmail 1.6.9

This is the next service release to update the stable version 1.6.
It provides two regression fixes that were introduced in from the previous release. See the full changelog below.

This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!

CHANGELOG

• Fix regression where printing/scaling/rotating image attachments was broken (#9571)
• Fix regression where HTML messages were displayed unstyled (#9586)

Roundcube Webmail 1.5.9

This is the next service release to update the stable version 1.5.
It provides two regression fixes that were introduced in from the previous release. See the full changelog below.

This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!

CHANGELOG

• Fix regression where printing/scaling/rotating image attachments was broken (#9571)
• Fix regression where HTML messages were displayed unstyled (#9586)

Roundcube Webmail 1.6.8

This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:

• Fix XSS vulnerability in post-processing of sanitized HTML content [CVE-2024-42009]
• Fix XSS vulnerability in serving of attachments other than HTML or SVG [CVE-2024-42008]
• Fix information leak (access to remote content) via insufficient CSS filtering [CVE-2024-42010]

Credits to Oskar Zeino-Mahmalat (Sonar) for all these findings and thanks for providing a very detailed report in a private communication.

This version is considered stable and we recommend to update all productive installations of Roundcube 1.6.x with it. Please do backup your data before updating!

CHANGELOG

• Managesieve: Protect special scripts in managesieve_kolab_master mode
• Fix newmail_notifier notification focus in Chrome (#9467)
• Fix fatal error when parsing some TNEF attachments (#9462)
• Fix double scrollbar when composing a mail with many plain text lines (#7760)
• Fix decoding mail parts with multiple base64-encoded text blocks (#9290)
• Fix bug where some messages could get malformed in an import from a MBOX file (#9510)
• Fix invalid line break characters in multi-line text in Sieve scripts (#9543)
• Fix bug where "with attachment" filter could fail on some fts engines (#9514)
• Fix bug where an unhandled exception was caused by an invalid image attachment (#9475)
• Fix bug where a long subject title could not be displayed in some cases (#9416)
• Fix infinite loop when parsing malformed Sieve script (#9562)
• Fix bug where imap_conn_option's 'socket' was ignored (#9566)
• Fix XSS vulnerability in post-processing of sanitized HTML content [CVE-2024-42009]
• Fix XSS vulnerability in serving of attachments other than HTML or SVG [CVE-2024-42008]
• Fix information leak (access to remote content) via insufficient CSS filtering [CVE-2024-42010]

Roundcube Webmail 1.5.8

This is a security update to the stable version 1.5 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:

• Fix XSS vulnerability in post-processing of sanitized HTML content [CVE-2024-42009]
• Fix XSS vulnerability in serving of attachments other than HTML or SVG [CVE-2024-42008]
• Fix information leak (access to remote content) via insufficient CSS filtering [CVE-2024-42010]

Credits to Oskar Zeino-Mahmalat (Sonar) for all these findings and thanks for providing a very detailed report in a private communication.

This version is considered stable and we recommend to update all productive installations of Roundcube 1.5.x with it. Please do backup your data before updating!

Roundcube Webmail 1.6.7

This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides a fix to a recently reported XSS vulnerabilities:

• Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes.
  Reported by Valentin T. and Lutz Wolf of CrowdStrike.
• Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences.
  Reported by Huy Nguyễn Phạm Nhật.
• Fix command injection via crafted im_convert_path/im_identify_path on Windows.
  Reported by Huy Nguyễn Phạm Nhật.

This version is considered stable and we recommend to update all productive installations of Roundcube 1.6.x with it. Please do backup your data before updating!

CHANGELOG

• Makefile: Use phpDocumentor v3.4 for the Framework docs (#9313)
• Fix bug where HTML entities in URLs were not decoded on HTML to plain text conversion (#9312)
• Fix bug in collapsing/expanding folders with some special characters in names (#9324)
• Fix PHP8 warnings (#9363, #9365, #9429)
• Fix missing field labels in CSV import, for some locales (#9393)
• Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes
• Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences
• Fix command injection via crafted im_convert_path/im_identify_path on Windows

Roundcube Webmail 1.5.7

This is a security update to the stable version 1.5 of Roundcube Webmail.
It provides a fix to a recently reported XSS vulnerabilities:

• Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes.
  Reported by Valentin T. and Lutz Wolf of CrowdStrike.
• Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences.
  Reported by Huy Nguyễn Phạm Nhật.
• Fix command injection via crafted im_convert_path/im_identify_path on Windows.
  Reported by Huy Nguyễn Phạm Nhật.

This version is considered stable and we recommend to update all productive installations of Roundcube 1.5.x with it. Please do backup your data before updating!

CHANGELOG

• Enigma: Fix finding of a private key when decrypting a message using GnuPG v2.3
• Fix TinyMCE localization installation (#9266)
• Makefile: Use phpDocumentor v3.4 for the Framework docs (#9313)
• Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes
• Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences
• Fix command injection via crafted im_convert_path/im_identify_path on Windows

Roundcube Webmail 1.6.6

This is the next service release to update the stable version 1.6.
It provides a bunch of small fixes and improvements after getting your feedback from the previous releases. See the full changelog below.

This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!

CHANGELOG

• Fix regression in handling LDAP search_fields configuration parameter (#9210)
• Enigma: Fix finding of a private key when decrypting a message using GnuPG v2.3
• Fix page jump menu flickering on click (#9196)
• Update to TinyMCE 5.10.9 security release (#9228)
• Fix PHP8 warnings (#9235, #9238, #9242, #9306)
• Fix saving other encryption settings besides enigma's (#9240)
• Fix unneeded php command use in installto.sh and deluser.sh scripts (#9237)
• Fix TinyMCE localization installation (#9266)
• Fix bug where trailing non-ascii characters in email addresses could have been removed in recipient input (#9257)
• Fix IMAP GETMETADATA command with options - RFC5464

Roundcube Webmail 1.6.5

This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides a fix to a recently reported XSS vulnerability:

• Fix cross-site scripting (XSS) vulnerability in setting Content-Type/Content-Disposition for attachment preview/download reported by Rene Rehme (rehme.infosec).

This version is considered stable and we recommend to update all productive installations of Roundcube 1.6.x with it. Please do backup your data before updating!

CHANGELOG

• Fix PHP8 fatal error when parsing a malformed BODYSTRUCTURE (#9171)
• Fix duplicated Inbox folder on IMAP servers that do not use Inbox folder with all capital letters (#9166)
• Fix PHP warnings (#9174)
• Fix UI issue when dealing with an invalid managesieve_default_headers value (#9175)
• Fix bug where images attached to application/smil messages weren't displayed (#8870)
• Fix PHP string replacement error in utils/error.php (#9185)
• Fix regression where smtp_user did not allow pre/post strings before/after %u placeholder (#9162)
• Fix cross-site scripting (XSS) vulnerability in setting Content-Type/Content-Disposition for attachment preview/download

Roundcube Webmail 1.5.6

This is a security update to the stable version 1.5 of Roundcube Webmail.
It provides a fix to a recently reported XSS vulnerability:

• Fix cross-site scripting (XSS) vulnerability in setting Content-Type/Content-Disposition for attachment preview/download reported by Rene Rehme (rehme.infosec).

This version is considered stable and we recommend to update all productive installations of Roundcube 1.5.x with it. Please do backup your data before updating!

CHANGELOG

• Fix cross-site scripting (XSS) vulnerability in setting Content-Type/Content-Disposition for attachment preview/download
  reported by Rene Rehme (rehme.infosec).

Roundcube Webmail 1.6.4

This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides a fix to a recently reported XSS vulnerability:

• Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages (#9168) reported separately by Matthieu Faou (ESET) and Denys Klymenko.

This version is considered stable and we recommend to update all productive installations of Roundcube 1.6.x with it. Please do backup your data before updating!

CHANGELOG

• Fix PHP8 warnings (#9142, #9160)
• Fix default 'mime.types' path on Windows (#9113)
• Managesieve: Fix javascript error when relational or spamtest extension is not enabled (#9139)
• Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages (#9168)