- update to 1.6.13
This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:
+ Fix CSS injection vulnerability reported by CERT Polska.
+ Fix remote image blocking bypass via SVG content reported by nullcathedral.
This version is considered stable and we recommend to update all productive
installations of Roundcube 1.6.x with it. Please do backup your data
before updating!
CHANGELOG
+ Managesieve: Fix handling of string-list format values for date
tests in Out of Office (#10075)
+ Fix CSS injection vulnerability reported by CERT Polska.
+ Fix remote image blocking bypass via SVG content reported by nullcathedral.
OBS-URL: https://build.opensuse.org/request/show/1331860
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/roundcubemail?expand=0&rev=181
- update to 1.6.12
This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:
+ Fix Cross-Site-Scripting vulnerability via SVG's animate tag
reported by Valentin T., CrowdStrike.
+ Fix Information Disclosure vulnerability in the HTML style
sanitizer reported by somerandomdev.
This version is considered stable and we recommend to update all
productive installations of Roundcube 1.6.x with it.
+ Support IPv6 in database DSN (#9937)
+ Don't force specific error_reporting setting
+ Fix compatibility with PHP 8.5 regarding array_first()
+ Remove X-XSS-Protection example from .htaccess file (#9875)
+ Fix "Assign to group" action state after creation of a first group (#9889)
+ Fix bug where contacts search would fail if contactlist_fields contained vcard fields (#9850)
+ Fix bug where an mbox export file could include inconsistent message delimiters (#9879)
+ Fix parsing of inline styles that aren't well-formatted (#9948)
+ Fix Cross-Site-Scripting vulnerability via SVG's animate tag
+ Fix Information Disclosure vulnerability in the HTML style sanitizer
OBS-URL: https://build.opensuse.org/request/show/1322959
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/roundcubemail?expand=0&rev=180
- update to 1.6.11
This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:
* Fix Post-Auth RCE via PHP Object Deserialization reported by firs0v.
- CHANGELOG
* Managesieve: Fix match-type selector (remove unsupported options) in delete header action (#9610)
* Improve installer to fix confusion about disabling SMTP authentication (#9801)
* Fix PHP warning in index.php (#9813)
* OAuth: Fix/improve token refresh
* Fix dark mode bug where wrong colors were used for blockquotes in HTML mail preview (#9820)
* Fix HTML message preview if it contains floating tables (#9804)
* Fix removing/expiring redis/memcache records when using a key prefix
* Fix bug where a wrong SPECIAL-USE folder could have been detected, if there were more than one per-type (#9781)
* Fix a default value and documentation of password_ldap_encodage option (#9658)
* Remove mobile/floating Create button from the list in Settings > Folders (#9661)
* Fix Delete and Empty buttons state while creating a folder (#9047)
* Fix connecting to LDAP using ldapi:// URI (#8990)
* Fix cursor position on "below the quote" reply in HTML mode (#8700)
* Fix bug where attachments with content type of application/vnd.ms-tnef were not parsed (#7119)
OBS-URL: https://build.opensuse.org/request/show/1281690
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/roundcubemail?expand=0&rev=179
- update to 1.6.7
This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides a fix to a recently reported XSS vulnerabilities:
* Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes.
Reported by Valentin T. and Lutz Wolf of CrowdStrike.
* Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences.
Reported by Huy Nguyễn Phạm Nhật.
* Fix command injection via crafted im_convert_path/im_identify_path on Windows.
Reported by Huy Nguyễn Phạm Nhật.
CHANGELOG
* Makefile: Use phpDocumentor v3.4 for the Framework docs (#9313)
* Fix bug where HTML entities in URLs were not decoded on HTML to plain text conversion (#9312)
* Fix bug in collapsing/expanding folders with some special characters in names (#9324)
* Fix PHP8 warnings (#9363, #9365, #9429)
* Fix missing field labels in CSV import, for some locales (#9393)
* Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes
* Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences
* Fix command injection via crafted im_convert_path/im_identify_path on Windows
OBS-URL: https://build.opensuse.org/request/show/1175253
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/roundcubemail?expand=0&rev=173
- update to 1.6.5 (bsc#1216895)
* Fix cross-site scripting (XSS) vulnerability in setting
Content-Type/Content-Disposition for attachment
preview/download CVE-2023-47272
Other changes
* Fix PHP8 fatal error when parsing a malformed BODYSTRUCTURE (#9171)
* Fix duplicated Inbox folder on IMAP servers that do not use Inbox
folder with all capital letters (#9166)
* Fix PHP warnings (#9174)
* Fix UI issue when dealing with an invalid managesieve_default_headers
value (#9175)
* Fix bug where images attached to application/smil messages
weren't displayed (#8870)
* Fix PHP string replacement error in utils/error.php (#9185)
* Fix regression where smtp_user did not allow pre/post strings
before/after %u placeholder (#9162)
OBS-URL: https://build.opensuse.org/request/show/1123659
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/roundcubemail?expand=0&rev=81
* Fix PHP8 fatal error when parsing a malformed BODYSTRUCTURE (#9171)
* Fix duplicated Inbox folder on IMAP servers that do not use Inbox
folder with all capital letters (#9166)
* Fix PHP warnings (#9174)
* Fix UI issue when dealing with an invalid managesieve_default_headers
value (#9175)
* Fix bug where images attached to application/smil messages
weren't displayed (#8870)
* Fix PHP string replacement error in utils/error.php (#9185)
* Fix regression where smtp_user did not allow pre/post strings
before/after %u placeholder (#9162)
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/roundcubemail?expand=0&rev=169
* Fix bug where installto.sh/update.sh scripts were removing some
essential options from the config file (#9051)
* Update jQuery-UI to version 1.13.2 (#9041)
* Fix regression that broke use_secure_urls feature (#9052)
* Fix potential PHP fatal error when opening a message with
message/rfc822 part (#8953)
* Fix bug where a duplicate <title> tag in HTML email could cause some
parts being cut off (#9029)
* Fix bug where a list of folders could have been sorted
incorrectly (#9057)
* Fix regression where LDAP addressbook 'filter' option was
ignored (#9061)
* Fix wrong order of a multi-folder search result when sorting by
size (#9065)
* Fix so install/update scripts do not require PEAR (#9037)
* Fix regression where some mail parts could have been decoded
incorrectly, or not at all (#9096)
* Fix handling of an error case in Cyrus IMAP BINARY FETCH, fallback to
non-binary FETCH (#9097)
* Fix PHP8 deprecation warning in the reconnect plugin (#9083)
* Fix "Show source" on mobile with x_frame_options = deny (#9084)
* Fix various PHP warnings (#9098)
* Fix deprecated use of ldap_connect() in password's ldap_simple driver (#9060)
* Fix cross-site scripting (XSS) vulnerability in handling of linkrefs
in plain text messages
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/roundcubemail?expand=0&rev=165
- update to 1.6.2
* Add Uyghur localization
* Fix regression in OAuth request URI caused by use of REQUEST_URI
instead of SCRIPT_NAME as a default (#8878)
* Fix bug where false attachment reminder was displayed on HTML mail
with inline images (#8885)
* Fix bug where a non-ASCII character in app.js could cause error in
javascript engine (#8894)
* Fix JWT decoding with url safe base64 schema (#8890)
* Fix bug where .wav instead of .mp3 file was used for the new mail
notification in Firefox (#8895)
* Fix PHP8 warning (#8891)
* Fix support for Windows-31J charset (#8869)
* Fix so LDAP VLV option is disabled by default as documented (#8833)
* Fix so an email address with name is supported as input to the
managesieve notify :from parameter (#8918)
* Fix Help plugin menu (#8898)
* Fix invalid onclick handler on the logo image when using non-array
skin_logo setting (#8933)
* Fix duplicate recipients in "To" and "Cc" on reply (#8912)
* Fix bug where it wasn't possible to scroll lists by clicking middle
mouse button (#8942)
* Fix bug where label text in a single-input dialog could be partially
invisible in some locales (#8905)
* Fix bug where LDAP (fulltext) search didn't work without 'search_fields'
in config (#8874)
* Fix extra leading newlines in plain text converted from HTML (#8973)
* Fix so recipients with a domain ending with .s are allowed (#8854)
* Fix so vCard output does not contain non-standard/redundant TYPE=OTHER
and TYPE=INTERNET (#8838)
OBS-URL: https://build.opensuse.org/request/show/1096557
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/roundcubemail?expand=0&rev=164
* Kill session if refreshing oauth token fails (#8734)
* Fix various PHP 8.1 warnings (#8628, #8644, #8667, #8656, #8647)
* Password: Remove references to %c variable that has been removed before (#8633)
* Fix anchor links in HTML mail (#8632)
* Fix bug where config creation in Installer did ignore options in the form (#8634)
* Fix bug where renamed options were removed from the config on
installto.sh (update.sh) run (#8643)
* Fix favicon rewrite rule in .htaccess (#8654)
* Fix various PHP 8.2 warnings
* Fix bug where it wasn't possible to create more than one response
record on SQLite and Postgres (#8664)
* Fix support for ManageSieve over implicit SSL (#8670)
* Fix bug where "about:blank" page could trigger "load error" (#8554)
* Fix bug where setting 'Clear Trash on Logout' to 'all messages'
didn't work (#8687)
* Fix bug where the attachment menu wouldn't disappear after an action
is selected (#8691)
* Fix bug where some dialogs in an eml attachment preview would not
close on mobile (#8627)
* Fix bug where multiline data:image URI's in emails were stripped
from the message on display (#8613)
* Fix fatal error on identity page if Enigma plugin is misconfigured (#8719)
* Fix so N property always exists in a vCard export (#8771)
* Fix authenticating to Courier IMAP with passwords containing
a '~' character (#8772)
* Fix handling of smtp/imap port options on configuration file
update (#8756)
* Fix bug where array values could not be saved in utils/save_pref
action (#8781)
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/roundcubemail?expand=0&rev=163
+ full PHP8 support
+ Dark mode for Elastic skin
+ OAuth2/XOauth support (with plugin hooks)
+ Collected recipients and trusted senders
+ Moving recipients between inputs with drag & drop
+ Full unicode support with MySQL database
+ Support of IMAP LITERAL- extension RFC 7888
<https://datatracker.ietf.org/doc/html/rfc7888>
+ Support of RFC 2231 <https://datatracker.ietf.org/doc/html/rfc2231>
encoded names
+ Cache refactoring
More at https://github.com/roundcube/roundcubemail/releases/tag/1.5.0
- adjusted some file names to new release
(_styles.less -> styles.less; _variables.less -> variables.less;
CHANGELOG -> CHANGELOG.md)
- vendor/roundcube/plugin-installer/src/bin/rcubeinitdb.sh does not exist
any longer
- added SECURITY.md to documentation
- mark the whole documentation directory as documentation instead of
listing some files and others not (avoid duplicate entries in RPM-DB)
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/roundcubemail?expand=0&rev=154
