- update to 1.6.7
This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides fixes for recently reported XSS vulnerabilities:
* Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes.
Reported by Valentin T. and Lutz Wolf of CrowdStrike.
* Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences.
Reported by Huy Nguyễn Phạm Nhật.
* Fix command injection via crafted im_convert_path/im_identify_path on Windows.
Reported by Huy Nguyễn Phạm Nhật.
CHANGELOG
* Makefile: Use phpDocumentor v3.4 for the Framework docs (#9313)
* Fix bug where HTML entities in URLs were not decoded on HTML to plain text conversion (#9312)
* Fix bug in collapsing/expanding folders with some special characters in names (#9324)
* Fix PHP8 warnings (#9363, #9365, #9429)
* Fix missing field labels in CSV import, for some locales (#9393)
* Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes
* Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences
* Fix command injection via crafted im_convert_path/im_identify_path on Windows
OBS-URL: https://build.opensuse.org/request/show/1175253
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/roundcubemail?expand=0&rev=173
- update to 1.6.5 (bsc#1216895)
* Fix cross-site scripting (XSS) vulnerability in setting
Content-Type/Content-Disposition for attachment
preview/download CVE-2023-47272
Other changes
* Fix PHP8 fatal error when parsing a malformed BODYSTRUCTURE (#9171)
* Fix duplicated Inbox folder on IMAP servers that do not use Inbox
folder with all capital letters (#9166)
* Fix PHP warnings (#9174)
* Fix UI issue when dealing with an invalid managesieve_default_headers
value (#9175)
* Fix bug where images attached to application/smil messages
weren't displayed (#8870)
* Fix PHP string replacement error in utils/error.php (#9185)
* Fix regression where smtp_user did not allow pre/post strings
before/after %u placeholder (#9162)
OBS-URL: https://build.opensuse.org/request/show/1123659
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/roundcubemail?expand=0&rev=81
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/roundcubemail?expand=0&rev=169
* Fix bug where installto.sh/update.sh scripts were removing some
essential options from the config file (#9051)
* Update jQuery-UI to version 1.13.2 (#9041)
* Fix regression that broke use_secure_urls feature (#9052)
* Fix potential PHP fatal error when opening a message with
message/rfc822 part (#8953)
* Fix bug where a duplicate <title> tag in HTML email could cause some
parts being cut off (#9029)
* Fix bug where a list of folders could have been sorted
incorrectly (#9057)
* Fix regression where LDAP addressbook 'filter' option was
ignored (#9061)
* Fix wrong order of a multi-folder search result when sorting by
size (#9065)
* Fix so install/update scripts do not require PEAR (#9037)
* Fix regression where some mail parts could have been decoded
incorrectly, or not at all (#9096)
* Fix handling of an error case in Cyrus IMAP BINARY FETCH, fallback to
non-binary FETCH (#9097)
* Fix PHP8 deprecation warning in the reconnect plugin (#9083)
* Fix "Show source" on mobile with x_frame_options = deny (#9084)
* Fix various PHP warnings (#9098)
* Fix deprecated use of ldap_connect() in password's ldap_simple driver (#9060)
* Fix cross-site scripting (XSS) vulnerability in handling of linkrefs
in plain text messages
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/roundcubemail?expand=0&rev=165
- update to 1.6.2
* Add Uyghur localization
* Fix regression in OAuth request URI caused by use of REQUEST_URI
instead of SCRIPT_NAME as a default (#8878)
* Fix bug where false attachment reminder was displayed on HTML mail
with inline images (#8885)
* Fix bug where a non-ASCII character in app.js could cause error in
javascript engine (#8894)
* Fix JWT decoding with url safe base64 schema (#8890)
* Fix bug where .wav instead of .mp3 file was used for the new mail
notification in Firefox (#8895)
* Fix PHP8 warning (#8891)
* Fix support for Windows-31J charset (#8869)
* Fix so LDAP VLV option is disabled by default as documented (#8833)
* Fix so an email address with name is supported as input to the
managesieve notify :from parameter (#8918)
* Fix Help plugin menu (#8898)
* Fix invalid onclick handler on the logo image when using non-array
skin_logo setting (#8933)
* Fix duplicate recipients in "To" and "Cc" on reply (#8912)
* Fix bug where it wasn't possible to scroll lists by clicking middle
mouse button (#8942)
* Fix bug where label text in a single-input dialog could be partially
invisible in some locales (#8905)
* Fix bug where LDAP (fulltext) search didn't work without 'search_fields'
in config (#8874)
* Fix extra leading newlines in plain text converted from HTML (#8973)
* Fix so recipients with a domain ending with .s are allowed (#8854)
* Fix so vCard output does not contain non-standard/redundant TYPE=OTHER
and TYPE=INTERNET (#8838)
OBS-URL: https://build.opensuse.org/request/show/1096557
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/roundcubemail?expand=0&rev=164
* Kill session if refreshing oauth token fails (#8734)
* Fix various PHP 8.1 warnings (#8628, #8644, #8667, #8656, #8647)
* Password: Remove references to %c variable that has been removed before (#8633)
* Fix anchor links in HTML mail (#8632)
* Fix bug where config creation in Installer did ignore options in the form (#8634)
* Fix bug where renamed options were removed from the config on
installto.sh (update.sh) run (#8643)
* Fix favicon rewrite rule in .htaccess (#8654)
* Fix various PHP 8.2 warnings
* Fix bug where it wasn't possible to create more than one response
record on SQLite and Postgres (#8664)
* Fix support for ManageSieve over implicit SSL (#8670)
* Fix bug where "about:blank" page could trigger "load error" (#8554)
* Fix bug where setting 'Clear Trash on Logout' to 'all messages'
didn't work (#8687)
* Fix bug where the attachment menu wouldn't disappear after an action
is selected (#8691)
* Fix bug where some dialogs in an eml attachment preview would not
close on mobile (#8627)
* Fix bug where multiline data:image URI's in emails were stripped
from the message on display (#8613)
* Fix fatal error on identity page if Enigma plugin is misconfigured (#8719)
* Fix so N property always exists in a vCard export (#8771)
* Fix authenticating to Courier IMAP with passwords containing
a '~' character (#8772)
* Fix handling of smtp/imap port options on configuration file
update (#8756)
* Fix bug where array values could not be saved in utils/save_pref
action (#8781)
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/roundcubemail?expand=0&rev=163
+ full PHP8 support
+ Dark mode for Elastic skin
+ OAuth2/XOauth support (with plugin hooks)
+ Collected recipients and trusted senders
+ Moving recipients between inputs with drag & drop
+ Full unicode support with MySQL database
+ Support of IMAP LITERAL- extension RFC 7888
<https://datatracker.ietf.org/doc/html/rfc7888>
+ Support of RFC 2231 <https://datatracker.ietf.org/doc/html/rfc2231>
encoded names
+ Cache refactoring
More at https://github.com/roundcube/roundcubemail/releases/tag/1.5.0
- adjusted some file names to new release
(_styles.less -> styles.less; _variables.less -> variables.less;
CHANGELOG -> CHANGELOG.md)
- vendor/roundcube/plugin-installer/src/bin/rcubeinitdb.sh does not exist
any longer
- added SECURITY.md to documentation
- mark the whole documentation directory as documentation instead of
listing some files and others not (avoid duplicate entries in RPM-DB)
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/roundcubemail?expand=0&rev=154
- update to 1.4.10:
* Stored cross-site scripting (XSS) via HTML or plain text messages
with malicious content (CVE-2020-35730 boo#1180399)
* Fix extra angle brackets in In-Reply-To header derived from mailto: params (#7655)
* Fix folder list issue when special folder is a subfolder (#7647)
* Fix Elastic's folder subscription toggle in search result (#7653)
* Fix state of subscription toggle on folders list after changing
folder state from the search result (#7653)
* Security: Fix cross-site scripting (XSS) via HTML or plain text
messages with malicious content
OBS-URL: https://build.opensuse.org/request/show/858987
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/roundcubemail?expand=0&rev=69
* Stored cross-site scripting (XSS) via HTML or plain text messages
with malicious content [CVE-2020-35730]
* Fix extra angle brackets in In-Reply-To header derived from mailto: params (#7655)
* Fix folder list issue when special folder is a subfolder (#7647)
* Fix Elastic's folder subscription toggle in search result (#7653)
* Fix state of subscription toggle on folders list after changing
folder state from the search result (#7653)
* Security: Fix cross-site scripting (XSS) via HTML or plain text
messages with malicious content
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/roundcubemail?expand=0&rev=150
- finally renamed roundcubemail-1.4.8-config_dir.patch to
roundcubemail-config_dir.patch to avoid additional roundtrip
times with each submission:
+ removed roundcubemail-1.4.7-config_dir.patch
+ added roundcubemail-config_dir.patch
- update to 1.4.8 with security fixes:
* Fix cross-site scripting (XSS) via HTML messages with malicious svg content (CVE-2020-16145)
* Fix cross-site scripting (XSS) via HTML messages with malicious math content
OBS-URL: https://build.opensuse.org/request/show/826894
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/roundcubemail?expand=0&rev=66
- update to 1.4.7 with security fix:
* Security: Fix cross-site scripting (XSS) via HTML messages with malicious svg/namespace
* Fix bug where subfolders of special folders could have been duplicated on folder list
* Increase maximum size of contact jobtitle and department fields to 128 characters
* Fix missing newline after the logged line when writing to stdout (#7418)
* Elastic: Fix context menu (paste) on the recipient input (#7431)
* Fix problem with forwarding inline images attached to messages with no HTML part (#7414)
* Fix problem with handling attached images with same name when using
database_attachments/redundant_attachments (#7455)
OBS-URL: https://build.opensuse.org/request/show/818992
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/roundcubemail?expand=0&rev=143
- update to 1.4.5
Security fixes
* Fix XSS issue in template object 'username' (#7406)
* Fix cross-site scripting (XSS) via malicious XML attachment
* Fix a couple of XSS issues in Installer (#7406)
* Better fix for CVE-2020-12641
Other changes
* Fix bug in extracting required plugins from composer.json that led
to spurious error in log (#7364)
* Fix so the database setup description is compatible with MySQL 8 (#7340)
* Markasjunk: Fix regression in jsevent driver (#7361)
* Fix missing flag indication on collapsed thread in Larry and Elastic (#7366)
* Fix default keyservers (use keys.openpgp.org), add note about CORS (#7373, #7367)
* Password: Fix issue with Modoboa driver (#7372)
* Mailvelope: Use sender's address to find pubkeys to check signatures (#7348)
* Mailvelope: Fix Encrypt button hidden in Elastic (#7353)
* Fix PHP warning: count(): Parameter must be an array or an object...
in ID command handler (#7392)
* Fix error when user-configured skin does not exist anymore (#7271)
* Elastic: Fix aspect ratio of a contact photo in mail preview (#7339)
* Fix bug where PDF attachments marked as inline could have not been
attached on mail forward (#7382)
* Security: Fix a couple of XSS issues in Installer (#7406)
* Security: Fix XSS issue in template object 'username' (#7406)
* Security: Fix cross-site scripting (XSS) via malicious XML attachment
* Security: Better fix for CVE-2020-12641
- renamed roundcubemail-1.4.4-config_dir.patch to
roundcubemail-1.4.5-config_dir.patch
OBS-URL: https://build.opensuse.org/request/show/811037
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/roundcubemail?expand=0&rev=139
- update to 1.4.3
* Enigma: Fix so key list selection is reset when opening key creation form (#7154)
* Enigma: Fix so using list checkbox selection does not load the key preview frame
* Enigma: Fix generation of key pairs for identities with IDN domains (#7181)
* Enigma: Display IDN domains of key users and identities in UTF8
* Enigma: Fix bug where "Send unencrypted" button didn't work in Elastic skin (#7205)
* Managesieve: Fix bug where it wasn't possible to save flag actions (#7188)
* Markasjunk: Fix bug where marking as spam/ham didn't work on moving messages with drag-and-drop (#7137)
* Password: Make chpass-wrapper.py Python 3 compatible (#7135)
* Elastic: Fix disappearing sidebar in mail compose after clicking Mail button
* Elastic: Fix incorrect aria-disabled attribute on Mail taskmenu button in mail compose
* Elastic: Fix bug where it was possible to switch editor mode when 'htmleditor' was in 'dont_override' (#7143)
* Elastic: Fix text selection in recipient inputs (#7129)
* Elastic: Fix missing Close button in "more recipients" dialog
* Elastic: Fix non-working folder subscription checkbox for newly added folders (#7174)
* Fix regression where "Open in new window" action didn't work (#7155)
* Fix PHP Warning: array_filter() expects parameter 1 to be array, null given in subscriptions_option plugin (#7165)
* Fix unexpected error message when mail refresh involves folder auto-unsubscribe (#6923)
* Fix recipient duplicates in print-view when the recipient list has been expanded (#7169)
* Fix bug where files in skins/ directory were listed on skins list (#7180)
* Fix bug where message parts with no Content-Disposition header and no name were not listed on attachments list (#7117)
* Fix display issues with mail subject that contains line-breaks (#7191)
* Fix invalid Content-Transfer-Encoding on multipart messages - Mail_Mime fix (#7170)
* Fix regression where using an absolute path to SQLite database file on Windows didn't work (#7196)
* Fix using unix:///path/to/socket.file in memcached driver (#7210)
- adjusted/renamed roundcubemail-1.4.2-config_dir.patch to
roundcubemail-1.4.3-config_dir.patch
OBS-URL: https://build.opensuse.org/request/show/778032
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/roundcubemail?expand=0&rev=61
- update to 1.4.2:
* Plugin API: Make actionbefore, before, actionafter and after
events working with plugin actions (#7106)
* Managesieve: Replace "Filter disabled" with "Filter enabled" (#7028)
* Managesieve: Fix so modifier type select wasn't hidden after hiding
modifier select on header change
* Managesieve: Fix filter selection after removing a first filter (#7079)
* Markasjunk: Fix marking more than one message as spam/ham with
email_learn driver (#7121)
* Password: Fix kpasswd and smb drivers' double-escaping bug (#7092)
* Enigma: Add script to import keys from filesystem to the db
storage (for multihost)
* Installer: Fix DB Write test on SQLite database
("database is locked" error) (#7064)
* Installer: Fix so SQLite DSN with a relative path to the database
file works in Installer
* Elastic: Fix contrast of warning toasts (#7058)
* Elastic: Simple search in pretty selects (#7072)
* Elastic: Fix hidden list widget on mobile/tablet when selecting
folder while search menu is open (#7120)
* Fix so type attribute on script tags is not used on HTML5 pages (#6975)
* Fix unread count after purge on a folder that is not currently selected (#7051)
* Fix bug where Enter key didn't work on messages list in "List" layout (#7052)
* Fix bug where deleting a saved search in addressbook caused
display issue on sources/groups list (#7061)
* Fix bug where a new saved search added after removing all searches
wasn't added to the list (#7061)
* Fix bug where a new contact group added after removing all groups
from addressbook wasn't added to the list
* Fix so install-jsdeps.sh removes Bootstrap's sourceMappingURL (#7035)
OBS-URL: https://build.opensuse.org/request/show/761569
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/roundcubemail?expand=0&rev=59
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/roundcubemail?expand=0&rev=129
Added: recommend php-imagick
- remove more cruft from the source (like .tavis or .gitignore)
- php documentor is not needed on a productive system -> remove
- also fix /usr/bin/env calls for two vendor scripts
- skins now have some configurable files in their directories:
move those files over to /etc/roundcubemail/skins/
- move other text files (incl. vendor ones) out of the root
directory (and handle the LICENSE file a bit differently)
- enable mod_filter and add AddOutputFilterByType for common media
types like html, javascript or xml
- enable php7 on newer openSUSE versions
- enable deflate, expires, filter, headers and setenvif on a new
installation - do not enable any module in case of an update
- recommend php-imagick for additional features
OBS-URL: https://build.opensuse.org/request/show/758882
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/roundcubemail?expand=0&rev=128
- Upgrade to version 1.3.8:
* Fix PHP warnings on dummy QUOTA responses in Courier-IMAP 4.17.1 (#6374)
* Fix so fallback from BINARY to BODY FETCH is used also on [PARSE] errors in dovecot 2.3 (#6383)
* Enigma: Fix deleting keys with authentication subkeys (#6381)
* Fix invalid regular expressions that throw warnings on PHP 7.3 (#6398)
* Fix so Classic skin splitter does not escape out of window (#6397)
* Fix XSS issue in handling invalid style tag content (#6410)
* Fix compatibility with MySQL 8 - error on 'system' table use
* Managesieve: Fix bug where show_real_foldernames setting wasn't respected (#6422)
* New_user_identity: Fix %fu/%u vars substitution in user specific LDAP params (#6419)
* Fix support for "allow-from " in x_frame_options config option (#6449)
* Fix bug where valid content between HTML comments could have been skipped in some cases (#6464)
* Fix multiple VCard field search (#6466)
* Fix session issue on long running requests (#6470)
- add files with .log entry to logrotate config
- enhance apache configuration by:
+ disable mbstring function overload (http://bugs.php.net/bug.php?id=30766)
+ do not allow to see README*, INSTALL, LICENSE or CHANGELOG files
+ set additional headers:
++ Content-Security-Policy: ask browsers to not set the referrer
++ Cache-Control: ask not to cache the content
++ Strict-Transport-Security: set HSTS rules for SSL traffic
++ X-XSS-Protection: configure built in reflective XSS protection
- adjust README.openSUSE:
+ db.inc.php is not used any longer
+ flush privileges after creating/changing users in mysql
- use %%license macro on newer distributions
OBS-URL: https://build.opensuse.org/request/show/644894
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/roundcubemail?expand=0&rev=121
- Upgrade to version 1.3.6
* Fix parsing date strings (e.g. from a Date: mail header) with comments
* Fix PHP 7.2: count(): Parameter must be an array in enchant-based spellchecker
* Fix possible IMAP command injection and type juggling vulnerabilities
* Enigma: Fix key selection for signing
* Enigma: Enable keypair generation on Internet Explorer 11
* Fix check_request() bypass in places using get_uids() (CVE-2018-9846 boo#1067574)
* Fix bug where usernames without domain part could be malformed or converted to lower-case on logon
OBS-URL: https://build.opensuse.org/request/show/596134
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/roundcubemail?expand=0&rev=118
- Enigma: Add possibility to configure gpg-agent binary location (enigma_pgp_agent)
- Enigma: Fix signature verification with some IMAP servers, e.g. Gmail, DBMail (#5371)
- Enigma: Make recipient key searches case-insensitive (#5434)
- Fix regression in resizing JPEG images with Imagick (#5376)
- Managesieve: Fix parsing of vacation date-time with non-default date_format (#5372)
- Use SymLinksIfOwnerMatch in .htaccess instead of FollowSymLinks disabled on some hosts for security reasons (#5370)
- Wash position:fixed style in HTML mail for better security (#5264)
- Fix bug where memcache_debug didn't work for session operations
- Fix bug where Message-ID domain part was tied to username instead of current identity (#5385)
- Fix bug where blocked.gif couldn't be attached to reply/forward with insecure content
- Fix E_DEPRECATED warning when using Auth_SASL::factory() (#5401)
- Fix bug where names of downloaded files could be malformed when derived from the message subject (#5404)
- Fix so "All" messages selection is reset on search reset (#5413)
- Fix bug where folder creation could fail if personal namespace contained more than one entry (#5403)
- Fix error causing empty INBOX listing in Firefox when using an URL with user:password specified (#5400)
- Fix PHP warning when handling shared namespace with empty prefix (#5420)
- Fix so folders list is scrolled to the selected folder on page load (#5424)
- Fix so when moving to Trash we make sure the folder exists (#5192)
- Fix displaying size of attachments with zero size
- Fix so "Action disabled" error uses more appropriate 404 code (#5440)
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/roundcubemail?expand=0&rev=104
Plugin API: Add html2text hook
Plugin API: Added addressbook_export hook
Fix missing emoticons on html-to-text conversion
Fix random "access to this resource is secured against CSRF" message at logout (#4956)
Fix missing language name in "Add to Dictionary" request in HTML mode (#4951)
Enable use of TLSv1.1 and TLSv1.2 for IMAP (#4955)
Fix XSS issue in SVG images handling (#4949)
Fix (again) security issue in DBMail driver of password plugin CVE-2015-2181
Fix bug where Archive/Junk buttons were not active after page jump with select=all mode (#4961)
Fix bug in long recipients list parsing for cases where recipient name contained @-char (#4964)
Fix additional_message_headers plugin compatibility with Mail_Mime >= 1.9 (#4966)
Hide DSN option in Preferences when smtp_server is not used (#4967)
Protect download urls against CSRF using unique request tokens (#4957)
newmail_notifier: Refactor desktop notifications
Fix so contactlist_fields option can be set via config file
Fix so SPECIAL-USE assignments are forced only until user sets special folders (#4782)
Fix performance in reverting order of THREAD result
Fix converting mail addresses with @www. into mailto links (#5197)
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/roundcubemail?expand=0&rev=101
- Update to 1.1.4
Add workaround for https://bugs.php.net/bug.php?id=70757 (#1490582)
Fix duplicate messages in list and wrong count after delete (#1490572)
Fix so Installer requires PHP5
Make brute force attacks harder by re-generating security token on every failed login (#1490549)
Slow down brute-force attacks by waiting for a second after failed login (#1490549)
Fix .htaccess rewrite rules to not block .well-known URIs (#1490615)
Fix mail view scaling on iOS (#1490551)
Fix so database_attachments::cleanup() does not remove attachments from other sessions (#1490542)
Fix responses list update issue after response name change (#1490555)
Fix bug where message preview was unintentionally reset on check-recent action (#1490563)
Fix bug where HTML messages with invalid/excessive css styles couldn't be displayed (#1490539)
Fix redundant blank lines when using HTML and top posting (#1490576)
Fix redundant blank lines on start of text after html to text conversion (#1490577)
Fix HTML sanitizer to skip <!-- node type X --> in output (#1490583)
Fix invalid LDAP query in ACL user autocompletion (#1490591)
Fix regression in displaying contents of message/rfc822 parts (#1490606)
Fix handling of message/rfc822 attachments on replies and forwards (#1490607)
Fix PDF support detection in Firefox > 19 (#1490610)
Fix path traversal vulnerability (CWE-22) in setting a skin (#1490620)
Fix so drag-n-drop of text (e.g. recipient addresses) on compose page actually works (#1490619)
- explicitly add required PHP packages (according to INSTALL):
+ php-dom, php-json, php-sockets
- also recommend additional PHP packages:
+ php-zip, php-pear-Crypt_GPG
- use generic php- prefix also for recommended packages (no explicit php5-)
- no Dockerfile readme any more
OBS-URL: https://build.opensuse.org/request/show/351471
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/roundcubemail?expand=0&rev=96
- Update to 1.1.2
Add new plugin hook 'identity_create_after' providing the ID of the inserted identity (#1490358)
Add option to place signature at bottom of the quoted text even in top-posting mode [sig_below]
Fix handling of %-encoded entities in mailto: URLs (#1490346)
Fix zipped messages downloads after selecting all messages in a folder (#1490339)
Fix vpopmaild driver of password plugin
Fix PHP warning: Non-static method PEAR::setErrorHandling() should not be called statically (#1490343)
Fix tables listing routine on mysql and postgres so it skips system or other database tables and views (#1490337)
Fix message list header in classic skin on window resize in Internet Explorer (#1490213)
Fix so text/calendar parts are listed as attachments even if not marked as such (#1490325)
Fix lack of signature separator for plain text signatures in html mode (#1490352)
Fix font artifact in Google Chrome on Windows (#1490353)
Fix bug where forced extwin page reload could exit from the extwin mode (#1490350)
Fix bug where some unrelated attachments in multipart/related message were not listed (#1490355)
Fix mouseup event handling when dragging a list record (#1490359)
Fix bug where preview_pane setting wasn't always saved into user preferences (#1490362)
Fix bug where messages count was not updated after message move/delete with skip_deleted=false (#1490372)
Fix security issue in contact photo handling (#1490379)
Fix possible memcache/apc cache data consistency issues (#1490390)
Fix bug where imap_conn_options were ignored in IMAP connection test (#1490392)
Fix bug where some files could have "executable" extension when stored in temp folder (#1490377)
Fix attached file path unsetting in database_attachments plugin (#1490393)
Fix issues when using moduserprefs.sh without --user argument (#1490399)
Fix potential info disclosure issue by protecting directory access (#1490378)
Fix blank image in html_signature when saving identity changes (#1490412)
Installer: Use openssl_random_pseudo_bytes() (if available) to generate des_key (#1490402)
Fix XSS vulnerability in _mbox argument handling (#1490417)
OBS-URL: https://build.opensuse.org/request/show/311197
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/roundcubemail?expand=0&rev=93
New features:
- Allow searching across multiple folders
- Improved support for screen readers and assistive technology using
WCAG 2.0 and WAI ARIA standards
- Update to TinyMCE 4.1 to support images in HTML signatures (copy & paste)
- Added namespace filter and folder searching in folder manager
- New config option to disable UI elements/actions
- Stronger password encryption using OpenSSL
- Support for the IMAP SPECIAL-USE extension
- Support for Oracle as database backend
- Manage 3rd party libs with Composer
- Secure URLs [1] (disabled by default)
Changelog:
Make SMTP error log more verbose - include server response and error code
Fix download options menu (added by zipdownload plugin) in classic skin (#1490228)
Fix blocked.gif image usage with assets_dir set
Fix bug where max_group_members was ignored when adding a new contact (#1490214)
Hide MDN and DSN options in compose if disabled by admin (#1490221)
Fix checks based on window.ActiveXObject in IE > 10
Fix XSS issue in style attribute handling (#1490227)
Fix bug where Drafts list wasn't updated on draft-save action in new window (#1490225)
Fix so "set as default" option is hidden if identities_level > 1 (#1490226)
Fix bug where search was reset after returning from compose visited for reply
Fix javascript error in "IE 8.0/Tablet PC" browser (#1490210)
Fix bug where Reply-To address was ignored on reply to messages sent by self (#1490233)
Fix bug where empty fieldmap config entries caused empty results of ldap search (#1490229)
Fix bug where drafts list wasn't refreshed after draft message was sent from another window (#1490238)
Fix keyboard navigation and css in datepicker widget across many Firefox versions
Fix false warning when opening attached text/plain files (#1490241)
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/roundcubemail?expand=0&rev=91
* Send X-Frame-Options headers to protect from clickjacking (#1487037)
* Fallback to mail_domain in LDAP variable replacements; added 'host' to 'user_create' hook arguments (#1488024)
* Fixed wrong vCard type parameter mobile (#1488067)
* Fixed vCard WORKFAX issue (#1488046)
* Add vCard's Profile URL support (#1488062)
* jQuery 1.6.3
* Fix imap_cache setting to values other than 'db' (#1488060)
* Fix handling of attachments inside message/rfc822 parts (#1488026)
* Make list of mimetypes that open in preview window configurable (#1487625)
* Added plugin hook 'message_part_get' for attachment downloads
* Localize forwarded message header (#1488058)
* Added unique connection identifier to IMAP debug messages
* Added 'priority' column on messages list (#1486782)
* Fix image type check for contact photo uploads
- Release 0.6-beta
* Add option to hide selected LDAP addressbook on the list
* Add client-side checking of uploaded files size
* Add newlines between organization, department, jobtitle (#1488028)
* Recalculate date when replying to a message and localize the cite header (#1487675)
* Fix handling of email addresses with quoted local part (#1487939)
* Fix EOL character in vCard exports (#1487873)
* Added optional "multithreading" autocomplete feature
* Plugin API: Added 'config_get' hook
* Fixed new_user_identity plugin to work with updated rcube_ldap class (#1487994)
* Plugin API: added folder_delete and folder_rename hooks
* Added possibility to undo last contact delete operation
* Fix sorting of contact groups after group create (#1487747)
* Add optional textual upload progress indicator (#1486039)
* Fix parsing URLs containing commas (#1487970)
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/roundcubemail?expand=0&rev=28