Releases: roundcube/roundcubemail
Roundcube Webmail 1.6.6
This is the next service release to update the stable version 1.6.
It provides a bunch of small fixes and improvements after getting your feedback from the previous releases. See the full changelog below.
This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!
CHANGELOG
- Fix regression in handling LDAP search_fields configuration parameter (#9210)
- Enigma: Fix finding of a private key when decrypting a message using GnuPG v2.3
- Fix page jump menu flickering on click (#9196)
- Update to TinyMCE 5.10.9 security release (#9228)
- Fix PHP8 warnings (#9235, #9238, #9242, #9306)
- Fix saving other encryption settings besides enigma's (#9240)
- Fix unneeded php command use in installto.sh and deluser.sh scripts (#9237)
- Fix TinyMCE localization installation (#9266)
- Fix bug where trailing non-ascii characters in email addresses could have been removed in recipient input (#9257)
- Fix IMAP GETMETADATA command with options - RFC5464
Roundcube Webmail 1.6.5
This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides a fix to a recently reported XSS vulnerability:
- Fix cross-site scripting (XSS) vulnerability in setting Content-Type/Content-Disposition for attachment preview/download reported by Rene Rehme (rehme.infosec).
This version is considered stable and we recommend to update all productive installations of Roundcube 1.6.x with it. Please do backup your data before updating!
CHANGELOG
- Fix PHP8 fatal error when parsing a malformed BODYSTRUCTURE (#9171)
- Fix duplicated Inbox folder on IMAP servers that do not use Inbox folder with all capital letters (#9166)
- Fix PHP warnings (#9174)
- Fix UI issue when dealing with an invalid managesieve_default_headers value (#9175)
- Fix bug where images attached to application/smil messages weren't displayed (#8870)
- Fix PHP string replacement error in utils/error.php (#9185)
- Fix regression where
smtp_userdid not allow pre/post strings before/after%uplaceholder (#9162) - Fix cross-site scripting (XSS) vulnerability in setting Content-Type/Content-Disposition for attachment preview/download
Roundcube Webmail 1.5.6
This is a security update to the stable version 1.5 of Roundcube Webmail.
It provides a fix to a recently reported XSS vulnerability:
- Fix cross-site scripting (XSS) vulnerability in setting Content-Type/Content-Disposition for attachment preview/download reported by Rene Rehme (rehme.infosec).
This version is considered stable and we recommend to update all productive installations of Roundcube 1.5.x with it. Please do backup your data before updating!
CHANGELOG
- Fix cross-site scripting (XSS) vulnerability in setting Content-Type/Content-Disposition for attachment preview/download
reported by Rene Rehme (rehme.infosec).
Roundcube Webmail 1.6.4
This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides a fix to a recently reported XSS vulnerability:
- Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages (#9168) reported separately by Matthieu Faou (ESET) and Denys Klymenko.
This version is considered stable and we recommend to update all productive installations of Roundcube 1.6.x with it. Please do backup your data before updating!
CHANGELOG
Roundcube Webmail 1.5.5
This is a security update to the stable version 1.5 of Roundcube Webmail.
It provides a fix to a recently reported XSS vulnerability:
Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages (#9168) reported separately by Matthieu Faou (ESET) and Denys Klymenko.
This version is considered stable and we recommend to update all productive installations of Roundcube 1.5.x with it. Please do backup your data before updating!
CHANGELOG
- Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages (#9168)
Roundcube Webmail 1.4.15
This is a security update to the stable version 1.4 of Roundcube Webmail.
It provides a fix to a recently reported XSS vulnerability:
- Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages (#9168) reported separately by Matthieu Faou (ESET) and Denys Klymenko.
This version is considered stable and we recommend to update all productive installations of Roundcube 1.4.x with it. Please do backup your data before updating!
CHANGELOG
Roundcube Webmail 1.5.4
This is a security update to the stable version 1.5 of Roundcube Webmail.
It provides a fix to a recently reported XSS vulnerability:
- Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages, reported by Niraj Shivtarkar.
This version is considered stable and we recommend to update all productive installations of Roundcube 1.5.x with it. Please do backup your data before updating!
CHANGELOG
- Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages
- Fix so output of log_date_format with microseconds contains time in server time zone, not UTC
- Fix so N property always exists in a vCard export (#8771)
- Fix so rcmail::format_date() works with DateTimeImmutable input (#8867)
- Fix bug where a non-ASCII character in app.js could cause error in javascript engine (#8894)
Roundcube Webmail 1.4.14
This is a security update to the stable version 1.4 of Roundcube Webmail.
It provides a fix to a recently reported XSS vulnerability:
- Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages, reported by Niraj Shivtarkar.
This version is considered stable and we recommend to update all productive installations of Roundcube 1.4.x with it. Please do backup your data before updating!
CHANGELOG
- Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages
- Enigma: Fix initial synchronization of private keys
Roundcube Webmail 1.6.3
This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides a fix to a recently reported XSS vulnerability:
- Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages, reported by Niraj Shivtarkar.
This version is considered stable and we recommend to update all productive installations of Roundcube 1.6.x with it. Please do backup your data before updating!
CHANGELOG
- Fix bug where installto.sh/update.sh scripts were removing some essential options from the config file (#9051)
- Update jQuery-UI to version 1.13.2 (#9041)
- Fix regression that broke use_secure_urls feature (#9052)
- Fix potential PHP fatal error when opening a message with message/rfc822 part (#8953)
- Fix bug where a duplicate
<title>tag in HTML email could cause some parts being cut off (#9029) - Fix bug where a list of folders could have been sorted incorrectly (#9057)
- Fix regression where LDAP addressbook 'filter' option was ignored (#9061)
- Fix wrong order of a multi-folder search result when sorting by size (#9065)
- Fix so install/update scripts do not require PEAR (#9037)
- Fix regression where some mail parts could have been decoded incorrectly, or not at all (#9096)
- Fix handling of an error case in Cyrus IMAP BINARY FETCH, fallback to non-binary FETCH (#9097)
- Fix PHP8 deprecation warning in the reconnect plugin (#9083)
- Fix "Show source" on mobile with x_frame_options = deny (#9084)
- Fix various PHP warnings (#9098)
- Fix deprecated use of ldap_connect() in password's ldap_simple driver (#9060)
- Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages
Roundcube Webmail 1.6.2
This is the second service release to update the stable version 1.6.
It provides a bunch of small fixes and improvements after getting your feedback from the previous releases. See the full changelog below.
This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!
Upgrading the Complete Package
Attention when upgrading Roundcube using the complete package!
The installto.sh script does not update the vendor folder of the installation target.
If you're not using Composer to install plugins or other dependencies, please remove the composer.json file of your Roundcube installation before running the installto.sh script.
If you have Composer installed, run composer update --no-dev to complete the upgrade.
CHANGELOG
- Add Uyghur localization
- Fix regression in OAuth request URI caused by use of REQUEST_URI instead of SCRIPT_NAME as a default (#8878)
- Fix bug where false attachment reminder was displayed on HTML mail with inline images (#8885)
- Fix bug where a non-ASCII character in app.js could cause error in javascript engine (#8894)
- Fix JWT decoding with url safe base64 schema (#8890)
- Fix bug where .wav instead of .mp3 file was used for the new mail notification in Firefox (#8895)
- Fix PHP8 warning (#8891)
- Fix support for Windows-31J charset (#8869)
- Fix so LDAP VLV option is disabled by default as documented (#8833)
- Fix so an email address with name is supported as input to the managesieve notify :from parameter (#8918)
- Fix Help plugin menu (#8898)
- Fix invalid onclick handler on the logo image when using non-array skin_logo setting (#8933)
- Fix duplicate recipients in "To" and "Cc" on reply (#8912)
- Fix bug where it wasn't possible to scroll lists by clicking middle mouse button (#8942)
- Fix bug where label text in a single-input dialog could be partially invisible in some locales (#8905)
- Fix bug where LDAP (fulltext) search didn't work without 'search_fields' in config (#8874)
- Fix extra leading newlines in plain text converted from HTML (#8973)
- Fix so recipients with a domain ending with .s are allowed (#8854)
- Fix so vCard output does not contain non-standard/redundant TYPE=OTHER and TYPE=INTERNET (#8838)
- Fix QR code images for contacts with non-ASCII characters (#9001)
- Fix PHP8 warnings when using list_flags and list_cols properties by plugins (#8998)
- Fix bug where subfolders could loose subscription on parent folder rename (#8892)
- Fix connecting to LDAP using an URI with ldapi:// scheme (#8990)
- Fix insecure shell command params handling in cmd_learn driver of markasjunk plugin (#9005)
- Fix bug where some mail headers didn't work in cmd_learn driver of markasjunk plugin (#9005)
- Fix PHP fatal error when importing vcf file using PHP 8.2 (#9025)
- Fix so output of log_date_format with microseconds contains time in server time zone, not UTC