Roundcube Webmail 1.6.3

@alecpl alecpl released this 15 Sep 09:54
· 59 commits to release-1.6 since this release

This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides a fix to a recently reported XSS vulnerability:

  • Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages, reported by Niraj Shivtarkar.

This version is considered stable and we recommend updating all production installations of Roundcube 1.6.x to it. Please back up your data before updating!

CHANGELOG

  • Fix bug where installto.sh/update.sh scripts were removing some essential options from the config file (#9051)
  • Update jQuery-UI to version 1.13.2 (#9041)
  • Fix regression that broke use_secure_urls feature (#9052)
  • Fix potential PHP fatal error when opening a message with message/rfc822 part (#8953)
  • Fix bug where a duplicate <title> tag in HTML email could cause some parts to be cut off (#9029)
  • Fix bug where a list of folders could have been sorted incorrectly (#9057)
  • Fix regression where LDAP addressbook 'filter' option was ignored (#9061)
  • Fix wrong order of a multi-folder search result when sorting by size (#9065)
  • Fix so install/update scripts do not require PEAR (#9037)
  • Fix regression where some mail parts could have been decoded incorrectly, or not at all (#9096)
  • Fix handling of an error case in Cyrus IMAP BINARY FETCH, fallback to non-binary FETCH (#9097)
  • Fix PHP8 deprecation warning in the reconnect plugin (#9083)
  • Fix "Show source" on mobile with x_frame_options = deny (#9084)
  • Fix various PHP warnings (#9098)
  • Fix deprecated use of ldap_connect() in password's ldap_simple driver (#9060)
  • Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages