Skip to content

Roundcube Webmail 1.6.5
Compare
Choose a tag to compare
@alecpl alecpl released this 05 Nov 09:40
· 519 commits to master since this release
1.6.5
This tag was signed with the committer’s verified signature.
alecpl Aleksander Machniak
GPG key ID: BEE674A019359DC1
Learn about vigilant mode.
81ac3c3

This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides a fix to a recently reported XSS vulnerability:

  • Fix cross-site scripting (XSS) vulnerability in setting Content-Type/Content-Disposition for attachment preview/download reported by Rene Rehme (rehme.infosec).

This version is considered stable and we recommend to update all productive installations of Roundcube 1.6.x with it. Please do backup your data before updating!

CHANGELOG

  • Fix PHP8 fatal error when parsing a malformed BODYSTRUCTURE (#9171)
  • Fix duplicated Inbox folder on IMAP servers that do not use Inbox folder with all capital letters (#9166)
  • Fix PHP warnings (#9174)
  • Fix UI issue when dealing with an invalid managesieve_default_headers value (#9175)
  • Fix bug where images attached to application/smil messages weren't displayed (#8870)
  • Fix PHP string replacement error in utils/error.php (#9185)
  • Fix regression where smtp_user did not allow pre/post strings before/after %u placeholder (#9162)
  • Fix cross-site scripting (XSS) vulnerability in setting Content-Type/Content-Disposition for attachment preview/download
Assets 8