
Releases: roundcube/roundcubemail

Roundcube Webmail 1.2.12

10 Aug 19:13
1.2.12

This is a security update to the LTS version 1.2.
It fixes two recently reported cross-site scripting (XSS) vulnerabilities via HTML messages with malicious svg and math content.

Credits for these findings go to Łukasz Pilorz from Pentesters.

We strongly recommend updating all production installations of Roundcube 1.2.x if you cannot upgrade to a more recent version.
Please back up your data before updating!

Roundcube Webmail 1.4.7

05 Jul 20:16
1.4.7

This is a service and security update to the stable version 1.4 of Roundcube Webmail.
It contains a fix for a recently reported security vulnerability as well as a small number of general improvements from our issue tracker. See the full changelog below.

Security fix

Prevent cross-site scripting (XSS) via HTML messages with malicious svg/namespace (CVE-2020-15562)

Credits for this finding go to SSD Secure Disclosure.

This version is considered stable and we recommend updating all production installations of Roundcube with it. Please back up your data before updating!

CHANGELOG

  • Fix bug where subfolders of special folders could have been duplicated on folder list
  • Increase maximum size of contact jobtitle and department fields to 128 characters
  • Fix missing newline after the logged line when writing to stdout (#7418)
  • Elastic: Fix context menu (paste) on the recipient input (#7431)
  • Fix problem with forwarding inline images attached to messages with no HTML part (#7414)
  • Fix problem with handling attached images with same name when using database_attachments/redundant_attachments (#7455)
  • Security: Fix cross-site scripting (XSS) via HTML messages with malicious svg/namespace

Roundcube Webmail 1.3.14

05 Jul 20:14
1.3.14

This is a security update to the LTS version 1.3.
It fixes a recently reported cross-site scripting (XSS) vulnerability via HTML messages with malicious svg/namespace (CVE-2020-15562).

Credits for this finding go to SSD Secure Disclosure.

This version is considered stable and we strongly recommend updating all production installations of Roundcube 1.3.x with it. Please back up your data before updating!

Roundcube Webmail 1.2.11

05 Jul 20:12
1.2.11

This is a security update to the LTS version 1.2.
It fixes a recently reported cross-site scripting (XSS) vulnerability via HTML messages with malicious svg/namespace (CVE-2020-15562).

Credits for this finding go to SSD Secure Disclosure.

We strongly recommend updating all production installations of Roundcube 1.2.x if you cannot upgrade to a more recent version. Please back up your data before updating!

Roundcube Webmail 1.4.6

07 Jun 11:31
1.4.6

This is a follow-up release to the recently published version 1.4.5 of Roundcube Webmail.

It contains a single fix for the installer's test step, which was broken in the last release. The update is therefore only relevant for new installations that use the installer to set up Roundcube.

CHANGELOG

  • Installer: Fix regression in SMTP test section (#7417)

Roundcube Webmail 1.3.13

07 Jun 11:29
1.3.13

This is a follow-up release to the recently published version 1.3.12 of Roundcube Webmail.

It contains a single fix for the installer's test step, which was broken in the last release. The update is therefore only relevant for new installations that use the installer to set up Roundcube.

CHANGELOG

  • Installer: Fix regression in SMTP test section (#7417)

Roundcube Webmail 1.3.12

02 Jun 20:29
1.3.12

This is a service and security update to the LTS version 1.3 of Roundcube Webmail.
It contains four fixes for recently reported security vulnerabilities as well as a small number of general improvements backported from the latest stable version. See the full changelog below.

Security fixes

  • Fix XSS issue in template object 'username' (#7406)
  • Fix cross-site scripting (XSS) via malicious XML attachment
  • Fix a couple of XSS issues in Installer (#7406)
  • Better fix for CVE-2020-12641

The latter two vulnerabilities are again related to public access to the Roundcube installer and are therefore classified as minor.

This version is considered stable and we recommend updating all production installations of Roundcube 1.3.x with it. Please back up your data before updating!

CHANGELOG

  • Security: Better fix for CVE-2020-12641
  • Security: Fix XSS issue in template object 'username' (#7406)
  • Security: Fix couple of XSS issues in Installer (#7406)
  • Security: Fix cross-site scripting (XSS) via malicious XML attachment

Roundcube Webmail 1.4.5

02 Jun 20:30
1.4.5

This is a service and security update to the stable version 1.4 of Roundcube Webmail.
It contains fixes for recently reported security vulnerabilities as well as a number of general improvements from our issue tracker. See the full changelog below.

Security fixes

  • Fix XSS issue in template object 'username' (#7406)
  • Fix cross-site scripting (XSS) via malicious XML attachment
  • Fix a couple of XSS issues in Installer (#7406)
  • Better fix for CVE-2020-12641

The latter two vulnerabilities are again related to public access to the Roundcube installer and are therefore classified as minor.

This version is considered stable and we recommend updating all production installations of Roundcube with it. Please back up your data before updating!

CHANGELOG

  • Fix bug in extracting required plugins from composer.json that led to spurious error in log (#7364)
  • Fix so the database setup description is compatible with MySQL 8 (#7340)
  • Markasjunk: Fix regression in jsevent driver (#7361)
  • Fix missing flag indication on collapsed thread in Larry and Elastic (#7366)
  • Fix default keyservers (use keys.openpgp.org), add note about CORS (#7373, #7367)
  • Password: Fix issue with Modoboa driver (#7372)
  • Mailvelope: Use sender's address to find pubkeys to check signatures (#7348)
  • Mailvelope: Fix Encrypt button hidden in Elastic (#7353)
  • Fix PHP warning: count(): Parameter must be an array or an object... in ID command handler (#7392)
  • Fix error when user-configured skin does not exist anymore (#7271)
  • Elastic: Fix aspect ratio of a contact photo in mail preview (#7339)
  • Fix bug where PDF attachments marked as inline could have not been attached on mail forward (#7382)
  • Security: Fix a couple of XSS issues in Installer (#7406)
  • Security: Fix XSS issue in template object 'username' (#7406)
  • Security: Fix cross-site scripting (XSS) via malicious XML attachment
  • Security: Better fix for CVE-2020-12641

Roundcube Webmail 1.4.4

29 Apr 19:43
1.4.4

This is a service and security update to the stable version 1.4 of Roundcube Webmail.
It contains four fixes for recently reported security vulnerabilities as well as a number of general improvements from our issue tracker. See the full changelog below.

Security fixes

  • Cross-Site Scripting (XSS) via malicious HTML content
  • CSRF attack can cause an authenticated user to be logged out
  • Remote code execution via crafted config options
  • Path traversal vulnerability allowing local file inclusion via crafted 'plugins' option

The latter two vulnerabilities are classified as minor because they only affect Roundcube installations with public access to the Roundcube installer. That is generally a high-risk configuration and is expected to be rare or practically non-existent in production Roundcube deployments. However, the fixes are done in core in order to also prevent future, as yet unknown attack vectors.

This version is considered stable and we recommend updating all production installations of Roundcube with it. Please back up your data before updating!

CHANGELOG

  • Fix bug where attachments with Content-Id were attached to the message on reply (#7122)
  • Fix identity selection on reply when both sender and recipient addresses are included in identities (#7211)
  • Elastic: Fix text selection with Shift+PageUp and Shift+PageDown in plain text editor when using Chrome (#7230)
  • Elastic: Fix recipient input bug when using click to select a contact from autocomplete list (#7231)
  • Elastic: Fix color of a folder with recent messages (#7281)
  • Elastic: Restrict logo size in print view (#7275)
  • Fix invalid Content-Type for messages with only html part and inline images - Mail_Mime-1.10.7 (#7261)
  • Fix missing contact display name in QR Code data (#7257)
  • Fix so button label in Select image/media dialogs is "Close" not "Cancel" (#7246)
  • Fix regression in testing database schema on MSSQL (#7227)
  • Fix cursor position after inserting a group to a recipient input using autocompletion (#7267)
  • Fix string literals handling in IMAP STATUS (and various other) responses (#7290)
  • Fix bug where multiple images in a message were replaced by the first one on forward/reply/edit (#7293)
  • Fix handling keyservers configured with protocol prefix (#7295)
  • Markasjunk: Fix marking as spam/ham on moving messages with Move menu (#7189)
  • Markasjunk: Fix bug where moving to Junk was failing on messages selected with Select > All (#7206)
  • Fix so imap error message is displayed to the user on folder create/update (#7245)
  • Fix bug where a special folder couldn't be created if a special-use flag is not supported (#7147)
  • Mailvelope: Fix bug where recipients with name were not handled properly in mail compose (#7312)
  • Fix characters encoding in group rename input after group creation/rename (#7330)
  • Fix bug where some message/rfc822 parts could not be attached on forward (#7323)
  • Make install-jsdeps.sh script work without the file program installed (#7325)
  • Fix performance issue of parsing big HTML messages by disabling HTML5 parser for these (#7331)
  • Fix so Print button for PDF attachments works on Firefox >= 75 (#5125)
  • Security: Fix XSS issue in handling of CDATA in HTML messages
  • Security: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings
  • Security: Fix local file inclusion (and code execution) via crafted 'plugins' option
  • Security: Fix CSRF bypass that could be used to log out an authenticated user (#7302)

[Security Update] Roundcube Webmail 1.3.11

29 Apr 19:42
1.3.11

This is a service and security update to the LTS version 1.3 of Roundcube Webmail.
It contains four fixes for recently reported security vulnerabilities as well as a small number of general improvements backported from the latest stable version. See the full changelog below.

Security fixes

  • Cross-Site Scripting (XSS) via malicious HTML content
  • CSRF attack can cause an authenticated user to be logged out
  • Remote code execution via crafted config options
  • Path traversal vulnerability allowing local file inclusion via crafted 'plugins' option

The latter two vulnerabilities are classified as minor because they only affect Roundcube installations with public access to the Roundcube installer. That is generally a high-risk configuration and is expected to be rare or practically non-existent in production Roundcube deployments. However, the fixes are done in core in order to also prevent future, as yet unknown attack vectors.

This version is considered stable and we recommend updating all production installations of Roundcube 1.3.x with it. Please back up your data before updating!

CHANGELOG

  • Enigma: Fix compatibility with Mail_Mime >= 1.10.5
  • Fix permissions on some folders created by bin/install-jsdeps.sh script (#6930)
  • Fix bug where inline images could have been ignored if Content-Id header contained redundant spaces (#6980)
  • Fix PHP Warning: Use of undefined constant LOG_EMERGE (#6991)
  • Fix PHP warning: "array_merge(): Expected parameter 2 to be an array, null given" in sendmail.inc (#7003)
  • Security: Fix XSS issue in handling of CDATA in HTML messages
  • Security: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings
  • Security: Fix local file inclusion (and code execution) via crafted 'plugins' option
  • Security: Fix CSRF bypass that could be used to log out an authenticated user (#7302)