Roundcube - Package updates

nebulon

[2.6.2]

• Update Roundcube to 1.5.2
• Full changelog
• Cross-site scripting (XSS) via HTML messages with malicious CSS content

girish

[2.6.3]

• Remove hardcoded PHP memory limit

nebulon

[2.6.4]

• Update Roundcube to 1.5.3
• Full changelog
• Enigma: Fix initial synchronization of private keys
• Enigma: Fix double quoted-printable encoding of pgp-signed messages with no attachments (#8413)
• Fix various PHP8 warnings (#8392)
• Fix mail headers injection via the subject field on mail compose (#8404)
• Fix bug where small message/rfc822 parts could not be decoded (#8408)
• Fix setting HTML mode on reply/forward of a signed message (#8405)
• Fix handling of RFC2231-encoded attachment names inside of a message/rfc822 part (#8418)
• Fix bug where some mail parts (images) could have not be listed as attachments (#8425)
• Fix bug where attachment icons were stuck at the top of the messages list in Safari (#8433)
• Fix handling of message/rfc822 parts that are small and are multipart structures with a single part (#8458)
• Fix bug where session could time out if DB and PHP timezone were different (#8303)
• Fix bug where DSN flag state wasn't stored with a draft (#8371)
• Fix broken encoding of HTML content encapsulated in a RTF attachment (#8444)
• Fix problem with aria-hidden=true on toolbar menus in the Elastic skin (#8517)
• Fix bug where title tag content was displayed in the body if it contained HTML tags (#8540)
• Fix support for DSN specification without host e.g. pgsql:///dbname (#8558)

girish

[2.7.0]

• Update ROundcube to 1.6.0
• Full changelog
• Update to jQuery-UI 1.13.1 (#8455)
• Added possibility to make the logo image a link via the 'skin_logo' option (#8501)
• Use navigator.pdfViewerEnabled for PDF viewer detection
• Remove use of unreliable charset detection (#8344)
• Don't list images attached to multipart/related part as attachments (#7184)
• Password: Add support for ssha256 algorithm (#8459)
• Fix so unix:// URI is supported in various host spec. options again (#8468)
• Fix slow loading of long HTML content into the HTML editor (#8108)
• Fix bug where SMTP password didn't work if it contained '%p' (#8435)
• Enigma: Fix initial synchronization of private keys
• Enigma: Fix double quoted-printable encoding of pgp-signed messages with no attachments (#8413)

girish

[2.7.1]

• Update base image to 4.0

girish

[2.7.2]

• Update Roundcube to 1.6.1
• Full changelog
• Kill session if refreshing oauth token fails (#8734)
• Fix various PHP 8.1 warnings (#8628, #8644, #8667, #8656, #8647)
• Password: Remove references to %c variable that has been removed before (#8633)
• Fix anchor links in HTML mail (#8632)
• Fix bug where config creation in Installer did ignore options in the form (#8634)
• Fix bug where renamed options were removed from the config on installto.sh (update.sh) run (#8643)
• Fix favicon rewrite rule in .htaccess (#8654)

nebulon

[2.7.3]

• Update Roundcube to 1.6.2
• Full changelog
• Add Uyghur localization
• Fix regression in OAuth request URI caused by use of REQUEST_URI instead of SCRIPT_NAME as a default (#8878)
• Fix bug where false attachment reminder was displayed on HTML mail with inline images (#8885)
• Fix bug where a non-ASCII character in app.js could cause error in javascript engine (#8894)
• Fix JWT decoding with url safe base64 schema (#8890)
• Fix bug where .wav instead of .mp3 file was used for the new mail notification in Firefox (#8895)
• Fix PHP8 warning (#8891)
• Fix support for Windows-31J charset (#8869)
• Fix so LDAP VLV option is disabled by default as documented (#8833)
• Fix so an email address with name is supported as input to the managesieve notify :from parameter (#8918)
• Fix Help plugin menu (#8898)
• Fix invalid onclick handler on the logo image when using non-array skin_logo setting (#8933)
• Fix duplicate recipients in "To" and "Cc" on reply (#8912)
• Fix bug where it wasn't possible to scroll lists by clicking middle mouse button (#8942)
• Fix bug where label text in a single-input dialog could be partially invisible in some locales (#8905)
• Fix bug where LDAP (fulltext) search didn't work without 'search_fields' in config (#8874)
• Fix extra leading newlines in plain text converted from HTML (#8973)
• Fix so recipients with a domain ending with .s are allowed (#8854)
• Fix so vCard output does not contain non-standard/redundant TYPE=OTHER and TYPE=INTERNET (#8838)
• Fix QR code images for contacts with non-ASCII characters (#9001)
• Fix PHP8 warnings when using list_flags and list_cols properties by plugins (#8998)
• Fix bug where subfolders could loose subscription on parent folder rename (#8892)
• Fix connecting to LDAP using an URI with ldapi:// scheme (#8990)
• Fix insecure shell command params handling in cmd_learn driver of markasjunk plugin (#9005)
• Fix bug where some mail headers didn't work in cmd_learn driver of markasjunk plugin (#9005)
• Fix PHP fatal error when importing vcf file using PHP 8.2 (#9025)
• Fix so output of log_date_format with microseconds contains time in server time zone, not UTC

nebulon

[2.7.4]

• Update Roundcube to 1.6.3
• Full changelog
• Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages, reported by Niraj Shivtarkar.
• Fix bug where installto.sh/update.sh scripts were removing some essential options from the config file (#9051)
• Update jQuery-UI to version 1.13.2 (#9041)
• Fix regression that broke use_secure_urls feature (#9052)
• Fix potential PHP fatal error when opening a message with message/rfc822 part (#8953)
• Fix bug where a duplicate <title> tag in HTML email could cause some parts being cut off (#9029)
• Fix bug where a list of folders could have been sorted incorrectly (#9057)
• Fix regression where LDAP addressbook 'filter' option was ignored (#9061)
• Fix wrong order of a multi-folder search result when sorting by size (#9065)
• Fix so install/update scripts do not require PEAR (#9037)
• Fix regression where some mail parts could have been decoded incorrectly, or not at all (#9096)
• Fix handling of an error case in Cyrus IMAP BINARY FETCH, fallback to non-binary FETCH (#9097)
• Fix PHP8 deprecation warning in the reconnect plugin (#9083)
• Fix "Show source" on mobile with x_frame_options = deny (#9084)
• Fix various PHP warnings (#9098)
• Fix deprecated use of ldap_connect() in password's ldap_simple driver (#9060)

girish

[2.8.0]

• Update base image to 4.2.0

nebulon

[2.8.1]

• Update Roundcube to 1.6.4
• Full changelog
• Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages (#9168)

girish

[2.8.2]

• Update Roundcube to 1.6.5
• Full changelog
• Fix cross-site scripting (XSS) vulnerability in setting Content-Type/Content-Disposition for attachment preview/download reported by Rene Rehme (rehme.infosec).
• Fix PHP8 fatal error when parsing a malformed BODYSTRUCTURE (#9171)
• Fix duplicated Inbox folder on IMAP servers that do not use Inbox folder with all capital letters (#9166)

nebulon

[2.8.3]

• Update Roundcube to 1.6.6
• Full changelog
• Fix regression in handling LDAP search_fields configuration parameter (#9210)
• Enigma: Fix finding of a private key when decrypting a message using GnuPG v2.3
• Fix page jump menu flickering on click (#9196)
• Update to TinyMCE 5.10.9 security release (#9228)
• Fix PHP8 warnings (#9235, #9238, #9242, #9306)
• Fix saving other encryption settings besides enigma's (#9240)
• Fix unneeded php command use in installto.sh and deluser.sh scripts (#9237)
• Fix TinyMCE localization installation (#9266)
• Fix bug where trailing non-ascii characters in email addresses could have been removed in recipient input (#9257)
• Fix IMAP GETMETADATA command with options - RFC5464

nebulon

[2.8.4]

• Update Roundcube to 1.6.7
• Full changelog
• Fix bug where HTML entities in URLs were not decoded on HTML to plain text conversion (#9312)
• Fix bug in collapsing/expanding folders with some special characters in names (#9324)
• Fix PHP8 warnings (#9363, #9365, #9429)
• Fix missing field labels in CSV import, for some locales (#9393)
• Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes
• Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences

Package Updates

[2.8.5]

• Update Roundcube to 1.6.8
• Full changelog
• Managesieve: Protect special scripts in managesieve_kolab_master mode
• Fix newmail_notifier notification focus in Chrome (#9467)
• Fix fatal error when parsing some TNEF attachments (#9462)
• Fix double scrollbar when composing a mail with many plain text lines (#7760)
• Fix decoding mail parts with multiple base64-encoded text blocks (#9290)
• Fix bug where some messages could get malformed in an import from a MBOX file (#9510)
• Fix invalid line break characters in multi-line text in Sieve scripts (#9543)
• Fix bug where "with attachment" filter could fail on some fts engines (#9514)
• Fix bug where an unhandled exception was caused by an invalid image attachment (#9475)
• Fix bug where a long subject title could not be displayed in some cases (#9416)
• Fix infinite loop when parsing malformed Sieve script (#9562)
• Fix bug where imap_conn_option's 'socket' was ignored (#9566)
• Fix XSS vulnerability in post-processing of sanitized HTML content [CVE-2024-42009]
• Fix XSS vulnerability in serving of attachments other than HTML or SVG [CVE-2024-42008]
• Fix information leak (access to remote content) via insufficient CSS filtering [CVE-2024-42010]

Package Updates

[2.8.6]

• Update Roundcube to 1.6.9
• Full changelog
• Fix regression where printing/scaling/rotating image attachments was broken (#9571)
• Fix regression where HTML messages were displayed unstyled (#9586)