Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.

Roundcube Webmail 1.4.4 released


    This is a service and security update to the stable version 1.4 of Roundcube Webmail.
    It contains four fixes for recently reported security vulnerabilities as well a number
    of general improvements from our issue tracker. See the full changelog below.
    Security fixes

    Cross-Site Scripting (XSS) via malicious HTML content
    CSRF attack can cause an authenticated user to be logged out
    Remote code execution via crafted config options
    Path traversal vulnerability allowing local file inclusion via crafted 'plugins' option

    The latter two vulnerabilities are classified minor because they only affect Roundcube installations
    with public access to the Roundcube installer. That's generally a high-risk situation and is expected
    to be rare or practically non-existent in productive Roundcube deployments. However, the fixes are done
    in core in order to also prevent from future and yet unknown attack vectors.

    This version is considered stable and we recommend to update all productive installations
    of Roundcube with it. Please do backup your data before updating!

    Fix bug where attachments with Content-Id were attached to the message on reply (#7122)
    Fix identity selection on reply when both sender and recipient addresses are included in identities (#7211)
    Elastic: Fix text selection with Shift+PageUp and Shift+PageDown in plain text editor when using Chrome (#7230)
    Elastic: Fix recipient input bug when using click to select a contact from autocomplete list (#7231)
    Elastic: Fix color of a folder with recent messages (#7281)
    Elastic: Restrict logo size in print view (#7275)
    Fix invalid Content-Type for messages with only html part and inline images - Mail_Mime-1.10.7 (#7261)
    Fix missing contact display name in QR Code data (#7257)
    Fix so button label in Select image/media dialogs is "Close" not "Cancel" (#7246)
    Fix regression in testing database schema on MSSQL (#7227)
    Fix cursor position after inserting a group to a recipient input using autocompletion (#7267)
    Fix string literals handling in IMAP STATUS (and various other) responses (#7290)
    Fix bug where multiple images in a message were replaced by the first one on forward/reply/edit (#7293)
    Fix handling keyservers configured with protocol prefix (#7295)
    Markasjunk: Fix marking as spam/ham on moving messages with Move menu (#7189)
    Markasjunk: Fix bug where moving to Junk was failing on messages selected with Select > All (#7206)
    Fix so imap error message is displayed to the user on folder create/update (#7245)
    Fix bug where a special folder couldn't be created if a special-use flag is not supported (#7147)
    Mailvelope: Fix bug where recipients with name were not handled properly in mail compose (#7312)
    Fix characters encoding in group rename input after group creation/rename (#7330)
    Fix bug where some message/rfc822 parts could not be attached on forward (#7323)
    Make script working without the file program installed (#7325)
    Fix performance issue of parsing big HTML messages by disabling HTML5 parser for these (#7331)
    Fix so Print button for PDF attachments works on Firefox >= 75 (#5125)
    Security: Fix XSS issue in handling of CDATA in HTML messages
    Security: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings
    Security: Fix local file inclusion (and code execution) via crafted 'plugins' option
    Security: Fix CSRF bypass that could be used to log out an authenticated user (#7302)

  • @necrevistonnezr Think you mean "Roundcube Webmail 1.4.4 released"!

  • Thanks, fixed.

  • Staff

    Updated, thanks!

Log in to reply