    Cloudron Forum

    Solved Roundcube Webmail 1.4.4 released

    • necrevistonnezr
      necrevistonnezr last edited by necrevistonnezr

      https://github.com/roundcube/roundcubemail/releases/tag/1.4.4

      This is a service and security update to the stable version 1.4 of Roundcube Webmail.
      It contains four fixes for recently reported security vulnerabilities as well as a number
      of general improvements from our issue tracker. See the full changelog below.

      Security fixes

      Cross-Site Scripting (XSS) via malicious HTML content
      CSRF attack can cause an authenticated user to be logged out
      Remote code execution via crafted config options
      Path traversal vulnerability allowing local file inclusion via crafted 'plugins' option
      

      The latter two vulnerabilities are classified minor because they only affect Roundcube installations
      with public access to the Roundcube installer. That's generally a high-risk situation and is expected
      to be rare or practically non-existent in productive Roundcube deployments. However, the fixes are done
      in core in order to also prevent from future and yet unknown attack vectors.

      This version is considered stable and we recommend to update all productive installations
      of Roundcube with it. Please do back up your data before updating!

      CHANGELOG

      Fix bug where attachments with Content-Id were attached to the message on reply (#7122)
      Fix identity selection on reply when both sender and recipient addresses are included in identities (#7211)
      Elastic: Fix text selection with Shift+PageUp and Shift+PageDown in plain text editor when using Chrome (#7230)
      Elastic: Fix recipient input bug when using click to select a contact from autocomplete list (#7231)
      Elastic: Fix color of a folder with recent messages (#7281)
      Elastic: Restrict logo size in print view (#7275)
      Fix invalid Content-Type for messages with only html part and inline images - Mail_Mime-1.10.7 (#7261)
      Fix missing contact display name in QR Code data (#7257)
      Fix so button label in Select image/media dialogs is "Close" not "Cancel" (#7246)
      Fix regression in testing database schema on MSSQL (#7227)
      Fix cursor position after inserting a group to a recipient input using autocompletion (#7267)
      Fix string literals handling in IMAP STATUS (and various other) responses (#7290)
      Fix bug where multiple images in a message were replaced by the first one on forward/reply/edit (#7293)
      Fix handling keyservers configured with protocol prefix (#7295)
      Markasjunk: Fix marking as spam/ham on moving messages with Move menu (#7189)
      Markasjunk: Fix bug where moving to Junk was failing on messages selected with Select > All (#7206)
      Fix so imap error message is displayed to the user on folder create/update (#7245)
      Fix bug where a special folder couldn't be created if a special-use flag is not supported (#7147)
      Mailvelope: Fix bug where recipients with name were not handled properly in mail compose (#7312)
      Fix characters encoding in group rename input after group creation/rename (#7330)
      Fix bug where some message/rfc822 parts could not be attached on forward (#7323)
      Make install-jsdeps.sh script working without the file program installed (#7325)
      Fix performance issue of parsing big HTML messages by disabling HTML5 parser for these (#7331)
      Fix so Print button for PDF attachments works on Firefox >= 75 (#5125)
      Security: Fix XSS issue in handling of CDATA in HTML messages
      Security: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings
      Security: Fix local file inclusion (and code execution) via crafted 'plugins' option
      Security: Fix CSRF bypass that could be used to log out an authenticated user (#7302)
      
        A Former User @necrevistonnezr last edited by

        @necrevistonnezr Think you mean "Roundcube Webmail 1.4.4 released"!

        • necrevistonnezr
          necrevistonnezr last edited by

          Thanks, fixed.

          • girish
            girish Staff last edited by

            Updated, thanks!
