Roundcube Webmail 1.4.4 released

    necrevistonnezr
    wrote on last edited by necrevistonnezr
    #1

    https://github.com/roundcube/roundcubemail/releases/tag/1.4.4

    This is a service and security update to the stable version 1.4 of Roundcube Webmail.
    It contains four fixes for recently reported security vulnerabilities as well as a number
    of general improvements from our issue tracker. See the full changelog below.

    Security fixes

    Cross-Site Scripting (XSS) via malicious HTML content
    CSRF attack can cause an authenticated user to be logged out
    Remote code execution via crafted config options
    Path traversal vulnerability allowing local file inclusion via crafted 'plugins' option

    The latter two vulnerabilities are classified minor because they only affect Roundcube installations
    with public access to the Roundcube installer. That's generally a high-risk situation and is expected
    to be rare or practically non-existent in productive Roundcube deployments. However, the fixes are done
    in core in order to also prevent future and yet unknown attack vectors.

    This version is considered stable and we recommend updating all productive installations
    of Roundcube with it. Please do back up your data before updating!

    CHANGELOG

    Fix bug where attachments with Content-Id were attached to the message on reply (#7122)
    Fix identity selection on reply when both sender and recipient addresses are included in identities (#7211)
    Elastic: Fix text selection with Shift+PageUp and Shift+PageDown in plain text editor when using Chrome (#7230)
    Elastic: Fix recipient input bug when using click to select a contact from autocomplete list (#7231)
    Elastic: Fix color of a folder with recent messages (#7281)
    Elastic: Restrict logo size in print view (#7275)
    Fix invalid Content-Type for messages with only html part and inline images - Mail_Mime-1.10.7 (#7261)
    Fix missing contact display name in QR Code data (#7257)
    Fix so button label in Select image/media dialogs is "Close" not "Cancel" (#7246)
    Fix regression in testing database schema on MSSQL (#7227)
    Fix cursor position after inserting a group to a recipient input using autocompletion (#7267)
    Fix string literals handling in IMAP STATUS (and various other) responses (#7290)
    Fix bug where multiple images in a message were replaced by the first one on forward/reply/edit (#7293)
    Fix handling keyservers configured with protocol prefix (#7295)
    Markasjunk: Fix marking as spam/ham on moving messages with Move menu (#7189)
    Markasjunk: Fix bug where moving to Junk was failing on messages selected with Select > All (#7206)
    Fix so imap error message is displayed to the user on folder create/update (#7245)
    Fix bug where a special folder couldn't be created if a special-use flag is not supported (#7147)
    Mailvelope: Fix bug where recipients with name were not handled properly in mail compose (#7312)
    Fix characters encoding in group rename input after group creation/rename (#7330)
    Fix bug where some message/rfc822 parts could not be attached on forward (#7323)
    Make install-jsdeps.sh script working without the file program installed (#7325)
    Fix performance issue of parsing big HTML messages by disabling HTML5 parser for these (#7331)
    Fix so Print button for PDF attachments works on Firefox >= 75 (#5125)
    Security: Fix XSS issue in handling of CDATA in HTML messages
    Security: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings
    Security: Fix local file inclusion (and code execution) via crafted 'plugins' option
    Security: Fix CSRF bypass that could be used to log out an authenticated user (#7302)
    
      A Former User
      wrote on last edited by
      #2

      @necrevistonnezr Think you mean "Roundcube Webmail 1.4.4 released"!

        necrevistonnezr
        wrote on last edited by
        #3

        Thanks, fixed.

          girish
          Staff
          wrote on last edited by
          #4

          Updated, thanks!
