Roundcube - Package updates

nebulon

[2.7.4]

• Update Roundcube to 1.6.3
• Full changelog
• Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages, reported by Niraj Shivtarkar.
• Fix bug where installto.sh/update.sh scripts were removing some essential options from the config file (#9051)
• Update jQuery-UI to version 1.13.2 (#9041)
• Fix regression that broke use_secure_urls feature (#9052)
• Fix potential PHP fatal error when opening a message with message/rfc822 part (#8953)
• Fix bug where a duplicate <title> tag in HTML email could cause some parts being cut off (#9029)
• Fix bug where a list of folders could have been sorted incorrectly (#9057)
• Fix regression where LDAP addressbook 'filter' option was ignored (#9061)
• Fix wrong order of a multi-folder search result when sorting by size (#9065)
• Fix so install/update scripts do not require PEAR (#9037)
• Fix regression where some mail parts could have been decoded incorrectly, or not at all (#9096)
• Fix handling of an error case in Cyrus IMAP BINARY FETCH, fallback to non-binary FETCH (#9097)
• Fix PHP8 deprecation warning in the reconnect plugin (#9083)
• Fix "Show source" on mobile with x_frame_options = deny (#9084)
• Fix various PHP warnings (#9098)
• Fix deprecated use of ldap_connect() in password's ldap_simple driver (#9060)

girish

[2.8.0]

• Update base image to 4.2.0

nebulon

[2.8.1]

• Update Roundcube to 1.6.4
• Full changelog
• Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages (#9168)

girish

[2.8.2]

• Update Roundcube to 1.6.5
• Full changelog
• Fix cross-site scripting (XSS) vulnerability in setting Content-Type/Content-Disposition for attachment preview/download reported by Rene Rehme (rehme.infosec).
• Fix PHP8 fatal error when parsing a malformed BODYSTRUCTURE (#9171)
• Fix duplicated Inbox folder on IMAP servers that do not use Inbox folder with all capital letters (#9166)

nebulon

[2.8.3]

• Update Roundcube to 1.6.6
• Full changelog
• Fix regression in handling LDAP search_fields configuration parameter (#9210)
• Enigma: Fix finding of a private key when decrypting a message using GnuPG v2.3
• Fix page jump menu flickering on click (#9196)
• Update to TinyMCE 5.10.9 security release (#9228)
• Fix PHP8 warnings (#9235, #9238, #9242, #9306)
• Fix saving other encryption settings besides enigma's (#9240)
• Fix unneeded php command use in installto.sh and deluser.sh scripts (#9237)
• Fix TinyMCE localization installation (#9266)
• Fix bug where trailing non-ascii characters in email addresses could have been removed in recipient input (#9257)
• Fix IMAP GETMETADATA command with options - RFC5464

nebulon

[2.8.4]

• Update Roundcube to 1.6.7
• Full changelog
• Fix bug where HTML entities in URLs were not decoded on HTML to plain text conversion (#9312)
• Fix bug in collapsing/expanding folders with some special characters in names (#9324)
• Fix PHP8 warnings (#9363, #9365, #9429)
• Fix missing field labels in CSV import, for some locales (#9393)
• Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes
• Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences

Package Updates

[2.8.5]

• Update Roundcube to 1.6.8
• Full changelog
• Managesieve: Protect special scripts in managesieve_kolab_master mode
• Fix newmail_notifier notification focus in Chrome (#9467)
• Fix fatal error when parsing some TNEF attachments (#9462)
• Fix double scrollbar when composing a mail with many plain text lines (#7760)
• Fix decoding mail parts with multiple base64-encoded text blocks (#9290)
• Fix bug where some messages could get malformed in an import from a MBOX file (#9510)
• Fix invalid line break characters in multi-line text in Sieve scripts (#9543)
• Fix bug where "with attachment" filter could fail on some fts engines (#9514)
• Fix bug where an unhandled exception was caused by an invalid image attachment (#9475)
• Fix bug where a long subject title could not be displayed in some cases (#9416)
• Fix infinite loop when parsing malformed Sieve script (#9562)
• Fix bug where imap_conn_option's 'socket' was ignored (#9566)
• Fix XSS vulnerability in post-processing of sanitized HTML content [CVE-2024-42009]
• Fix XSS vulnerability in serving of attachments other than HTML or SVG [CVE-2024-42008]
• Fix information leak (access to remote content) via insufficient CSS filtering [CVE-2024-42010]

Package Updates

[2.8.6]

• Update Roundcube to 1.6.9
• Full changelog
• Fix regression where printing/scaling/rotating image attachments was broken (#9571)
• Fix regression where HTML messages were displayed unstyled (#9586)

Package Updates

[2.9.2]

• Update roundcubemail to 1.6.12
• Full Changelog
• Support IPv6 in database DSN (#9937)
• Don't force specific error_reporting setting
• Fix compatibility with PHP 8.5 regarding array_first()
• Remove X-XSS-Protection example from .htaccess file (#9875)
• Fix "Assign to group" action state after creation of a first group (#9889)
• Fix bug where contacts search would fail if contactlist_fields contained vcard fields (#9850)
• Fix bug where an mbox export file could include inconsistent message delimiters (#9879)
• Fix parsing of inline styles that aren't well-formatted (#9948)
• Fix Cross-Site-Scripting vulnerability via SVG's animate tag
• Fix Information Disclosure vulnerability in the HTML style sanitizer

Package Updates

[2.9.3]

• Update roundcubemail to 1.6.13
• Full Changelog
• Managesieve: Fix handling of string-list format values for date tests in Out of Office (#10075)
• Fix CSS injection vulnerability reported by CERT Polska.
• Fix remote image blocking bypass via SVG content reported by nullcathedral.

Package Updates

[2.9.5]

• Update roundcubemail to 1.6.15
• Full Changelog
• SVG Animate FUNCIRI Attribute Bypass Remote Image Loading via fill/filter/stroke, reported by class_nzm.
• Fix regression where mail search would fail on non-ascii search criteria (#​10121)
• Fix regression where some data url images could get ignored/lost (#​10128)
• Fix SVG Animate FUNCIRI Attribute Bypass Remote Image Loading via fill/filter/stroke

Package Updates

[2.10.0]

• Update roundcubemail to 1.7.0
• Full Changelog
• Dropped support for PHP < 8.1.
• Dropped support for Internet Explorer.
• Dropped support for MS SQL Server and Oracle.
• public_html/ entry-point made mandatory, all static resources are served via public_html/static.php.
• Removed apc cache driver (replaced by apcu cache driver).
• Changed smtp_log option default value to false.
• Removed contact_search_name option in favor of contactlist_name_template.
• Replaced session property changed by expires_at.
• Removed the (insecure) virtualmin password driver.
• Allow cidr (subnets) in proxy_whitelist (#7103)