Roundcube - Package updates

girish

You can use this thread to track updates to the Roundcube package.

Please open issues in a separate topic instead of replying here.

girish

Package 2.2.0 released:

• Update Roundcube to 1.4.4
• Use latest base image 2.0.0
• Full changelog
• Fixes some important security issues

girish

[2.2.1]

• Update Roundcube to 1.4.5
• Full changelog
• Security: Fix XSS issue in template object 'username' (#7406)
• Security: Fix cross-site scripting (XSS) via malicious XML attachment
• Security: Fix a couple of XSS issues in Installer (#7406)
• Security: Better fix for CVE-2020-12641

nebulon

[2.2.2]

• Update Roundcube to 1.4.6
• Installer: Fix regression in SMTP test section (#7417)

girish

[2.3.0]

• Use /app/data/php.ini for custom PHP configuration

girish

[2.3.1]

• Update Roundcube to 1.4.7
• Full changelog
• Prevent cross-site scripting (XSS) via HTML messages with malicious svg/namespace
• Fix bug where subfolders of special folders could have been duplicated on folder list
• Increase maximum size of contact jobtitle and department fields to 128 characters
• Fix missing newline after the logged line when writing to stdout (#7418)

nebulon

[2.3.2]

• Update Roundcube to 1.4.2
• Full changelog
• Fix potential XSS issue in HTML editor of the identity signature input
• Fix cross-site scripting (XSS) via HTML messages with malicious svg content [CVE-2020-16145]
• Fix cross-site scripting (XSS) via HTML messages with malicious math content

nebulon

[2.3.3]

• Update Roundcube to 1.4.9
• Full changelog
• Fix HTML editor in latest Chrome 85.0.4183.102, update to TinyMCE 4.9.11 (#7615)
• Add missing localization for some label/legend elements in userinfo plugin (#7478)
• Fix importing birthday dates from Gmail vCards (BDAY:YYYYMMDD)
• Fix restoring Cc/Bcc fields from local storage (#7554)
• Fix jstz.min.js installation, bump version to 1.0.7
• Fix incorrect PDO::lastInsertId() use in sqlsrv driver (#7564)
• Fix link to closure compiler in bin/jsshrink.sh script (#7567)
• Fix bug where some parts of a message could have been missing in a reply/forward body (#7568)
• Fix empty space on mail printouts in Chrome (#7604)
• Fix empty output from HTML5 parser when content contains XML tag (#7624)
• Fix scroll jump on key press in plain text mode of the HTML editor (#7622)
• Fix so autocompletion list does not hide on scroll inside it (#7592)

girish

[2.3.4]

• Use UTF-8 encoding for mailbox names in sieve rules.

nebulon

[2.4.1]

• Update Roundcube to 1.4.10
• Stored cross-site scripting (XSS) via HTML or plain text messages with malicious content [CVE-2020-35730]

girish

[2.5.0]

• Update Roundcube to 1.4.11
• Full changelog
• Security fix: Fix cross-site scripting (XSS) via HTML messages with malicious CSS content
• Use base image v3
• Use PHP 7.4

girish

[2.5.1]

• Add separate forwarding and vacation section

d19dotca

@girish said in Roundcube - Package updates:

[2.5.1]

• Add separate forwarding and vacation section

Is it possible to expand on the "add separate forwarding and vacation section". I have a lot of users using Roundcube and just want to be sure I know what to expect or notify them of if needed, as many have various rules set for auto-responses and such. It doesn't seem this was an update to Roundcube based on their GitHub releases, so curious what was changed.

I found https://git.cloudron.io/cloudron/roundcube-app/-/commit/b8b2caac3c54d08d4e14e2d7cafc62224a8a4451 - this looks like it's more platform-related then, no actual UI changes for users, right?

nebulon

[2.6.0]

• Update Roundcube to 1.5.0
• Full changelog
• Dark mode for Elastic skin
• OAuth2/XOauth support (with plugin hooks)
• Collected recipients and trusted senders
• Moving recipients between inputs with drag & drop
• Full unicode support with MySQL database
• Support of IMAP LITERAL- extension [RFC 7888]
• Support of RFC 2231 encoded names
• Cache refactoring

girish

[2.6.1]

• Update Roundcube to 1.5.1
• Full changelog
• Fix importing contacts with no email address (#8227)
• Fix so session's search scope is not used if search is not active (#8199)
• Fix some PHP8 warnings (#8239)
• Fix so dark mode state is retained after closing the browser (#8237)
• Fix bug where new messages were not added to the list on refresh if skip_deleted=true (#8234)
• Fix colors on "Show source" page in dark mode (#8246)
• Fix handling of dark_mode_support:false setting in skins meta.json - also when devel_mode=false (#8249)

nebulon

[2.6.2]

• Update Roundcube to 1.5.2
• Full changelog
• Cross-site scripting (XSS) via HTML messages with malicious CSS content

girish

[2.6.3]

• Remove hardcoded PHP memory limit

nebulon

[2.6.4]

• Update Roundcube to 1.5.3
• Full changelog
• Enigma: Fix initial synchronization of private keys
• Enigma: Fix double quoted-printable encoding of pgp-signed messages with no attachments (#8413)
• Fix various PHP8 warnings (#8392)
• Fix mail headers injection via the subject field on mail compose (#8404)
• Fix bug where small message/rfc822 parts could not be decoded (#8408)
• Fix setting HTML mode on reply/forward of a signed message (#8405)
• Fix handling of RFC2231-encoded attachment names inside of a message/rfc822 part (#8418)
• Fix bug where some mail parts (images) could have not be listed as attachments (#8425)
• Fix bug where attachment icons were stuck at the top of the messages list in Safari (#8433)
• Fix handling of message/rfc822 parts that are small and are multipart structures with a single part (#8458)
• Fix bug where session could time out if DB and PHP timezone were different (#8303)
• Fix bug where DSN flag state wasn't stored with a draft (#8371)
• Fix broken encoding of HTML content encapsulated in a RTF attachment (#8444)
• Fix problem with aria-hidden=true on toolbar menus in the Elastic skin (#8517)
• Fix bug where title tag content was displayed in the body if it contained HTML tags (#8540)
• Fix support for DSN specification without host e.g. pgsql:///dbname (#8558)

girish

[2.7.0]

• Update ROundcube to 1.6.0
• Full changelog
• Update to jQuery-UI 1.13.1 (#8455)
• Added possibility to make the logo image a link via the 'skin_logo' option (#8501)
• Use navigator.pdfViewerEnabled for PDF viewer detection
• Remove use of unreliable charset detection (#8344)
• Don't list images attached to multipart/related part as attachments (#7184)
• Password: Add support for ssha256 algorithm (#8459)
• Fix so unix:// URI is supported in various host spec. options again (#8468)
• Fix slow loading of long HTML content into the HTML editor (#8108)
• Fix bug where SMTP password didn't work if it contained '%p' (#8435)
• Enigma: Fix initial synchronization of private keys
• Enigma: Fix double quoted-printable encoding of pgp-signed messages with no attachments (#8413)