
[Security Update] Roundcube Webmail 1.2.8

@thomascube released this 17 Apr 19:22
1.2.8

This is a security update to the stable version 1.2. It fixes a recently reported vulnerability allowing IMAP command injection via GET parameters. More details are published under CVE-2018-9846.

The second fix addresses remote content that was not blocked in HTML messages with specially crafted image and style tags.

We strongly recommend updating all production installations of Roundcube 1.2.x.
Please back up your data before updating!

CHANGELOG

  • Fix check_request() bypass in places using get_uids() [CVE-2018-9846] (#6238)
  • Fix possible IMAP command injection vulnerability [CVE-2018-9846] (#6229)
  • Fix security issue in remote content blocking on HTML image and style tags (#6178)