
Releases: roundcube/roundcubemail

[Security Update] Roundcube Webmail 1.1.11

18 Apr 20:49
1.1.11

This is a security update to the stable version 1.2. It fixes a recently reported vulnerability allowing IMAP command injection via GET parameters. More details about this are published under CVE-2018-9846.

The second fix addresses remote content blocking that was missed on HTML messages with specially crafted image and style tags.

We strongly recommend updating all production installations of Roundcube 1.1.x.
Please back up your data before updating!

CHANGELOG

  • Don't ignore (global) userlogins/sendmail logs in per_user_logging mode
  • Fix security issue in remote content blocking on HTML image and style tags (#6178)
  • Fix check_request() bypass in places using get_uids() [CVE-2018-9846] (#6238)
  • Fix possible IMAP command injection vulnerability [CVE-2018-9846] (#6229)

[Security Update] Roundcube Webmail 1.2.8

17 Apr 19:22
1.2.8

This is a security update to the stable version 1.2. It fixes a recently reported vulnerability allowing IMAP command injection via GET parameters. More details about this are published under CVE-2018-9846.

The second fix addresses remote content blocking that was missed on HTML messages with specially crafted image and style tags.

We strongly recommend updating all production installations of Roundcube 1.2.x.
Please back up your data before updating!

CHANGELOG

  • Fix check_request() bypass in places using get_uids() [CVE-2018-9846] (#6238)
  • Fix possible IMAP command injection vulnerability [CVE-2018-9846] (#6229)
  • Fix security issue in remote content blocking on HTML image and style tags (#6178)

[Security Update] Roundcube Webmail 1.3.6

11 Apr 19:52
1.3.6

This is a security update to the stable version 1.3. It primarily fixes a recently discovered IMAP command injection vulnerability caused by insufficient input validation within the archive plugin. Details about the vulnerability are published under CVE-2018-9846.

Additionally, we back-ported some minor fixes from the master branch which improve PHP 7.2 compatibility as well as PGP signing and key handling for those who use the Enigma plugin. See the complete changelog below.

We strongly recommend updating all production installations of Roundcube.
Please back up your data before updating!

CHANGELOG

  • Fix parsing date strings (e.g. from a Date: mail header) with comments (#6216)
  • Fix PHP 7.2: count(): Parameter must be an array in enchant-based spellchecker (#6234)
  • Fix possible IMAP command injection and type juggling vulnerabilities (#6229)
  • Enigma: Fix key selection for signing
  • Enigma: Enable keypair generation on Internet Explorer 11
  • Fix check_request() bypass in places using get_uids() [CVE-2018-9846] (#6238)
  • Fix bug where usernames without domain part could be malformed or converted to lower-case on logon (#6224)

Roundcube Webmail 1.3.5

15 Mar 20:34
1.3.5

This is a service release to update the stable version 1.3 of Roundcube Webmail.
It contains fixes to several bugs backported from the master branch. One can be called a minor security fix as it fixes blocking of remote content on specially crafted style tags. See the complete changelog below.

This version is considered stable and we recommend updating all production installations
of Roundcube with it. Please back up your data before updating!

CHANGELOG

  • Managesieve: Fix bug where text: syntax was forced for strings longer than 1024 characters (#6143)
  • Managesieve: Fix missing Save button in Edit Filter Set page of Classic skin (#6154)
  • Fix duplicated labels in Test SMTP Config section (#6166)
  • Fix PHP Warning: exif_read_data(...): Illegal IFD size (#6169)
  • Enigma: Fix key generation in Safari by upgrade to OpenPGP 2.6.2 (#6149)
  • Fix security issue in remote content blocking on HTML image and style tags (#6178)
  • Added 9pt and 11pt to the list of font sizes in HTML editor
  • Fix handling encoding of HTML tags in "inline" JSON output (#6207)
  • Fix bug where some unix timestamps were not handled correctly by rcube_utils::anytodatetime() (#6212)

Roundcube Webmail 1.3.4

14 Jan 13:58
1.3.4

This is a service release to update the stable version 1.3 of Roundcube Webmail.
It contains fixes to several bugs reported by our dear community members and
makes Roundcube fully compatible with PHP 7.2. See the complete changelog below.

This version is considered stable and we recommend updating all production installations
of Roundcube with it. Please back up your data before updating!

CHANGELOG

  • Fix a couple of warnings on PHP 7.2 (#6098)
  • Fix bug where contacts search could skip some records (#6130)
  • Fix possible information leak - add more strict sql error check on user creation (#6125)
  • Fix broken long filenames when using imap4d server - workaround server bug (#6048)
  • Fix so temp_dir misconfiguration prints an error to the log (#6045)
  • Fix untagged COPYUID responses handling - again (#5982)
  • Fix PHP warning "idn_to_utf8(): INTL_IDNA_VARIANT_2003 is deprecated" with PHP 7.2 (#6075)
  • Fix bug where Archive folder wasn't auto-created on login with create_default_folders=true
  • Fix performance issue when parsing malformed and long Date header (#6087)
  • Fix syntax error in mssql.initial.sql (#6097)
  • Fix bug where contacts export by selection returned no more than 10 entries (#6103)
  • Fix searching contacts by address in LDAP source (#6084)
  • Fix X-Frame-Options: ALLOW-FROM support, remove custom click-jacking protection (#6057)

[Security Update] Roundcube Webmail 1.3.3

08 Nov 18:49
1.3.3

This is a security update to the stable version 1.3. It primarily fixes a recently discovered file disclosure vulnerability caused by insufficient input validation in conjunction with file-based attachment plugins, which are used by default. More details will be published under CVE-2017-16651.

We strongly recommend updating all production installations of Roundcube.
Please back up your data before updating!

CHANGELOG

  • Fix decoding of mailto: links with + character in HTML messages (#6020)
  • Fix false reporting of failed upgrade in installto.sh (#6019)
  • Fix file disclosure vulnerability caused by insufficient input validation (#6026)
  • Fix mangled non-ASCII characters in links in HTML messages (#6028)

[Security Update] Roundcube Webmail 1.2.7

08 Nov 18:58
1.2.7

This is a security update to the stable version 1.2. It primarily fixes a recently discovered file disclosure vulnerability caused by insufficient input validation in conjunction with file-based attachment plugins, which are used by default. More details will be published under CVE-2017-16651.

We strongly recommend updating all production installations of Roundcube 1.2.x.
Please back up your data before updating!

CHANGELOG

  • Fix rewind(): stream does not support seeking (#5950)
  • Fix bug where HTML messages could have been rendered empty on some systems (#5957)
  • Fix (again) bug where image data URIs in css style were treated as evil/remote in mail preview (#5580)
  • Managesieve: Fix parsing dot-stuffed lines in multiline text (#5838, #5959)
  • Fix file disclosure vulnerability caused by insufficient input validation (#6026)

[Security Update] Roundcube Webmail 1.1.10

08 Nov 19:06
1.1.10

This is a security update to the stable version 1.1. It fixes a recently discovered file disclosure vulnerability caused by insufficient input validation in conjunction with file-based attachment plugins, which are used by default. More details will be published under CVE-2017-16651.

We strongly recommend updating all production installations of Roundcube 1.1.x.
Please back up your data before updating!

CHANGELOG

  • Fix file disclosure vulnerability caused by insufficient input validation (#6026)

Roundcube Webmail 1.0.12

08 Nov 19:24
1.0.12

This is a security update to the LTS version 1.0. It closes a potential file disclosure vulnerability discovered in the file-based attachment plugins. While there's currently no exploit path for Roundcube 1.0.x, the fix was nevertheless back-ported to protect against as yet unknown zero-day exploits.

It's considered stable and we recommend updating all production installations of Roundcube 1.0.x to this version if for some reason you're not able to upgrade to the latest stable version. Please back up your data before updating!

CHANGELOG

  • Fix file disclosure vulnerability caused by insufficient input validation (#6026)

Roundcube Webmail 1.3.2

31 Oct 19:59
1.3.2

This is the second service release to update the stable version 1.3.
It contains fixes to several bugs reported by our dear community members as well as translation updates synchronized from Transifex.

We also changed the wording for the setting that controls the time after which an opened message is marked as read. This was previously only affecting messages being viewed in the preview panel but now applies to all means of opening a message. That change came with 1.3.0 and apparently confused many users. Some translation work is still needed here.

This version is considered stable and we recommend updating all production installations of Roundcube with it. Please back up your data before updating!

CHANGELOG

  • Improve detection for Edge browser and add pointer event support (#5922)
  • Fix bug where pink image was used instead of a thumbnail when image resize fails (#5933)
  • Fix so files size/count limit is verified (client-side) also on drag-n-drop uploads (#5940)
  • Fix invalid template loading on a message error in preview frame (#5941)
  • Fix bug where HTML messages could have been rendered empty on some systems (#5957)
  • Fix wording of "Mark previewed messages as read" to "Mark messages as read" (#5952)
  • Enigma: Fix decryption of messages encoded with non-ascii charset (#5962)
  • Fix missing cursor in HTML editor on mail reply (#5969)
  • Fix (again) bug where image data URIs in css style were treated as evil/remote in mail preview (#5580)
  • Fix bug where mail search could return empty result on servers without SORT capability (#5973)
  • Fix bug where assets_path wasn't added to some watermark frames
  • Fix so untagged COPYUID responses are also supported according to RFC6851 (#5982)
  • Fix issue caused by non-default session.cookie_lifetime setting (#5961)
  • Fix Edge encoding bug when pasting text into the HTML editor, update to TinyMCE 4.5.8 (#5885)
  • Fix handling of unknown Content-Disposition type (#6002)
  • Fix truncated folder name on messages list in multi-folder mode, for folders with non-ascii characters (#6004)
  • Fix bug where removing the last subfolder did not hide toggle button on its parent record (#6007)
  • Fix bug where ghost messages could be added to the list after fast delete (#5941)