
Releases: roundcube/roundcubemail

Roundcube Webmail 1.2.6

10 Sep 13:59

This is a service and security update to the stable version 1.2. It contains some important bug fixes and improvements which we picked from the upstream branch. A detailed list of changes is shown below.

It's considered stable and we recommend updating all production installations of Roundcube to this version. Please back up your data before updating!

CHANGELOG

  • Don't ignore (global) userlogins/sendmail logging in per_user_logging mode
  • Enigma: Fix compatibility with assets_dir
  • Managesieve: Fix AM/PM suffix in vacation time selectors
  • Fix bug where comment notation within style tag would cause the whole style to be ignored (#5747)
  • Fix bug where it wasn't possible to scroll folders list in Edge (#5750)
  • Fix addressbook searching by gender (#5757)
  • Fix SQL syntax error on MariaDB 10.2 (#5774)
  • Fix bug where it wasn't possible to set timezone to auto-detected value (#5782)
  • Fix uninitialized string offset in rcube_utils::bin2ascii() and make sure rcube_utils::random_bytes() result has always requested length (#5788)
  • Fix potential XSS vulnerability with malformed HTML message markup

Roundcube Webmail 1.3.1

04 Sep 19:31

This is the first service release to update the stable version 1.3. We did some touching-up on the new features introduced with the 1.3.0 release. For example it brings back the double-click behavior to open messages which was reduced to the list-only view. Because the switch to change the mail view layout was a bit hidden, we also added it to the preferences section.

The update also includes fixes to reported bugs and one potential XSS vulnerability as well as optimizations to smoothly run on the latest version of PHP. A detailed list of changes is shown below.

It's considered stable and we recommend updating all production installations of Roundcube to this version. Please back up your data before updating!

CHANGELOG

  • Don't ignore (global) userlogins/sendmail logs in per_user_logging mode
  • Add Preferences > Mailbox View > Main Options > Layout (#5829)
  • Password: Fix compatibility with PHP 7+ in cpanel_webmail driver (#5820)
  • Managesieve: Fix parsing dot-stuffed lines in multiline text (#5838)
  • Managesieve: Fix AM/PM suffix in vacation time selectors
  • Managesieve: Fix bug where 'exists' operator was reset to 'contains' (#5899)
  • Remove non-printable characters from filenames on download/display (#5880)
  • Fix decoding non-ascii attachment names from TNEF attachments (#5646, #5799)
  • Fix uninitialized string offset warnings and make sure random_bytes() has the requested length (#5788)
  • Fix bug where HTML messages with @media styles could modify style of page body (#5811)
  • Fix style issue on selected and unfocused message that is part of a thread (#5798)
  • Fix bug where a.button style from managesieve plugin could impact other elements (#5800)
  • Fix position of selected icon for (Mailvelope) Encrypt button
  • Fix fatal error when using DMY- or MDY-based date format in PostgreSQL (#5808)
  • Fix bug where errors were not printed when using bin/update.sh (#5834)
  • Fix PHP 7.2 warnings on count() use (#5845)
  • Fix bug where Chrome could not upload the same file that was selected before (#5854)
  • Fix duplicate messages on the list after deleting messages on the next to the last page (#5862)
  • Fix bug where messages count was not updated after delete when imap_cache is set (#5872)
  • Fix potential XSS vulnerability with malformed HTML message markup
  • Fix sending message with "Too many public recipients" dialog buttons (#5924)
  • Bring back double-click behavior on the message list which was removed in 1.3.0 (#5823)
  • Enigma: Fix decrypting an encrypted+signed message when signature verification fails (#5914)

Roundcube Webmail 1.3.0

26 Jun 19:11

This is the next major version 1.3 of Roundcube webmail.
With this milestone we introduce new features like:

  • Widescreen layout aka Three Column View
  • Possibility to display QR code for contacts data
  • New identicon plugin
  • Attach contact vCards to composed message
  • Support WEBP images and MathML preview
  • Preview, download and rename attachments when composing a message
  • Message/rfc822 attachment preview
  • Various Enigma (PGP) and Managesieve plugin improvements
  • "Flattened" the Larry theme giving it a fresher look

Plus security and deployment improvements:

  • Improve randomness of password salts and random hashes
  • Fixed redundancy in sql caching system and compatibility with Galera Cluster

And finally some code-cleanup:

  • Dropped support for legacy browsers (IE < 10; removed legacy_browser plugin)
  • Require PHP >= 5.4
  • Removed PHP mail() support
  • Removed 3rd party javascript libraries from repo
  • Require jQuery 3.x which has breaking changes to older versions

IMPORTANT: The code-cleanup part brings major changes and possible incompatibilities with your existing Roundcube installations. So please read the Changelog carefully and thoroughly test your upgrade scenario.

Please note that Roundcube 1.3

  1. no longer runs on PHP 5.3
  2. no longer supports IE < 10 and old versions of Firefox, Chrome and Safari
  3. requires an SMTP server connection to send mails
  4. uses jQuery 3.2 and will not work with current jQuery mobile plugin

With the release of Roundcube 1.3.0, the previous stable release branches 1.2.x and 1.1.x will switch into LTS low-maintenance mode, which means they will receive only important security updates and no further regular improvement updates.

CHANGELOG

  • Update to TinyMCE 4.5.7
  • Fix bug where invalid recipients could be silently discarded (#5739)
  • Fix conflict with _gid cookie of Google Analytics (#5748)
  • Print error from CLI scripts when system/exec function is disabled (#5744)
  • Fix bug where comment notation within style tag would cause the whole style to be ignored (#5747)
  • Fix bug where it wasn't possible to scroll folders list in Edge (#5750)
  • Fix folders list sorting on Windows - if php-intl is available (#5732)
  • Fix addressbook searching by gender (#5757)
  • Fix prevention from using % and * characters in folder name (#5762)
  • Fix POST parameter reflection in default_charset selector (#5768)
  • Enigma: Fix compatibility with assets_dir
  • Managesieve: Skip redundant LISTSCRIPTS command
  • Fix SQL syntax error on MariaDB 10.2 (#5774)
  • Fix bug where zipdownload ignored files with the same name (#5777)
  • Fix bug where it wasn't possible to set timezone to auto-detected value (#5782)

RELEASE 1.3-rc

  • "Flattened" the larry theme: fresher look by removing shadows and gradients
  • Support logging to php://stdout (#5721)
  • Add support for DelSp=Yes in format=flowed messages (#5702)
  • Update to jQuery 3.2.1
  • Update to TinyMCE 4.5.6
  • Plugin API: Call message_part_structure hook for sub-parts of multipart/alternative message (#5678)
  • Enigma: Always use detached signatures (#5624)
  • Enigma: Fix handling of messages with nested PGP encrypted parts (#5634)
  • Minimize unwanted message loading in preview frame on drag (#5616)
  • Fix failing database schema check in all engines except mysql (#5730)
  • Fix autocomplete popup closing with click outside the input, don't handle Tab key as Enter (#5606)
  • Fix jsdeps.json synchronization on update, warn about missing requirements of install-jsdeps.sh (#5598)
  • Fix missing thread expand icon on search result in widescreen mode (#5613)
  • Fix bug where image data URIs in css style were treated as evil/remote in mail preview (#5580)
  • Fix bug where external content in src attribute of input/video tags was not secured (#5583)
  • Fix PHP error on update of a contact with multiple email addresses when using PHP 7.1 (#5587)
  • Fix bug where mail content frame couldn't be reset in some corner cases (#5608)
  • Fix bug where some classic skin images were not displayed in IE/Edge (#5614)
  • Fix bug where signature couldn't be added above the quote in Firefox 51 (#5628)
  • Fix regression where groups with email address were resolved to its members' addresses
  • Fix update of group name in the contacts list header on group rename (#5648)
  • Add rewrite rule to disable access to /vendor/bin folder in .htaccess (#5630)
  • Fix bug where it was too easy to accidentally move a folder when using the subscription checkbox (#5655)
  • Managesieve: Fix parser issue with empty lines between comments (#5657)
  • Managesieve: Fix possible defect in handling \r\n in scripts (#5685)
  • Fix/rephrase "unsaved changes" warning when cancelling a draft (#5610)
  • Fix XSS issue in handling of a style tag inside of an svg element [CVE-2017-6820]
  • Fix bug where settings/upload.inc could not be used by plugins (#5694)
  • Fix regression in LDAP fuzzy search where it always used prefix search instead (#5713)
  • Fix bug where namespace prefix could not be truncated on folders list if show_real_foldernames=true (#5695)
  • Fix undesired effects when postgres database uses different timezone than PHP host (#5708)
  • Installer: Fix DB schema initialization on MS SQL Server
  • Fix bug where base_dn setting was ignored inside group_filters (#5720)
  • Password: Fix security issue in virtualmin and sasl drivers [CVE-2017-8114]

RELEASE 1.3-beta

  • Nicely handle contact deletion on contact edit (#5522)
  • vcard_attachments: Add possibility to attach contact vCard to composed message (#4997)
  • Preserve message internal/received date on import in mbox format (#5559)
  • Zipdownload: Fix date format in mbox "From line"
  • Possibility to display QR code for contacts data (#5030)
  • Added identicon plugin
  • Widescreen layout aka three column view (#5093)
  • Unify automatic marking as \Seen in preview pane, full-page and extwin views (#5071)
  • Disable double-click on the list when preview pane is on (#5199)
  • Support hostname and hostname:port in force_https option (#5511)
  • Support ALLOW-FROM in x_frame_options (#5122)
  • Allow to omit a subject when sending an email (#5068)
  • Warn about too many disclosed recipients in composed email [max_disclosed_recipients] (#5132)
  • identity_select: Support Received header (#5085)
  • Plugin API: Added get_compose_responses hook (#5457)
  • Display error when trying to upload more files than specified in max_file_uploads (#5483)
  • Add missing sql upgrade file for 'ip' column resize in session table (#5465)
  • Do not show inline images of unsupported mimetype (#5463)
  • Password: Added replacement variables support in password_pop_host (#5539)
  • Password: Don't store passwords in temp files when using dovecotpw (#5531)
  • Password: Added LDAP PPolicy driver (#5364)
  • Password: Added cpanel_webmail driver (#5549)
  • Password: Added possibility to nicely redirect from other plugins on password expiration (#5468)
  • Implement separate action to mark all messages in a folder as \Seen (#5006)
  • Implement marking as \Seen in all folders or in a folder and its subfolders (#5076)
  • Archive: Don't reload messages list when it's not needed (#5225)
  • Archive: Add option to automatically mark archived messages as \Seen (#5142)
  • Improve randomness of password salts and random hashes (#5266)
  • Password/cPanel: Add support for hash authentication and reseller accounts (#5252)
  • Support host-specific imap_conn_options/smtp_conn_options/managesieve_conn_options (#5136)
  • Center and scale images in attachment preview frame (#5421)
  • Added max_message_size option enforced when attaching files to a composed message (#4993)
  • Added Search button in quick search menus (#5312)
  • Implement "one click" attachment/messages/photo upload (#5024)
  • Squirrelmail_usercopy: Add option to define character set of data files
  • Removed useless 'created' column from 'session' table (#5389)
  • Dropped legacy browsers support (#5167)
    • Removed legacy_browser plugin
    • Removed hacks for IE < 10
    • Update to jQuery 3.1.1 and jQuery-UI 1.12.0
    • compile .min.js files with ECMASCRIPT5 option
  • Require PHP >= 5.4
  • Add possibility to preview and download attachments in mail compose (#5053)
  • Add possibility to rename attachments in mail compose (#4996)
  • Remove backward compatibility "layer" of bc.php (#4902)
  • Support WEBP images in mail messages (#5362)
  • Support MathML in HTML message preview (#5182)
  • Rename Addressbook to Contacts (#5233)
  • Remove PHP mail() support, smtp_server is required now (#5340)
  • Display full message subject in onmouseover on truncated subject in mail view (#5346)
  • Enigma: Support GnuPG 2.1 (#5313)
  • Enigma: Support key generation for multiple identities (#5383)
  • Enigma: Import keys from key-server(s) (#5286)
  • Enigma: Search missing public keys on a key-server in mail compose (#5286)
  • Enigma: Delete user keys when using deluser.sh script
  • Enigma: Fix redundant list-secret-keys/list-public-keys calls on signing/encryption
  • Enigma: Implement PGP encryption and signing in one go (#5302)
  • Enigma: Display signature verification status for encrypted+signed messages (#5302)
  • Display different attachment icon on encrypted messages
  • Display different confirmation text when moving messages to Trash (#5220)
  • Indicate that a collapsed thread has flagged children (#5013)
  • Implemented message/rfc822 attachment preview
  • Update to jsTimezoneDetect 1.0.6
  • Managesieve: Add (optional) RAW script editor (#5414)
  • Managesieve: Add option to automatically set vacation :from address (#5428)
  • Managesieve: Support 'string' test from variables extension [RFC 5229] (#5248)
  • Managesieve: Support 'duplicate' extension [RFC 7352]
  • Managesieve: Unhide advanced rule controls if there are inputs ...

Roundcube Webmail 1.2.5

28 Apr 08:25

This is a security update to the stable version 1.2. It primarily fixes a recently discovered vulnerability in the virtualmin and sasl drivers of the password plugin plus adds a few cherry-picked bug fixes from upstream versions. A detailed list of changes is shown below.

It's considered stable and we recommend updating all production installations of Roundcube to this version. Please back up your data before updating!

CHANGELOG

  • Password: Fix security issue in virtualmin and sasl drivers [CVE-2017-8114]
  • Fix re-positioning of the fixed header of messages list in Chrome when using minimal mode toggle and About dialog (#5711)
  • Fix bug where settings/upload.inc could not be used by plugins (#5694)
  • Fix regression in LDAP fuzzy search where it always used prefix search instead (#5713)
  • Fix bug where namespace prefix could not be truncated on folders list if show_real_foldernames=true (#5695)
  • Fix bug where base_dn setting was ignored inside group_filters (#5720)

Roundcube Webmail 1.1.9

28 Apr 08:39

This is a security update to the stable version 1.1. It primarily fixes a recently discovered vulnerability in the virtualmin and sasl drivers of the password plugin plus adds a few cherry-picked bug fixes from upstream versions. A detailed list of changes is shown below.

It's considered stable and we recommend updating all production installations of Roundcube 1.1.x to this version. Please back up your data before updating!

CHANGELOG

  • Password: Fix security issue in virtualmin and sasl drivers [CVE-2017-8114]
  • Fix regression in LDAP fuzzy search where it always used prefix search instead (#5713)
  • Fix bug where base_dn setting was ignored inside group_filters (#5720)

Roundcube Webmail 1.0.11

28 Apr 08:54

This is a security update to the LTS version 1.0. It fixes a recently discovered vulnerability in the virtualmin and sasl drivers of the password plugin.

It's considered stable and we recommend updating all production installations of Roundcube 1.0.x to this version if for some reason you're not able to upgrade to the latest stable version. Please back up your data before updating!

Instead of a full update you can apply the following patch:
https://github.com/roundcube/roundcubemail/commit/271426429b.diff

CHANGELOG

  • Password: Fix security issue in virtualmin and sasl drivers [CVE-2017-8114]

Roundcube Webmail 1.3-rc

26 Apr 19:36
Pre-release

This is the feature-complete version of the next major version 1.3 of Roundcube webmail, intended for final testing. After dropping support for older browsers and PHP versions and adding some new features like the widescreen layout, the release candidate finalizes that work and also fixes two security issues plus adds improvements to the Managesieve and Enigma plugins.

As a reminder: if you install the dependent package or run Roundcube directly from source, you now need to install the removed 3rd party javascript modules by executing the following install script:

$ bin/install-jsdeps.sh

With the upcoming stable release of 1.3.0 the old 1.x series will only receive important security fixes.

Please note that this is a release candidate and we recommend testing it in a separate environment. And don't forget to back up your data before installing it.

CHANGELOG

  • "Flattened" the larry theme: fresher look by removing shadows and gradients
  • Support logging to php://stdout (#5721)
  • Add support for DelSp=Yes in format=flowed messages (#5702)
  • Update to jQuery 3.2.1
  • Update to TinyMCE 4.5.6
  • Plugin API: Call message_part_structure hook for sub-parts of multipart/alternative message (#5678)
  • Enigma: Always use detached signatures (#5624)
  • Enigma: Fix handling of messages with nested PGP encrypted parts (#5634)
  • Minimize unwanted message loading in preview frame on drag (#5616)
  • Fix failing database schema check in all engines except mysql (#5730)
  • Fix autocomplete popup closing with click outside the input, don't handle Tab key as Enter (#5606)
  • Fix jsdeps.json synchronization on update, warn about missing requirements of install-jsdeps.sh (#5598)
  • Fix missing thread expand icon on search result in widescreen mode (#5613)
  • Fix bug where image data URIs in css style were treated as evil/remote in mail preview (#5580)
  • Fix bug where external content in src attribute of input/video tags was not secured (#5583)
  • Fix PHP error on update of a contact with multiple email addresses when using PHP 7.1 (#5587)
  • Fix bug where mail content frame couldn't be reset in some corner cases (#5608)
  • Fix bug where some classic skin images were not displayed in IE/Edge (#5614)
  • Fix bug where signature couldn't be added above the quote in Firefox 51 (#5628)
  • Fix regression where groups with email address were resolved to its members' addresses
  • Fix update of group name in the contacts list header on group rename (#5648)
  • Add rewrite rule to disable access to /vendor/bin folder in .htaccess (#5630)
  • Fix bug where it was too easy to accidentally move a folder when using the subscription checkbox (#5655)
  • Managesieve: Fix parser issue with empty lines between comments (#5657)
  • Managesieve: Fix possible defect in handling \r\n in scripts (#5685)
  • Fix/rephrase "unsaved changes" warning when cancelling a draft (#5610)
  • Fix XSS issue in handling of a style tag inside of an svg element [CVE-2017-6820]
  • Fix bug where settings/upload.inc could not be used by plugins (#5694)
  • Fix regression in LDAP fuzzy search where it always used prefix search instead (#5713)
  • Fix bug where namespace prefix could not be truncated on folders list if show_real_foldernames=true (#5695)
  • Fix undesired effects when postgres database uses different timezone than PHP host (#5708)
  • Installer: Fix DB schema initialization on MS SQL Server
  • Fix bug where base_dn setting was ignored inside group_filters (#5720)
  • Password: Fix security issue in virtualmin and sasl drivers [CVE-2017-8114]

Roundcube Webmail 1.0.10

06 Apr 19:36

This is a security update to the LTS version 1.0. It contains some important bug fixes and security improvements backported from the master version.

It's considered stable and we recommend updating all production installations of Roundcube 1.0.x to this version if for some reason you're not able to upgrade to the latest stable version. Please back up your data before updating!

CHANGELOG

  • Strip HTML tags inside CSS style definitions
  • Fix vulnerability in handling of mail()'s 5th argument (CVE-2016-9920)
  • Don't create multipart/alternative messages with empty text/plain part (#5283)
  • Fix XSS issue in href attribute on area tag (#5240)
  • Wash position:fixed style in HTML mail for better security (#5264)

Roundcube Webmail 1.2.4

10 Mar 22:18

This is another service release to update the stable version 1.2. It contains some important bug fixes and improvements which we picked from the upstream branch. A detailed list of changes is shown below.

It's considered stable and we recommend updating all production installations of Roundcube to this version. Please back up your data before updating!

CHANGELOG

  • Managesieve: Fix handling of scripts with nested rules (#5540)
  • Managesieve: Fix parser issue with empty lines between comments (#5657)
  • Managesieve: Fix possible defect in handling \r\n in scripts (#5685)
  • Enigma: Fix handling of messages with nested PGP encrypted parts (#5634)
  • Enigma: Fix PHP fatal error when decrypting a message with invalid signature (#5555)
  • Enigma: Fix missing require statement for Crypt_GPG_KeyGenerator (#5641)
  • Fix variable substitution in ldap host for some use-cases, e.g. new_user_identity (#5544)
  • Fix adding images to new identity signatures
  • Fix rsync error handling in installto.sh script (#5562)
  • Fix some advanced search issues with multiple addressbooks (#5572)
  • Fix so group/addressbook selection is retained on page refresh
  • Fix bug where image data URIs in css style were treated as evil/remote in mail preview (#5580)
  • Fix bug where external content in src attribute of input/video tags was not secured (#5583)
  • Fix PHP error on update of a contact with multiple email addresses when using PHP 7.1 (#5587)
  • Fix bug where mail content frame couldn't be reset in some corner cases (#5608)
  • Fix bug where some classic skin images were not displayed in IE/Edge (#5614)
  • Fix bug where signature couldn't be added above the quote in Firefox 51 (#5628)
  • Fix regression where groups with email address were resolved to its members' addresses
  • Fix update of group name in the contacts list header on group rename (#5648)
  • Add rewrite rule to disable access to /vendor/bin folder in .htaccess (#5630)
  • Fix bug where it was too easy to accidentally move a folder when using the subscription checkbox (#5655)
  • Fix XSS issue in handling of a style tag inside of an svg element (CVE-2017-6820)

Roundcube Webmail 1.1.8

10 Mar 22:39

This is a security update to the stable version 1.1. It contains a few fixes which we picked from the upstream branch. A detailed list of changes is shown below.

It's considered stable and we recommend updating all production installations of Roundcube 1.1.x to this version. Please back up your data before updating!

CHANGELOG

  • Fix bug where mail content frame couldn't be reset in some corner cases (#5608)
  • Fix regression where groups with email address were resolved to its members' addresses
  • Fix so group/addressbook selection is retained on page refresh
  • Fix bug where signature couldn't be added above the quote in Firefox 51 (#5628)
  • Fix so microseconds macro (u) in log_date_format works (#1490446)
  • Fix XSS issue in handling of a style tag inside of an svg element (CVE-2017-6820)