Roundcube Webmail 1.3-beta

This is a beta release of the next major version 1.3 of Roundcube webmail.
With this milestone we introduce some new features:

• Widescreen layout aka Three Column View
• Possibility to display QR code for contacts data
• New identicon plugin
• Attach contact vCards to composed message
• Support WEBP images and MathML preview
• Preview, download and rename attachments when composing a message
• message/rfc822 attachment preview
• Various Enigma (PGP) and Managesieve plugin improvements

Plus security and deployment improvements:

• Improve randomness of password salts and random hashes
• Fixed redundancy in sql caching system and compatibility with Galera Cluster

And finally some code-cleanup:

• Dropped support for legacy browsers (IE < 10; removed legacy_browser plugin)
• Require PHP >= 5.4
• Removed PHP mail() support
• Removed 3rd party javascript libraries from repo

IMPORTANT: The code-cleanup part brings major changes and possibly incompatibilities to your existing Roundcube installations. So please read the Changelog carefully and thoroughly test your upgrade scenario.

Please note that Roundcube 1.3

1. no longer runs on PHP 5.3
2. no longer supports IE < 10 and old versions of Firefox, Chrome and Safari
3. requires an SMTP server connection to send mails

In case you're running Roundcube directly from source, you now need to install the removed 3rd party javascript modules by executing the following install script:

$ bin/install-jsdeps.sh

Roundcube Webmail 1.2.3

This is the third service release to update the stable version 1.2. It contains some important bug fixes and improvements which we picked from the upstream branch. A detailed list of changes is shown below. Included is a fix for a recently reported security issue when using PHP's mail() function. It has been discovered by Robin Peraglie using RIPS and more details along with a CVE number will be published shortly.

It's considered stable and we recommend to update all productive installations of Roundcube with this version. Please do backup your data before updating!

CHANGELOG

• Fix vulnerability in handling of mail()'s 5th argument
• Searching in both contacts and groups when LDAP addressbook with group_filters option is used
• Fix To: header encoding in mail sent with mail() method (#5475)
• Fix flickering of header top-line in min-mode (#5426)
• Fix bug where folders list would scroll to top when clicking on subscription checkbox (#5447)
• Fix decoding of GB2312/GBK text when iconv is not installed (#5448)
• Fix regression where creation of default folders wasn't functioning without prefix (#5460)
• Enigma: Fix bug where last records on keys list were hidden (#5461)
• Enigma: Fix key search with keyword containing non-ascii characters (#5459)
• Fix bug where deleting folders with subfolders could fail in some cases (#5466)
• Fix bug where IMAP password could be exposed via error message (#5472)
• Fix bug where it wasn't possible to store more that 2MB objects in memcache/apc,
  Added memcache_max_allowed_packet and apc_max_allowed_packet settings (#5452)
• Fix "Illegal string offset" warning in rcube::log_bug() on PHP 7.1 (#5508)
• Fix storing "empty" values in rcube_cache/rcube_cache_shared (#5519)
• Fix missing content check when image resize fails on attachment thumbnail generation (#5485)
• Fix displaying attached images with wrong Content-Type specified (#5527)

Roundcube Webmail 1.1.7

This is a security update to the stable version 1.1. It contains one fix for a recently reported security issue when using PHP's mail() function. It has been discovered by Robin Peraglie using RIPS and more details along with a CVE number will be pulished shortly.

It's considered stable and we recommend to update all productive installations of Roundcube 1.1.x which do not have an SMTP server configured for mail delivery.

Please do backup your data before updating!

CHANGELOG

• Fix vulnerability in handling of mail()'s 5th argument

Roundcube Webmail 1.2.2

This is the second service release to update the stable version 1.2. It contains
some important bug fixes and again more improvements of the Enigma plugin
for PGP encryption. A detailed list of changes is listed below.

It's considered stable and we recommend to update all productive installations
of Roundcube with this version. Please do backup your data before updating!

CHANGELOG

• Enigma: Add possibility to configure gpg-agent binary location (enigma_pgp_agent)
• Enigma: Fix signature verification with some IMAP servers, e.g. Gmail, DBMail (#5371)
• Enigma: Make recipient key searches case-insensitive (#5434)
• Fix regression in resizing JPEG images with Imagick (#5376)
• Managesieve: Fix parsing of vacation date-time with non-default date_format (#5372)
• Use SymLinksIfOwnerMatch in .htaccess instead of FollowSymLinks disabled on some hosts for security reasons (#5370)
• Wash position:fixed style in HTML mail for better security (#5264)
• Fix bug where memcache_debug didn't work for session operations
• Fix bug where Message-ID domain part was tied to username instead of current identity (#5385)
• Fix bug where blocked.gif couldn't be attached to reply/forward with insecure content
• Fix E_DEPRECATED warning when using Auth_SASL::factory() (#5401)
• Fix bug where names of downloaded files could be malformed when derived from the message subject (#5404)
• Fix so "All" messages selection is resetted on search reset (#5413)
• Fix bug where folder creation could fail if personal namespace contained more than one entry (#5403)
• Fix error causing empty INBOX listing in Firefox when using an URL with user:password specified (#5400)
• Fix PHP warning when handling shared namespace with empty prefix (#5420)
• Fix so folders list is scrolled to the selected folder on page load (#5424)
• Fix so when moving to Trash we make sure the folder exists (#5192)
• Fix displaying size of attachments with zero size
• Fix so "Action disabled" error uses more appropriate 404 code (#5440)

Roundcube Webmail 1.1.6

This is a security update to the stable version 1.1. It contains some important bug fixes and improvements in contacts searching as well as a few localization fixes. A detailed list of changes is listed below.

It's considered stable and we recommend to update all productive installations of Roundcube 1.1.x with this version. Please do backup your data before updating!

CHANGELOG

• Searching in both contacts and groups when LDAP addressbook with group_filters option is used
• Use contact_search_name format in popup on results in compose contacts search
• Fix missing localization of HTML editor when assets_dir != INSTALL_PATH
• Fix handling of blockquote tags with mixed case on html2text conversion (#5363)
• Fix message list multi-select/deselect issue (#5219)
• Fix bug where contact search menu fields where always unchecked in Larry skin
• Fix XSS issue in href attribute on area tag (#5240)
• Fix bug where message list columns could be in wrong order after column drag-n-drop and list sorting
• Don't create multipart/alternative messages with empty text/plain part (#5283)
• Wash position:fixed style in HTML mail for better security (#5264)
• Fix error causing empty INBOX listing in Firefox when using an URL with user:password specified (#5400)

Roundcube Webmail 1.2.1

This is the first service release to update the stable version 1.2. It contains some important bug fixes and improvements in the recently introduced Enigma plugin for PGP encryption. A detailed list of changes is shown below.

It's considered stable and we recommend to update all productive installations of Roundcube with this version. Please do backup your data before updating!

CHANGELOG

• Update TinyMCE to version 4.3.13 (#5309)
• Fix bug where errors could have been not logged when per_user_logging=true
• Fix bug where message list columns could be in wrong order after column drag-n-drop and list sorting
• Fix so minified publickey.js (with cache-buster) is used when available (#5254)
• Fix (replace) application/x-tar file extension test as it might not exist in nginx config (#5253)
• Fix PHP warning when password_hosts is set, but is not an array (#5260)
• Fix redundant keep-alive requests when session_lifetime is greater than ~20000 (#5273)
• Fix so subfolders of INBOX can be set as Archive (#5274)
• Fix bug where multi-folder search could choose a wrong folder in "this and subfolders" scope (#5282)
• Fix bug where multi-folder search didn't work for unsubscribed INBOX (#5259)
• Fix bug where "no body" alert could be displayed when sending mailvelope email
• Enigma: Fix keys import from inside of an encrypted message (#5285)
• Enigma: Fix malformed signed messages with force_7bit=true (#5292)
• Enigma: Add possibility to configure gpg binary location (enigma_pgp_binary)
• Enigma: Add possibility to export private keys (#5321)
• Fix searching by email address in contacts with multiple addresses (#5291)
• Fix handling of --delete argument in moduserprefs.sh script (#5296)
• Workaround PHP issue by calling closelog() on script shutdown when using log_driver=syslog (#5289)
• Fix so upgrade script makes sure program/lib directory does not contain old libraries (#5287)
• Fix subscription checkbox state on error in folder subscribe/unsubscribe action (#5243)
• Fix bug where microsecond format in logged date didn't work in some cases
• Fix conflict in new_user_dialog and password_force_new_user settings (#5275)
• Don't create multipart/alternative messages with empty text/plain part (#5283)
• Use contact_search_name format in popup on results in compose contacts search
• Fix handling of 'mailto' and 'error' arguments in message_before_send hook (#5347)
• Fix missing localization of HTML editor when assets_dir != INSTALL_PATH
• Fix handling of blockquote tags with mixed case on html2text conversion (#5363)
• Fix javascript errors in IE on page with iframe that points to another domain

Roundcube Webmail 1.2.0

This is the next major version 1.2 of Roundcube webmail.
It introduces new features since version 1.1 primarily focusing on security and PGP encryption:

• PHP7 compatibility
• PGP encryption via Mailvelope (browser) or the Enigma plugin (server-side)
• Drag-n-drop attachments from mail preview to compose window
• Mail messages searching with predefined date interval
• Improved security measures to protect from brute-force attacks

And of course plenty of small improvements and bug fixes.

As already announced with the 1.2-beta release, PGP encryption comes in two flavours: client-side using the Mailvelope browser extension and server-side with the Enigma plugin using GnuPG on the server.

Support with the Mailvelope browser plugin comes out of the box and is enabled if the Mailvelope API is detected in a user's browser. The Mailvelope documentation explains how to enable it for your site.

The features of the Enigma plugin, which comes with the release package and simply needs to be activated for your Roundcube installation are explained in this blog post.

IMPORTANT: with this version, we finally deprecate some old Roundcube library functions. Please test your plugins thoroughly and look for deprecation warnings in the logs.

With the release of Roundcube 1.2.0, the previous stable release branches 1.0.x and 1.1.x will switch in to LTS low maintenance mode which means they will only receive important security updates but no longer any regular improvement updates.

CHANGELOG (since 1.2-rc)

• Enigma: Added enigma_debug option
• Fix message list multi-select/deselect issue (#5219)
• Fix bug where getting HTML editor content could steal focus from other form controls (#5223)
• Fix bug where contact search menu fields where always unchecked in Larry skin
• Fix autoloading of 'html' class
• Fix bug where Encrypt button appears when switching editor to HTML (#5235)
• Fix XSS issue in href attribute on area tag (#5240)

See the complete Changelog in the wiki.

Roundcube Webmail 1.1.5

This is a service update to the stable version 1.1. It contains some important bug fixes and helps protecting Roundcube against more XSS and CSRF attacks.

It's considered stable and we recommend to update all productive installations
of Roundcube with this version. Please do backup your data before updating!

Changelog

• Plugin API: Add html2text hook
• Plugin API: Added addressbook_export hook
• Fix missing emoticons on html-to-text conversion
• Fix random "access to this resource is secured against CSRF" message at logout (#4956)
• Fix missing language name in "Add to Dictionary" request in HTML mode (#4951)
• Enable use of TLSv1.1 and TLSv1.2 for IMAP (#4955)
• Fix XSS issue in SVG images handling (#4949)
• Fix (again) security issue in DBMail driver of password plugin CVE-2015-2181
• Fix bug where Archive/Junk buttons were not active after page jump with select=all mode (#4961)
• Fix bug in long recipients list parsing for cases where recipient name contained @-char (#4964)
• Fix additional_message_headers plugin compatibility with Mail_Mime >= 1.9 (#4966)
• Hide DSN option in Preferences when smtp_server is not used (#4967)
• Protect download urls against CSRF using unique request tokens (#4957)
• newmail_notifier: Refactor desktop notifications
• Fix so contactlist_fields option can be set via config file
• Fix so SPECIAL-USE assignments are forced only until user sets special folders (#4782)
• Fix performance in reverting order of THREAD result
• Fix converting mail addresses with @www. into mailto links (#5197)

Roundcube Webmail 1.0.9

This is a security update to the stable version 1.0. It contains some important bug fixes and security improvements back-ported from the master branch.

It's considered stable and we recommend to update all productive installations of Roundcube 1.0.x with this version if for some reason you're not able to upgrade to the latest stable version. Please do backup your data before updating!

CHANGELOG

• Fix a regression where some contact data was missing in export and PHP warnings were logged
• Enable use of TLSv1.1 and TLSv1.2 for IMAP (#4955)
• Fix XSS issue in SVG images handling (#4949)
• Fix (again) security issue in DBMail driver of password plugin (CVE-2015-2181) (#4958)
• Fix bug where Archive/Junk buttons were not active after page jump with select=all mode (#4961)
• Fix bug in long recipients list parsing for cases where recipient name contained @-char (#4964)
• Fix additional_message_headers plugin compatibility with Mail_Mime >= 1.9 (#4966)
• Hide DSN option in Preferences when smtp_server is not used (#4967)

Roundcube Webmail 1.2-rc

This is the feature-complete version for the next major version 1.2 of Roundcube webmail for final testing. After adding PHP7 support and PGP encryption in 1.2-beta, this release candidate finalizes that work and also fixes two security issues.

IMPORTANT: with this version, we finally deprecate some old Roundcube library functions.
Please test your plugins thoroughly and look for deprecation warnings in the logs.

Also, with the upcoming stable release of 1.2.0 the old 1.0.x and the 1.1.x series will only receive important security fixes.

Please note that this is a release candidate and we recommend to test it on a separate environment. And don't forget to backup your data before installing it.

See the complete Changelog in our wiki.