Overview
Request 1191902 accepted
- update to 1.6.8
This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:
* Fix XSS vulnerability in post-processing of sanitized HTML content [CVE-2024-42009] [bsc#1228900]
* Fix XSS vulnerability in serving of attachments other than HTML or SVG [CVE-2024-42008]
* Fix information leak (access to remote content) via insufficient CSS filtering [CVE-2024-42010] [bsc#1228901]
- For further changes, see https://github.com/roundcube/roundcubemail/releases/tag/1.6.8
- update to 1.6.7
This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides a fix to a recently reported XSS vulnerabilities:
* Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes.
Reported by Valentin T. and Lutz Wolf of CrowdStrike.
* Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences.
Reported by Huy Nguyễn Phạm Nhật.
* Fix command injection via crafted im_convert_path/im_identify_path on Windows.
Reported by Huy Nguyễn Phạm Nhật.
CHANGELOG
* Makefile: Use phpDocumentor v3.4 for the Framework docs (#9313)
* Fix bug where HTML entities in URLs were not decoded on HTML to plain text conversion (#9312)
* Fix bug in collapsing/expanding folders with some special characters in names (#9324)
* Fix PHP8 warnings (#9363, #9365, #9429)
* Fix missing field labels in CSV import, for some locales (#9393)
* Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes
* Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences
* Fix command injection via crafted im_convert_path/im_identify_path on Windows
- Use %autosetup macro. Allows to eliminate the usage of deprecated
%patchN.
- update to 1.6.6
* Fix regression in handling LDAP search_fields configuration parameter (#9210)
* Enigma: Fix finding of a private key when decrypting a message using GnuPG v2.3
* Fix page jump menu flickering on click (#9196)
* Update to TinyMCE 5.10.9 security release (#9228)
* Fix PHP8 warnings (#9235, #9238, #9242, #9306)
* Fix saving other encryption settings besides enigma's (#9240)
* Fix unneeded php command use in installto.sh and deluser.sh scripts (#9237)
* Fix TinyMCE localization installation (#9266)
* Fix bug where trailing non-ascii characters in email addresses
could have been removed in recipient input (#9257)
* Fix IMAP GETMETADATA command with options - RFC5464
- update to 1.6.5 (bsc#1216895)
* Fix cross-site scripting (XSS) vulnerability in setting
Content-Type/Content-Disposition for attachment
preview/download CVE-2023-47272
Other changes
* Fix PHP8 fatal error when parsing a malformed BODYSTRUCTURE (#9171)
* Fix duplicated Inbox folder on IMAP servers that do not use Inbox
folder with all capital letters (#9166)
* Fix PHP warnings (#9174)
* Fix UI issue when dealing with an invalid managesieve_default_headers
value (#9175)
* Fix bug where images attached to application/smil messages
weren't displayed (#8870)
* Fix PHP string replacement error in utils/error.php (#9185)
* Fix regression where smtp_user did not allow pre/post strings
before/after %u placeholder (#9162)
- update to 1.6.4 (bsc#1216429)
* Fix cross-site scripting (XSS) vulnerability in handling of SVG
in HTML messages (#9168) CVE-2023-5631
* Fix PHP8 warnings (#9142, #9160)
* Fix default 'mime.types' path on Windows (#9113)
* Managesieve: Fix javascript error when relational or spamtest
extension is not enabled (#9139)
- update to 1.6.3 (bsc#1215433)
* Fix bug where installto.sh/update.sh scripts were removing some
essential options from the config file (#9051)
* Update jQuery-UI to version 1.13.2 (#9041)
* Fix regression that broke use_secure_urls feature (#9052)
* Fix potential PHP fatal error when opening a message with
message/rfc822 part (#8953)
* Fix bug where a duplicate tag in HTML email could cause some
parts being cut off (#9029)
* Fix bug where a list of folders could have been sorted
incorrectly (#9057)
* Fix regression where LDAP addressbook 'filter' option was
ignored (#9061)
* Fix wrong order of a multi-folder search result when sorting by
size (#9065)
* Fix so install/update scripts do not require PEAR (#9037)
* Fix regression where some mail parts could have been decoded
incorrectly, or not at all (#9096)
* Fix handling of an error case in Cyrus IMAP BINARY FETCH, fallback to
non-binary FETCH (#9097)
* Fix PHP8 deprecation warning in the reconnect plugin (#9083)
* Fix "Show source" on mobile with x_frame_options = deny (#9084)
* Fix various PHP warnings (#9098)
* Fix deprecated use of ldap_connect() in password's ldap_simple driver (#9060)
* Fix cross-site scripting (XSS) vulnerability in handling of linkrefs
in plain text messages
- update to 1.6.2
* Add Uyghur localization
* Fix regression in OAuth request URI caused by use of REQUEST_URI
instead of SCRIPT_NAME as a default (#8878)
* Fix bug where false attachment reminder was displayed on HTML mail
with inline images (#8885)
* Fix bug where a non-ASCII character in app.js could cause error in
javascript engine (#8894)
* Fix JWT decoding with url safe base64 schema (#8890)
* Fix bug where .wav instead of .mp3 file was used for the new mail
notification in Firefox (#8895)
* Fix PHP8 warning (#8891)
* Fix support for Windows-31J charset (#8869)
* Fix so LDAP VLV option is disabled by default as documented (#8833)
* Fix so an email address with name is supported as input to the
managesieve notify :from parameter (#8918)
* Fix Help plugin menu (#8898)
* Fix invalid onclick handler on the logo image when using non-array
skin_logo setting (#8933)
* Fix duplicate recipients in "To" and "Cc" on reply (#8912)
* Fix bug where it wasn't possible to scroll lists by clicking middle
mouse button (#8942)
* Fix bug where label text in a single-input dialog could be partially
invisible in some locales (#8905)
* Fix bug where LDAP (fulltext) search didn't work without 'search_fields'
in config (#8874)
* Fix extra leading newlines in plain text converted from HTML (#8973)
* Fix so recipients with a domain ending with .s are allowed (#8854)
* Fix so vCard output does not contain non-standard/redundant TYPE=OTHER
and TYPE=INTERNET (#8838)
* Fix QR code images for contacts with non-ASCII characters (#9001)
* Fix PHP8 warnings when using list_flags and list_cols properties by plugins (#8998)
* Fix bug where subfolders could loose subscription on parent folder rename (#8892)
* Fix connecting to LDAP using an URI with ldapi:// scheme (#8990)
* Fix insecure shell command params handling in cmd_learn driver of markasjunk plugin (#9005)
* Fix bug where some mail headers didn't work in cmd_learn driver of markasjunk plugin (#9005)
* Fix PHP fatal error when importing vcf file using PHP 8.2 (#9025)
* Fix so output of log_date_format with microseconds contains time in
server time zone, not UTC
- update to 1.6.1
* Kill session if refreshing oauth token fails (#8734)
* Fix various PHP 8.1 warnings (#8628, #8644, #8667, #8656, #8647)
* Password: Remove references to %c variable that has been removed before (#8633)
* Fix anchor links in HTML mail (#8632)
* Fix bug where config creation in Installer did ignore options in the form (#8634)
* Fix bug where renamed options were removed from the config on
installto.sh (update.sh) run (#8643)
* Fix favicon rewrite rule in .htaccess (#8654)
* Fix various PHP 8.2 warnings
* Fix bug where it wasn't possible to create more than one response
record on SQLite and Postgres (#8664)
* Fix support for ManageSieve over implicit SSL (#8670)
* Fix bug where "about:blank" page could trigger "load error" (#8554)
* Fix bug where setting 'Clear Trash on Logout' to 'all messages'
didn't work (#8687)
* Fix bug where the attachment menu wouldn't disappear after an action
is selected (#8691)
* Fix bug where some dialogs in an eml attachment preview would not
close on mobile (#8627)
* Fix bug where multiline data:image URI's in emails were stripped
from the message on display (#8613)
* Fix fatal error on identity page if Enigma plugin is misconfigured (#8719)
* Fix so N property always exists in a vCard export (#8771)
* Fix authenticating to Courier IMAP with passwords containing
a '~' character (#8772)
* Fix handling of smtp/imap port options on configuration file
update (#8756)
* Fix bug where array values could not be saved in utils/save_pref
action (#8781)
* Add workaround for using Roundcube behind a reverse proxy with a
subpath: 'request_path' option (#8738, #8770)
* Fix bug where "Invalid skin name" error was logged on preferences
save if there's only one skin (#8825)
* Fix SIGBUS raised in ImageMagick when more than one process tried
to generate a thumbnail of the same image attachment (#8511)
* Fix bug where updater does not update the vendor packages (#8642)
* Fix missing mail composing textarea on reply/draft with a long
plain text content (#8866)
- update to 1.6.0 with these most noteworthy changes:
* PHP 8.1 support
* Dropped support for PHP < 7.3
* Support responses (snippets) in HTML format
* Option to purge deleted mails older than 30, 60 or 90 days
* Unified and simplified services connection config options
* Removed the Classic and Larry skins from the release packages
* SQLite: Use foreign keys, require SQLite >= 3.6.19
- update to 1.5.3
* Enigma: Fix initial synchronization of private keys
* Enigma: Fix double quoted-printable encoding of pgp-signed messages with no attachments (#8413)
* Fix various PHP8 warnings (#8392)
* Fix mail headers injection via the subject field on mail compose (#8404)
* Fix bug where small message/rfc822 parts could not be decoded (#8408)
* Fix setting HTML mode on reply/forward of a signed message (#8405)
* Fix handling of RFC2231-encoded attachment names inside of a message/rfc822 part (#8418)
* Fix bug where some mail parts (images) could have not be listed as attachments (#8425)
* Fix bug where attachment icons were stuck at the top of the messages list in Safari (#8433)
* Fix handling of message/rfc822 parts that are small and are multipart structures with a single part (#8458)
* Fix bug where session could time out if DB and PHP timezone were different (#8303)
* Fix bug where DSN flag state wasn't stored with a draft (#8371)
* Fix broken encoding of HTML content encapsulated in a RTF attachment (#8444)
* Fix problem with aria-hidden=true on toolbar menus in the Elastic skin (#8517)
* Fix bug where title tag content was displayed in the body if it contained HTML tags (#8540)
* Fix support for DSN specification without host e.g. pgsql:///dbname (#8558)
- update to 1.5.2
* OAuth: pass 'id_token' to 'oauth_login' plugin hook (#8214)
* OAuth: fix expiration of short-lived oauth tokens (#8147)
* OAuth: fix relative path to assets if /index.php/foo/bar url is used (#8144)
* OAuth: no auto-redirect on imap login failures (#8370)
* OAuth: refresh access token in 'refresh' plugin hook (#8224)
* Fix so folder search parameters are honored by subscriptions_option plugin (#8312)
* Fix password change with Directadmin driver (#8322, #8329)
* Fix so css files in plugins/jqueryui/themes will be minified too (#8337)
* Fix handling of unicode/special characters in custom From input (#8357)
* Fix some PHP8 compatibility issues (#8363)
* Fix chpass-wrapper.py helper compatibility with Python 3 (#8324)
* Fix scrolling and missing Close button in the Select image dialog in Elastic/mobile (#8367)
* Security: fix cross-site scripting (XSS) via HTML messages with malicious CSS content
- added Suggests: php-sqlite
- use the virtual provides from each PHP module, to allow the installation
of roundcubemail with various PHP versions.
The only problem, we are currently facing is the automatic
enablement of the PHP apache module during post-installation:
Trying to evaluate the correct PHP module now during post as well,
which should eleminate the pre-definition of the required
PHP-Version during build completely.
See https://build.opensuse.org/request/show/940859 for the initial
discussion.
- Created by aeneas_jaissle
- In state accepted
Request History
aeneas_jaissle created request
- update to 1.6.8
This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:
* Fix XSS vulnerability in post-processing of sanitized HTML content [CVE-2024-42009] [bsc#1228900]
* Fix XSS vulnerability in serving of attachments other than HTML or SVG [CVE-2024-42008]
* Fix information leak (access to remote content) via insufficient CSS filtering [CVE-2024-42010] [bsc#1228901]
- For further changes, see https://github.com/roundcube/roundcubemail/releases/tag/1.6.8
- update to 1.6.7
This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides a fix to a recently reported XSS vulnerabilities:
* Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes.
Reported by Valentin T. and Lutz Wolf of CrowdStrike.
* Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences.
Reported by Huy Nguyễn Phạm Nhật.
* Fix command injection via crafted im_convert_path/im_identify_path on Windows.
Reported by Huy Nguyễn Phạm Nhật.
CHANGELOG
* Makefile: Use phpDocumentor v3.4 for the Framework docs (#9313)
* Fix bug where HTML entities in URLs were not decoded on HTML to plain text conversion (#9312)
* Fix bug in collapsing/expanding folders with some special characters in names (#9324)
* Fix PHP8 warnings (#9363, #9365, #9429)
* Fix missing field labels in CSV import, for some locales (#9393)
* Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes
* Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences
* Fix command injection via crafted im_convert_path/im_identify_path on Windows
- Use %autosetup macro. Allows to eliminate the usage of deprecated
%patchN.
- update to 1.6.6
* Fix regression in handling LDAP search_fields configuration parameter (#9210)
* Enigma: Fix finding of a private key when decrypting a message using GnuPG v2.3
* Fix page jump menu flickering on click (#9196)
* Update to TinyMCE 5.10.9 security release (#9228)
* Fix PHP8 warnings (#9235, #9238, #9242, #9306)
* Fix saving other encryption settings besides enigma's (#9240)
* Fix unneeded php command use in installto.sh and deluser.sh scripts (#9237)
* Fix TinyMCE localization installation (#9266)
* Fix bug where trailing non-ascii characters in email addresses
could have been removed in recipient input (#9257)
* Fix IMAP GETMETADATA command with options - RFC5464
- update to 1.6.5 (bsc#1216895)
* Fix cross-site scripting (XSS) vulnerability in setting
Content-Type/Content-Disposition for attachment
preview/download CVE-2023-47272
Other changes
* Fix PHP8 fatal error when parsing a malformed BODYSTRUCTURE (#9171)
* Fix duplicated Inbox folder on IMAP servers that do not use Inbox
folder with all capital letters (#9166)
* Fix PHP warnings (#9174)
* Fix UI issue when dealing with an invalid managesieve_default_headers
value (#9175)
* Fix bug where images attached to application/smil messages
weren't displayed (#8870)
* Fix PHP string replacement error in utils/error.php (#9185)
* Fix regression where smtp_user did not allow pre/post strings
before/after %u placeholder (#9162)
- update to 1.6.4 (bsc#1216429)
* Fix cross-site scripting (XSS) vulnerability in handling of SVG
in HTML messages (#9168) CVE-2023-5631
* Fix PHP8 warnings (#9142, #9160)
* Fix default 'mime.types' path on Windows (#9113)
* Managesieve: Fix javascript error when relational or spamtest
extension is not enabled (#9139)
- update to 1.6.3 (bsc#1215433)
* Fix bug where installto.sh/update.sh scripts were removing some
essential options from the config file (#9051)
* Update jQuery-UI to version 1.13.2 (#9041)
* Fix regression that broke use_secure_urls feature (#9052)
* Fix potential PHP fatal error when opening a message with
message/rfc822 part (#8953)
* Fix bug where a duplicate tag in HTML email could cause some
parts being cut off (#9029)
* Fix bug where a list of folders could have been sorted
incorrectly (#9057)
* Fix regression where LDAP addressbook 'filter' option was
ignored (#9061)
* Fix wrong order of a multi-folder search result when sorting by
size (#9065)
* Fix so install/update scripts do not require PEAR (#9037)
* Fix regression where some mail parts could have been decoded
incorrectly, or not at all (#9096)
* Fix handling of an error case in Cyrus IMAP BINARY FETCH, fallback to
non-binary FETCH (#9097)
* Fix PHP8 deprecation warning in the reconnect plugin (#9083)
* Fix "Show source" on mobile with x_frame_options = deny (#9084)
* Fix various PHP warnings (#9098)
* Fix deprecated use of ldap_connect() in password's ldap_simple driver (#9060)
* Fix cross-site scripting (XSS) vulnerability in handling of linkrefs
in plain text messages
- update to 1.6.2
* Add Uyghur localization
* Fix regression in OAuth request URI caused by use of REQUEST_URI
instead of SCRIPT_NAME as a default (#8878)
* Fix bug where false attachment reminder was displayed on HTML mail
with inline images (#8885)
* Fix bug where a non-ASCII character in app.js could cause error in
javascript engine (#8894)
* Fix JWT decoding with url safe base64 schema (#8890)
* Fix bug where .wav instead of .mp3 file was used for the new mail
notification in Firefox (#8895)
* Fix PHP8 warning (#8891)
* Fix support for Windows-31J charset (#8869)
* Fix so LDAP VLV option is disabled by default as documented (#8833)
* Fix so an email address with name is supported as input to the
managesieve notify :from parameter (#8918)
* Fix Help plugin menu (#8898)
* Fix invalid onclick handler on the logo image when using non-array
skin_logo setting (#8933)
* Fix duplicate recipients in "To" and "Cc" on reply (#8912)
* Fix bug where it wasn't possible to scroll lists by clicking middle
mouse button (#8942)
* Fix bug where label text in a single-input dialog could be partially
invisible in some locales (#8905)
* Fix bug where LDAP (fulltext) search didn't work without 'search_fields'
in config (#8874)
* Fix extra leading newlines in plain text converted from HTML (#8973)
* Fix so recipients with a domain ending with .s are allowed (#8854)
* Fix so vCard output does not contain non-standard/redundant TYPE=OTHER
and TYPE=INTERNET (#8838)
* Fix QR code images for contacts with non-ASCII characters (#9001)
* Fix PHP8 warnings when using list_flags and list_cols properties by plugins (#8998)
* Fix bug where subfolders could loose subscription on parent folder rename (#8892)
* Fix connecting to LDAP using an URI with ldapi:// scheme (#8990)
* Fix insecure shell command params handling in cmd_learn driver of markasjunk plugin (#9005)
* Fix bug where some mail headers didn't work in cmd_learn driver of markasjunk plugin (#9005)
* Fix PHP fatal error when importing vcf file using PHP 8.2 (#9025)
* Fix so output of log_date_format with microseconds contains time in
server time zone, not UTC
- update to 1.6.1
* Kill session if refreshing oauth token fails (#8734)
* Fix various PHP 8.1 warnings (#8628, #8644, #8667, #8656, #8647)
* Password: Remove references to %c variable that has been removed before (#8633)
* Fix anchor links in HTML mail (#8632)
* Fix bug where config creation in Installer did ignore options in the form (#8634)
* Fix bug where renamed options were removed from the config on
installto.sh (update.sh) run (#8643)
* Fix favicon rewrite rule in .htaccess (#8654)
* Fix various PHP 8.2 warnings
* Fix bug where it wasn't possible to create more than one response
record on SQLite and Postgres (#8664)
* Fix support for ManageSieve over implicit SSL (#8670)
* Fix bug where "about:blank" page could trigger "load error" (#8554)
* Fix bug where setting 'Clear Trash on Logout' to 'all messages'
didn't work (#8687)
* Fix bug where the attachment menu wouldn't disappear after an action
is selected (#8691)
* Fix bug where some dialogs in an eml attachment preview would not
close on mobile (#8627)
* Fix bug where multiline data:image URI's in emails were stripped
from the message on display (#8613)
* Fix fatal error on identity page if Enigma plugin is misconfigured (#8719)
* Fix so N property always exists in a vCard export (#8771)
* Fix authenticating to Courier IMAP with passwords containing
a '~' character (#8772)
* Fix handling of smtp/imap port options on configuration file
update (#8756)
* Fix bug where array values could not be saved in utils/save_pref
action (#8781)
* Add workaround for using Roundcube behind a reverse proxy with a
subpath: 'request_path' option (#8738, #8770)
* Fix bug where "Invalid skin name" error was logged on preferences
save if there's only one skin (#8825)
* Fix SIGBUS raised in ImageMagick when more than one process tried
to generate a thumbnail of the same image attachment (#8511)
* Fix bug where updater does not update the vendor packages (#8642)
* Fix missing mail composing textarea on reply/draft with a long
plain text content (#8866)
- update to 1.6.0 with these most noteworthy changes:
* PHP 8.1 support
* Dropped support for PHP < 7.3
* Support responses (snippets) in HTML format
* Option to purge deleted mails older than 30, 60 or 90 days
* Unified and simplified services connection config options
* Removed the Classic and Larry skins from the release packages
* SQLite: Use foreign keys, require SQLite >= 3.6.19
- update to 1.5.3
* Enigma: Fix initial synchronization of private keys
* Enigma: Fix double quoted-printable encoding of pgp-signed messages with no attachments (#8413)
* Fix various PHP8 warnings (#8392)
* Fix mail headers injection via the subject field on mail compose (#8404)
* Fix bug where small message/rfc822 parts could not be decoded (#8408)
* Fix setting HTML mode on reply/forward of a signed message (#8405)
* Fix handling of RFC2231-encoded attachment names inside of a message/rfc822 part (#8418)
* Fix bug where some mail parts (images) could have not be listed as attachments (#8425)
* Fix bug where attachment icons were stuck at the top of the messages list in Safari (#8433)
* Fix handling of message/rfc822 parts that are small and are multipart structures with a single part (#8458)
* Fix bug where session could time out if DB and PHP timezone were different (#8303)
* Fix bug where DSN flag state wasn't stored with a draft (#8371)
* Fix broken encoding of HTML content encapsulated in a RTF attachment (#8444)
* Fix problem with aria-hidden=true on toolbar menus in the Elastic skin (#8517)
* Fix bug where title tag content was displayed in the body if it contained HTML tags (#8540)
* Fix support for DSN specification without host e.g. pgsql:///dbname (#8558)
- update to 1.5.2
* OAuth: pass 'id_token' to 'oauth_login' plugin hook (#8214)
* OAuth: fix expiration of short-lived oauth tokens (#8147)
* OAuth: fix relative path to assets if /index.php/foo/bar url is used (#8144)
* OAuth: no auto-redirect on imap login failures (#8370)
* OAuth: refresh access token in 'refresh' plugin hook (#8224)
* Fix so folder search parameters are honored by subscriptions_option plugin (#8312)
* Fix password change with Directadmin driver (#8322, #8329)
* Fix so css files in plugins/jqueryui/themes will be minified too (#8337)
* Fix handling of unicode/special characters in custom From input (#8357)
* Fix some PHP8 compatibility issues (#8363)
* Fix chpass-wrapper.py helper compatibility with Python 3 (#8324)
* Fix scrolling and missing Close button in the Select image dialog in Elastic/mobile (#8367)
* Security: fix cross-site scripting (XSS) via HTML messages with malicious CSS content
- added Suggests: php-sqlite
- use the virtual provides from each PHP module, to allow the installation
of roundcubemail with various PHP versions.
The only problem, we are currently facing is the automatic
enablement of the PHP apache module during post-installation:
Trying to evaluate the correct PHP module now during post as well,
which should eleminate the pre-definition of the required
PHP-Version during build completely.
See https://build.opensuse.org/request/show/940859 for the initial
discussion.
aeneas_jaissle accepted request