Roundcube Security and Bugfix Release 1.4.4 LTS – 1.3.11 and 1.2.10

The popular webmail client Roundcube has received an important update in its main branches 1.4, 1.3 and 1.2. It closes 4 less critical security vulnerabilities, but should nevertheless be installed as soon as possible.

Roundcube 1.4.4 Security Fixes

  • Cross-Site Scripting (XSS) via malicious HTML content
  • CSRF attack can cause an authenticated user to be logged out
  • Remote code execution via crafted config options
  • Path traversal vulnerability allowing local file inclusion via crafted ‘plugins’ option

Roundcube Bugfix 1.4.4 Release Notes

  • Fix bug where attachments with Content-Id were attached to the message on reply (#7122)
  • Fix identity selection on reply when both sender and recipient addresses are included in identities (#7211)
  • Elastic: Fix text selection with Shift+PageUp and Shift+PageDown in plain text editor when using Chrome (#7230)
  • Elastic: Fix recipient input bug when using click to select a contact from autocomplete list (#7231)
  • Elastic: Fix color of a folder with recent messages (#7281)
  • Elastic: Restrict logo size in print view (#7275)
  • Fix invalid Content-Type for messages with only html part and inline images – Mail_Mime-1.10.7 (#7261)
  • Fix missing contact display name in QR Code data (#7257)
  • Fix so button label in Select image/media dialogs is “Close” not “Cancel” (#7246)
  • Fix regression in testing database schema on MSSQL (#7227)
  • Fix cursor position after inserting a group to a recipient input using autocompletion (#7267)
  • Fix string literals handling in IMAP STATUS (and various other) responses (#7290)
  • Fix bug where multiple images in a message were replaced by the first one on forward/reply/edit (#7293)
  • Fix handling keyservers configured with protocol prefix (#7295)
  • Markasjunk: Fix marking as spam/ham on moving messages with Move menu (#7189)
  • Markasjunk: Fix bug where moving to Junk was failing on messages selected with Select > All (#7206)
  • Fix so imap error message is displayed to the user on folder create/update (#7245)
  • Fix bug where a special folder couldn’t be created if a special-use flag is not supported (#7147)
  • Mailvelope: Fix bug where recipients with name were not handled properly in mail compose (#7312)
  • Fix characters encoding in group rename input after group creation/rename (#7330)
  • Fix bug where some message/rfc822 parts could not be attached on forward (#7323)
  • Make install-jsdeps.sh script working without the file program installed (#7325)
  • Fix performance issue of parsing big HTML messages by disabling HTML5 parser for these (#7331)
  • Fix so Print button for PDF attachments works on Firefox >= 75 (#5125)
  • Security: Fix XSS issue in handling of CDATA in HTML messages
  • Security: Fix remote code execution via crafted ‘im_convert_path’ or ‘im_identify_path’ settings
  • Security: Fix local file inclusion (and code execution) via crafted ‘plugins’ option
  • Security: Fix CSRF bypass that could be used to log out an authenticated user (#7302)

Roundcube 1.3.11 Release Notes

  • Enigma: Fix compatibility with Mail_Mime >= 1.10.5
  • Fix permissions on some folders created by bin/install-jsdeps.sh script (#6930)
  • Fix bug where inline images could have been ignored if Content-Id header contained redundant spaces (#6980)
  • Fix PHP Warning: Use of undefined constant LOG_EMERGE (#6991)
  • Fix PHP warning: “array_merge(): Expected parameter 2 to be an array, null given in sendmail.inc (#7003)
  • Security: Fix XSS issue in handling of CDATA in HTML messages
  • Security: Fix remote code execution via crafted ‘im_convert_path’ or ‘im_identify_path’ settings
  • Security: Fix local file inclusion (and code execution) via crafted ‘plugins’ option
  • Security: Fix CSRF bypass that could be used to log out an authenticated user (#7302)

Roundcube 1.2.10 Release Notes

  • Fix missing message-htmlpart1 class breaking inline CSS (#6493)
  • Security: Fix XSS issue in handling of CDATA in HTML messages
  • Security: Fix remote code execution via crafted ‘im_convert_path’ or ‘im_identify_path’ settings
  • Security: Fix local file inclusion (and code execution) via crafted ‘plugins’ option
  • Security: Fix CSRF bypass that could be used to log out an authenticated user (#7302)

Source: https://github.com/roundcube/roundcubemail/releases
