From the release announcement:
We just published a security update to version 1.6 of Roundcube Webmail.
It provides a fix to a recently reported XSS vulnerability:
Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in
plain text messages, reported by Niraj Shivtarkar. See the full changelog
in the release notes on the Github download page.
We strongly recommend updating all production installations of Roundcube
1.6.x with this new version.
1.6.3 (2023-09-15)
* Fix bug where installto.sh/update.sh scripts were removing some essential
options from the config file (#9051)
* Update jQuery-UI to version 1.13.2 (#9041)
* Fix regression that broke use_secure_urls feature (#9052)
* Fix potential PHP fatal error when opening a message with message/rfc822
part (#8953)
* Fix bug where a duplicate `<title>` tag in HTML email could cause some
parts being cut off (#9029)
* Fix bug where a list of folders could have been sorted incorrectly (#9057)
* Fix regression where LDAP addressbook 'filter' option was ignored (#9061)
* Fix wrong order of a multi-folder search result when sorting by size
(#9065)
* Fix so install/update scripts do not require PEAR (#9037)
* Fix regression where some mail parts could have been decoded incorrectly,
or not at all (#9096)
* Fix handling of an error case in Cyrus IMAP BINARY FETCH, fallback to
non-binary FETCH (#9097)
* Fix PHP8 deprecation warning in the reconnect plugin (#9083)
* Fix "Show source" on mobile with x_frame_options = deny (#9084)
* Fix various PHP warnings (#9098)
* Fix deprecated use of ldap_connect() in password's ldap_simple driver
(#9060)
* Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in
plain text messages
1.6.2 (2023-07-02)
* Add Uyghur localization
* Fix regression in OAuth request URI caused by use of REQUEST_URI instead
of SCRIPT_NAME as a default (#8878)
* Fix bug where false attachment reminder was displayed on HTML mail with
inline images (#8885)
* Fix bug where a non-ASCII character in app.js could cause an error in the
JavaScript engine (#8894)
* Fix JWT decoding with url safe base64 schema (#8890)
* Fix bug where .wav instead of .mp3 file was used for the new mail
notification in Firefox (#8895)
* Fix PHP8 warning (#8891)
* Fix support for Windows-31J charset (#8869)
* Fix so LDAP VLV option is disabled by default as documented (#8833)
* Fix so an email address with name is supported as input to the managesieve
notify :from parameter (#8918)
* Fix Help plugin menu (#8898)
* Fix invalid onclick handler on the logo image when using non-array
skin_logo setting (#8933)
* Fix duplicate recipients in "To" and "Cc" on reply (#8912)
* Fix bug where it wasn't possible to scroll lists by clicking middle mouse
button (#8942)
* Fix bug where label text in a single-input dialog could be partially
invisible in some locales (#8905)
* Fix bug where LDAP (fulltext) search didn't work without 'search_fields'
in config (#8874)
* Fix extra leading newlines in plain text converted from HTML (#8973)
* Fix so recipients with a domain ending with .s are allowed (#8854)
* Fix so vCard output does not contain non-standard/redundant TYPE=OTHER and
TYPE=INTERNET (#8838)
* Fix QR code images for contacts with non-ASCII characters (#9001)
* Fix PHP8 warnings when using list_flags and list_cols properties by
plugins (#8998)
* Fix bug where subfolders could lose subscription on parent folder rename
(#8892)
* Fix connecting to LDAP using an URI with ldapi:// scheme (#8990)
* Fix insecure shell command params handling in cmd_learn driver of
markasjunk plugin (#9005)
* Fix bug where some mail headers didn't work in cmd_learn driver of
markasjunk plugin (#9005)
* Fix PHP fatal error when importing vcf file using PHP 8.2 (#9025)
* Fix so output of log_date_format with microseconds contains time in server
time zone, not UTC
pkgsrc changes:
* Add "USE_TOOLS+= pax" to plugins.mk.
* Add a note to MESSAGES.
* Update DESCR.
1.6.0 (2022-07-28)
We proudly announce the release of the next major version 1.6 of Roundcube
webmail. With this milestone we have cleaned up the codebase and brought full
support for PHP 8.1. The most noteworthy changes, as already announced with
the beta release, are:
* PHP 8.1 support
* Dropped support for PHP < 7.3
* Support responses (snippets) in HTML format
* Option to purge deleted mails older than 30, 60 or 90 days
* Unified and simplified services connection config options
* Removed the Classic and Larry skins from the release packages
* SQLite: Use foreign keys, require SQLite >= 3.6.19
See the full changelog in the release notes on the Github download page.
Breaking Changes to 1.5 and prior versions
The following config options have either been removed or renamed:
1. IMAP:
   * renamed default_host to imap_host
   * removed default_port option (non-standard port can be set via
     imap_host)
   * set "localhost:143" as a default for imap_host
2. SMTP:
   * renamed smtp_server to smtp_host
   * removed smtp_port option (non-standard port can be set via smtp_host)
   * set "localhost:587" as a default for smtp_host
3. LDAP:
   * removed port option from ldap_public array (non-standard port can be set
     via host)
   * removed use_tls option from ldap_public array (use tls:// prefix in host)
4. Managesieve:
   * removed managesieve_port option (non-standard port can be set via
     managesieve_host)
   * removed managesieve_usetls option (set tls:// prefix to managesieve_host)
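The renames above can be applied mechanically to an existing 1.5 config file. The following PHP is an added example, not code from Roundcube or from the pkgsrc package: the functions rc16_host and rc16_migrate and the sample $config array are constructed here, and it assumes that a multi-host value is a plain array of host strings. It covers the IMAP, SMTP and managesieve options; the ldap_public change follows the same rule (port and tls:// prefix move into the host string) and is left out.

```php
<?php
// Added example (not part of Roundcube or pkgsrc): translate the 1.5-style
// connection options of a $config array into the 1.6 names listed above.

/**
 * Combine the separate host, port and TLS options of 1.5 into the single
 * 1.6 host string. An existing ssl:// or tls:// prefix and an existing
 * ":port" suffix are kept as they are.
 */
function rc16_host(string $host, ?int $port, bool $useTls = false): string
{
    if ($useTls && !preg_match('#^[a-z]+://#i', $host)) {
        $host = 'tls://' . $host;
    }
    if ($port !== null && !preg_match('#:\d+$#', $host)) {
        $host .= ':' . $port;
    }
    return $host;
}

/**
 * Return a copy of $old with the removed/renamed options translated.
 * Assumption: a multi-host default_host is a plain array of host strings.
 */
function rc16_migrate(array $old): array
{
    $new = $old;

    // 1. IMAP: default_host + default_port -> imap_host
    if (isset($old['default_host'])) {
        $port  = isset($old['default_port']) ? (int) $old['default_port'] : null;
        $hosts = array_map(
            fn($h) => rc16_host($h, $port),
            (array) $old['default_host']
        );
        $new['imap_host'] = count($hosts) === 1 ? reset($hosts) : $hosts;
    }
    unset($new['default_host'], $new['default_port']);

    // 2. SMTP: smtp_server + smtp_port -> smtp_host
    if (isset($old['smtp_server'])) {
        $port = isset($old['smtp_port']) ? (int) $old['smtp_port'] : null;
        $new['smtp_host'] = rc16_host($old['smtp_server'], $port);
    }
    unset($new['smtp_server'], $new['smtp_port']);

    // 4. Managesieve: managesieve_port and managesieve_usetls fold into
    //    managesieve_host
    if (isset($old['managesieve_host'])) {
        $port = isset($old['managesieve_port']) ? (int) $old['managesieve_port'] : null;
        $tls  = !empty($old['managesieve_usetls']);
        $new['managesieve_host'] = rc16_host($old['managesieve_host'], $port, $tls);
    }
    unset($new['managesieve_port'], $new['managesieve_usetls']);

    return $new;
}

// Constructed sample of a 1.5 configuration.
$config = [
    'default_host'       => 'ssl://imap.example.org',
    'default_port'       => 993,
    'smtp_server'        => 'tls://smtp.example.org',
    'smtp_port'          => 587,
    'managesieve_host'   => 'localhost',
    'managesieve_port'   => 4190,
    'managesieve_usetls' => true,
];

var_export(rc16_migrate($config));
```

The migrated array carries imap_host, smtp_host and managesieve_host in the "scheme://host:port" form and no longer contains the removed keys, so it can be dropped into a 1.6 config.inc.php as-is.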
1.5.3 (2022-06-26)
* Enigma: Fix initial synchronization of private keys
* Enigma: Fix double quoted-printable encoding of pgp-signed messages with
no attachments (#8413)
* Fix various PHP8 warnings (#8392)
* Fix mail headers injection via the subject field on mail compose (#8404)
* Fix bug where small message/rfc822 parts could not be decoded (#8408)
* Fix setting HTML mode on reply/forward of a signed message (#8405)
* Fix handling of RFC2231-encoded attachment names inside of a
message/rfc822 part (#8418)
* Fix bug where some mail parts (images) could not have been listed as
attachments (#8425)
* Fix bug where attachment icons were stuck at the top of the messages list
in Safari (#8433)
* Fix handling of message/rfc822 parts that are small and are multipart
structures with a single part (#8458)
* Fix bug where session could time out if DB and PHP timezone were different
(#8303)
* Fix bug where DSN flag state wasn't stored with a draft (#8371)
* Fix broken encoding of HTML content encapsulated in a RTF attachment
(#8444)
* Fix problem with aria-hidden=true on toolbar menus in the Elastic
skin (#8517)
* Fix bug where title tag content was displayed in the body if it contained
HTML tags (#8540)
* Fix support for DSN specification without host e.g. pgsql:///dbname
(#8558)
1.5.0 (2021-10-17)
Quote from the release announcement:
We proudly announce the final release of the next major version 1.5 of
Roundcube webmail. With this milestone we introduce new features and full
PHP 8.0 support. The most noteworthy additions are:
- Dark mode for Elastic skin
- OAuth2/XOauth support (with plugin hooks)
- Collected recipients and trusted senders
- Moving recipients between inputs with drag & drop
- Full unicode support with MySQL database
- Support of IMAP LITERAL- extension RFC 7888
<https://datatracker.ietf.org/doc/html/rfc7888>
- Support of RFC 2231 <https://datatracker.ietf.org/doc/html/rfc2231>
encoded names
- Cache refactoring
This moves the configuration files for Roundcube plug-ins to $PKG_SYSCONFDIR,
where they should belong instead of $RC_DIR/$PLUGIN_DIR.
This works without any further patches, because Roundcube falls back to
RCUBE_CONFIG_DIR.'/'.$this->ID . '.inc.php' for plug-ins basically.
Bumps PKGREVISION for the plug-ins using ../../mail/roundcube/plugins.mk
(enigma, password, and zipdownload).
Tested on NetBSD/amd64.
OK taca@
Update roundcube-plugin-enigma to 1.4.2.
pkgsrc change:
* Use common patches/distinfo directory with roundcube.
RELEASE 1.4.2
-------------
- Enigma: Add script to import keys from filesystem to the db storage (for multihost)
RELEASE 1.4.1
-------------
- Enigma: Fix bug where signing option was set to disabled after saving a draft in Elastic skin (#6515)
RELEASE 1.4-rc2
---------------
- Added 'keyservers' option to define list of HKP servers for Enigma/Mailvelope (#6326)
- Enigma: For verified signatures, display the user id associated with the sender address (#5958)
- Enigma: Fix bug where revoked users/keys were not greyed out in key info
- Enigma: Fix error message when trying to encrypt with a revoked key (#6607)
- Enigma: Fix "decryption oracle" bug [CVE-2019-10740] (#6638)
- Enigma: Fix bug where signature verification could have been skipped for some message structures (#6838)
RELEASE 1.4-rc1
---------------
- Enigma: Update to OpenPGPjs 4.2.1 - fixes user name encoding issues in key generation (#6524)
- Enigma: Fixed multi-host synchronization of private and deleted keys and pubring.kbx file
- Elastic: Fix bug where Enigma options in mail compose could sometimes be ignored (#6515)
RELEASE 1.4-beta
----------------
- Enigma: Add button to send mail unencrypted if no key was found (#5913)
- Enigma: Add options to set PGP cipher/digest algorithms (#5645)
- Enigma: Multi-host support
RELEASE 1.3.10
--------------
- Enigma: Fix bug where revoked users/keys were not greyed out in key info
- Enigma: Fix error message when trying to encrypt with a revoked key (#6607)
- Enigma: Fix "decryption oracle" bug [CVE-2019-10740] (#6638)
Update roundcube and related packages to 1.3.9.
RELEASE 1.3.9
-------------
- Fix TinyMCE download location (#6694)
- Fix bug where a message/rfc822 part without a filename wasn't listed on the attachments list (#6494)
- Fix handling of empty entries in vCard import (#6564)
- Fix bug in parsing some IMAP command responses that include unsolicited replies (#6577)
- Fix PHP 7.2 compatibility in debug_logger plugin (#6586)
- Fix so ANY record is not used for email domain validation, use A, MX, CNAME, AAAA instead (#6581)
- Fix so mime_content_type check in Installer uses files that should always be available (i.e. from program/resources) (#6599)
- Fix missing CSRF token on a link to download too-big message part (#6621)
- Fix bug when aborting dragging with ESC key didn't stop the move action (#6623)
- Fix bug where next row wasn't selected after deleting a collapsed thread (#6655)
This is a security update to the stable version 1.2. It fixes a recently
reported vulnerability allowing IMAP command injection via GET parameters.
More details about this are published under CVE-2018-9846.
The second fix is about a missed remote content blocking on HTML messages with
specially crafted image and style tags.
We strongly recommend updating all production installations of Roundcube
1.2.x. Please do backup your data before updating!
CHANGELOG
* Fix check_request() bypass in places using get_uids() [CVE-2018-9846]
(#6238)
* Fix possible IMAP command injection vulnerability [CVE-2018-9846] (#6229)
* Fix security issue in remote content blocking on HTML image and style tags
(#6178)
Security fix for CVE-2017-16651.
RELEASE 1.2.7
-------------
- Fix rewind(): stream does not support seeking (#5950)
- Fix bug where HTML messages could have been rendered empty on some systems
(#5957)
- Fix (again) bug where image data URIs in css style were treated as
evil/remote in mail preview (#5580)
- Managesieve: Fix parsing dot-stuffed lines in multiline text (#5838, #5959)
- Fix file disclosure vulnerability caused by insufficient input validation
[CVE-2017-16651] (#6026)
pkgsrc changes:
* Add dependency on security/pear-Crypt_GPG.
Other changes:
* Add eu_EU and sq_AL locales.
RELEASE 1.2.3
* Enigma: Fix bug where last records on keys list were hidden (#5461)
* Enigma: Fix key search with keyword containing non-ascii characters (#5459)
official roundcube.
Enigma Plugin for Roundcube
This plugin adds support for viewing and sending signed and encrypted
messages in PGP (RFC 2440) and PGP/MIME (RFC 3156) format.
The plugin uses the gpg binary on the server and stores all keys
(including the users' private keys) on the server.
Encryption and decryption are done server-side, so this plugin
is only suitable for users who trust the server.