This is a service and security update to the stable version 1.4 of Roundcube Webmail.
It provides fixes for two recently discovered SQL injection and XSS vulnerabilities as well as some general improvements from our issue tracker. See the full changelog below.
Security fixes
- Fix XSS issue in handling attachment filename extension in mimetype mismatch warning
- Fix possible SQL injection via some session variables
This version is considered stable and we recommend updating all production installations of Roundcube with it. Please back up your data before updating!
CHANGELOG
- Enigma: Fix bug where signature verification could fail for non-ascii bodies (#7919)
- Fix bug where contacts search didn't work with addressbook_search_mods set to an empty array (#7974)
- Fix bug causing some HTML message content to be not centered in Elastic skin (#7911)
- Fix bug where consecutive LDAP searches could return wrong results (#8064)
- Fix bug where plus characters in attachment filename could have been ignored (#8074)
- Fix displaying HTML body with inline images encapsulated using TNEF format (winmail.dat)
- Fix handling of custom sender addresses with names (#8106)
- Fix shift + drag'n'drop menu not working in Elastic skin with Chrome browser (#8107)
- Fix Firefox infinite loading display on mail screen (#8128)
- Fix XSS issue in handling attachment filename extension in mimetype mismatch warning (#8193)
- Fix SQL injection via some session variables