This is the second service release to update the new stable version 1.5. It provides a number of small fixes and improvements to the OAuth feature as well as a security fix for a recently reported XSS vulnerability. See the full changelog below.
Security fix
- Cross-site scripting (XSS) via HTML messages with malicious CSS content
This version is considered stable and we recommend updating all production installations of Roundcube to it. Please back up your data before updating!
CHANGELOG
- OAuth: pass 'id_token' to 'oauth_login' plugin hook (#8214)
- OAuth: fix expiration of short-lived oauth tokens (#8147)
- OAuth: fix relative path to assets if /index.php/foo/bar url is used (#8144)
- OAuth: no auto-redirect on imap login failures (#8370)
- OAuth: refresh access token in 'refresh' plugin hook (#8224)
- Fix so folder search parameters are honored by subscriptions_option plugin (#8312)
- Fix password change with Directadmin driver (#8322, #8329)
- Fix so css files in plugins/jqueryui/themes will be minified too (#8337)
- Fix handling of unicode/special characters in custom From input (#8357)
- Fix some PHP8 compatibility issues (#8363)
- Fix chpass-wrapper.py helper compatibility with Python 3 (#8324)
- Fix scrolling and missing Close button in the Select image dialog in Elastic/mobile (#8367)
- Security: fix cross-site scripting (XSS) via HTML messages with malicious CSS content