This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:
- Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler, reported by y0us.
- Fix bug where a password could get changed without providing the old password, reported by flydragon777.
- Fix IMAP Injection + CSRF bypass in mail search, reported by Martila Security Research Team.
- Fix remote image blocking bypass via various SVG animate attributes, reported by nullcathedral.
- Fix remote image blocking bypass via a crafted body background attribute, reported by nullcathedral.
- Fix fixed position mitigation bypass via use of !important, reported by nullcathedral.
- Fix XSS issue in a HTML attachment preview, reported by aikido_security.
- Fix SSRF + Information Disclosure via stylesheet links to a local network hosts, reported by Georgios Tsimpidas (aka Frey), Security Researcher at https://i0.rs/.
This version is considered stable and we recommend to update all productive installations of Roundcube 1.6.x with it. Please do backup your data before updating!
CHANGELOG
- Fix Postgres connection using IPv6 address (#10104)
- Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
- Security: Fix bug where a password could get changed without providing the old password
- Security: Fix IMAP Injection + CSRF bypass in mail search
- Security: Fix remote image blocking bypass via various SVG animate attributes
- Security: Fix remote image blocking bypass via a crafted body background attribute
- Security: Fix fixed position mitigation bypass via use of !important
- Security: Fix XSS issue in a HTML attachment preview
- Security: Fix SSRF + Information Disclosure via stylesheet links to a local network hosts