This is the third release candidate for the next major version 1.7 of Roundcube webmail.
It fixes two security issues:
- Fix CSS injection vulnerability reported by CERT Polska.
- Fix remote image blocking bypass via SVG content reported by nullcathedral.
Additionally, it contains a few more fixes for several other issues.
- Support request_url config option for resolving relative URLs (#9868)
- Support X-Forwarded-Host/X-Forwarded-Port in self URLs generation (#9952)
- Support $HasAttachment/$HasNoAttachment keywords for "With attachment" search filter (#10053)
- OAuth: Fix bug where it was impossible to login again after logout (#10073)
- OAuth: Add oauth_auth_type option
- Managesieve: Fix handling of string-list format values for date tests in Out of Office (#10075)
- Password: Extend Dovecot passwdfile driver with dynamic file path support (#10036)
- Fix a UI issue on using browser Back button after allowing remote resources (#10062)
- Fix syntax error in DDL scripts for Postgres (#10070)
To view all details please see here: 1.7-rc2...1.7-rc3
We believe it is production ready, but we recommend testing it in a separate environment.
Migrate existing configs with either the installto.sh or the update.sh scripts.
And don't forget to back up your data before installing it!