github roundcube/roundcubemail 1.7-rc5
Roundcube Webmail 1.7 RC5
on GitHub

pre-release14 hours ago

This is hopefully the last release candidate for the next major version 1.7 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:

  • Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler, reported by y0us.
  • Fix bug where a password could get changed without providing the old password, reported by flydragon777.
  • Fix IMAP Injection + CSRF bypass in mail search, reported by Martila Security Research Team.
  • Fix remote image blocking bypass via various SVG animate attributes, reported by nullcathedral.
  • Fix remote image blocking bypass via a crafted body background attribute, reported by nullcathedral.
  • Fix fixed position mitigation bypass via use of !important, reported by nullcathedral.
  • Fix XSS issue in a HTML attachment preview, reported by aikido_security.
  • Fix SSRF + Information Disclosure via stylesheet links to a local network hosts, reported by Georgios Tsimpidas (aka Frey), Security Researcher at https://i0.rs/.

We believe it is production ready, but we recommend to test it on a separate environment.

Migrate existing configs with either the installto.sh or the update.sh scripts.

And don't forget to backup your data before installing it!

CHANGELOG

  • Password: Add nt-binary hashing method (#10096)
  • Fix URL matching for domain names with port numbers (#10105)
  • Fix PHP fatal error when using IMAP cache (#10102)
  • Fix Postgres connection using IPv6 address (#10104)
  • Fix bug where rel=stylesheet part of a <link> could get removed
  • Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
  • Security: Fix bug where a password could get changed without providing the old password
  • Security: Fix IMAP Injection + CSRF bypass in mail search
  • Security: Fix remote image blocking bypass via various SVG animate attributes
  • Security: Fix remote image blocking bypass via a crafted body background attribute
  • Security: Fix fixed position mitigation bypass via use of !important
  • Security: Fix XSS issue in a HTML attachment preview
  • Security: Fix SSRF + Information Disclosure via stylesheet links to a local network hosts
Check out latest releases or
releases around roundcube/roundcubemail 1.7-rc5

Don't miss a new roundcubemail release

NewReleases is sending notifications on new releases.

Get notifications