github roundcube/roundcubemail 1.7.1
Roundcube Webmail 1.7.1
on GitHub

6 hours ago

This is a security update to the stable version 1.7 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:

  • Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog, reported by zazy
  • Fix CSS injection bypass in HTML sanitizer via SVG <animate attributeName="style">, reported by wooseokdotkim
  • Fix pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass, reported by skull
  • Fix SSRF bypass via specific local address URLs
  • Fix local/private URL fetch bypass when remote resources were not allowed, reported by Orange Cyberdefense Vulnerability Disclosure Team
  • Fix bypass of remote image blocking via CSS var(), reported by Geame
  • Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass, reported by valent1
  • Fix code injection vulnerability - remove support for code evaluation in LDAP autovalues option, reported by Glendaenri

This version is considered stable and we recommend to update all productive installations of Roundcube 1.7.x with it. Please do backup your data before updating!

CHANGELOG

  • Enigma: Support automatic public key lookup (import) using HKP v1 protocol (#5314)
  • Managesieve: Fix error when a mail message contains duplicate List-Id header (#10186)
  • Clarified Elastic installation instructions (#10163)
  • Added HTMLFormElement.requestSubmit() polyfill for older browsers (#10179)
  • Fix so "has:attachment" search uses $HasAttachment/$HasNoAttachment keywords (#10168)
  • Fix potential too long value in IMAP ID command (#10136)
  • Fix redis/memcache disconnection in rcube::sleep() (#10127)
  • Fix so static resources, e.g. skin_logo can be put inside the public_html directory (#10160)
  • Fix so REQUEST_URI is used as a fallback if PATH_INFO is not set in static.php (#10181)
  • Fix assets_path feature and remove dependency on PATH_INFO (#10185)
  • Fix MySQL upgrade on MySQL < 8.0 and MariaDB < 10.5.3 (#10188)
  • Security: Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog
  • Security: Fix CSS injection bypass in HTML sanitizer via SVG <animate attributeName="style">
  • Security: Fix pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass
  • Security: Fix SSRF bypass via specific local address URLs
  • Security: Fix bypass of remote image blocking via CSS var()
  • Security: Fix local/private URL fetch bypass when remote resources were not allowed
  • Security: Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass
  • Security: Fix code injection vulnerability - remove support for code evaluation in LDAP autovalues option
Check out latest releases or
releases around roundcube/roundcubemail 1.7.1

Don't miss a new roundcubemail release

NewReleases is sending notifications on new releases.

Get notifications