This update for roundcubemail fixes the following issues:
Update to 1.6.7
This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides a fix to a recently reported XSS vulnerabilities:
- Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes.
Reported by Valentin T. and Lutz Wolf of CrowdStrike.
- Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences.
Reported by Huy Nguyễn Phạm Nhật.
- Fix command injection via crafted im_convert_path/im_identify_path on Windows.
Reported by Huy Nguyễn Phạm Nhật.
CHANGELOG
- Makefile: Use phpDocumentor v3.4 for the Framework docs (#9313)
- Fix bug where HTML entities in URLs were not decoded on HTML to plain text conversion (#9312)
- Fix bug in collapsing/expanding folders with some special characters in names (#9324)
- Fix PHP8 warnings (#9363, #9365, #9429)
- Fix missing field labels in CSV import, for some locales (#9393)
- Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes
- Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences
- Fix command injection via crafted im_convert_path/im_identify_path on Windows
Update to 1.6.6:
- Fix regression in handling LDAP search_fields configuration parameter (#9210)
- Enigma: Fix finding of a private key when decrypting a message using GnuPG v2.3
- Fix page jump menu flickering on click (#9196)
- Update to TinyMCE 5.10.9 security release (#9228)
- Fix PHP8 warnings (#9235, #9238, #9242, #9306)
- Fix saving other encryption settings besides enigma’s (#9240)
- Fix unneeded php command use in installto.sh and deluser.sh scripts (#9237)
- Fix TinyMCE localization installation (#9266)
- Fix bug where trailing non-ascii characters in email addresses
could have been removed in recipient input (#9257)
- Fix IMAP GETMETADATA command with options - RFC5464
Update to 1.6.5 (boo#1216895):
- Fix cross-site scripting (XSS) vulnerability in setting
Content-Type/Content-Disposition for attachment
preview/download CVE-2023-47272
Other changes:
- Fix PHP8 fatal error when parsing a malformed BODYSTRUCTURE (#9171)
- Fix duplicated Inbox folder on IMAP servers that do not use Inbox
folder with all capital letters (#9166)
- Fix PHP warnings (#9174)
- Fix UI issue when dealing with an invalid managesieve_default_headers
value (#9175)
- Fix bug where images attached to application/smil messages
weren’t displayed (#8870)
- Fix PHP string replacement error in utils/error.php (#9185)
- Fix regression where smtp_user did not allow pre/post strings
before/after %u placeholder (#9162)