This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides fixes to some regressions introduced in the previous release as well a recently reported security vulnerability:

• SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke, reported by class_nzm.

This version is considered stable and we recommend to update all productive installations of Roundcube 1.6.x with it. Please do backup your data before updating!

CHANGELOG

• Fix regression where mail search would fail on non-ascii search criteria (#10121)
• Fix regression where some data url images could get ignored/lost (#10128)
• Fix SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke

This is a security update to the stable version 1.5 of Roundcube Webmail.
It provides fixes to some regressions introduced in the previous release as well a recently reported security vulnerability:

• SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke, reported by class_nzm.

This version is considered stable and we recommend to update all productive installations of Roundcube 1.5.x with it. Please do backup your data before updating!

CHANGELOG

• Fix so distribution packages (and composer.json) don't include development dependencies
• Fix regression where mail search would fail on non-ascii search criteria (#10121)
• Fix regression where some data url images could get ignored/lost (#10128)
• Fix SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke

This is hopefully the last release candidate for the next major version 1.7 of Roundcube Webmail.
It provides a fix to recently reported security vulnerability:

• SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke, reported by class_nzm.

We believe it is production ready, but we recommend to test it on a separate environment.

Migrate existing configs with either the installto.sh or the update.sh scripts.

And don't forget to backup your data before installing it!

CHANGELOG

• Added support for arrays in smtp_user and smtp_pass config options (#10083)
• Added system health checker CLI script (#10106)
• Stricter recognition of an Ajax request (#10118)
• Password: Added Stalwart driver (#10114)
• Fix regression where some data url images could get ignored/lost (#10128)
• Fix SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke

This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:

• Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler, reported by y0us.
• Fix bug where a password could get changed without providing the old password, reported by flydragon777.
• Fix IMAP Injection + CSRF bypass in mail search, reported by Martila Security Research Team.
• Fix remote image blocking bypass via various SVG animate attributes, reported by nullcathedral.
• Fix remote image blocking bypass via a crafted body background attribute, reported by nullcathedral.
• Fix fixed position mitigation bypass via use of !important, reported by nullcathedral.
• Fix XSS issue in a HTML attachment preview, reported by aikido_security.
• Fix SSRF + Information Disclosure via stylesheet links to a local network hosts, reported by Georgios Tsimpidas (aka Frey), Security Researcher at https://i0.rs/.

This version is considered stable and we recommend to update all productive installations of Roundcube 1.6.x with it. Please do backup your data before updating!

CHANGELOG

• Fix Postgres connection using IPv6 address (#10104)
• Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
• Security: Fix bug where a password could get changed without providing the old password
• Security: Fix IMAP Injection + CSRF bypass in mail search
• Security: Fix remote image blocking bypass via various SVG animate attributes
• Security: Fix remote image blocking bypass via a crafted body background attribute
• Security: Fix fixed position mitigation bypass via use of !important
• Security: Fix XSS issue in a HTML attachment preview
• Security: Fix SSRF + Information Disclosure via stylesheet links to a local network hosts

This is a security update to the stable version 1.5 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:

• Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler, reported by y0us.
• Fix bug where a password could get changed without providing the old password, reported by flydragon777.
• Fix IMAP Injection + CSRF bypass in mail search, reported by Martila Security Research Team.
• Fix remote image blocking bypass via various SVG animate attributes, reported by nullcathedral.
• Fix remote image blocking bypass via a crafted body background attribute, reported by nullcathedral.
• Fix fixed position mitigation bypass via use of !important, reported by nullcathedral.
• Fix XSS issue in a HTML attachment preview, reported by aikido_security.

This version is considered stable and we recommend to update all productive installations of Roundcube 1.5.x with it, if you can't move to 1.6 yet. Please do backup your data before updating!

CHANGELOG

• Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
• Security: Fix bug where a password could get changed without providing the old password
• Security: Fix IMAP Injection + CSRF bypass in mail search
• Security: Fix remote image blocking bypass via various SVG animate attributes
• Security: Fix remote image blocking bypass via a crafted body background attribute
• Security: Fix fixed position mitigation bypass via use of !important
• Security: Fix XSS issue in a HTML attachment preview

This is hopefully the last release candidate for the next major version 1.7 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:

• Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler, reported by y0us.
• Fix bug where a password could get changed without providing the old password, reported by flydragon777.
• Fix IMAP Injection + CSRF bypass in mail search, reported by Martila Security Research Team.
• Fix remote image blocking bypass via various SVG animate attributes, reported by nullcathedral.
• Fix remote image blocking bypass via a crafted body background attribute, reported by nullcathedral.
• Fix fixed position mitigation bypass via use of !important, reported by nullcathedral.
• Fix XSS issue in a HTML attachment preview, reported by aikido_security.
• Fix SSRF + Information Disclosure via stylesheet links to a local network hosts, reported by Georgios Tsimpidas (aka Frey), Security Researcher at https://i0.rs/.

We believe it is production ready, but we recommend to test it on a separate environment.

Migrate existing configs with either the installto.sh or the update.sh scripts.

And don't forget to backup your data before installing it!

CHANGELOG

• Password: Add nt-binary hashing method (#10096)
• Fix URL matching for domain names with port numbers (#10105)
• Fix PHP fatal error when using IMAP cache (#10102)
• Fix Postgres connection using IPv6 address (#10104)
• Fix bug where rel=stylesheet part of a <link> could get removed
• Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
• Security: Fix bug where a password could get changed without providing the old password
• Security: Fix IMAP Injection + CSRF bypass in mail search
• Security: Fix remote image blocking bypass via various SVG animate attributes
• Security: Fix remote image blocking bypass via a crafted body background attribute
• Security: Fix fixed position mitigation bypass via use of !important
• Security: Fix XSS issue in a HTML attachment preview
• Security: Fix SSRF + Information Disclosure via stylesheet links to a local network hosts

This is the fourth release candidate for the next major version 1.7 of Roundcube webmail.

It release fixes two minor issues, and is mostly published to fix a file permission problem in the previous release v1.7-rc3.

The changes are:

• Ensure correct file permissions when building a release.
• Installer: Fix broken link to download the created configuration file (#10092)

The tarballs can be downloaded from roundcube.net/download.

Or directly from the release page at github.com.

We believe it is production ready, but we recommend to test it on a separate environment.

Migrate existing configs with either the installto.sh or the update.sh scripts.

And don't forget to backup your data before installing it!

This is the third release candidate for the next major version 1.7 of Roundcube webmail.

It fixes two security issues:

• Fix CSS injection vulnerability reported by CERT Polska.
• Fix remote image blocking bypass via SVG content reported by nullcathedral.

Additionally it contains a few more fixes for several other issues.

• Support request_url config option for resolving relative URLs (#9868)
• Support X-Forwarded-Host/X-Forwarded-Port in self URLs generation (#9952)
• Support $HasAttachment/$HasNoAttachment keywords for "With attachment" search filter (#10053)
• OAuth: Fix bug where it was impossible to login again after logout (#10073)
• OAuth: Add oauth_auth_type option
• Managesieve: Fix handling of string-list format values for date tests in Out of Office (#10075)
• Password: Extend Dovecot passwdfile driver with dynamic file path support (#10036)
• Fix a UI issue on using browser Back button after allowing remote resources (#10062)
• Fix syntax error in DDL scripts for Postgres (#10070)

To view all details please see here: 1.7-rc2...1.7-rc3

We believe it is production ready, but we recommend to test it on a separate environment.

Migrate existing configs with either the installto.sh or the update.sh scripts.

And don't forget to backup your data before installing it!

This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:

• Fix CSS injection vulnerability reported by CERT Polska.
• Fix remote image blocking bypass via SVG content reported by nullcathedral.

This version is considered stable and we recommend to update all productive installations of Roundcube 1.6.x with it. Please do backup your data before updating!

CHANGELOG

• Managesieve: Fix handling of string-list format values for date tests in Out of Office (#10075)
• Fix CSS injection vulnerability reported by CERT Polska.
• Fix remote image blocking bypass via SVG content reported by nullcathedral.

This is a security update to the LTS version 1.5 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:

• Fix CSS injection vulnerability reported by CERT Polska.
• Fix remote image blocking bypass via SVG content reported by nullcathedral.

This version is considered stable and we recommend to update all productive installations of Roundcube 1.5.x with it, if you can't move to 1.6 yet. Please do backup your data before updating!