roundcubemail

The Roundcube Webmail suite

GPL-3.0 License

Downloads
437
Stars
5.5K

roundcubemail - Roundcube Webmail 1.5.0

Published by thomascube almost 3 years ago

This is the stable release of the next major version of Roundcube webmail.
With this milestone we introduce new features and full PHP 8.0 support.
The most noteworthy additions are:

  • Dark mode for Elastic skin
  • OAuth2/XOauth support (with plugin hooks)
  • Collected recipients and trusted senders
  • Moving recipients between inputs with drag & drop
  • Full unicode support with MySQL database
  • Support of IMAP LITERAL- extension [RFC 7888]
  • Support of RFC 2231 encoded names
  • Cache refactoring

See the full changelog below.

We also disabled the spell checking feature using spell.roundcube.net by default because some privacy concerns were raised. It now needs to be enabled explicitly by setting the enable_spellcheck config option to true.

In case you're running Roundcube directly from source or if you're not using the complete package, you need to install 3rd party javascript modules using the bin/install-jsdeps.sh script. In the 1.5.x series the toolchain required to build a functional package has changed a bit:

  • bin/jsshrink.sh: replaced google-closure-compiler with UglifyJS
  • bin/cssshrink.sh: replaced yuicompressor with csso
  • Elastic theme: require lessc >= 2.5.2 (and add support for v4) with less-plugin-clean-css

This release is considered stable and we encourage you to update your productive installations after carefully testing the upgrade scenario.

With the release of Roundcube 1.5.0, the previous stable release branches 1.4.x and 1.3.x will change into LTS low maintenance mode which means they will only receive important security updates but no longer any regular improvement updates. The 1.2.x series is no longer supported and maintained.

CHANGELOG (since 1.5-rc)

  • Support displaying RTF content (including encapsulated HTML) from a TNEF attachment
  • Disable the default spellchecker option using spell.roundcube.net (#8182)
  • Newmail_notifier: Improved the notification sound (#8155)
  • Fix size of Mailvelope iframe for PGP-inlined mail, again (#8126)
  • Fix handling of group names with @ character in autocomplete and contacts widget (#8098)
  • Fix Firefox infinite loading display on mail screen (#8128)
  • Fix converting >1MB of HTML content into plain text (#8137)
  • Fix bug where expanding a group in the recipient input could corrupt the input content (#7569)
  • Fix fatal error/warning on invalid input to user parameter (#8152)
  • Fix changing password with dovecot_passwdfile driver (#8145)
  • Fix handling of headers that occur multiple times by show_additional_headers plugin (#8157)
  • Fix bug where vertical scrollbar in new HTML message bounced back on scroll (#8046)
  • Fix displaying inline images with incorrectly declared content-type (#8158)
  • Fix so addr-spec with missing closing angle bracket can be parsed (#8164)
  • Fix handling of spellcheck connection errors (#8172)
  • Fix a couple of PHP8 warnings (#8175, #8176)
  • Fix bug where "from my contacts" and "from trusted senders" values were mixed up (#8177)
  • Fix password/token length check on OAuth login (#8178)
  • Fix XSS issue in handling attachment filename extension in mimetype mismatch warning (#8193)
  • Fix SQL injection via some session variables
  • Fix handling of dark_mode_support:false setting in skins meta.json (#8186)
  • Fix security issues regarding server name and trusted_host_patterns setting

roundcubemail - Roundcube Webmail 1.5-rc

Published by thomascube over 3 years ago

This is the release candidate for the next major version 1.5 of Roundcube webmail.
Based on the feedback we received from the beta release and some new features from
the backlog, we have now finalized the development branch to prepare the final version.
See the changelog below for details.

Some noteworthy additions since 1.5-beta are

  • Support of XOAUTH2 in Managesieve plugin
  • Support of IMAP LITERAL- extension [RFC 7888]
  • Support of RFC 2231 encoded names
  • Plugin hooks for OAuth events

We believe it is production ready, but we recommend to test it on a separate environment.
And don't forget to backup your data before installing it.

CHANGELOG

  • Upgrade to TinyMCE 5.8.2
  • SMTP XCLIENT support (#7893, #6411)
  • Add IDN homograph attack (spoofing) detection [CVE-2019-15237] (#6891)
  • Add configuration options for subject prefixes (#7929, #4981)
  • Support IMAP LITERAL- extension [RFC 7888] (#6878)
  • Warn the user about a potential data leak on mail bounce or forward (#7993)
  • Make the Empty action available for every non-empty folder, not only Trash (#7948)
  • Remove (incorrect) use of Return-Receipt-To header (#8069)
  • Submit various simple dialog forms with the Enter key (#7133)
  • Add RFC2231 support to rcube_mime_decode (#7390)
  • Plugin API: Allow modification of 'error' argument in message_send_error hook (#7914)
  • OAuth: add plugin hooks oauth_login and oauth_refresh_token for oauth events (#8028, #8040)
  • Debug_logger: Fix the main plugin functionality and documentation (#8041)
  • Enigma: Fix bug where signature verification could fail for non-ascii bodies (#7919)
  • Enigma: Fix invalid expiration dates of PGP keys on a 32bit system (#7531)
  • Enigma: Display information that public and private keys are stored on the server (#7941)
  • Enigma: Optional support for passwordless keys (#7265)
  • Managesieve: Fix removing nested rules in scripts (#8011)
  • Managesieve: Support XOAUTH2, requires Net_Sieve 1.4.5 (#7925)
  • Managesieve: Added ability to remove 'redirect' option from UI (#7922)
  • New_user_dialog: Use the identity_update hook (#8023)
  • Password: Fix broken 'hmail' driver (#7966)
  • Password: Set password_minimum_length to 8 by default (#8003)
  • Vcard_attachments: Improve handling of multiple contacts (#7027)
  • Fix inserting a group from non-default source using the Insert contact(s) dialog (#8095)
  • Fix invalid search fields after search scope change (#6919)
  • Fix so "Always allow from..." button appears also when allow_images=3 (#7961)
  • Fix Elastic's pretty select scroll position in Chrome (#7964)
  • Fix bug where invalid non-unicode characters in JSON output could make the UI unresponsive (#7955)
  • Fix PHP 8 fatal error when allowing images in an email (#7968)
  • Fix so session expiration is more precise and does not depend on the garbage collector (#7576)
  • Fix bug where imap_conn_options settings were ignored (#7912)
  • Fix bug causing some HTML message content to be not centered in Elastic skin (#7911)
  • Fix bug when sending an email and recipient's email address contains a trailing dot (#7899)
  • Fix bug where the list page wasn't reset when changing a folder on mail view page (#7932)
  • Fix so selecting the same folder to reset search resets also the page number (#7125)
  • Fix login page rendering after oauth failure (#7812,#7923)
  • Fix bug where assigning users to groups via menu (not drag'n'drop) could fail in Elastic theme (#7973)
  • Fix HTML5 parser issue with a messy HTML code from Outlook (#7356)
  • Fix handling of multiple link references with the same index in plain text message (#8021)
  • Fix various actions on folders with angle brackets in name (#8037)
  • Fix inconsistent forwarding actions statuses on drafts (#8039)
  • Fix bug where start and reversed attributes of ol tag were ignored (#8059)
  • Fix bug where consecutive LDAP searches could return wrong results (#8064)
  • Fix bug where plus characters in attachment filename could have been ignored (#8074)
  • Fix displaying HTML body with inline images encapsulated using TNEF format (winmail.dat)
  • Fix handling of custom sender addresses with names (#8106)
  • Fix shift + drag'n'drop menu not working in Elastic skin with Chrome browser (#8107)

roundcubemail - Roundcube Webmail 1.5-beta

Published by thomascube over 3 years ago

This is a beta release for the next major version 1.5 of Roundcube webmail.
With this milestone we introduce new features and long-awaited improvements.
The most noteworthy additions are:

  • PHP 8.0 support
  • OAuth2/XOauth support
  • Dark mode for Elastic skin
  • Collected recipients and trusted senders
  • Moving recipients between inputs with drag & drop
  • Full unicode support with MySQL database
  • Cache refactoring

Adding support for PHP 8 required some deep refactoring of the Roundcube codebase which started with early PHP 5 versions. However, this refactoring also was a bit of a cleaning procedure and resulted in more testable components.

In case you're running Roundcube directly from source or if you're not using the complete package, you need to install 3rd party javascript modules using the bin/install-jsdeps.sh script. With this release the toolchain required to build a functional package has changed a bit:

  • bin/jsshrink.sh: replaced google-closure-compiler with UglifyJS
  • bin/cssshrink.sh: replaced yuicompressor with csso
  • Elastic theme: require lessc >= 2.5.2 (and add support for v4) with less-plugin-clean-css

This is a beta release and we recommend to test it on a separate environment.
And don't forget to backup your data before installing it.

CHANGELOG

  • Require PHP >= 5.5
  • Support PHP 8.0 (#7625)
  • Require php-intl
  • Remove use of Net_IDNA2 package
  • Require GuzzleHttp\Client
  • Upgrade to TinyMCE 5.5.1
  • Upgrade to jQuery 3.5.1 (#7464)
  • Update build tools (#7800, #7804, #7497):
    • jsshrink.sh: Replace google-closure-compiler with UglifyJS
    • cssshrink.sh: Replace yuicompressor with csso
    • require lessc >= 2.5.2 (and add support for v4) with less-plugin-clean-css for Less files compilation
  • Automatically collected recipients and trusted senders (#6904)
    • Added configurable Collected Recipients addressbook source (#4971)
    • Added configurable Trusted Senders addressbook source (#5046)
    • Added 'contact_exists' hook
    • Added separate "trusted senders" options for show_images and mdn_request preferences (#7614)
  • Contact form mode: private/business (#7630)
  • OAuth/XOauth support (#7425, #6933)
  • Cache refactoring (#6312)
  • Added special value 'email' to login_username_filter, it changes also logon input type (#7179)
  • Allow array in smtp_host config (#7296)
  • Support proxy for server-side HTTP requests (#7658)
  • By default do not set the User-Agent header (#7731)
  • Add possibility to (re-)define field mapping on contacts import from a CSV file (#7045, #6668)
  • Move "On request for return receipt" from "Mailbox View" to "Displaying Messages" (#7614)
  • Support RFC8438: IMAP STATUS=SIZE - for faster folder size calculation (#7269)
  • MySQL: Use utf8mb4 charset and utf8mb4_unicode_ci collation (#6535, #7113)
  • Allow NULL in users.preferences column in postgres and sqlite db, the same as for other engines (#7767)
  • Support for language codes up to 16 chars long (e.g. es-419) in database schema (#6851)
  • Relaxed domain name validation for extended TLDs support (#5588)
  • Allow opening application/octet-stream attachments according to filename extension (#6821)
  • Added support for INSERT OR REPLACE queries (#6771)
  • Allow skins to define which layout options they support (#7235)
  • Extract RFC2231 attachment name from message headers (#6729, #6783)
  • Add support for SameSite cookie attribute via session_samesite option (req PHP >= 7.3.0) (#6772)
  • Change folders sorting so shared/other users namespaces are listed last (#5012)
  • Display a warning and do not try to open empty attachments (#7332)
  • Return 204 rather than 404 on missing contact photo (#7777)
  • Add 'reconnect' plugin to retry IMAP connection (#7844)
  • Plugin API: Added 'message' argument to 'message_compose_body' hook
  • Plugin API: Added 'preferences' parameter to 'user_create' hook (#7692)
  • Elastic: Dark mode (#6709)
  • Elastic: Display email size on the list of messages (#7162)
  • Elastic: Replace properties sidebar with a dialog on the attachment preview page (#7635)
  • Elastic: Minimize forms/colors blink on page load
  • Elastic: Improve mail header "detailed mode" (#7224)
  • Elastic: Moving single recipients between recipient inputs with drag-n-drop (#5069)
  • Elastic: Display a special icon for other users and shared namespace roots (#5012)
  • Elastic: Support space-separated email addresses in recipient input (#6529, #6457)
  • Elastic: Remember list checkbox selection state (#7148)
  • Elastic: Add "Open in new window" in mail compose (#7260)
  • Elastic: Make custom less files optional (#7497)
  • Elastic: Prevent from opening mail preview in a new window on touch devices using double tap (#7732)
  • Templates: Add support for expressions in object attributes (#7237)
  • Templates: Add support for nested if conditions (#6818)
  • Templates: Make [space][slash] ending of condition objects optional (#6954)
  • Mailvelope: Fix size of iframe for PGP-inlined mail (#7348)
  • Mailvelope: Add config option to use Main Keyring (#7348, #7157)
  • Mailvelope: Add config option to set the size for new keys (#7348)
  • Mailvelope: Always ask before discarding email currently being composed (#7348)
  • Mailvelope: Fix unnecessary warning to re-add attachments when restoring a draft (#7348)
  • Archive: Added options to split archive by year or year+month and folder (#7216)
  • Enigma: Support ECC key generation - when using GnuPG >= 2.1.7 (#6853)
  • Managesieve: Add support for 'spamtest' extension - RFC3685 (#6950)
  • Managesieve: Allow display name with email address in vacation :from field (#6760)
  • Managesieve: Improve UX on custom header input (#7207)
  • Managesieve: Fix bug where activation of forward/vacation rule could activate a wrong script (#7423)
  • Managesieve: Fix bug where forward/vacation rule could end up being duplicated (#7349)
  • new_user_identity: Fix missing password for user-specific LDAP operations (#7667)
  • Password: Added 'pwned' password strength driver (#7274)
  • Password: Added Mail-in-a-Box (miab) driver (#7824)
  • Password: Added TinyCP driver (#7510)
  • Password: Added httpapi driver to connect to generic HTTP/HTTPS APIs (#7439)
  • Password: Added dovecot_passwdfile driver (#5786)
  • Password: Removed old 'cpanel' driver, 'cpanel_webmail' driver renamed to 'cpanel' (#7780)
  • Fix handling of address groups in email headers by ignoring their names (#7663)
  • Fix so message flags are updated on refresh also for multifolder search results (#7774)
  • Fix so IMAP ID command is sent only after authentication (#7517)
  • Fix bug where it wasn't possible to save Spanish (Latin America) locale preference (#7784)
  • Fix mail search error on invalid search_mods definition (#7789)
  • Fix error when dealing with message/rfc822 attachments using Gmail IMAP (#6854)
  • Fix ISO-2022-JP-MS encoding issues (#7091)
  • Fix so messages in threads with no root aren't displayed separately (#4999)
  • Fix so anchor tags without href attribute are not modified (#7413)
  • Fix invalid IMAP SEARCH command in some rare case on messages cache synchronization (#7895)
  • Fix so allowing remote resources does not add an entry to browser history (#6620)

roundcubemail - Roundcube Webmail 1.4.11

Published by thomascube over 3 years ago

This is a service and security update to the stable version 1.4 of Roundcube Webmail.
It provides a fix for a recently reported stored XSS vulnerability as well as some general improvements from our issue tracker. See the full changelog below.

Security fix

  • Fix cross-site scripting (XSS) via HTML messages with malicious CSS content

Credits for this finding go to Mateusz Szymaniec (CERT Polska).

This version is considered stable and we recommend to update all productive installations of Roundcube with it.
Please do backup your data before updating!

CHANGELOG

  • Display a nice error informing about no PHP8 support
  • Elastic: Fix compatibility with Less v3 and v4 (#7813)
  • Fix bug with managesieve_domains in Settings > Forwarding form (#7849)
  • Fix errors in MSSQL database update scripts (#7853)
  • Security: Fix cross-site scripting (XSS) via HTML messages with malicious CSS content

roundcubemail - Roundcube Webmail 1.4.10

Published by thomascube almost 4 years ago

This is a service and security update to the stable version 1.4 of Roundcube Webmail.
It contains a fix for a recently reported stored XSS vulnerability as well as a small number
of general improvements from our issue tracker. See the full changelog below.

Security fix

  • Stored cross-site scripting (XSS) via HTML or plain text messages with malicious content [CVE-2020-35730]

Credits for this finding go to Alex Birnberg.

This version is considered stable and we recommend to update all productive installations
of Roundcube with it. Please do backup your data before updating!

CHANGELOG

  • Fix extra angle brackets in In-Reply-To header derived from mailto: params (#7655)
  • Fix folder list issue when special folder is a subfolder (#7647)
  • Fix Elastic's folder subscription toggle in search result (#7653)
  • Fix state of subscription toggle on folders list after changing folder state from the search result (#7653)
  • Security: Fix cross-site scripting (XSS) via HTML or plain text messages with malicious content

roundcubemail - Roundcube Webmail 1.3.16

Published by thomascube almost 4 years ago

This is a security update to the LTS version 1.3.
It fixes a recently reported stored cross-site scripting (XSS)
vulnerability via HTML or plain text messages with malicious content [CVE-2020-35730].

Credits for this finding go to Alex Birnberg.

This version is considered stable and we strongly recommend to update all productive
installations of Roundcube 1.3.x with it. Please do backup your data before updating!

roundcubemail - Roundcube Webmail 1.2.13

Published by thomascube almost 4 years ago

This is a security update to the LTS version 1.2.
It fixes a recently reported stored cross-site scripting (XSS)
vulnerability via HTML or plain text messages with malicious content [CVE-2020-35730].

Credits for this finding go to Alex Birnberg.

We strongly recommend to update all productive installations of Roundcube 1.2.x
if you cannot upgrade to a more recent version. Please do backup your data before updating!

roundcubemail - Roundcube Webmail 1.4.9

Published by thomascube about 4 years ago

This is a service update to the stable version 1.4 of Roundcube Webmail.
It contains fixes and general improvements from our issue tracker, mainly related to email composition and UI oddities in Elastic skin and with the TinyMCE richtext editor. See the full changelog below.

This version is considered stable and we recommend to update all productive installations of Roundcube with it.
Please do backup your data before updating!

CHANGELOG

  • Fix HTML editor in latest Chrome 85.0.4183.102, update to TinyMCE 4.9.11 (#7615)
  • Add missing localization for some label/legend elements in userinfo plugin (#7478)
  • Fix importing birthday dates from Gmail vCards (BDAY:YYYYMMDD)
  • Fix restoring Cc/Bcc fields from local storage (#7554)
  • Fix jstz.min.js installation, bump version to 1.0.7
  • Fix incorrect PDO::lastInsertId() use in sqlsrv driver (#7564)
  • Fix link to closure compiler in bin/jsshrink.sh script (#7567)
  • Fix bug where some parts of a message could have been missing in a reply/forward body (#7568)
  • Fix empty space on mail printouts in Chrome (#7604)
  • Fix empty output from HTML5 parser when content contains XML tag (#7624)
  • Fix scroll jump on key press in plain text mode of the HTML editor (#7622)
  • Fix so autocompletion list does not hide on scroll inside it (#7592)

roundcubemail - Roundcube Webmail 1.4.8

Published by thomascube about 4 years ago

This is a service and security update to the stable version 1.4 of Roundcube Webmail.
It contains fixes for recently reported security vulnerabilities as well as a small number of general improvements from our issue tracker. See the full changelog below.

Security fixes

  • Fix potential XSS issue in HTML editor of the identity signature input
  • Fix cross-site scripting (XSS) via HTML messages with malicious svg content [CVE-2020-16145]
  • Fix cross-site scripting (XSS) via HTML messages with malicious math content

Credits for the latter two findings go to Łukasz Pilorz from Pentesters.

This version is considered stable and we recommend to update all productive installations of Roundcube with it.
Please do backup your data before updating!

CHANGELOG

  • Managesieve: Fix too-small input field in Elastic when using custom headers (#7498)
  • Fix support for an error as a string in message_before_send hook (#7475)
  • Elastic: Fix redundant scrollbar in plain text editor on mail reply (#7500)
  • Elastic: Fix deleted and replied+forwarded icons on messages list (#7503)
  • Managesieve: Allow angle brackets in out-of-office message body (#7518)
  • Fix bug in conversion of email addresses to mailto links in plain text messages (#7526)
  • Fix format=flowed formatting on plain text part derived from the HTML content (#7504)
  • Fix incorrect rewriting of internal links in HTML content (#7512)
  • Fix handling links without defined protocol (#7454)
  • Fix paging of search results on IMAP servers with no SORT capability (#7462)
  • Fix detecting special folders on servers with both SPECIAL-USE and LIST-STATUS (#7525)
  • Security: Fix potential XSS issue in HTML editor of the identity signature input (#7507)
  • Security: Fix cross-site scripting (XSS) via HTML messages with malicious svg content [CVE-2020-16145]
  • Security: Fix cross-site scripting (XSS) via HTML messages with malicious math content

roundcubemail - Roundcube Webmail 1.3.15

Published by thomascube about 4 years ago

This is a security update to the LTS version 1.3.
It fixes two recently reported cross-site scripting (XSS) vulnerabilities via HTML messages with malicious svg and math contents.

Credits for these findings go to Łukasz Pilorz from Pentesters.

This version is considered stable and we strongly recommend to update all productive installations of Roundcube 1.3.x with it.
Please do backup your data before updating!

roundcubemail - Roundcube Webmail 1.2.12

Published by thomascube about 4 years ago

This is a security update to the LTS version 1.2.
It fixes two recently reported cross-site scripting (XSS) vulnerabilities via HTML messages with malicious svg and math contents.

Credits for these findings go to Łukasz Pilorz from Pentesters.

We strongly recommend to update all productive installations of Roundcube 1.2.x if you cannot upgrade to a more recent version.
Please do backup your data before updating!

roundcubemail - Roundcube Webmail 1.4.7

Published by thomascube over 4 years ago

This is a service and security update to the stable version 1.4 of Roundcube Webmail.
It contains a fix for a recently reported security vulnerability as well as a small number of general improvements from our issue tracker. See the full changelog below.

Security fix

  • Prevent cross-site scripting (XSS) via HTML messages with malicious svg/namespace (CVE-2020-15562)

Credits for this finding go to SSD Secure Disclosure.

This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!

CHANGELOG

  • Fix bug where subfolders of special folders could have been duplicated on folder list
  • Increase maximum size of contact jobtitle and department fields to 128 characters
  • Fix missing newline after the logged line when writing to stdout (#7418)
  • Elastic: Fix context menu (paste) on the recipient input (#7431)
  • Fix problem with forwarding inline images attached to messages with no HTML part (#7414)
  • Fix problem with handling attached images with same name when using database_attachments/redundant_attachments (#7455)
  • Security: Fix cross-site scripting (XSS) via HTML messages with malicious svg/namespace

roundcubemail - Roundcube Webmail 1.3.14

Published by thomascube over 4 years ago

This is a security update to the LTS version 1.3.
It fixes a recently reported cross-site scripting (XSS) vulnerability via HTML messages with malicious svg/namespace (CVE-2020-15562).

Credits for this finding go to SSD Secure Disclosure.

This version is considered stable and we strongly recommend to update all productive
installations of Roundcube 1.3.x with it. Please do backup your data before updating!

roundcubemail - Roundcube Webmail 1.2.11

Published by thomascube over 4 years ago

This is a security update to the LTS version 1.2.
It fixes a recently reported cross-site scripting (XSS) vulnerability via HTML messages with malicious svg/namespace (CVE-2020-15562).

Credits for this finding go to SSD Secure Disclosure.

We strongly recommend to update all productive installations of Roundcube 1.2.x
if you cannot upgrade to a more recent version. Please do backup your data before updating!

roundcubemail - Roundcube Webmail 1.4.6

Published by thomascube over 4 years ago

This is a follow-up release to the recently published version 1.4.5 of Roundcube Webmail.

It contains a single fix for the installer's test step which was broken with the last release. The update is therefore only relevant for new installations which use the installer to set up Roundcube.

CHANGELOG

  • Installer: Fix regression in SMTP test section (#7417)

roundcubemail - Roundcube Webmail 1.3.13

Published by thomascube over 4 years ago

This is a follow-up release to the recently published version 1.3.12 of Roundcube Webmail.

It contains a single fix for the installer's test step which was broken with the last release. The update is therefore only relevant for new installations which use the installer to set up Roundcube.

CHANGELOG

  • Installer: Fix regression in SMTP test section (#7417)

roundcubemail - Roundcube Webmail 1.4.5

Published by thomascube over 4 years ago

This is a service and security update to the stable version 1.4 of Roundcube Webmail.
It contains fixes for recently reported security vulnerabilities as well as a number
of general improvements from our issue tracker. See the full changelog below.

Security fixes

  • Fix XSS issue in template object 'username' (#7406)
  • Fix cross-site scripting (XSS) via malicious XML attachment
  • Fix a couple of XSS issues in Installer (#7406)
  • Better fix for CVE-2020-12641

The latter two vulnerabilities again are related to public access to the Roundcube installer
and are therefore classified minor.

This version is considered stable and we recommend to update all productive installations
of Roundcube with it. Please do backup your data before updating!

CHANGELOG

  • Fix bug in extracting required plugins from composer.json that led to spurious error in log (#7364)
  • Fix so the database setup description is compatible with MySQL 8 (#7340)
  • Markasjunk: Fix regression in jsevent driver (#7361)
  • Fix missing flag indication on collapsed thread in Larry and Elastic (#7366)
  • Fix default keyservers (use keys.openpgp.org), add note about CORS (#7373, #7367)
  • Password: Fix issue with Modoboa driver (#7372)
  • Mailvelope: Use sender's address to find pubkeys to check signatures (#7348)
  • Mailvelope: Fix Encrypt button hidden in Elastic (#7353)
  • Fix PHP warning: count(): Parameter must be an array or an object... in ID command handler (#7392)
  • Fix error when user-configured skin does not exist anymore (#7271)
  • Elastic: Fix aspect ratio of a contact photo in mail preview (#7339)
  • Fix bug where PDF attachments marked as inline could have not been attached on mail forward (#7382)
  • Security: Fix a couple of XSS issues in Installer (#7406)
  • Security: Fix XSS issue in template object 'username' (#7406)
  • Security: Fix cross-site scripting (XSS) via malicious XML attachment
  • Security: Better fix for CVE-2020-12641

roundcubemail - Roundcube Webmail 1.3.12

Published by thomascube over 4 years ago

This is a service and security update to the LTS version 1.3 of Roundcube Webmail.
It contains four fixes for recently reported security vulnerabilities as well as a
small number of general improvements backported from the latest stable version.
See the full changelog below.

Security fixes

  • Fix XSS issue in template object 'username' (#7406)
  • Fix cross-site scripting (XSS) via malicious XML attachment
  • Fix a couple of XSS issues in Installer (#7406)
  • Better fix for CVE-2020-12641

The latter two vulnerabilities again are related to public access to the Roundcube installer
and are therefore classified minor.

This version is considered stable and we recommend to update all productive installations
of Roundcube 1.3.x with it. Please do backup your data before updating!

CHANGELOG

  • Security: Better fix for CVE-2020-12641
  • Security: Fix XSS issue in template object 'username' (#7406)
  • Security: Fix couple of XSS issues in Installer (#7406)
  • Security: Fix cross-site scripting (XSS) via malicious XML attachment

roundcubemail - Roundcube Webmail 1.4.4

Published by thomascube over 4 years ago

This is a service and security update to the stable version 1.4 of Roundcube Webmail.
It contains four fixes for recently reported security vulnerabilities as well as a number
of general improvements from our issue tracker. See the full changelog below.

Security fixes

  • Cross-Site Scripting (XSS) via malicious HTML content
  • CSRF attack can cause an authenticated user to be logged out
  • Remote code execution via crafted config options
  • Path traversal vulnerability allowing local file inclusion via crafted 'plugins' option

The latter two vulnerabilities are classified minor because they only affect Roundcube installations
with public access to the Roundcube installer. That's generally a high-risk situation and is expected
to be rare or practically non-existent in productive Roundcube deployments. However, the fixes are done
in core in order to also protect against future and yet unknown attack vectors.

This version is considered stable and we recommend to update all productive installations
of Roundcube with it. Please do backup your data before updating!

CHANGELOG

  • Fix bug where attachments with Content-Id were attached to the message on reply (#7122)
  • Fix identity selection on reply when both sender and recipient addresses are included in identities (#7211)
  • Elastic: Fix text selection with Shift+PageUp and Shift+PageDown in plain text editor when using Chrome (#7230)
  • Elastic: Fix recipient input bug when using click to select a contact from autocomplete list (#7231)
  • Elastic: Fix color of a folder with recent messages (#7281)
  • Elastic: Restrict logo size in print view (#7275)
  • Fix invalid Content-Type for messages with only html part and inline images - Mail_Mime-1.10.7 (#7261)
  • Fix missing contact display name in QR Code data (#7257)
  • Fix so button label in Select image/media dialogs is "Close" not "Cancel" (#7246)
  • Fix regression in testing database schema on MSSQL (#7227)
  • Fix cursor position after inserting a group to a recipient input using autocompletion (#7267)
  • Fix string literals handling in IMAP STATUS (and various other) responses (#7290)
  • Fix bug where multiple images in a message were replaced by the first one on forward/reply/edit (#7293)
  • Fix handling keyservers configured with protocol prefix (#7295)
  • Markasjunk: Fix marking as spam/ham on moving messages with Move menu (#7189)
  • Markasjunk: Fix bug where moving to Junk was failing on messages selected with Select > All (#7206)
  • Fix so imap error message is displayed to the user on folder create/update (#7245)
  • Fix bug where a special folder couldn't be created if a special-use flag is not supported (#7147)
  • Mailvelope: Fix bug where recipients with name were not handled properly in mail compose (#7312)
  • Fix characters encoding in group rename input after group creation/rename (#7330)
  • Fix bug where some message/rfc822 parts could not be attached on forward (#7323)
  • Make install-jsdeps.sh script work without the file program installed (#7325)
  • Fix performance issue of parsing big HTML messages by disabling HTML5 parser for these (#7331)
  • Fix so Print button for PDF attachments works on Firefox >= 75 (#5125)
  • Security: Fix XSS issue in handling of CDATA in HTML messages
  • Security: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings
  • Security: Fix local file inclusion (and code execution) via crafted 'plugins' option
  • Security: Fix CSRF bypass that could be used to log out an authenticated user (#7302)

roundcubemail - [Security Update] Roundcube Webmail 1.3.11

Published by thomascube over 4 years ago

This is a service and security update to the LTS version 1.3 of Roundcube Webmail.
It contains four fixes for recently reported security vulnerabilities as well as a
small number of general improvements backported from the latest stable version.
See the full changelog below.

Security fixes

  • Cross-Site Scripting (XSS) via malicious HTML content
  • CSRF attack can cause an authenticated user to be logged out
  • Remote code execution via crafted config options
  • Path traversal vulnerability allowing local file inclusion via crafted 'plugins' option

The latter two vulnerabilities are classified minor because they only affect Roundcube installations
with public access to the Roundcube installer. That's generally a high-risk situation and is expected
to be rare or practically non-existent in productive Roundcube deployments. However, the fixes are done
in core in order to also protect against future and yet unknown attack vectors.

This version is considered stable and we recommend to update all productive installations
of Roundcube 1.3.x with it. Please do backup your data before updating!

CHANGELOG

  • Enigma: Fix compatibility with Mail_Mime >= 1.10.5
  • Fix permissions on some folders created by bin/install-jsdeps.sh script (#6930)
  • Fix bug where inline images could have been ignored if Content-Id header contained redundant spaces (#6980)
  • Fix PHP Warning: Use of undefined constant LOG_EMERGE (#6991)
  • Fix PHP warning: "array_merge(): Expected parameter 2 to be an array, null given" in sendmail.inc (#7003)
  • Security: Fix XSS issue in handling of CDATA in HTML messages
  • Security: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings
  • Security: Fix local file inclusion (and code execution) via crafted 'plugins' option
  • Security: Fix CSRF bypass that could be used to log out an authenticated user (#7302)