The Roundcube Webmail suite
GPL-3.0 License
Published by thomascube almost 3 years ago
This is the stable release of the next major version of Roundcube webmail.
With this milestone we introduce new features and full PHP 8.0 support.
The most noteworthy additions are:
See the full changelog below.
We also disabled the spell checking feature using spell.roundcube.net by default because some privacy concerns were raised. It now needs to be enabled explicitly by setting the enable_spellcheck config option to true.
In case you're running Roundcube directly from source or if you're not using the complete package, you need to install 3rd party javascript modules using the bin/install-jsdeps.sh script. In the 1.5.x series the toolchain required to build a functional package has changed a bit:
bin/jsshrink.sh: replaced google-closure-compiler with UglifyJS
bin/cssshrink.sh: replaced yuicompressor with csso
lessc >= 2.5.2 (and add support for v4) with less-plugin-clean-css
This release is considered stable and we encourage you to update your productive installations after carefully testing the upgrade scenario.
With the release of Roundcube 1.5.0, the previous stable release branches 1.4.x and 1.3.x will change into LTS low maintenance mode which means they will only receive important security updates but no longer any regular improvement updates. The 1.2.x series is no longer supported and maintained.
Published by thomascube over 3 years ago
This is the release candidate for the next major version 1.5 of Roundcube webmail.
Based on the feedback we received from the beta release and some new features from
the backlog, we have now finalized the development branch to prepare the final version.
See the changelog below for details.
Some noteworthy additions since 1.5-beta are
We believe it is production ready, but we recommend to test it on a separate environment.
And don't forget to backup your data before installing it.
rcube_mime_decode (#7390)
message_send_error hook (#7914)
oauth_login and oauth_refresh_token for oauth events (#8028, #8040)
identity_update hook (#8023)
password_minimum_length to 8 by default (#8003)
start and reversed attributes of ol tag were ignored (#8059)
Published by thomascube over 3 years ago
This is a beta release for the next major version 1.5 of Roundcube webmail.
With this milestone we introduce new features and long-awaited improvements.
The most noteworthy additions are:
Adding support for PHP 8 required some deep refactoring of the Roundcube codebase which started with early PHP 5 versions. However, this refactoring also was a bit of a cleaning procedure and resulted in more testable components.
In case you're running Roundcube directly from source or if you're not using the complete package, you need to install 3rd party javascript modules using the bin/install-jsdeps.sh script. With this release the toolchain required to build a functional package has changed a bit:
bin/jsshrink.sh: replaced google-closure-compiler with UglifyJS
bin/cssshrink.sh: replaced yuicompressor with csso
lessc >= 2.5.2 (and add support for v4) with less-plugin-clean-css
This is a beta release and we recommend to test it on a separate environment.
And don't forget to backup your data before installing it.
Published by thomascube over 3 years ago
This is a service and security update to the stable version 1.4 of Roundcube Webmail.
It provides a fix for a recently reported stored XSS vulnerability as well as some general improvements from our issue tracker. See the full changelog below.
Credits for this finding go to Mateusz Szymaniec (CERT Polska).
This version is considered stable and we recommend to update all productive installations of Roundcube with it.
Please do backup your data before updating!
Published by thomascube almost 4 years ago
This is a service and security update to the stable version 1.4 of Roundcube Webmail.
It contains a fix for a recently reported stored XSS vulnerability as well as a small number
of general improvements from our issue tracker. See the full changelog below.
[CVE-2020-35730]
Credits for this finding go to Alex Birnberg.
This version is considered stable and we recommend to update all productive installations
of Roundcube with it. Please do backup your data before updating!
Published by thomascube almost 4 years ago
This is a security update to the LTS version 1.3.
It fixes a recently reported stored cross-site scripting (XSS)
vulnerability via HTML or plain text messages with malicious content [CVE-2020-35730].
Credits for this finding go to Alex Birnberg.
This version is considered stable and we strongly recommend to update all productive
installations of Roundcube 1.3.x with it. Please do backup your data before updating!
Published by thomascube almost 4 years ago
This is a security update to the LTS version 1.2.
It fixes a recently reported stored cross-site scripting (XSS)
vulnerability via HTML or plain text messages with malicious content [CVE-2020-35730].
Credits for this finding go to Alex Birnberg.
We strongly recommend to update all productive installations of Roundcube 1.2.x
if you cannot upgrade to a more recent version. Please do backup your data before updating!
Published by thomascube about 4 years ago
This is a service update to the stable version 1.4 of Roundcube Webmail.
It contains fixes and general improvements from our issue tracker, mainly related to email composition and UI oddities in Elastic skin and with the TinyMCE richtext editor. See the full changelog below.
This version is considered stable and we recommend to update all productive installations of Roundcube with it.
Please do backup your data before updating!
jstz.min.js installation, bump version to 1.0.7
PDO::lastInsertId() use in sqlsrv driver (#7564)
bin/jsshrink.sh script (#7567)
Published by thomascube about 4 years ago
This is a service and security update to the stable version 1.4 of Roundcube Webmail.
It contains fixes for recently reported security vulnerabilities as well as a small number of general improvements from our issue tracker. See the full changelog below.
Credits for the latter two findings go to Łukasz Pilorz from Pentesters.
This version is considered stable and we recommend to update all productive installations of Roundcube with it.
Please do backup your data before updating!
format=flowed formatting on plain text part derived from the HTML content (#7504)
[CVE-2020-16145]
Published by thomascube about 4 years ago
This is a security update to the LTS version 1.3.
It fixes two recently reported cross-site scripting (XSS) vulnerabilities via HTML messages with malicious svg and math contents.
Credits for these findings go to Łukasz Pilorz from Pentesters.
This version is considered stable and we strongly recommend to update all productive installations of Roundcube 1.3.x with it.
Please do backup your data before updating!
Published by thomascube about 4 years ago
This is a security update to the LTS version 1.2.
It fixes two recently reported cross-site scripting (XSS) vulnerabilities via HTML messages with malicious svg and math contents.
Credits for these findings go to Łukasz Pilorz from Pentesters.
We strongly recommend to update all productive installations of Roundcube 1.2.x if you cannot upgrade to a more recent version.
Please do backup your data before updating!
Published by thomascube over 4 years ago
This is a service and security update to the stable version 1.4 of Roundcube Webmail.
It contains a fix for a recently reported security vulnerability as well as a small number of general improvements from our issue tracker. See the full changelog below.
Prevent cross-site scripting (XSS) via HTML messages with malicious svg/namespace (CVE-2020-15562)
Credits for this finding go to SSD Secure Disclosure.
This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!
Published by thomascube over 4 years ago
This is a security update to the LTS version 1.3.
It fixes a recently reported cross-site scripting (XSS) vulnerability via HTML messages with malicious svg/namespace (CVE-2020-15562).
Credits for this finding go to SSD Secure Disclosure.
This version is considered stable and we strongly recommend to update all productive
installations of Roundcube 1.3.x with it. Please do backup your data before updating!
Published by thomascube over 4 years ago
This is a security update to the LTS version 1.2.
It fixes a recently reported cross-site scripting (XSS) vulnerability via HTML messages with malicious svg/namespace (CVE-2020-15562).
Credits for this finding go to SSD Secure Disclosure.
We strongly recommend to update all productive installations of Roundcube 1.2.x
if you cannot upgrade to a more recent version. Please do backup your data before updating!
Published by thomascube over 4 years ago
This is a follow-up release to the recently published version 1.4.5 of Roundcube Webmail.
It contains a single fix for the installer's test step which was broken with the last release. The update is therefore only relevant for new installations which use the installer to set up Roundcube.
Published by thomascube over 4 years ago
This is a follow-up release to the recently published version 1.3.12 of Roundcube Webmail.
It contains a single fix for the installer's test step which was broken with the last release. The update is therefore only relevant for new installations which use the installer to set up Roundcube.
Published by thomascube over 4 years ago
This is a service and security update to the stable version 1.4 of Roundcube Webmail.
It contains fixes for recently reported security vulnerabilities as well as a number
of general improvements from our issue tracker. See the full changelog below.
CVE-2020-12641
The latter two vulnerabilities again are related to public access to the Roundcube installer
and are therefore classified minor.
This version is considered stable and we recommend to update all productive installations
of Roundcube with it. Please do backup your data before updating!
composer.json that led to spurious error in log (#7364)
keys.openpgp.org), add note about CORS (#7373, #7367)
CVE-2020-12641
Published by thomascube over 4 years ago
This is a service and security update to the LTS version 1.3 of Roundcube Webmail.
It contains four fixes for recently reported security vulnerabilities as well as a
small number of general improvements backported from the latest stable version.
See the full changelog below.
CVE-2020-12641
The latter two vulnerabilities again are related to public access to the Roundcube installer
and are therefore classified minor.
This version is considered stable and we recommend to update all productive installations
of Roundcube 1.3.x with it. Please do backup your data before updating!
Published by thomascube over 4 years ago
This is a service and security update to the stable version 1.4 of Roundcube Webmail.
It contains four fixes for recently reported security vulnerabilities as well as a number
of general improvements from our issue tracker. See the full changelog below.
The latter two vulnerabilities are classified minor because they only affect Roundcube installations
with public access to the Roundcube installer. That's generally a high-risk situation and is expected
to be rare or practically non-existent in productive Roundcube deployments. However, the fixes are done
in core in order to also protect against future and as yet unknown attack vectors.
This version is considered stable and we recommend to update all productive installations
of Roundcube with it. Please do backup your data before updating!
Content-Id were attached to the message on reply (#7122)
Content-Type for messages with only html part and inline images - Mail_Mime-1.10.7 (#7261)
STATUS (and various other) responses (#7290)
special-use flag is not supported (#7147)
message/rfc822 parts could not be attached on forward (#7323)
install-jsdeps.sh script working without the file program installed (#7325)
Published by thomascube over 4 years ago
This is a service and security update to the LTS version 1.3 of Roundcube Webmail.
It contains four fixes for recently reported security vulnerabilities as well as a
small number of general improvements backported from the latest stable version.
See the full changelog below.
The latter two vulnerabilities are classified minor because they only affect Roundcube installations
with public access to the Roundcube installer. That's generally a high-risk situation and is expected
to be rare or practically non-existent in productive Roundcube deployments. However, the fixes are done
in core in order to also protect against future and as yet unknown attack vectors.
This version is considered stable and we recommend to update all productive installations
of Roundcube 1.3.x with it. Please do backup your data before updating!
Mail_Mime >= 1.10.5
bin/install-jsdeps.sh script (#6930)
Content-Id header contained redundant spaces (#6980)
LOG_EMERGE (#6991)