The Roundcube Webmail suite
GPL-3.0 License
Published by thomascube over 4 years ago
This is a security update to the LTS version 1.2.
It fixes four recently reported security vulnerabilities:
The latter two vulnerabilities are classified minor because they only affect Roundcube installations
with public access to the Roundcube installer. That's generally a high-risk situation and is expected
to be rare or practically non-existent in productive Roundcube deployments. However, the fixes are done
in core in order to also protect against future and as yet unknown attack vectors.
We strongly recommend updating all productive installations of Roundcube 1.2.x
if you cannot upgrade to a more recent version. Please do back up your data before updating!
Published by thomascube over 4 years ago
This is the third service release to update the stable version 1.4 of Roundcube Webmail.
It contains general fixes and improvements to the new Elastic theme as well as some
core plugins like Enigma, Managesieve and Markasjunk. See the full changelog below.
This version is considered stable and we recommend updating all productive installations
of Roundcube with it. Please do back up your data before updating!
chpass-wrapper.py Python 3 compatible (#7135)
unix:///path/to/socket.file in memcached driver (#7210)
Published by thomascube almost 5 years ago
This is the second service release to update the stable version 1.4 of Roundcube Webmail. It contains fixes and improvements reported since the release of version 1.4.0. See the full changelog below.
This version is considered stable and we recommend updating all productive installations
of Roundcube with it. Please do back up your data before updating!
install-jsdeps.sh removes Bootstrap's sourceMappingURL (#7035)
X-Forwarded-For addresses with 'proxy_whitelist' (#7107)
Published by thomascube almost 5 years ago
This is the first service release to update the new stable version 1.4.
With the recent release of Roundcube Webmail 1.4.0 we failed to mention a few breaking changes since the last stable version 1.3. We apologize for this and are now clarifying and correcting these:
(since 1.3.x)
smtp_* config options:
Upon many requests and in order to get closer to the default setup of most SMTP servers, we changed the defaults as follows:
// SMTP port (default is 587)
$config['smtp_port'] = 587;
// SMTP username (if required). %u will use the current username for login
$config['smtp_user'] = '%u';
// SMTP password (if required). %p will use the current user's password for login
$config['smtp_pass'] = '%p';
password_charset to UTF-8:
Because of many complaints, we decided to choose a more sane default that covers most setups and configurations.
The new behavior, in which Roundcube 1.4 returns a 401 status code if the client is not authenticated, apparently was very unexpected and led to monitoring problems. Despite not having mentioned that change in the release notes, we have now partly reverted it so that 401 is only returned on login failures but not on the first request to Roundcube, which by definition is unauthorized.
Besides these three major concerns we heard from your much appreciated feedback, we fixed a number of nasty bugs that sneaked into the 1.4.0 release. See the complete changelog below.
TRUNCATE TABLE <name> and UNIQUE <name> (#7013)
Published by thomascube almost 5 years ago
This is the long awaited stable release 1.4 of Roundcube webmail.
After more than two years of hard work by Alec and other volunteer contributors, Roundcube finally gets the responsive skin with full mobile device support - the Elastic.
In addition to the new UI we introduce these new features:
Plus numerous improvements and bug fixes collected from your precious feedback as well as updates to recent versions of 3rd party libraries like jQuery and TinyMCE. See the full changelog below.
The new Elastic theme, which is the new default skin, is built with LESS and of course the sources are included. They allow a certain degree of customization by adjusting some colors and variables using the _styles.less and _variables.less files. Please consider customizing your Roundcube installation in order to make phishing harder. You'll find guidance in the README.md file inside the skin folder.
This release is considered stable and we encourage you to update your productive installations after carefully testing the upgrade scenario and preparing your users for the significant changes in their webmail UI. Download it from roundcube.net.
With the release of Roundcube 1.4.0, the previous stable release branches 1.3.x and 1.2.x will change into LTS low maintenance mode which means they will only receive important security updates but no longer any regular improvement updates. The 1.1.x series is no longer supported and maintained.
display_next setting (#6795):
Published by thomascube about 5 years ago
This is the long awaited second release candidate for the next major version 1.4 of Roundcube webmail. Many fixes, improvements and final touches have gone into this since the first release candidate was published.
We strongly encourage everybody to customize the Elastic skin using the _styles.less and _variables.less files to blend into your corporate design. You'll find guidance for customization in the README.md file inside the skin folder.
Rolling out a new and significantly different user interface should be carefully planned and we recommend preparing your users for the change. Therefore the Elastic theme is not set to be the default theme. Adjust your config in order to enable it by default or let your users switch themselves in the user settings.
Please note that the Classic skin will no longer be maintained and will be completely removed in future releases. Within the 1.4 release series, the Classic skin remains part of the package but it will not receive new features that were added to the Larry or Elastic themes.
This is still a preview release and we recommend testing it in a separate environment.
And don't forget to back up your data before installing it.
display_next setting (#6795):
Published by thomascube about 5 years ago
This is a service release to update the stable version 1.3 of Roundcube Webmail.
It contains fixes to several bugs backported from the master branch including minor security fixes around CSS and HTML cleanup. See the complete changelog below.
This version is considered stable and we recommend updating all productive installations of Roundcube with it. Please do back up your data before updating!
rcube_utils::parse_hosts() where %t, %d, %z could return only tld (#6746)
position:fixed CSS check in received messages (#6898)
url() style were unintentionally blocked (#6899)
:root pseudo-class (#6897)
href URI check with data:application/xhtml+xml URIs (#6896)
Published by alecpl over 5 years ago
This is a service release to update the stable version 1.3 of Roundcube Webmail. It contains fixes to several bugs backported from the master branch. See the complete changelog below.
This version is considered stable and we recommend updating all productive installations
of Roundcube with it. Please do back up your data before updating!
Published by thomascube over 5 years ago
This is a first release candidate for the next major version 1.4 of Roundcube webmail which has now been in development for quite a while. Although the new responsive Elastic skin is now functional and feature complete, it still lacks the final brush-up to make it shine. We have now finally found a volunteer to work on this and once completed, a second release candidate will follow.
For now you’re all invited to give the new 1.4 version another test run. Besides the responsive theme it comes with lots of new features and improvements since the beta release. Check the Changelog below for a complete list of changes.
Please also try customizing the Elastic skin using the _styles.less and _variables.less files and let us know what’s missing. You'll find guidance in the README.md file inside the skin folder.
Because we don’t yet consider the Elastic theme fully complete, it’s not set to be the default theme. Adjust your config in order to enable it with
$config['skin'] = 'elastic';
This is a beta release and we recommend testing it in a separate environment.
And don't forget to back up your data before installing it.
Published by thomascube almost 6 years ago
This is a service release to update the stable version 1.3 of Roundcube Webmail.
It contains fixes to several bugs backported from the master branch including a security fix for a reported XSS vulnerability plus updates to ensure compatibility with PHP 7.3 and recent versions of Courier-IMAP, Dovecot and MySQL 8. See the complete changelog below.
show_real_foldernames setting wasn't respected (#6422)
x_frame_options config option (#6449)
Published by thomascube about 6 years ago
This is a beta release of the next major version 1.4 of Roundcube webmail.
With this milestone we introduce some new features:
Because the new responsive skin is not yet fully completed, it's not enabled
by default. In order to make it the default for your users, change your
config.inc.php accordingly:
$config['skin'] = 'elastic';
Although it still needs some polishing, the new skin solves the urgent need
to enable access to Roundcube for mobile devices. The plugin elastic4mobile
makes it the default for mobile devices while keeping the configured default
for desktop browsers.
The Elastic skin is built with LESS and of course the sources are included.
They allow a certain degree of customization by adjusting some color variables.
All you need is to compile your very own customized skin with lessc.
In case you're running Roundcube directly from source or if you're not using
the complete package, you need to install 3rd party JavaScript modules
by executing the following install script:
$ bin/install-jsdeps.sh
This is a beta release and we recommend testing it in a separate environment.
And don't forget to back up your data before installing it.
Published by thomascube about 6 years ago
This is a service release to update the stable version 1.3 of Roundcube Webmail. It contains fixes to several bugs backported from the master branch including a security fix mitigating the EFAIL issue recently discovered in OpenPGP. See the complete changelog below.
This version is considered stable and we recommend updating all productive installations
of Roundcube with it. Please do back up your data before updating!
Published by thomascube over 6 years ago
This is a follow-up to the recent security update for the stable version 1.2. It fixes a regression that sneaked in with the IMAP command injection protection which unintentionally disabled actions that operate on all selected messages (e.g. mark all as junk).
We recommend updating all productive installations of Roundcube 1.2.8.
Please do back up your data before updating!
Published by thomascube over 6 years ago
This is a follow-up to the recent security update for the stable version 1.1. It fixes a regression that sneaked in with the IMAP command injection protection which unintentionally disabled actions that operate on all selected messages (e.g. mark all as junk).
We recommend updating all productive installations of Roundcube 1.1.11.
Please do back up your data before updating!
Published by thomascube over 6 years ago
This is a security update to the stable version 1.2. It fixes a recently reported vulnerability allowing IMAP command injection via GET parameters. More details about this are published under CVE-2018-9846.
The second fix is about a missed remote content blocking on HTML messages with specially crafted image and style tags.
We strongly recommend updating all productive installations of Roundcube 1.1.x.
Please do back up your data before updating!
check_request() bypass in places using get_uids() [CVE-2018-9846] (#6238)
Published by thomascube over 6 years ago
This is a security update to the stable version 1.2. It fixes a recently reported vulnerability allowing IMAP command injection via GET parameters. More details about this are published under CVE-2018-9846.
The second fix is about a missed remote content blocking on HTML messages with specially crafted image and style tags.
We strongly recommend updating all productive installations of Roundcube 1.2.x.
Please do back up your data before updating!
check_request() bypass in places using get_uids() [CVE-2018-9846] (#6238)
Published by thomascube over 6 years ago
This is a security update to the stable version 1.3. It primarily fixes a recently discovered IMAP command injection vulnerability caused by insufficient input validation within the archive plugin. Details about the vulnerability are published under CVE-2018-9846.
Additionally, we back-ported some minor fixes from the master branch which improve PHP 7.2 compatibility as well as PGP signing and key handling for those who use the Enigma plugin. See the complete changelog below.
We strongly recommend updating all productive installations of Roundcube.
Please do back up your data before updating!
Published by thomascube over 6 years ago
This is a service release to update the stable version 1.3 of Roundcube Webmail.
It contains fixes to several bugs backported from the master branch. One can be called a minor security fix as it fixes blocking of remote content on specially crafted style tags. See the complete changelog below.
This version is considered stable and we recommend updating all productive installations
of Roundcube with it. Please do back up your data before updating!
Published by thomascube almost 7 years ago
This is a service release to update the stable version 1.3 of Roundcube Webmail.
It contains fixes to several bugs reported by our dear community members and
makes Roundcube fully compatible with PHP 7.2. See the complete changelog below.
This version is considered stable and we recommend updating all productive installations
of Roundcube with it. Please do back up your data before updating!
temp_dir misconfiguration prints an error to the log (#6045)
COPYUID responses handling - again (#5982)
create_default_folders=true
mssql.initial.sql (#6097)
X-Frame-Options: ALLOW-FROM support, remove custom click-jacking protection (#6057)
Published by thomascube almost 7 years ago
This is a security update to the LTS version 1.0. It closes a potential file disclosure vulnerability discovered in the file-based attachment plugins. While there's currently no exploit path for Roundcube 1.0.x, the fix was nevertheless back-ported to protect from yet unknown zero-day exploits.
It's considered stable and we recommend updating all productive installations of Roundcube 1.0.x with this version if for some reason you're not able to upgrade to the latest stable version. Please do back up your data before updating!