Announce March 2013

announce@lists.roundcube.net

1 participants
2 discussions

Security updates 0.8.6 and 0.7.3 for save-pref vulnerability
by Thomas Bruederli 27 Mar '13

27 Mar '13

After getting reports about a possible vulnerability of Roundcube which allows an attacker to modify its users preferences in a way that he/she can then read files from the server, we now published updated packages as well as patches that fix this security issue. Please update all your Roundcube installations with the new versions (0.9-rc2, 0.8.6, 0.7.4) or patch them with the published patches. Download the latest version from http://roundcube.net/download Patch for 0.9.x: http://ow.ly/jtQD0 Patch for 0.8.x: http://ow.ly/jtQHM Patch for 0.7.x: http://ow.ly/jtQK0 Patch for 0.6: http://ow.ly/jtQNd In order to find out whether one of your users has vulnerable preferences, you can run the following query on the Roundcube user database: SELECT * FROM users WHERE preferences LIKE '%generic_message_footer%' If this returns any results, you should at least clear the 'preferences' field of that user entry. Or better: entirely block the user because he or she most likely tried to exploit your system. And here's some background about the vulnerability: http://lists.roundcube.net/pipermail/dev/2013-March/022328.html Best regards, Thomas

1 0

Release candidate for version 0.9
by Thomas Bruederli 02 Mar '13

02 Mar '13

Hello all, We just published the feature-complete release candidate for the upcoming version 0.9. After adding some neat new features in 0.9-beta we now stabilized the code for the final release. Read http://trac.roundcube.net/wiki/Changelog for details. Download it from http://roundcube.net/download and update your testing systems. Use either the installto.sh or update.sh scripts to do the update as described in the UPGRADING instructions. These will take advantage of the new database schema upgrade mechanism we just added. That should make it easier and safer to keep the local database schema up-to-date with the new versions. And please report remaining bugs to our bug tracker. Best regards, Thomas

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

Announce March 2013