Dear subscribers
As a follow-up to the recent security update for the stable versions
1.2 and 1.1, we just published a new release to fix a regression that
sneaked in with the IMAP command injection protection. Roundcube
versions 1.2.8 and 1.1.11 unintentionally disable actions that
operate on all selected messages (e.g. mark all as junk).
We therefore recommend updating all productive installations of
Roundcube 1.2.8 and 1.1.11 with these new versions.
https://github.com/roundcube/roundcubemail/releases/tag/1.2.9
https://github.com/roundcube/roundcubemail/releases/tag/1.1.12
Best,
Alec & Thomas

Dear subscribers
Following the recent security update for 1.3, here now come the
promised updates for the LTS versions 1.2 and 1.1. They both fix the
recently reported vulnerability allowing IMAP command injection via
GET parameters. More details about this are published under
CVE-2018-9846.
Another fix included in these updates is about a missed remote content
blocking on HTML messages with specially crafted image and style tags.
See the full changelog in the release notes on the corresponding GitHub
download pages:
- https://github.com/roundcube/roundcubemail/releases/tag/1.2.8
- https://github.com/roundcube/roundcubemail/releases/tag/1.1.11
and download the packages right from there.
We strongly recommend updating all productive installations of
Roundcube 1.2.x and 1.1.x respectively.
Please do back up your data before updating!
Kind regards
Alec & Thomas

Dear subscribers
We just published a security update to the stable version 1.3. It
primarily fixes a recently reported IMAP command injection
vulnerability caused by insufficient input validation within the
archive plugin. Details about the vulnerability are published under
CVE-2018-9846.
Additionally, we back-ported some minor fixes from the master branch
which improve PHP 7.2 compatibility as well as PGP signing and key
handling for those who use the Enigma plugin.
See the full changelog in the release notes on the GitHub download page:
https://github.com/roundcube/roundcubemail/releases/tag/1.3.6
We strongly recommend updating all productive installations of
Roundcube with this new version.
Updates for older LTS versions will follow soon.
And as usual: please do back up your data before updating!
Best,
Alec & Thomas