Announce April 2020

announce@lists.roundcube.net

1 participants
2 discussions

Security updates 1.4.4, 1.3.11 and 1.2.10 released
by Thomas Bruederli 29 Apr '20

29 Apr '20

Dear subscribers We just published service and security updates to the stable version 1.4 and the LTS versions 1.3 and 1.2 of Roundcube Webmail. They contain four fixes for recently reported security vulnerabilities as well a number of general improvements from our issue tracker. Security fixes: - Cross-Site Scripting (XSS) via malicious HTML content - CSRF attack can cause an authenticated user to be logged out - Remote code execution via crafted config options - Path traversal vulnerability allowing local file inclusion via crafted ‘plugins’ option The latter two vulnerabilities are classified minor because they only affect Roundcube installations with public access to the Roundcube installer. That’s generally a high-risk situation and is expected to be rare or practically non-existent in productive Roundcube deployments. However, the fixes are done in core in order to also prevent from future and yet unknown attack vectors. See the full changelogs in the release notes on the Github download pages [1]. Download the updated packages from https://roundcube.net/download We strongly recommend to update all productive installations of Roundcube with this new versions. Best, Thomas & Alec [1] https://github.com/roundcube/roundcubemail/releases

1 0

Upcoming changes in Roundcube's plugin repository
by Thomas Bruederli 11 Apr '20

11 Apr '20

Roundcube’s plugin repository is built around Composer which is used to install plugins and their dependencies. For many years we’ve been running our own plugin repository from a fork [1] of the most popular packagist.org service. Over time source code repositories like Github, Gitlab or Bitbucket as well as the Packagist codebase changed significantly which made it hard for us to maintain our fork. We therefore decided to give it up in favor of the well maintained packagist.org service. The plan is to move all Roundcube plugins currently registered at plugins.roundcube.net to packagist.org. They’re already Composer packages of type roundcube-plugin and thus don’t need any changes in their code or structure. The plugins.roundcube.net service remains active as a Composer repository but will be changed to read-only mode. So what does this mean for you? * For Roundcube users For the consumer side using Composer to pull Roundcube plugins and updates to them, nothing changes. You don’t even need to change your composer.json file as all currently registered plugins will still be listed at plugins.roundcube.net while updates will be pulled from packagist.org which is the default repository for Composer anyway. * For plugin developers Unfortunately there’s no way for us to feed all Roundcube plugins registered in our repository to packagist.org. Therefore, as a plugin developer you’re required to sign up at packagist.org [2] and then register your plugin(s) there. It’s as simple as it was on plugins.roundcube.net and only takes you a minute or two. We strongly encourage you to do so even if you’re not currently pushing new releases to your plugin. * Roadmap We’d like to make the switch on May 17th 2020. On this day, the repository data of plugins.roundcube.net will be frozen and the current Packagist service will be replaced by a read-only clone that’ll keep on serving requests from Composer to install Roundcube plugins. After that day, all updates and new registrations for Roundcube plugins need to be submitted to packagist.org. Once a plugin is listed at packagist.org, Roundcube’s plugin repository will no longer list it in order to make packagist.org the only source. We’d like to thank all plugin developers for their efforts and contributions. Only with the rich variety of plugins, Roundcube webmail became the powerful open source software product it is today. Kind regards, Thomas & Alec [1] https://roundcube.net/news/2016/08/05/plugin-repository-pimped-up [2] https://packagist.org/login/

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

Announce April 2020