Announce

announce@lists.roundcube.net

2 participants
146 discussions

Roundcube webmail 1.7 RC2 released
by Pablo Zimdahl 15 Dec '25

15 Dec '25

We just published the second release candidate for the next major version 1.7 of Roundcube webmail. This release fixes two security issues and one syntax error in a database migration file for Postgres databases. The changes are: - Fix Cross-Site-Scripting vulnerability via SVG’s animate tag reported by Valentin T., CrowdStrike. - Fix Information Disclosure vulnerability in the HTML style sanitizer reported by somerandomdev. - Fix syntax error in DDL scripts for Postgres (#10052) The tarballs can be downloaded from github.com or roundcube.net: https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc2 https://roundcube.net/download/ We believe it is production ready, but we recommend to test it on a separate environment. Existing setups can be migrated with either the `installto.sh` or the `update.sh` scripts. Please don't forget to backup your data before updating! Regards, Pablo -- Pablo Zimdahl Software Engineer oOo Nextcloud - Regain control over your data pablo.zimdahl(a)nextcloud.com nextcloud.com +49 711 25 24 28 90 Nextcloud GmbH Hauptmannsreute 44A, 70192 Stuttgart, Germany GF: Frank Karlitschek HRB 227086 (AG München)

1 0

Security updates 1.5.12 and 1.6.12 released
by Aleksander Machniak 14 Dec '25

14 Dec '25

We just published security updates to the 1.6 and 1.5 LTS versions of Roundcube Webmail. They both contain fixes for recently reported two security vulnerabilities. Security fixes: - Fix Cross-Site-Scripting vulnerability via SVG's animate tag reported by Valentin T., CrowdStrike. - Fix Information Disclosure vulnerability in the HTML style sanitizer reported by somerandomdev. See the full changelogs in the release notes on the Github download pages for the updated versions 1.6.12 and 1.5.12. https://github.com/roundcube/roundcubemail/releases/tag/1.6.12 https://github.com/roundcube/roundcubemail/releases/tag/1.5.12 We strongly recommend to update all productive installations of Roundcube 1.6.x and 1.5.x with this new versions. -- Alec

1 0

Roundcube 1.7 RC released
by Pablo Zimdahl 12 Dec '25

12 Dec '25

The development team is pleased to announce the release candidate for the next major version 1.7 of Roundcube webmail! With this milestone we introduce a few breaking changes (see below) and some further improvements in comparison to 1.7-beta2. Some noteworthy changes are: * Add scope parameter to contact search (#9863) * Add ability to chose from all available contact fields on CSV import (#9419) * Add a new plugin called `markdown_editor` that provides an alternative editor to compose emails using Markdown syntax. * Add `rel=’noopener’` to all links opening in a new window to mitigate against misuse in older browsers. Breaking Changes: * Remove `contact_search_name` option in favor of `contactlist_name_template` (#9832) * Replace session attribute `changed` by `expires_at` (to allow for variable session lengths per-user in a future change). * Password: Removed the (insecure) `virtualmin` driver (#8007) For full details and download links please read the release notes: https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc We believe it is production ready, but we recommend to test it on a separate environment. Migrate existing configs with either the `installto.sh` or the `update.sh` scripts. And don’t forget to backup your data before installing it! Regards, Pablo -- Pablo Zimdahl Software Engineer oOo Nextcloud - Regain control over your data pablo.zimdahl(a)nextcloud.com nextcloud.com +49 711 25 24 28 90 Nextcloud GmbH Hauptmannsreute 44A, 70192 Stuttgart, Germany GF: Frank Karlitschek HRB 227086 (AG München)

1 0

Roundcube webmail 1.7 beta2 released
by Pablo Zimdahl 01 Oct '25

01 Oct '25

The development team is pleased to announce the second beta release for the next major version 1.7 of Roundcube webmail. With this milestone we introduce some more fixes, and bring full support for the early version of PHP 8.5. It does not include breaking changes (beyond those of 1.7-beta). Some noteworthy changes are: - Support PHP v8.5(-pre) without deprecation warnings. - Support IPv6 in database DSN (#9937) - Use `htmleditor` setting also for identity signature (#9954) - Fix regression in handling of non-unicode characters in a plain text message (#9953) - Fix parsing of inline styles that aren't well-formatted (#9948) - Support early MIME types for S/MIME encrypted messages (#9973) - Only apply fix_path for href attrib in <link>s (#9943) - Show homograph-warning-icon before email address, unify warning wording (#9945) - Show full details with warning icon in case of phishing suspicion (#9945) - Prepend group-names to display-name (#9945) Thanks to coco_melon for the reporting! - Wash the `name` attribute also on more elements (#9949) – Thanks to pwn.ai by Octagon Networks for the reporting! - Sanitize filename on download (#9960) - Drop Internet Explorer from supported browsers (#9963) - Enforce leading backslash for non-namespaced non-Roundcube uses (#9935) - Use asset_url() instead of get_skin_file() for deleteicon on contact edit form (#9933) - Several changes to the test tooling. For full details please see the release notes: https://github.com/roundcube/roundcubemail/releases/tag/1.7-beta2 This is a beta release and we recommend to test it on a separate environment. Migrate existing configs with either the installto.sh or the update.sh scripts. And don't forget to backup your data before installing it! Regards, Pablo -- Pablo Zimdahl Software Engineer oOo Nextcloud - Regain control over your data pablo.zimdahl(a)nextcloud.com nextcloud.com +49 711 25 24 28 90 Nextcloud GmbH Hauptmannsreute 44A, 70192 Stuttgart, Germany GF: Frank Karlitschek HRB 227086 (AG München)

1 0

Roundcube webmail 1.7 beta released
by Pablo Zimdahl 15 Jul '25

15 Jul '25

The development team is pleased to announce the beta release for the next major version 1.7 of Roundcube webmail. With this milestone we introduce a few breaking changes, some new features, and bring full support for PHP 8.4. Some noteworthy changes are: * Make public_html/ mandatory as entry-point for HTTP daemons, protecting all installations better. * Improve support for OAuth2 (e.g. supporting OpenID Connect discovery URLs). * A Mouse-over menu on the messages list with quick action icons. * Advanced mail search syntax with more possibilities – you can now use e.g. is:unread to only match unread messages. The test file has a list of implemented keywords. * Message parts of content-type text/markdown are now rendered to HTML (if they are designated for showing). * Add a 'php' logging driver, which passes all log statements to PHP's error_log handler, allowing to unify all log output. * Requires PHP v8.1 or newer. Breaking Changes: * Dropped support for PHP < 8.1. * Removed support for MS SQL Server and Oracle (#7854) * Make public_html/ entry-point mandatory, all static resources are served via static.php (#9294, #8851) * Removed apc cache driver (replaced by apcu cache driver). * Change 'smtp_log' option default value to False For full details and downloads please see <https://github.com/roundcube/roundcubemail/releases/tag/1.7-beta>. This is a beta release and we recommend to test it on a separate environment. Migrate existing configs with either the installto.sh or the update.sh scripts. And don't forget to backup your data before installing it! Regards, Pablo -- Pablo Zimdahl Software Engineer oOo Nextcloud - Regain control over your data pablo.zimdahl(a)nextcloud.com nextcloud.com +49 711 25 24 28 90 Nextcloud GmbH Hauptmannsreute 44A, 70192 Stuttgart, Germany GF: Frank Karlitschek HRB 227086 (AG München)

1 0

[RCD] Security updates 1.5.10 and 1.6.11 released
by Aleksander Machniak 01 Jun '25

01 Jun '25

We just published security updates to the 1.6 and 1.5 LTS versions of Roundcube Webmail. They both contain a fix for recently reported security vulnerability. Security fixes: - Fix Post-Auth RCE via PHP Object Deserialization reported by firs0v. See the full changelogs in the release notes on the Github download pages for the updated versions 1.6.11 and 1.5.10. https://github.com/roundcube/roundcubemail/releases/tag/1.6.11 https://github.com/roundcube/roundcubemail/releases/tag/1.5.10 We strongly recommend to update all productive installations of Roundcube 1.6.x and 1.5.x with this new versions. -- Alec

1 0

Update 1.6.10 released
by Aleksander Machniak 08 Feb '25

08 Feb '25

This is the next service release to update the stable version 1.6. Here's the full changelog: - IMAP: Partial support for ANNOTATE-EXPERIMENT-1 extension (RFC 5257) - OAuth: Support standard authentication with short-living password received with OIDC token (#9530) - Fix PHP warnings (#9616, #9611) - Fix whitespace handling in vCard line continuation (#9637) - Fix current script state after initial scripts creation in managesieve_kolab_master mode - Fix rcube_imap::get_vendor() result (and PHP warning) on Zimbra server (#9650) - Fix regression causing inline SVG images to be missing in mail preview (#9644) - Fix plugin "virtuser_file" to handle backward slashes in username (#9668) - Fix PHP fatal error when parsing some malformed BODYSTRUCTURE responses (#9689) - Fix insert_or_update() and reading database server config on PostgreSQL (#9710) - Fix Oauth issues with use_secure_urls=true (#9722) - Fix handling of binary mail parts (e.g. PDF) encoded with quoted-printable (#9728) - Fix links in comments and config to https:// where available (#9759, #9756) - Fix decoding of attachment names encoded using both RFC2231 and RFC2047 standards (#9725) This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating! https://github.com/roundcube/roundcubemail/releases/tag/1.6.10 Please do backup your data before updating! -- Alec

1 0

[RCD] Updates 1.5.9 and 1.6.9 released
by Aleksander Machniak 02 Sep '24

02 Sep '24

These are immediate service releases to fix regressions introduced in the most recent security updates. Both releases contain two following fixes: - Fix regression where printing/scaling/rotating image attachments was broken (#9571) - Fix regression where HTML messages were displayed unstyled (#9586) These releases are considered stable and we recommend to update all productive installations of Roundcube with these. Download it from roundcube.net. https://github.com/roundcube/roundcubemail/releases/tag/1.6.9 https://github.com/roundcube/roundcubemail/releases/tag/1.5.9 We strongly recommend to update all productive installations of Roundcube 1.6.x and 1.5.x with this new versions. Please do backup your data before updating! -- Alec _______________________________________________ Dev mailing list -- dev(a)lists.roundcube.net To unsubscribe send an email to dev-leave(a)lists.roundcube.net

1 0

[Roundcube Announce]Welcome back!
by Jos Poortvliet 03 Mar '24

03 Mar '24

Dear Roundcube community! You might not have seen any emails on these lists for a while, but we're back! For those not keeping a very close eye on Roundcube developments and note my @nextcloud.com email address: 👋 Hi there! Late last year, Roundcube found a new home with the Nextcloud community. You can read all about it here: <https://nextcloud.com/blog/open-source-email-pioneer-roundcube-comes-aboard…> If you have questions, I'll do my best to answer them, you can ask on the list but you can also engage on our forum: <https://help.nextcloud.com/c/roundcube/188> We are still looking for prospective Roundcube developers to join Nextcloud, so if you're looking for a position, check out: <https://nextcloud.com/jobs> and send us your resume. In the coming months, some developers will join us and take up Roundcube improvements. Once they are on-board, we will share more information here. Until then, the three mailing lists are back up and open for business: ## Announce https://lists.roundcube.net/postorius/lists/announce.lists.roundcube.net/ Read-only list with announcements of new versions, security bugs and more. ## Dev https://lists.roundcube.net/postorius/lists/dev.lists.roundcube.net/ All topics related to the development of Roundcube Webmail. ## Users https://lists.roundcube.net/postorius/lists/users.lists.roundcube.net/ All topics related to the use and administration of Roundcube Webmail. Users help each other here so please be kind! I wish you all the very best of times and let's make 2024 a great year for Roundcube - and Nextcloud! Greetings, Jos Poortvliet Director Communications oOo Nextcloud - regain control over your data jos.poortvliet(a)nextcloud.com nextcloud.com +49 171 121 7528 Nextcloud GmbH Hauptmannsreute 44A, 70192 Stuttgart Germany GF: Frank Karlitschek HRB 227086 (AG München)

1 0

Update 1.6.1 released
by Thomas Bruederli 23 Jan '23

23 Jan '23

Dear subscribers We just released the first service update to the new stable version 1.6. It provides a bunch of small fixes and improvements after getting your feedback from the 1.6.0 release. See the full changelog in the release notes <https://github.com/roundcube/roundcubemail/releases/tag/1.6.1> on the Github download page. This release is considered stable and we recommend to update all productive installations of Roundcube with this version. Download it from roundcube.net <https://roundcube.net/download>. Please do backup your data before updating! Upgrading the Complete Package Attention when upgrading Roundcube using the complete package! The installto.sh script does not update the vendor folder of the installation target. If you’re not using Composer to install plugins or other dependencies, please remove the composer.json file of your Roundcube installation before running the installto.sh script. If you have Composer installed, run composer update --no-dev to complete the upgrade. Kind regards, Thomas & Alec

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

Announce