Dear subscribers
We just published a service and security update to the stable version 1.4
of Roundcube Webmail.
It provides a fix for a recently reported stored XSS vulnerability as well
as some general improvements from our issue tracker.
*Security fix*
Fix cross-site scripting (XSS) via HTML messages with malicious CSS content
Credits go to Mateusz Szymaniec (CERT Polska).
See the full changelog in the release notes on the Github download page:
https://github.com/roundcube/roundcubemail/releases/tag/1.4.11
This release is considered stable and we recommend updating all production
installations of Roundcube with this version.
Download it from https://roundcube.net/download/
Please do backup your data before updating!
Best,
Alec & Thomas
Dear subscribers
We proudly announce yesterday's release of version 1.4.9. It's a service
update to the stable version 1.4 of Roundcube Webmail.
It contains fixes and general improvements from our issue tracker, mainly
related to email composition and UI oddities in Elastic skin and with the
TinyMCE richtext editor. See the full changelog in the release notes on the
Github download page [1].
This version is considered stable and we recommend updating all production
installations of Roundcube with it.
Download the latest tarballs from https://roundcube.net/download
Best,
Alec & Thomas
[1] https://github.com/roundcube/roundcubemail/releases/tag/1.4.9
Dear subscribers
We just published security updates to the stable version 1.4 and the LTS
versions 1.3 and 1.2 of Roundcube Webmail.
They all contain fixes for two recently reported cross-site scripting (XSS)
vulnerabilities. The 1.4.8 release also contains a number of general
improvements from our issue tracker [1].
Security fixes:
* Fix cross-site scripting (XSS) via HTML messages with malicious SVG
content (CVE-2020-16145)
* Fix cross-site scripting (XSS) via HTML messages with malicious math
content
Credits for these two findings go to Łukasz Pilorz from Pentesters [2].
See the full changelogs in the release notes on the Github download pages
for the updated versions.
We strongly recommend updating all production installations of Roundcube
with these new versions. Download the latest tarballs from
https://roundcube.net/download
Best,
Alec & Thomas
[1] https://github.com/roundcube/roundcubemail/releases/tag/1.4.8
[2] https://www.pentesters.pl/
Dear subscribers
We just published security updates to the stable version 1.4 and the LTS
versions 1.3 and 1.2 of Roundcube Webmail.
They all contain a fix for a recently reported cross-site scripting (XSS)
vulnerability via HTML messages with malicious SVG/namespace content.
Credits for this finding go to SSD Secure Disclosure [1].
The 1.4.7 release also contains a number of general improvements from our
issue tracker.
See the full changelog in the release notes on the Github download page [2].
We strongly recommend updating all production installations of Roundcube
with these new versions.
Download the latest tarballs from https://roundcube.net/download
Best,
Alec & Thomas
[1] https://ssd-disclosure.com/
[2] https://github.com/roundcube/roundcubemail/releases/tag/1.4.7
Dear subscribers
We recently published service and security updates to the stable version
1.4 and the LTS version 1.3 of Roundcube Webmail.
They contain four fixes for recently reported security vulnerabilities as
well as a number of general improvements from our issue tracker.
Security fixes:
- Fix XSS issue in template object username **
- Fix cross-site scripting (XSS) via malicious XML attachment *
- Fix a couple of XSS issues in Installer **
- Better fix for CVE-2020-12641
The latter two vulnerabilities are again related to public access to the
Roundcube installer and are therefore classified as minor. See the full
changelogs in the release notes on the Github download pages [1] and [2].
In addition to the security releases 1.4.5 and 1.3.12 we today pushed
follow-up releases containing one single fix for the installer’s test step,
which was broken by the previous security update.
We strongly recommend updating all production installations of Roundcube
with these new versions.
Download the latest packages from https://roundcube.net/download
Best,
Thomas & Alec
* Credits to the security researcher Matei “Mal” Badanoiu
** Credits to the security researcher LoRexxar@knownsec 404Team
[1] https://github.com/roundcube/roundcubemail/releases/tag/1.4.5
[2] https://github.com/roundcube/roundcubemail/releases/tag/1.3.12
Dear subscribers
We just published service and security updates to the stable version 1.4
and the LTS versions 1.3 and 1.2 of Roundcube Webmail. They contain four
fixes for recently reported security vulnerabilities as well as a number of
general improvements from our issue tracker.
Security fixes:
- Cross-Site Scripting (XSS) via malicious HTML content
- CSRF attack can cause an authenticated user to be logged out
- Remote code execution via crafted config options
- Path traversal vulnerability allowing local file inclusion via crafted
‘plugins’ option
The latter two vulnerabilities are classified as minor because they only
affect Roundcube installations with public access to the Roundcube
installer. That’s generally a high-risk situation and is expected to be
rare or practically non-existent in production Roundcube deployments.
However, the fixes are done in core in order to also prevent future,
as yet unknown attack vectors.
See the full changelogs in the release notes on the Github download pages
[1].
Download the updated packages from https://roundcube.net/download
We strongly recommend updating all production installations of Roundcube
with these new versions.
Best,
Thomas & Alec
[1] https://github.com/roundcube/roundcubemail/releases
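Both the 1.4.4 and the 1.4.5 announcements above rate several fixes as minor because they only matter when the Roundcube installer is reachable from the network. The check below is an added example written for this page, not Roundcube project code: it requests the installer URL of a deployment and reports whether the installer answers. It assumes the stock layout (the installer is served from `<base>/installer/`), that an enabled installer answers 200 with a page titled "Roundcube Webmail Installer", and that a disabled one answers 404 with a body containing "installer is disabled"; none of these details are stated in the announcements, so adjust the markers if your build differs. The classification step is a pure function fed with constructed sample responses, so the script also runs offline.

```python
"""Check whether a Roundcube deployment exposes its installer/ directory.

Added example (not Roundcube project code). Assumed, because the
announcements do not say it: the installer is served from <base>/installer/
(the stock layout), an enabled installer answers 200 with an HTML page titled
"Roundcube Webmail Installer", and a disabled one answers 404 with a body
containing "installer is disabled". The classification step is a pure function
so it can be exercised offline against constructed responses.
"""
import sys
import urllib.error
import urllib.request

INSTALLER_PATH = "installer/"                     # assumed stock location
INSTALLER_TITLE = "roundcube webmail installer"   # assumed page <title>, lower-cased
DISABLED_MARKER = "installer is disabled"         # assumed wording, lower-cased

EXPOSED = "exposed"     # installer page served: remove the directory or disable it
DISABLED = "disabled"   # installer present but refuses to run
ABSENT = "absent"       # anything else (404 without marker, 403, redirect, ...)


def classify(status: int, body: str) -> str:
    """Map one HTTP response to GET /installer/ onto EXPOSED/DISABLED/ABSENT."""
    text = body.lower()
    if status == 200 and INSTALLER_TITLE in text:
        return EXPOSED
    if DISABLED_MARKER in text:
        return DISABLED
    return ABSENT


def fetch(url: str, timeout: float = 10.0):
    """GET url and return (status, body); HTTP error statuses are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "rc-installer-check/1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check_installer(base_url: str) -> str:
    """Probe <base_url>/installer/ and classify the answer (needs network access)."""
    url = base_url.rstrip("/") + "/" + INSTALLER_PATH
    status, body = fetch(url)
    return classify(status, body)


# Constructed sample responses, used when no URL is given on the command line.
SAMPLE_RESPONSES = {
    "enabled installer": (200, "<html><head><title>Roundcube Webmail Installer</title>"
                               "</head><body>...</body></html>"),
    "disabled installer": (404, "<h2 class=\"error\">The installer is disabled!</h2>"),
    "directory removed": (404, "<h1>Not Found</h1>"),
    "blocked by web server": (403, "<h1>Forbidden</h1>"),
}


def main(argv):
    if len(argv) > 1:
        verdict = check_installer(argv[1])
        print(f"{argv[1]}: installer {verdict}")
        return 2 if verdict == EXPOSED else 0
    for label, (status, body) in SAMPLE_RESPONSES.items():
        print(f"{label:22s} -> {classify(status, body)}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 rc_installer_check.py https://mail.example.org/roundcube` after every upgrade; it exits with status 2 when the installer page is served, so it can gate a deployment pipeline. An "exposed" verdict means the installer directory is still present and enabled, which is exactly the situation the announcements describe as high-risk; deleting the directory after setup (or keeping the installer disabled in the configuration) is what turns the "minor" classification of those fixes into reality for your deployment.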
Roundcube’s plugin repository is built around Composer which is used to
install plugins and their dependencies. For many years we’ve been running
our own plugin repository from a fork [1] of the most popular packagist.org
service. Over time source code repositories like Github, Gitlab or
Bitbucket as well as the Packagist codebase changed significantly which
made it hard for us to maintain our fork. We therefore decided to give it
up in favor of the well maintained packagist.org service.
The plan is to move all Roundcube plugins currently registered at
plugins.roundcube.net to packagist.org. They’re already Composer packages
of type roundcube-plugin and thus don’t need any changes in their code or
structure. The plugins.roundcube.net service remains active as a Composer
repository but will be changed to read-only mode.
So what does this mean for you?
* For Roundcube users
For the consumer side using Composer to pull Roundcube plugins and updates
to them, nothing changes. You don’t even need to change your composer.json
file as all currently registered plugins will still be listed at
plugins.roundcube.net while updates will be pulled from packagist.org which
is the default repository for Composer anyway.
* For plugin developers
Unfortunately there’s no way for us to feed all Roundcube plugins
registered in our repository to packagist.org. Therefore, as a plugin
developer you’re required to sign up at packagist.org [2] and then register
your plugin(s) there. It’s as simple as it was on plugins.roundcube.net and
only takes you a minute or two. We strongly encourage you to do so even if
you’re not currently pushing new releases to your plugin.
* Roadmap
We’d like to make the switch on May 17th 2020. On this day, the repository
data of plugins.roundcube.net will be frozen and the current Packagist
service will be replaced by a read-only clone that’ll keep on serving
requests from Composer to install Roundcube plugins. After that day, all
updates and new registrations for Roundcube plugins need to be submitted to
packagist.org. Once a plugin is listed at packagist.org, Roundcube’s plugin
repository will no longer list it in order to make packagist.org the only
source.
We’d like to thank all plugin developers for their efforts and
contributions. Only with the rich variety of plugins, Roundcube webmail
became the powerful open source software product it is today.
Kind regards,
Thomas & Alec
[1] https://roundcube.net/news/2016/08/05/plugin-repository-pimped-up
[2] https://packagist.org/login/
Dear subscribers
We start the year 2020 with the second service release to update the brand
new Roundcube Webmail version 1.4.
It contains fixes and improvements reported since the release of version
1.4.0. See the full changelog in the release notes on the Github download
page [1].
This release is considered stable and we recommend updating all production
installations of Roundcube with this version. Download it from
https://roundcube.net/download.
Please do backup your data before updating.
Happy New Year everybody!
Alec & Thomas
[1] https://github.com/roundcube/roundcubemail/releases/tag/1.4.2
Yes, everybody gets spammed, probably also by infected systems. At least, the list must be moderated.
On 23.11.2019 12:52 PM, Alexander Nestorov <alexandernst(a)gmail.com> wrote:
>
> ...unless you want to get spammed...
>
> > On 23 Nov 2019, at 12:37, sergio+announce(a)outerface.net wrote:
> >
> > The list MUST accept mail ONLY FROM the core team, not from subscribers!
> _______________________________________________
> Roundcube Announcement mailing list
> announce(a)lists.roundcube.net
> http://lists.roundcube.net/mailman/listinfo/announce