Dear subscribers
We proudly announce the final release of the next major version 1.5 of
Roundcube webmail. With this milestone we introduce new features and full
PHP 8.0 support. The most noteworthy additions are:
- Dark mode for Elastic skin
- OAuth2/XOauth support (with plugin hooks)
- Collected recipients and trusted senders
- Moving recipients between inputs with drag & drop
- Full unicode support with MySQL database
- Support of IMAP LITERAL- extension RFC 7888
<https://datatracker.ietf.org/doc/html/rfc7888>
- Support of RFC 2231 <https://datatracker.ietf.org/doc/html/rfc2231>
encoded names
- Cache refactoring
See the full changelog in the release notes
<https://github.com/roundcube/roundcubemail/releases/tag/1.5.0> on the
Github download page.
We also disabled the spell checking feature using spell.roundcube.net by
default because some privacy concerns were raised. It now needs to be
enabled explicitly by setting the enable_spellcheck config option to true.
In case you’re running Roundcube directly from source or if you’re not
using the complete package, you need to install 3rd party PHP and
JavaScript modules manually. See this post for more details
<https://roundcube.net/news/2021/10/18/roundcube-1.5.0-released>.
This release is considered stable and we encourage you to update your
productive installations after carefully testing the upgrade scenario.
Download it from roundcube.net <https://roundcube.net/download>.
With the release of Roundcube 1.5.0, the previous stable release branches
1.4.x and 1.3.x will change into LTS low maintenance mode which means they
will only receive important security updates but no longer any regular
improvement updates. The 1.2.x series is no longer supported and maintained.
Kind regards
Alec & Thomas
Dear subscribers
We proudly announce the beta release for the next major version 1.5 of
Roundcube webmail. With this milestone we introduce new features and
long-awaited improvements. The most noteworthy additions are:
- PHP 8.0 support
- OAuth2/XOauth support
- Dark mode for Elastic skin
- Collected recipients and trusted senders
- Moving recipients between inputs with drag & drop
- Full unicode support with MySQL database
- Cache refactoring
Adding support for PHP 8 required some deep refactoring of the Roundcube
codebase which started with early PHP 5 versions. However, this refactoring
also was a bit of a cleaning procedure and resulted in more testable
components.
In case you’re running Roundcube directly from source or if you’re not
using the complete package, you need to install 3rd party JavaScript
modules using the bin/install-jsdeps.sh script. With this release the
toolchain required to build a functional package has changed a bit:
- bin/jsshrink.sh: replaced google-closure-compiler with UglifyJS
- bin/cssshrink.sh: replaced yuicompressor with csso
- Elastic theme: require lessc >= 2.5.2 (and add support for v4) with
less-plugin-clean-css
See the full changelog in the release notes
<https://github.com/roundcube/roundcubemail/releases/tag/1.5-beta> on the
Github download page.
This is a beta release and we recommend testing it on a separate
environment. And don’t forget to back up your data before installing it.
Download it from roundcube.net <https://roundcube.net/download>.
If you intend to test new Roundcube with OAuth2, have a look at this wiki
page <https://github.com/roundcube/roundcubemail/wiki/Configuration:-OAuth2>.
We also have some Docker images
<https://hub.docker.com/r/roundcube/roundcubemail/tags?page=1&name=beta>
available for quick testing and evaluation.
Kind regards,
Alec & Thomas
Dear subscribers
We just published a service and security update to the stable version 1.4
of Roundcube Webmail.
It provides a fix for a recently reported stored XSS vulnerability as well
as some general improvements from our issue tracker.
*Security fix*
Fix cross-site scripting (XSS) via HTML messages with malicious CSS content
Credits go to Mateusz Szymaniec (CERT Polska).
See the full changelog in the release notes on the Github download page:
https://github.com/roundcube/roundcubemail/releases/tag/1.4.11
This release is considered stable and we recommend updating all productive
installations of Roundcube with this version.
Download it from https://roundcube.net/download/
Please do back up your data before updating!
Best,
Alec & Thomas
Dear subscribers
We proudly announce yesterday's release of version 1.4.9. It's a service
update to the stable version 1.4 of Roundcube Webmail.
It contains fixes and general improvements from our issue tracker, mainly
related to email composition and UI oddities in Elastic skin and with the
TinyMCE richtext editor. See the full changelog in the release notes on the
Github download page [1].
This version is considered stable and we recommend updating all productive
installations of Roundcube with it.
Download the latest tarballs from https://roundcube.net/download
Best,
Alec & Thomas
[1] https://github.com/roundcube/roundcubemail/releases/tag/1.4.9
Dear subscribers
We just published security updates to the stable version 1.4 and the LTS
versions 1.3 and 1.2 of Roundcube Webmail.
They all contain two recently reported cross-site scripting (XSS)
vulnerabilities. The 1.4.8 release also contains a number of general
improvements from our issue tracker [1].
Security fixes:
* Fix cross-site scripting (XSS) via HTML messages with malicious svg
content (CVE-2020-16145)
* Fix cross-site scripting (XSS) via HTML messages with malicious math
content
Credits for these two findings go to Łukasz Pilorz from Pentesters [2].
See the full changelogs in the release notes on the Github download pages
for the updated versions.
We strongly recommend updating all productive installations of Roundcube
with these new versions. Download the latest tarballs from
https://roundcube.net/download
Best,
Alec & Thomas
[1] https://github.com/roundcube/roundcubemail/releases/tag/1.4.8
[2] https://www.pentesters.pl/
Dear subscribers
We just published security updates to the stable version 1.4 and the LTS
versions 1.3 and 1.2 of Roundcube Webmail.
They all contain a recently reported cross-site scripting (XSS)
vulnerability via HTML messages with malicious svg/namespace.
Credits for this finding go to SSD Secure Disclosure [1].
The 1.4.7 release also contains a number of general improvements from our
issue tracker.
See the full changelog in the release notes on the Github download page [2].
We strongly recommend updating all productive installations of Roundcube
with these new versions.
Download the latest tarballs from https://roundcube.net/download
Best,
Alec & Thomas
[1] https://ssd-disclosure.com/
[2] https://github.com/roundcube/roundcubemail/releases/tag/1.4.7
Dear subscribers
We recently published service and security updates to the stable version
1.4 and the LTS version 1.3 of Roundcube Webmail.
They contain four fixes for recently reported security vulnerabilities as
well as a number of general improvements from our issue tracker.
Security fixes:
- Fix XSS issue in template object username **
- Fix cross-site scripting (XSS) via malicious XML attachment *
- Fix a couple of XSS issues in Installer **
- Better fix for CVE-2020-12641
The latter two vulnerabilities again are related to public access to the
Roundcube installer and are therefore classified minor. See the full
changelogs in the release notes on the Github download pages [1] and [2].
In addition to the security releases 1.4.5 and 1.3.12 we today pushed
follow-up releases containing one single fix for the installer’s test step
which was broken with the former security update.
We strongly recommend updating all productive installations of Roundcube
with these new versions.
Download the latest packages from https://roundcube.net/download
Best,
Thomas & Alec
* Credits to the security researcher Matei “Mal” Badanoiu
** Credits to the security researcher LoRexxar@knownsec 404Team
[1] https://github.com/roundcube/roundcubemail/releases/tag/1.4.5
[2] https://github.com/roundcube/roundcubemail/releases/tag/1.3.12
Dear subscribers
We just published service and security updates to the stable version 1.4
and the LTS versions 1.3 and 1.2 of Roundcube Webmail. They contain four
fixes for recently reported security vulnerabilities as well as a number of
general improvements from our issue tracker.
Security fixes:
- Cross-Site Scripting (XSS) via malicious HTML content
- CSRF attack can cause an authenticated user to be logged out
- Remote code execution via crafted config options
- Path traversal vulnerability allowing local file inclusion via crafted
‘plugins’ option
The latter two vulnerabilities are classified minor because they only
affect Roundcube installations with public access to the Roundcube
installer. That’s generally a high-risk situation and is expected to be
rare or practically non-existent in productive Roundcube deployments.
However, the fixes are done in core in order to also prevent future
and yet unknown attack vectors.
See the full changelogs in the release notes on the Github download pages
[1].
Download the updated packages from https://roundcube.net/download
We strongly recommend updating all productive installations of Roundcube
with these new versions.
Best,
Thomas & Alec
[1] https://github.com/roundcube/roundcubemail/releases