Dear subscribers
We just published a security update to the stable version 1.3. It
primarily fixes a recently reported IMAP command injection
vulnerability caused by insufficient input validation within the
archive plugin. Details about the vulnerability are published under
CVE-2018-9846.
Additionally, we back-ported some minor fixes from the master branch
which improve PHP 7.2 compatibility as well as PGP signing and key
handling for those who use the Enigma plugin.
See the full changelog in the release notes on the Github download page:
https://github.com/roundcube/roundcubemail/releases/tag/1.3.6
We strongly recommend to update all productive installations of
Roundcube with this new version.
Updates for older LTS versions will follow soon.
And as usual: please do backup your data before updating!
Best,
Alec & Thomas
Dear subscribers
We proudly announce a new service release to update the stable version
1.3. It contains fixes to some issues which we backported from the
master branch. One can be called a minor security fix as it fixes
blocking of remote content on specially crafted style tags.
See the full changelog in the release notes on the Github download page [1].
This release is considered stable and we recommend to update all
productive installations of Roundcube with this version. Download it
from https://roundcube.net.
And stay tuned for the upcoming 1.4 beta release which will include a
preview to the new "Elastic" theme.
Apropos: we're still looking for a volunteer designer to do the final
polishing on the new skin. Read about the progress of the Elastic skin
in Alec's blog [2].
Best,
Thomas & Alec
[1] https://github.com/roundcube/roundcubemail/releases/tag/1.3.5
[2] https://kolabian.wordpress.com/tag/elastic/
Dear subscribers
We proudly announce the next service release to update the stable version 1.3.
It contains fixes to several bugs reported by our dear community
members and makes Roundcube now fully compatible with PHP 7.2.
See the full changelog in the release notes [1] on our Github download page.
This release is considered stable and we recommend to update all
productive installations of Roundcube with this version.
Download it from https://roundcube.net/download.
And as usual: please do backup your data before updating!
New: starting with version 1.3.3 we also publish Roundcube releases as
Docker images. The images are still considered BETA and your feedback
with regards to setup, configuration and documentation is much
appreciated.
Best,
Alec & Thomas
[1] https://github.com/roundcube/roundcubemail/releases/tag/1.3.4
Dear subscribers
We just published updates to all stable versions from 1.1.x onwards
delivering fixes for a recently discovered file disclosure
vulnerability in Roundcube Webmail.
Apparently this zero-day exploit is already being used by hackers to
read Roundcube’s configuration files. It requires a valid
username/password as the exploit only works with a valid session. More
details will be published soon under CVE-2017-16651.
The Roundcube series 1.0.x is not affected by this vulnerability but
we nevertheless back-ported the fix in order to protect from yet
unknown exploits.
See the full changelog for the according version in the release notes
on the Github download pages:
https://github.com/roundcube/roundcubemail/releases/tag/1.3.3
https://github.com/roundcube/roundcubemail/releases/tag/1.2.7
https://github.com/roundcube/roundcubemail/releases/tag/1.1.10
https://github.com/roundcube/roundcubemail/releases/tag/1.0.12
We strongly recommend to update all productive installations of
Roundcube with either one of these versions.
In order to check whether your Roundcube installation has been
compromised check the access logs for requests like
?_task=settings&_action=upload-display&_from=timezone
As mentioned above, the file disclosure only works for authenticated
users and by finding such requests in the logs you should also be able
to identify the account used for this unauthorized access. For
mitigation we recommend to change all the credentials to external
services like database or LDAP address books and preferably also the
'des_key' option in your config.
Kind regards
Alec & Thomas
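Added example, not part of the original announcement or of Roundcube's code: a log check for the request pattern quoted in the CVE-2017-16651 advisory above, matching the parameters in any order and after URL-decoding. The combined log format, the sample lines and the choice to report every `_from` value (the advisory names `timezone`) are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format (documentation IP ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Nov/2017:10:01:02 +0000] "GET /mail/?_task=mail&_mbox=INBOX HTTP/1.1" 200 5120',
    '198.51.100.7 - - [09/Nov/2017:10:03:44 +0000] "GET /mail/?_task=settings&_action=upload-display&_from=timezone HTTP/1.1" 200 812',
    '198.51.100.7 - - [09/Nov/2017:10:03:51 +0000] "GET /mail/?_from=timezone&_action=upload%2Ddisplay&_task=settings HTTP/1.1" 200 790',
    '192.0.2.10 - - [09/Nov/2017:10:05:00 +0000] "GET /mail/?_task=settings&_action=preferences HTTP/1.1" 200 9000',
]

# Client IP, timestamp, request target and status from one access-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def scan(lines):
    """Return one record per request that carries the advisory's parameters."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qs percent-decodes names and values, so encoded variants match too.
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        if ("settings" in query.get("_task", [])
                and "upload-display" in query.get("_action", [])
                and "_from" in query):
            hits.append({"ip": m["ip"], "time": m["ts"],
                         "status": m["status"], "from": query["_from"][0]})
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The client IP and timestamp of each hit are what you correlate with your login records to find the account; parameters sent in a POST body do not appear in an access log and are not covered by this check.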
Dear subscribers
We proudly announce the second service release to update the stable version 1.3.
It contains fixes to several bugs reported by you, our dear community
members as well as translation updates synchronized from Transifex.
We also changed the wording for the setting that controls the time
after which an opened message is marked as read. This was previously
only affecting messages being viewed in the preview panel but now
applies to all means of opening a message. That change came with 1.3.0
and apparently confused many users. Some translation work is still
needed here.
See the full changelog in the release notes [1] on our Github download page.
This release is considered stable and we recommend to update all
productive installations of Roundcube with this version.
Download it from https://roundcube.net/download.
And as usual: please do backup your data before updating!
Best,
Alec & Thomas
[1] https://github.com/roundcube/roundcubemail/releases/tag/1.3.2
Dear subscribers
We just published a service and security update to the stable version 1.2.
It contains some important bug fixes and improvements which we picked
from the upstream branch.
See the full changelog in the release notes on the Github download page [1].
This release is considered stable and we recommend to update all
productive 1.2.x installations of Roundcube with this version.
Download it from Github via https://roundcube.net/download.
Please remember to backup your data before updating!
Cheers,
Alec & Thomas
[1] https://github.com/roundcube/roundcubemail/releases/tag/1.2.6
Dear subscribers
We just published the first service release to update the stable
version 1.3 which is the result of some touching-up on the new
features introduced with the 1.3.0 release. For example it brings back
the double-click behavior to open messages which was reduced to the
list-only view. Or because the switch to change the mail view layout
was a bit hidden, we also added it to the preferences section.
The update also includes fixes to reported bugs and one potential XSS
vulnerability as well as optimizations to smoothly run on the latest
version of PHP.
See the full changelog in the release notes [1] on the Github download page.
This release is considered stable and we recommend to update all
productive installations of Roundcube with this version.
Download it from https://roundcube.net/download.
Please do backup your data before updating!
Best,
Alec & Thomas
[1] https://github.com/roundcube/roundcubemail/releases/tag/1.3.1
Dear subscribers
We proudly announce the stable version 1.3.0 of Roundcube Webmail
which is now available for download.
With this milestone we introduce new features since the 1.2 version:
- Widescreen layout aka Three Column View
- Possibility to display QR code for contacts data
- New identicon plugin [1]
- Attach contact vCards to composed message
- Support WEBP images and MathML preview
- Preview, download and rename attachments when composing a message
- Message/rfc822 attachment preview
- Various Enigma (PGP) and Managesieve plugin improvements
- “Flattened” the Larry theme giving it a fresher look
Plus security and deployment improvements:
- Improve randomness of password salts and random hashes
- Fixed redundancy in sql caching system and compatibility with Galera Cluster
And finally some code-cleanup:
- Dropped support for legacy browsers (IE < 10; removed legacy_browser plugin)
- Require PHP >= 5.4
- Removed PHP mail() support
- Removed 3rd party javascript libraries from the repository
- Require jQuery 3.x which has breaking changes to older versions
IMPORTANT: The code-cleanup part brings major changes and possibly
incompatibilities to your existing Roundcube installations.
So please read the Changelog [2] carefully and thoroughly test your
upgrade scenario.
Please note that Roundcube 1.3
1. no longer runs on PHP 5.3
2. no longer supports IE < 10 and old versions of Firefox, Chrome and Safari
3. requires an SMTP server connection to send mails
4. uses jQuery 3.2 and will not work with current jQuery mobile plugin
With the release of Roundcube 1.3.0, the previous stable release
branches 1.2.x and 1.1.x will switch in to LTS low maintenance mode
which means they will only receive important security updates but no
longer any regular improvement updates.
See the complete Changelog in our wiki [2] and download the new
packages from https://roundcube.net/download.
Roundcube 1.3.0 is considered stable and we recommend to update all
productive installations of Roundcube. As usual, don’t forget to
backup and test with your custom plugins.
Best,
Alec & Thomas
[1] https://en.wikipedia.org/wiki/Identicon
[2] https://github.com/roundcube/roundcubemail/wiki/Changelog
Dear subscribers
We just published updates to all stable versions 1.x delivering important
bug fixes and improvements which we picked from the upstream branch.
The updates primarily fix a recently discovered vulnerability in the
virtualmin and sasl drivers of the password plugin (CVE-2017-8114). More
details about this vulnerability will be published soon by the reporter.
Security-wise the update is therefore only relevant for those installations
of Roundcube using the password plugin with either one of these drivers.
See the full changelog for the according version in the release notes on
the Github download pages:
https://github.com/roundcube/roundcubemail/releases/tag/1.2.5
https://github.com/roundcube/roundcubemail/releases/tag/1.1.9
https://github.com/roundcube/roundcubemail/releases/tag/1.0.11
All versions are considered stable and we recommend to update all
productive installations of Roundcube with either of these versions.
As usual, don’t forget to backup your data before updating!
Kind regards,
Thomas
Dear subscribers
We proudly announce that the feature-complete release candidate for the
next major version 1.3 of Roundcube webmail is now available for final
testing.
After dropping support for older browsers and PHP versions and adding some
new features like the widescreen layout, the release candidate finalizes
that work and also fixes two security issues (updates for stable versions
will follow) plus adds improvements to the Managesieve and Enigma plugins.
We also slightly polished the Larry theme to make it look a little less
2010 :-)
Although the default theme still doesn’t work on mobile devices, a fully
responsive skin is currently being worked on.
As a reminder: if you’re installing the dependent package or run Roundcube
directly from source, you now need to install the removed 3rd party
javascript modules by executing the following install script:
$ bin/install-jsdeps.sh
With the upcoming stable release of 1.3.0 the old 1.x series will only
receive important security fixes.
As usual, see the complete Changelog in our wiki [1] and download the new
packages from https://roundcube.net/download.
Please note that this is a release candidate and we recommend to test it on
a separate environment. And don’t forget to backup your data before
installing it.
Kind regards,
Thomas
[1] https://github.com/roundcube/roundcubemail/wiki/Changelog