We just published the second release candidate for the next major version 1.7 of Roundcube webmail.

This release fixes two security issues and one syntax error in a database migration file for Postgres databases.

The changes are:

• Fix Cross-Site-Scripting vulnerability via SVG’s animate tag reported

by Valentin T., CrowdStrike.

• Fix Information Disclosure vulnerability in the HTML style sanitizer

reported by somerandomdev.

• Fix syntax error in DDL scripts for Postgres (#10052)

The tarballs can be downloaded from github.com or roundcube.net: https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc2 https://roundcube.net/download/

We believe it is production ready, but we recommend to test it on a separate environment.

Existing setups can be migrated with either the installto.sh or the update.sh scripts.

Please don't forget to backup your data before updating!

Regards, Pablo