Dev

dev@lists.roundcube.net

1 participants
4293 discussions

Security updates 1.2.5, 1.1.9 and 1.0.11 released
by Thomas Bruederli 28 Apr '17

28 Apr '17

Dear subscribers We just published updates to all stable versions 1.x delivering important bug fixes and improvements which we picked from the upstream branch. The updates primarily fix a recently discovered vulnerability in the virtualmin and sasl drivers of the password plugin (CVE-2017-8114). More details about this vulnerability will be published soon by the reporter. Security-wise the update is therefore only relevant for those installations of Roundcube using the password plugin with either one of these drivers. See the full changelog for the according version in the release notes on the Github download pages: https://github.com/roundcube/roundcubemail/releases/tag/1.2.5 https://github.com/roundcube/roundcubemail/releases/tag/1.1.9 https://github.com/roundcube/roundcubemail/releases/tag/1.0.11 All versions are considered stable and we recommend to update all productive installations of Roundcube with either of these versions. As usual, don’t forget to backup your data before updating! Kind regards, Thomas

1 0

Roundcube Webmail 1.0.10 released
by Thomas Bruederli 10 Apr '17

10 Apr '17

Dear subscribers We just recently published a security update to the LTS version 1.0. It contains some important fixes and improvements we backported from the master version. See the details in the release notes [1]. This release is considered stable and we recommend to update all productive installations of Roundcube 1.0.x with this version if you're unable to upgrade to a more recent series. Download it from GitHub via https://roundcube.net/download. As usual, don’t forget to backup your data before updating! Best, Thomas [1] https://github.com/roundcube/roundcubemail/releases/tag/1.0.10

3 4

Enigma: Inline-PGP not decrypted when embedded in HTML
by Joachim Fahrner 14 Mar '17

14 Mar '17

Hi, Thunderbird creates strange Inline-PGP messages when sending HTML. I got the following mail: User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0 MIME-Version: 1.0 Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: 8bit <html> <head> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> -----BEGIN PGP MESSAGE----- Charset: utf-8 Version: GnuPG v2.0.20 (MingW32) hQEMA/TVXfPpchmrAQgAmA2577rkRl7151xthejm/4p0GZyNAw+vhGSF8HmHGPJV I9q5b+c/Ul3454AsqGfSrI0MDTnv2PO2MOkC0Th6WlW/9QvOo6IutRIbxiQgnzCP 1pMCMJgj4jSpynla2Gpe41FRHxh6ZNlndZ60mq7a2xQLqjUPh9+K2BH/6tQko33N ... 2e7t2IeG/8uMkV2iPWNcxA== =KUPp -----END PGP MESSAGE----- </body> </html> It seems this strange format is not handled by Enigma. Mailvelope can decrypt these messages without problems. Regards Jochen

2 1

Updates 1.2.4 and 1.1.8 released
by Thomas Bruederli 11 Mar '17

11 Mar '17

Dear subscribers We just published another update to both stable versions 1.2 and 1.1 delivering important bug fixes and improvements which we picked from the upstream branch. Included is a fix for a recently reported XSS vulnerability within CSS styles inside an SVG tag. See the full changelog for 1.2.4 in the wiki [1] and for version 1.1.8 in the release notes [2]. Both versions are considered stable and we recommend to update all productive installations of Roundcube with either of these versions. Download them from GitHub via https://roundcube.net/download. As usual, don't forget to backup your data before updating! Best, Thomas [1] https://github.com/roundcube/roundcubemail/wiki/Changelog#release-123 [2] https://github.com/roundcube/roundcubemail/releases/tag/1.1.8

1 0

Automatic encryption of the response
by Vladimir Gorpenko 28 Feb '17

28 Feb '17

Hi! I work with my plugin for s/mime encryption. Functions of encryption and decryption are independent. I would like to release the mode when the response to the encrypted letter is by default encrypted. How I can to transfer in RC information that the letter on which the response is written was encrypted from decryption plugin to encryption plugin? -- Best regards, Vladimir Gorpenko

1 0

Plugin feedback?
by Lukas Erlacher 28 Feb '17

28 Feb '17

Hello, I've been cobbling around with roundcube for a while now (I'm also the author of https://github.com/roundcube/roundcubemail/pull/5565, which sadly I haven't really followed through with). I've now started my first "real" roundcube plugin, here: https://github.com/duk3luk3/roundcube-maintenance-banner I'd be happy to hear any feedback, especially if I'm missing some "best practices". Thanks, Luke

1 1

Current 1.3-git completely broken/unusable (eben w/o any plugins)
by Michael Heydekamp 14 Feb '17

14 Feb '17

Hello, see subject. Just login/logout, you'll see it yourself instantly. Please test your stuff before committing it. Can't access anything, interface is broken, etc. pp. Urgent fix appreciated. Win10/64, FF (but same with Edge). Cheers, -- Michael Heydekamp Co-Admin freexp.de Düsseldorf/Germany

5 21

new helper script for more secure password changing with chpasswd
by Kay Marquardt 14 Feb '17

14 Feb '17

Hi all, I updated roundcube on my new server to 1.3-beta and it worked like a charm, thanks for it. on this new server I tested the password plugin and was not pleased to allow the webserver to call "sudo chpasswd". After some investigation and testing I ended up with a new helper script to call change password via ssh using the provided and excelent expect-passwd method. Additionally I rewrote the chpasswd driver to provide the old password in a compatible way and extended it to pass error messages back to roundcube. Are you interested in my changes and whats the best way to send them for review? From my config.php: // chpasswd Driver options // --------------------- // Command to use (see "Sudo setup" in README) // 2017-02-13: Remarks by Kay Marquardt kay(a)rrr.de // allowing sudo chpasswd directly IMHO opens a security hole! // any script on the webserver can change password for every user, incl. root // $config['password_chpasswd_cmd'] = 'sudo /usr/sbin/chpasswd 2>/dev/null'; // try to be more secure and use dovecot or pam methods // if this is not possible in your setup you can increase security by // sudo to a wrapper, where you can implement some security meassures // 1. a simple wraper is provided by this plugin: helpers/chpasswrapper.py // 2. move wrapper out of default location to a random place // 3. change permissons of wrapper to root:www 770 to avoid changes by user or webserver // 4. add some security meassures, i.e. limit userids where password can be changed // 5. allow webserver sudo for wrapper only (see README) // $config['password_chpasswd_cmd'] = 'sudo /<RANDOMPATH>/roundcube/wrapper/chpass-wrapper.py'; // IMHO the most flexible and secure method for users with interactive shell access is to use ssh with an expect script // I modifed the chpasss driver to provide the old password needed, additionally it pass the script response in case of error. // 1. I wrote a wrapper for the nice expect script provided by this plugin: helpers/chpass-wrapper-expect.py // 2. move wrapper out of default location to a random place // 3. change permissons of wrapper to root:www 770 to avoid changes by user or webserver // 4. I add some security meassures and password policy, see wrapper for details // 5. remove sudo rules you may have applied (see README) $config['password_chpasswd_cmd'] = '/srv/www/database/roundcube/wrapper/chpass-wrapper-expect.py -ssh -host rrr.de'; Kay

1 0

Directly delete messages in Junk
by cor＠xs4all.nl 27 Jan '17

27 Jan '17

Hi all, over the years ive been getting more and more ‘complaints’ that roundcube “isnt directly deleting messages in Junk”. People seem to expect that that option means that spam email is simply directly discarded. Instead, it basically means “dont move messages to trash folder”. Anyone else ever get these questions? Is there possibly a better text for this option? Regards, Cor

1 0

automatically expand address book
by cor＠xs4all.nl 25 Jan '17

25 Jan '17

Hi all, im probably overlooking something obvious but is there a way to automatically expand the address book in the left bar on the compose screen in 1.2? It’s kind of silly that you have to always expand it yourself. Regards, Cor

2 2

← Newer
1
...
9
10
11
12
13
14
15
...
430
Older →

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

Dev