Dear subscribers
We just published security updates to the stable version 1.4 and the LTS
versions 1.3 and 1.2 of Roundcube Webmail.
They all contain two recently reported cross-site scripting (XSS)
vulnerabilities. The 1.4.8 release also contains a number of general
improvements from our issue tracker [1].
Security fixes:
* Fix cross-site scripting (XSS) via HTML messages with malicious svg
content (CVE-2020-16145)
* Fix cross-site scripting (XSS) via HTML messages with malicious math
content
Credits for these two findings go to Łukasz Pilorz from Pentesters [2].
See the full changelogs in the release notes on the Github download pages
for the updated versions.
We strongly recommend updating all productive installations of Roundcube
with these new versions. Download the latest tarballs from
https://roundcube.net/download
Best,
Alec & Thomas
[1] https://github.com/roundcube/roundcubemail/releases/tag/1.4.8
[2] https://www.pentesters.pl/
Dear subscribers
We just published security updates to the stable version 1.4 and the LTS
versions 1.3 and 1.2 of Roundcube Webmail.
They all contain a recently reported cross-site scripting (XSS)
vulnerability via HTML messages with malicious svg/namespace.
Credits for this finding go to SSD Secure Disclosure [1].
The 1.4.7 release also contains a number of general improvements from our
issue tracker.
See the full changelog in the release notes on the Github download page [2].
We strongly recommend updating all productive installations of Roundcube
with these new versions.
Download the latest tarballs from https://roundcube.net/download
Best,
Alec & Thomas
[1] https://ssd-disclosure.com/
[2] https://github.com/roundcube/roundcubemail/releases/tag/1.4.7
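Both advisories above (1.4.8 and 1.4.7) fix cross-site scripting through HTML messages that carry svg or math content. The underlying defensive principle is that a webmail client must rebuild an incoming HTML body from an allowlist and discard whole foreign-namespace subtrees (svg, math) and active attributes before rendering. The following Python sanitizer is an added illustration of that principle; it is not Roundcube's own sanitizer code, and the tag allowlist, the URL scheme list and the sample message are constructed here for the example.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlist: tags a webmail client may keep in a rendered message body.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li",
                "div", "span", "table", "tr", "td", "th", "img", "h1", "h2", "h3"}
# Elements whose entire subtree is discarded: foreign-namespace content such as
# svg and math (the vectors named in the advisories) plus other active content.
DROP_SUBTREE = {"svg", "math", "script", "style", "iframe", "object", "embed"}
ALLOWED_ATTRS = {"href", "src", "alt", "title", "width", "height"}
SAFE_URL_SCHEMES = ("http:", "https:", "mailto:", "cid:")
VOID_TAGS = {"br", "img", "hr"}


class MessageSanitizer(HTMLParser):
    """Rebuilds an HTML message body from allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitized fragments
        self.drop_stack = []   # open elements inside a discarded subtree
        self.dropped = []      # what was removed, useful as a detection signal

    def handle_starttag(self, tag, attrs):
        if self.drop_stack:
            # Still inside a discarded subtree: track nesting so we know when it ends.
            if tag not in VOID_TAGS:
                self.drop_stack.append(tag)
            return
        if tag in DROP_SUBTREE:
            self.drop_stack.append(tag)
            self.dropped.append(tag)
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag: keep its text, drop the tag itself
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):          # event handler attributes
                self.dropped.append(f"{tag}@{name}")
                continue
            if name not in ALLOWED_ATTRS:
                continue
            if name in ("href", "src") and not value.strip().lower().startswith(SAFE_URL_SCHEMES):
                self.dropped.append(f"{tag}@{name}")  # e.g. javascript: or data: URLs
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.drop_stack:
            if tag in self.drop_stack:
                while self.drop_stack.pop() != tag:
                    pass
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.drop_stack:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments are never re-emitted


def sanitize_message_html(html):
    """Returns (sanitized_html, list_of_dropped_items)."""
    parser = MessageSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample message mixing benign markup with the kinds of content a
# sanitizer must discard.
SAMPLE_MESSAGE = (
    '<p>Hello <b>there</b></p>'
    '<svg onload="alert(1)"><a xlink:href="javascript:alert(2)">x</a></svg>'
    '<math><mtext><a href="javascript:alert(3)">y</a></mtext></math>'
    '<a href="javascript:alert(4)" onclick="alert(5)">link</a>'
    '<a href="https://example.com/">ok</a><img src="cid:part1">'
)

if __name__ == "__main__":
    clean, dropped = sanitize_message_html(SAMPLE_MESSAGE)
    print(clean)
    print("dropped:", dropped)
```

The `dropped` list is the part a defender would log: a message whose body yields entries like `svg` or `a@onclick` is worth flagging even though the rendered output is clean. Note that `html.parser` is not a browser-grade HTML5 parser; a production sanitizer should parse with a spec-compliant parser so that its view of the tree matches the browser's.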
Dear subscribers
We recently published service and security updates to the stable version
1.4 and the LTS version 1.3 of Roundcube Webmail.
They contain four fixes for recently reported security vulnerabilities as
well as a number of general improvements from our issue tracker.
Security fixes:
- Fix XSS issue in template object username **
- Fix cross-site scripting (XSS) via malicious XML attachment *
- Fix a couple of XSS issues in Installer **
- Better fix for CVE-2020-12641
The latter two vulnerabilities again are related to public access to the
Roundcube installer and are therefore classified minor. See the full
changelogs in the release notes on the Github download pages [1] and [2].
In addition to the security releases 1.4.5 and 1.3.12 we today pushed
follow-up releases containing one single fix for the installer’s test step
which was broken with the former security update.
We strongly recommend updating all productive installations of Roundcube
with these new versions.
Download the latest packages from https://roundcube.net/download
Best,
Thomas & Alec
* Credits to the security researcher Matei “Mal” Badanoiu
** Credits to the security researcher LoRexxar@knownsec 404Team
[1] https://github.com/roundcube/roundcubemail/releases/tag/1.4.5
[2] https://github.com/roundcube/roundcubemail/releases/tag/1.3.12
Dear subscribers
We just published service and security updates to the stable version 1.4
and the LTS versions 1.3 and 1.2 of Roundcube Webmail. They contain four
fixes for recently reported security vulnerabilities as well as a number of
general improvements from our issue tracker.
Security fixes:
- Cross-Site Scripting (XSS) via malicious HTML content
- CSRF attack can cause an authenticated user to be logged out
- Remote code execution via crafted config options
- Path traversal vulnerability allowing local file inclusion via crafted
‘plugins’ option
The latter two vulnerabilities are classified minor because they only
affect Roundcube installations with public access to the Roundcube
installer. That’s generally a high-risk situation and is expected to be
rare or practically non-existent in productive Roundcube deployments.
However, the fixes are done in core in order to also prevent future
and yet unknown attack vectors.
See the full changelogs in the release notes on the Github download pages
[1].
Download the updated packages from https://roundcube.net/download
We strongly recommend updating all productive installations of Roundcube
with these new versions.
Best,
Thomas & Alec
[1] https://github.com/roundcube/roundcubemail/releases
Roundcube’s plugin repository is built around Composer which is used to
install plugins and their dependencies. For many years we’ve been running
our own plugin repository from a fork [1] of the most popular packagist.org
service. Over time source code repositories like Github, Gitlab or
Bitbucket as well as the Packagist codebase changed significantly which
made it hard for us to maintain our fork. We therefore decided to give it
up in favor of the well maintained packagist.org service.
The plan is to move all Roundcube plugins currently registered at
plugins.roundcube.net to packagist.org. They’re already Composer packages
of type roundcube-plugin and thus don’t need any changes in their code or
structure. The plugins.roundcube.net service remains active as a Composer
repository but will be changed to read-only mode.
So what does this mean for you?
* For Roundcube users
For the consumer side using Composer to pull Roundcube plugins and updates
to them, nothing changes. You don’t even need to change your composer.json
file as all currently registered plugins will still be listed at
plugins.roundcube.net while updates will be pulled from packagist.org which
is the default repository for Composer anyway.
* For plugin developers
Unfortunately there’s no way for us to feed all Roundcube plugins
registered in our repository to packagist.org. Therefore, as a plugin
developer you’re required to sign up at packagist.org [2] and then register
your plugin(s) there. It’s as simple as it was on plugins.roundcube.net and
only takes you a minute or two. We strongly encourage you to do so even if
you’re not currently pushing new releases to your plugin.
* Roadmap
We’d like to make the switch on May 17th 2020. On this day, the repository
data of plugins.roundcube.net will be frozen and the current Packagist
service will be replaced by a read-only clone that’ll keep on serving
requests from Composer to install Roundcube plugins. After that day, all
updates and new registrations for Roundcube plugins need to be submitted to
packagist.org. Once a plugin is listed at packagist.org, Roundcube’s plugin
repository will no longer list it in order to make packagist.org the only
source.
We’d like to thank all plugin developers for their efforts and
contributions. Only with the rich variety of plugins, Roundcube webmail
became the powerful open source software product it is today.
Kind regards,
Thomas & Alec
[1] https://roundcube.net/news/2016/08/05/plugin-repository-pimped-up
[2] https://packagist.org/login/
Hi dear roundcube community,
First of all, I wish you all a happy new year.
I am the maintainer of the automatic_addressbook plugin (or at least I
used to be, as I don't have much time for it now, and I would be happy
to have it integrated in roundcube default plugins if you want, but
that's another story).
I regularly get issues from users regarding database prefix when
installing the plugin. I understand this is complicated to handle when
installing manually, but it seems to also be the case when using
composer (at least I got reports about failed SQL statements when
installing with composer).
As far as I can see, SQL statements in roundcube codebase have no
prefix, nor do the SQL statements in my plugin. How are database prefixes
handled when installing roundcube? How are they handled when installing
a plugin with composer? (ok, I found how, see below)
I have 2 concerns:
- One is table creation (CREATE TABLE statements), to which the prefix
should be added. Is that handled automatically by composer? (It seems to be
the case)
- The second one is foreign keys that reference roundcube standard
tables like REFERENCES `users`(`user_id`) which should be changed to
REFERENCES `PREFIX_users`(`user_id`). Is that automatically handled by
composer at plugin installation? (It seems to be the missing one)
Is there any documentation for plugin coders on how to properly handle
plugins databases with references to standard roundcube databases
regarding database prefix?
As far as I can see here:
https://github.com/roundcube/plugin-installer/blob/0.1.6/src/bin/rcubeinitd…
This problem is already handled for CREATE DATABASE statements and for
CREATE SEQUENCE statements but not for REFERENCES statements as used in
the automatic_addressbook plugin here:
-
https://github.com/sblaisot/automatic_addressbook/blob/master/SQL/mysql.ini…
-
https://github.com/sblaisot/automatic_addressbook/blob/master/SQL/postgres.…
I should be able to propose a PR on plugin_installer for that. Is there
something more I need to be aware of before coding?
Best regards and keep making such a good webmail!
Sebastien
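Sebastien's message above describes the gap: the installer prefixes the table name in CREATE TABLE and CREATE SEQUENCE statements but leaves the table name in a REFERENCES clause untouched, so a foreign key still points at an unprefixed core table. The following Python is an added example, not the plugin-installer's own code, of a rewriter that applies the configured prefix (Roundcube's `db_prefix` option) to all three places, plus a pre-install check that lists foreign keys still pointing at unprefixed tables. The sample schema is constructed here in the style of a plugin's SQL script; it is not the automatic_addressbook plugin's actual file.

```python
import re

# Constructed sample schema in the style of a plugin's SQL/mysql.initial.sql
# (illustration only, not the automatic_addressbook plugin's script).
SAMPLE_SQL = """
CREATE TABLE `collected_addresses` (
  `address_id` int(10) UNSIGNED NOT NULL AUTO_INCREMENT,
  `user_id` int(10) UNSIGNED NOT NULL,
  `email` varchar(255) NOT NULL,
  PRIMARY KEY(`address_id`),
  CONSTRAINT `user_id_fk_collected_addresses` FOREIGN KEY (`user_id`)
    REFERENCES `users`(`user_id`) ON DELETE CASCADE ON UPDATE CASCADE
) ENGINE=InnoDB;

CREATE SEQUENCE collected_addresses_seq START WITH 1 INCREMENT BY 1;
"""

# Each pattern captures the keyword part (group 1), an optional quote
# character (q) and the bare table name (name); names may be backtick- or
# double-quote-quoted, or unquoted.
_NAME = r'(?P<q>[`"]?)(?P<name>[A-Za-z_][A-Za-z0-9_]*)(?P=q)'
TABLE_STMT = re.compile(r'(?i)\b(CREATE\s+TABLE(?:\s+IF\s+NOT\s+EXISTS)?\s+)' + _NAME)
SEQ_STMT = re.compile(r'(?i)\b(CREATE\s+SEQUENCE\s+)' + _NAME)
REF_CLAUSE = re.compile(r'(?i)\b(REFERENCES\s+)' + _NAME)


def add_prefix(sql, prefix):
    """Prepend `prefix` to table names in CREATE TABLE, CREATE SEQUENCE and
    REFERENCES clauses. Names that already carry the prefix are left alone,
    so running the rewrite twice is harmless."""
    if not prefix:
        return sql

    def repl(m):
        name = m.group('name')
        if name.startswith(prefix):
            return m.group(0)
        q = m.group('q')
        return f"{m.group(1)}{q}{prefix}{name}{q}"

    for pattern in (TABLE_STMT, SEQ_STMT, REF_CLAUSE):
        sql = pattern.sub(repl, sql)
    return sql


def find_unprefixed_references(sql, prefix):
    """Pre-install check: table names in REFERENCES clauses that lack the
    prefix. Any hit would fail on a prefixed Roundcube installation."""
    return [m.group('name') for m in REF_CLAUSE.finditer(sql)
            if not m.group('name').startswith(prefix)]


if __name__ == "__main__":
    print("unprefixed foreign keys:", find_unprefixed_references(SAMPLE_SQL, "rc_"))
    print(add_prefix(SAMPLE_SQL, "rc_"))
```

The rewrite is deliberately conservative: it only touches the identifier directly after the three keywords and never alters column names. Its one blind spot is a table whose unprefixed name happens to begin with the same characters as the prefix; in that case the idempotency check would skip it, so a schema using such names needs the check relaxed.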
TL;DR: We have Roundcube in-browser tests on Travis.
I rewrote old Selenium-based tests created a long time ago. These were not
working and I guess no one paid attention to them. Now, it should be
easier and better in many ways.
New code uses Laravel's Dusk (and Facebook/WebDriver) with PHPUnit which
is a nice and powerful framework for functional testing.
This means:
- setting up testing environment is very easy,
- writing tests is simpler and we can do much more,
- thanks to SQLite and GreenMail software you don't need a real
IMAP/SMTP nor database server, you also don't need a HTTP server,
- we test Elastic only, and we test all modes desktop/tablet/phone.
- via Travis tests are executed on every commit and pull request. Which
technically means you don't even need PHP to write tests, just write code
and do a pull request ;).
Now, I would love to see pull requests coming that add some more
in-browser tests. If you'd like to give it a go, I propose to start with
Preferences UI tests. There's Settings/Preferences/General.php file you
can use as a base for testing other Preferences sections.
See also tests/Browser/README.md
Happy New Year everybody!
--
Aleksander Machniak
Kolab Groupware Developer [https://kolab.org]
Roundcube Webmail Developer [https://roundcube.net]
----------------------------------------------------
PGP: 19359DC1 # Blog: https://kolabian.wordpress.com
Dear subscribers
We start the year 2020 with the second service release to update the brand
new Roundcube Webmail version 1.4.
It contains fixes and improvements reported since the release of version
1.4.0. See the full changelog in the release notes on the Github download
page [1].
This release is considered stable and we recommend updating all productive
installations of Roundcube with this version. Download it from
https://roundcube.net/download.
Please do backup your data before updating.
Happy New Year everybody!
Alec & Thomas
[1] https://github.com/roundcube/roundcubemail/releases/tag/1.4.2
Dear subscribers
Shortly after the release of the stable version 1.4.0 of Roundcube
Webmail we already publish the first service release. With the recent
release we failed to mention a few breaking changes since the last stable
version 1.3. We apologize for this and are now clarifying and correcting
these:
Breaking changes
----------------
(since 1.3.x)
* new defaults for smtp_* config options:
Upon many requests and in order to get closer to the default setup of most
SMTP servers, we changed the defaults as follows:
// SMTP port (default is 587)
$config['smtp_port'] = 587;
// SMTP username (if required). %u will use the current username for login
$config['smtp_user'] = '%u';
// SMTP password (if required). %p will use the current user's password for login
$config['smtp_pass'] = '%p';
* changed default password_charset to UTF-8:
Because of many complaints, we decided to choose a more sane default that
covers most setups and configurations.
* login page returning 401 Unauthorized status:
The new behavior that Roundcube 1.4 returns a 401 status code if the client
is not authenticated apparently was very unexpected and led to monitoring
problems. Despite not having mentioned that change in the release notes, we
now partly reverted it so that 401 is only returned on login failures but
not on the first request to Roundcube which by definition is unauthorized.
Besides these three major concerns we heard from your much appreciated
feedback, we fixed a number of nasty bugs that sneaked into the 1.4.0
release. See the full changelog in the release notes on the Github download
page [1].
This release is considered stable and we recommend updating all productive
installations of Roundcube with this version. Download it from roundcube.net
[2].
Please do backup your data before updating.
We'd also like to thank Phil for his steady efforts to keep our website
up-to-date. Your work is much appreciated!
Best,
Thomas & Alec
[1] https://github.com/roundcube/roundcubemail/releases/tag/1.4.1
[2] https://roundcube.net/download
Dear subscribers
It's a big honor for me to announce the final release of the long awaited
major version 1.4 of Roundcube webmail.
After more than two years of hard work by Alec and other volunteer
contributors, Roundcube finally gets the responsive skin with full mobile
device support - the Elastic.
In addition to the new UI we introduce these new features:
* Email Resent (Bounce) feature
* Improved [Mailvelope](https://www.mailvelope.com) integration
* Support for Redis and Memcached cache
* Support for SMTPUTF8 and GSSAPI
Plus numerous improvements and bug fixes collected from your precious
feedback as well as updates to recent versions of 3rd party libraries like
jQuery and TinyMCE. See the full changelog in the release notes on the
Github download page [1].
The new Elastic theme, which is the new default skin, is built with LESS
and of course the sources are included. They allow a certain degree of
customization by adjusting some colors and variables using the
`_styles.less` and `_variables.less` files. Please consider customizing
your Roundcube installation in order to make phishing [2] harder. You'll
find guidance in the README.md file inside the skin folder.
This release is considered stable and we encourage you to update your
productive installations after carefully testing the upgrade scenario and
preparing your users for the significant changes in their webmail UI.
Download it from https://roundcube.net/download.
With the release of Roundcube 1.4.0, the previous stable release branches
1.3.x and 1.2.x will change into LTS low maintenance mode which means they
will only receive important security updates but no longer any regular
improvement updates. The 1.1.x series is no longer supported and maintained.
Kind regards,
Thomas
[1] https://github.com/roundcube/roundcubemail/releases/tag/1.4.0
[2] https://roundcube.net/news/2019/10/28/phishing-alert