Dear subscribers
There were two security issues reported which are now fixed. The first was as possible code injection using the html2text conversion script [1]. The other exploit used the unchecked size parameters of the quota image to let PHP create huge images eating up all the server memory. Thanks to Stephan for reporting this.
The two vulnerable scripts were updated in the current 0.2-beta package and for existing RoundCube installations we recommend to download the update [2] and to replace all the files with the new versions found in the archive.
Regards, Thomas
[1] http://trac.roundcube.net/ticket/1485618 [2] http://downloads.sourceforge.net/roundcubemail/roundcubemail-0.2-beta-patch.... _______________________________________________ List info: http://lists.roundcube.net/dev/