Hi,

Only 1.5.x and 1.6.x are actively supported.  I would assume 1.4.x is vulnerable.

- J

On Jun 11, 2024, at 11:36, Mike Burger <mburger@bubbanfriends.org> wrote:



The last version I see for 1.4.x update was for 1.4.16, packaged in GitHub in December of 2023.

https://github.com/roundcube/roundcubemail/releases/tag/1.4.16

On 2024-06-11 10:42, Sean McBride wrote:

Alec,

As there was no new 1.4.x release here, a couple of questions:

  • is 1.4.x vulnerable?
  • is 1.4.x EOL? No more updates ever?

I know an ISP still running 1.4.x, and if this announcement (or future ones) had answered those questions, I would have an easier time convincing them to upgrade. :)

Cheers,

Sean

On 19 May 2024, at 6:35, Aleksander Machniak wrote:

We just published security updates to the 1.6 and 1.5 LTS versions of Roundcube Webmail. They both contain fixes for recently reported security vulnerabilities.

- Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes. Credits for this finding to Valentin T. and Lutz Wolf of CrowdStrike.
- Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences. Credits for this finding to Huy Nguyễn Phạm Nhật.
- Fix command injection via crafted im_convert_path/im_identify_path on Windows. Credits for this finding to Huy Nguyễn Phạm Nhật.

See the full changelogs in the release notes on the GitHub download pages for the updated versions 1.6.7 and 1.5.7.

https://github.com/roundcube/roundcubemail/releases/tag/1.6.7
https://github.com/roundcube/roundcubemail/releases/tag/1.5.7

We strongly recommend updating all productive installations of Roundcube 1.6.x and 1.5.x with these new versions.

--
Alec
_______________________________________________
Users mailing list -- users@lists.roundcube.net

To unsubscribe send an email to users-leave@lists.roundcube.net




-- 


"It's always suicide-mission this, save-the-planet that. No one ever just stops by to say 'hi' anymore." --Colonel Jack O'Neill, SG1

