We just published security updates to the 1.6 and 1.5 LTS versions of Roundcube Webmail. They both contain fixes for recently reported security vulnerabilities.
- Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes. Credits for this finding to Valentin T. and Lutz Wolf of CrowdStrike.
- Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences. Credits for this finding to Huy Nguyễn Phạm Nhật.
- Fix command injection via crafted im_convert_path/im_identify_path on Windows. Credits for this finding to Huy Nguyễn Phạm Nhật.
See the full changelogs in the release notes on the GitHub download pages for the updated versions 1.6.7 and 1.5.7.
https://github.com/roundcube/roundcubemail/releases/tag/1.6.7
https://github.com/roundcube/roundcubemail/releases/tag/1.5.7
We strongly recommend updating all production installations of Roundcube 1.6.x and 1.5.x to these new versions.
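An added example (not part of the announcement or of the Roundcube project) showing how an administrator can map an installed version onto the fixed releases named above, with the 1.4 branch reported as having no fix in this announcement. The RCMAIL_VERSION define in program/include/iniset.php and the sample file contents are assumptions.

```python
import re

# Fixed releases named in the 19 May 2024 announcement, keyed by branch.
FIXED_VERSIONS = {(1, 6): (1, 6, 7), (1, 5): (1, 5, 7)}
# Last 1.4.x release named in this thread; the announcement lists no 1.4.x fix.
LAST_1_4 = (1, 4, 16)

def parse_version(text):
    """Turn '1.6.7' (optionally with a suffix such as '-git') into (1, 6, 7)."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Roundcube version string: {text!r}")
    return tuple(int(part) for part in m.groups())

def version_from_iniset(php_source):
    """Read RCMAIL_VERSION from the contents of program/include/iniset.php.

    Assumption: the define has the form define('RCMAIL_VERSION', '1.6.6');
    """
    m = re.search(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)", php_source)
    if not m:
        raise ValueError("RCMAIL_VERSION define not found")
    return parse_version(m.group(1))

def fmt(version):
    return ".".join(str(n) for n in version)

def assess(version):
    """Return (status, advice) for an installed version against the announcement."""
    branch = version[:2]
    if branch in FIXED_VERSIONS:
        fixed = FIXED_VERSIONS[branch]
        if version >= fixed:
            return ("patched", f"{fmt(version)} includes the fixes from {fmt(fixed)}")
        return ("vulnerable", f"update {fmt(version)} to {fmt(fixed)}")
    if branch == (1, 4):
        # The announcement covers only the 1.6 and 1.5 LTS branches.
        return ("no fix announced",
                f"no 1.4.x release after {fmt(LAST_1_4)}; plan an upgrade to {fmt(FIXED_VERSIONS[(1, 6)])}")
    return ("unknown", f"branch {fmt(branch)} is not covered by this announcement")

if __name__ == "__main__":
    # Constructed sample of an iniset.php define line, not a real file.
    sample_iniset = "<?php\ndefine('RCMAIL_VERSION', '1.6.6');\n"
    installed = version_from_iniset(sample_iniset)
    print(fmt(installed), *assess(installed))
```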
Alec,
As there was no new 1.4.x release here, a couple of questions:
- is 1.4.x vulnerable?
- is 1.4.x EOL? No more updates ever?
I know an ISP still running 1.4.x, and if this announcement (or future ones) had answered those questions, I would have an easier time convincing them to upgrade. :)
Cheers,
Sean
On 19 May 2024, at 6:35, Aleksander Machniak wrote:
We just published security updates to the 1.6 and 1.5 LTS versions of Roundcube Webmail. They both contain fixes for recently reported security vulnerabilities.
- Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes. Credits for this finding to Valentin T. and Lutz Wolf of CrowdStrike.
- Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences. Credits for this finding to Huy Nguyễn Phạm Nhật.
- Fix command injection via crafted im_convert_path/im_identify_path on Windows. Credits for this finding to Huy Nguyễn Phạm Nhật.
See the full changelogs in the release notes on the GitHub download pages for the updated versions 1.6.7 and 1.5.7.
https://github.com/roundcube/roundcubemail/releases/tag/1.6.7
https://github.com/roundcube/roundcubemail/releases/tag/1.5.7
We strongly recommend updating all production installations of Roundcube 1.6.x and 1.5.x to these new versions.
-- Alec
_______________________________________________
Users mailing list -- users@lists.roundcube.net
To unsubscribe send an email to users-leave@lists.roundcube.net
The last 1.4.x update I see was 1.4.16, packaged on GitHub in December 2023.
https://github.com/roundcube/roundcubemail/releases/tag/1.4.16
On 2024-06-11 10:42, Sean McBride wrote:
Alec,
As there was no new 1.4.x release here, a couple of questions:
- is 1.4.x vulnerable?
- is 1.4.x EOL? No more updates ever?
I know an ISP still running 1.4.x, and if this announcement (or future ones) had answered those questions, I would have an easier time convincing them to upgrade. :)
Cheers,
Sean
On 12/06/2024 00:42, Sean McBride wrote:
Alec,
As there was no new 1.4.x release here, a couple of questions:
- is 1.4.x vulnerable?
- is 1.4.x EOL? No more updates ever?
I know an ISP still running 1.4.x, and if this announcement (or future ones) had answered those questions, I would have an easier time convincing them to upgrade. :)
Seems the list server has issues: no announce list messages for 12 months, archives completely missing, so it may have been announced (EOL 1.4) but nobody got it :)
Thomas??
Noel Butler via Users wrote on 2024-06-11 23:00:
Seems the list server has issues: no announce list messages for 12 months, archives completely missing, so it may have been announced (EOL 1.4) but nobody got it :)
Thomas??
Jerry?
Gentoo still only has 1.6.4 (stable), 1.6.7 (unstable).
Stable for 10+ years and still missing in core rcu: https://github.com/corbosman/listcommands
Hello,
On 11 Jun 2024, at 23:00, Noel Butler via Users <users@lists.roundcube.net> wrote:
Seems the list server has issues, no announce list messages for 12 months, archives completely missing
FYI: The lists server had issues, which are resolved. The list's archives are now available at https://lists.roundcube.net/hyperkitty/list/announce@lists.roundcube.net/latest.
Cheers,
Pablo
On 12/06/2024 18:00, Pablo Zimdahl via Users wrote:
FYI: The lists server had issues, which are resolved. The list's archives are now available at https://lists.roundcube.net/hyperkitty/list/announce@lists.roundcube.net/latest.
Ahh ok, so the archives changed location, but if I try lists.roundcube.net I get their default Debian page, and, as I also pointed out, no announce list messages have been received, actually since January _2023_.
I've had no issues with mail, but if RC did have a DNS failure or an RBL entry and we rejected them until they hit the max bounce limit, it surely would be this list, not announce ;)