Skip to content

Roundcube Webmail 1.7 RC5

Pre-release
Pre-release

Choose a tag to compare

View all tags
@alecpl alecpl released this 18 Mar 14:14
· 16 commits to master since this release
1.7-rc5
This tag was signed with the committer’s verified signature.
alecpl Aleksander Machniak
GPG key ID: BEE674A019359DC1
Verified
Learn about vigilant mode.
8e4a99b

This is hopefully the last release candidate for the next major version 1.7 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:

  • Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler, reported by y0us.
  • Fix bug where a password could get changed without providing the old password, reported by flydragon777.
  • Fix IMAP Injection + CSRF bypass in mail search, reported by Martila Security Research Team.
  • Fix remote image blocking bypass via various SVG animate attributes, reported by nullcathedral.
  • Fix remote image blocking bypass via a crafted body background attribute, reported by nullcathedral.
  • Fix fixed position mitigation bypass via use of !important, reported by nullcathedral.
  • Fix XSS issue in a HTML attachment preview, reported by aikido_security.
  • Fix SSRF + Information Disclosure via stylesheet links to a local network hosts, reported by Georgios Tsimpidas (aka Frey), Security Researcher at https://i0.rs/.

We believe it is production ready, but we recommend to test it on a separate environment.

Migrate existing configs with either the installto.sh or the update.sh scripts.

And don't forget to backup your data before installing it!

CHANGELOG

  • Password: Add nt-binary hashing method (#10096)
  • Fix URL matching for domain names with port numbers (#10105)
  • Fix PHP fatal error when using IMAP cache (#10102)
  • Fix Postgres connection using IPv6 address (#10104)
  • Fix bug where rel=stylesheet part of a <link> could get removed
  • Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
  • Security: Fix bug where a password could get changed without providing the old password
  • Security: Fix IMAP Injection + CSRF bypass in mail search
  • Security: Fix remote image blocking bypass via various SVG animate attributes
  • Security: Fix remote image blocking bypass via a crafted body background attribute
  • Security: Fix fixed position mitigation bypass via use of !important
  • Security: Fix XSS issue in a HTML attachment preview
  • Security: Fix SSRF + Information Disclosure via stylesheet links to a local network hosts
Assets 8
Loading