Roundcube 1.3.6 released

unihostbrasil

Verified User
Joined
Nov 23, 2009
Messages
208
Location
São Paulo - Brazil
This is a security update to the stable version 1.3. It primarily fixes a recently discovered IMAP command injection vulnerability caused by insufficient input validation within the archive plugin. Details about the vulnerability are published under CVE-2018-9846.

Additionally, we back-ported some minor fixes from the master branch which improve PHP 7.2 compatibility as well as PGP signing and key handling for those who use the Enigma plugin. See the complete changelog below.

https://roundcube.net/news/2018/04/11/security-update-1.3.6

CHANGELOG

Fix parsing date strings (e.g. from a Date: mail header) with comments (#6216)
Fix PHP 7.2: count(): Parameter must be an array in enchant-based spellchecker (#6234)
Fix possible IMAP command injection and type juggling vulnerabilities (#6229)
Enigma: Fix key selection for signing
Enigma: Enable keypair generation on Internet Explorer 11
Fix check_request() bypass in places using get_uids() [CVE-2018-9846] (#6238)
Fix bug where usernames without domain part could be malformed or converted to lower-case on logon (#6224)
 
After update I have blank white page on all domains (/roundcube) so I have to degraded to 1.3.5 and works... check this please.
 
After update I have blank white page on all domains (/roundcube) so I have to degraded to 1.3.5 and works... check this please.

Do you use PHP-FPM? Then you have to restart PHP-FPM after building Roundcube 1.3.6! (Otherwise, the cache is Roundcube 1.3.5) Does it work?
 
Do you use PHP-FPM? Then you have to restart PHP-FPM after building Roundcube 1.3.6! (Otherwise, the cache is Roundcube 1.3.5) Does it work?

Yes now it works! Thanks, I didn't know that because I'm using php-fpm for first time since maybe 2 weeks :) I have to do this everytime when I update webapps in custombuild?
 
Martynas has just added a quick change, where after RoundCube is installed, if opCache is enabled, then the corresponding service (php-fpm, or httpd for php cli, or litespeed) will be restarted, to clear the opCache cache. On files1 in CB2 rev 1853.

John
 
@DirectAdmin Support, It is enough to reload Apache or PHP-FPM in order to empty OPcache, it is not needed to restart those services to clear OPcache. Please change it to reload instead of restart, or give us a option to disable the restart in options.conf. Thanks.
 
Looking at the diff, it is using a reload already :)

[TABLE="class: diff, width: 1283"]
[TR]
[TD="class: diffadded, bgcolor: #BBFFBB"] [/TD]
[/TR]
[TR]
[TD="class: diffadded, bgcolor: #DDFFDD"] if [ "${OPCACHE_OPT}" = "yes" ]; then[/TD]
[/TR]
[TR]
[TD="class: diffadded, bgcolor: #DDFFDD"] if [ "${PHP1_MODE_OPT}" = "php-fpm" ]; then[/TD]
[/TR]
[TR]
[TD="class: diffadded, bgcolor: #DDFFDD"] echo "Reloading php-fpm${PHP1_SHORTRELEASE}."[/TD]
[/TR]
[TR]
[TD="class: diffadded, bgcolor: #DDFFDD"] control_service php-fpm${PHP1_SHORTRELEASE} reload[/TD]
[/TR]
[TR]
[TD="class: diffadded, bgcolor: #DDFFDD"] elif [ "${WEBSERVER_OPT}" = "apache" ] || [ "${WEBSERVER_OPT}" = "nginx_apache" ]; then[/TD]
[/TR]
[TR]
[TD="class: diffadded, bgcolor: #DDFFDD"] echo "Reloading apache."[/TD]
[/TR]
[TR]
[TD="class: diffadded, bgcolor: #DDFFDD"] control_service httpd reload[/TD]
[/TR]
[TR]
[TD="class: diffadded, bgcolor: #DDFFDD"] elif [ "${WEBSERVER_OPT}" = "litespeed" ]; then[/TD]
[/TR]
[TR]
[TD="class: diffadded, bgcolor: #DDFFDD"] echo "Reloading litespeed."[/TD]
[/TR]
[TR]
[TD="class: diffadded, bgcolor: #DDFFDD"] control_service litespeed reload[/TD]
[/TR]
[TR]
[TD="class: diffadded, bgcolor: #DDFFDD"] fi[/TD]
[/TR]
[TR]
[TD="class: diffadded, bgcolor: #DDFFDD"] fi[/TD]
[/TR]
[/TABLE]
John
 
Martynas has just added a quick change, where after RoundCube is installed, if opCache is enabled, then the corresponding service (php-fpm, or httpd for php cli, or litespeed) will be restarted, to clear the opCache cache. On files1 in CB2 rev 1853.

John

Thanks for adding Martynas and John! :)
 
Back
Top