Roundcube 1.3.6 released

unihostbrasil

This is a security update to the stable version 1.3. It primarily fixes a recently discovered IMAP command injection vulnerability caused by insufficient input validation within the archive plugin. Details about the vulnerability are published under CVE-2018-9846.

Additionally, we back-ported some minor fixes from the master branch which improve PHP 7.2 compatibility as well as PGP signing and key handling for those who use the Enigma plugin. See the complete changelog below.

https://roundcube.net/news/2018/04/11/security-update-1.3.6

CHANGELOG

Fix parsing date strings (e.g. from a Date: mail header) with comments (#6216)
Fix PHP 7.2: count(): Parameter must be an array in enchant-based spellchecker (#6234)
Fix possible IMAP command injection and type juggling vulnerabilities (#6229)
Enigma: Fix key selection for signing
Enigma: Enable keypair generation on Internet Explorer 11
Fix check_request() bypass in places using get_uids() [CVE-2018-9846] (#6238)
Fix bug where usernames without domain part could be malformed or converted to lower-case on logon (#6224)
 

ShinJii

After the update I have a blank white page on all domains (/roundcube), so I had to downgrade to 1.3.5 and it works... check this please.
 

dave097

> After the update I have a blank white page on all domains (/roundcube), so I had to downgrade to 1.3.5 and it works... check this please.

Do you use PHP-FPM? Then you have to restart PHP-FPM after building Roundcube 1.3.6! (Otherwise, the cache is Roundcube 1.3.5) Does it work?
 

ShinJii

> Do you use PHP-FPM? Then you have to restart PHP-FPM after building Roundcube 1.3.6! (Otherwise, the cache is Roundcube 1.3.5) Does it work?

Yes, now it works! Thanks, I didn't know that because I've only been using php-fpm for maybe 2 weeks :) Do I have to do this every time I update webapps in custombuild?
 

DirectAdmin Support

Administrator
Staff member
Martynas has just added a quick change, where after RoundCube is installed, if opCache is enabled, then the corresponding service (php-fpm, or httpd for php cli, or litespeed) will be restarted, to clear the opCache cache. On files1 in CB2 rev 1853.

John
 

ditto

@DirectAdmin Support, it is enough to reload Apache or PHP-FPM in order to empty OPcache; it is not necessary to restart those services to clear OPcache. Please change it to reload instead of restart, or give us an option to disable the restart in options.conf. Thanks.
 

DirectAdmin Support

Administrator
Staff member
Looking at the diff, it is using a reload already :)

    # After RoundCube is installed: if opCache is enabled, reload the service that runs PHP.
    if [ "${OPCACHE_OPT}" = "yes" ]; then
        if [ "${PHP1_MODE_OPT}" = "php-fpm" ]; then
            echo "Reloading php-fpm${PHP1_SHORTRELEASE}."
            control_service php-fpm${PHP1_SHORTRELEASE} reload
        elif [ "${WEBSERVER_OPT}" = "apache" ] || [ "${WEBSERVER_OPT}" = "nginx_apache" ]; then
            echo "Reloading apache."
            control_service httpd reload
        elif [ "${WEBSERVER_OPT}" = "litespeed" ]; then
            echo "Reloading litespeed."
            control_service litespeed reload
        fi
    fi

John
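
As an added example (not part of the thread and not CustomBuild's or Roundcube's code), the check below confirms that the on-disk tree is at least 1.3.6 and flags the stale-OPcache situation described in the posts above. The function names, the `RCMAIL_VERSION` definition in `program/include/iniset.php`, and the mtime-versus-service-start heuristic are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not CustomBuild or Roundcube code.
# Assumption: the tree defines RCMAIL_VERSION in program/include/iniset.php.
MIN_FIXED="1.3.6"                       # fixed 1.3 release named on this page
VERSION_FILE="program/include/iniset.php"

# Print the Roundcube version found on disk; fail if it cannot be read.
rc_disk_version() {
    local f="$1/$VERSION_FILE" v
    [ -r "$f" ] || return 1
    v=$(sed -n "s/^define('RCMAIL_VERSION', *'\([^']*\)');.*/\1/p" "$f" | head -n 1)
    [ -n "$v" ] && printf '%s\n' "$v"
}

# True when version $1 >= version $2 (GNU sort -V ordering).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Classify a tree. $1 = Roundcube dir, $2 = epoch at which the PHP service
# (php-fpm, httpd or litespeed) was last started or reloaded.
rc_check() {
    local dir="$1" started="$2" v
    v=$(rc_disk_version "$dir") || { echo "UNKNOWN"; return 0; }
    version_ge "$v" "$MIN_FIXED" || { echo "OUTDATED $v"; return 0; }
    # Files newer than the service: OPcache may still hold the old release.
    if [ "$(stat -c %Y "$dir/$VERSION_FILE")" -gt "$started" ]; then
        echo "RELOAD_PENDING $v"
    else
        echo "OK $v"
    fi
}

# Constructed sample tree so the example runs offline. $1 = version to write.
make_sample_tree() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/program/include"
    printf "<?php\ndefine('RCMAIL_VERSION', '%s');\n" "$1" > "$d/$VERSION_FILE"
    echo "$d"
}

tree=$(make_sample_tree 1.3.6)
mtime=$(stat -c %Y "$tree/$VERSION_FILE")
rc_check "$tree" $((mtime - 60))        # service started before the upgrade
rc_check "$tree" $((mtime + 60))        # service reloaded after the upgrade
rm -rf "$tree"
```

On a live host the second argument can be taken from the service's master process, for example with `ps -o lstart= -p <pid>` converted to an epoch by `date -d ... +%s`.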
 

dave097

> Martynas has just added a quick change, where after RoundCube is installed, if opCache is enabled, then the corresponding service (php-fpm, or httpd for php cli, or litespeed) will be restarted, to clear the opCache cache. On files1 in CB2 rev 1853.
>
> John

Thanks for adding Martynas and John! :)
 