@fln @smtalk can you include this in the next release? 1.666?
Security updates 1.6.8 and 1.5.8 released
We just published security updates to the 1.6 and 1.5 LTS versions of Roundcube Webmail. They both contain fixes for recently reported security vulnerabilities.
Security fixes
Security updates 1.6.8 and 1.5.8 released
We just published security updates to the 1.6 and 1.5 LTS versions of Roundcube Webmail. They both contain fixes for recently reported security vulnerabilities.
Security fixes
- Fix XSS vulnerability in post-processing of sanitized HTML content [CVE-2024-42009]
- Fix XSS vulnerability in serving of attachments other than HTML or SVG [CVE-2024-42008]
- Fix information leak (access to remote content) via insufficient CSS filtering [CVE-2024-42010]
- Managesieve: Protect special scripts in managesieve_kolab_master mode
- Fix newmail_notifier notification focus in Chrome ()
- Fix fatal error when parsing some TNEF attachments ()
- Fix double scrollbar when composing a mail with many plain text lines ()
- Fix decoding mail parts with multiple base64-encoded text blocks ()
- Fix bug where some messages could get malformed in an import from a MBOX file ()
- Fix invalid line break characters in multi-line text in Sieve scripts ()
- Fix bug where "with attachment" filter could fail on some fts engines ()
- Fix bug where an unhandled exception was caused by an invalid image attachment ()
- Fix bug where a long subject title could not be displayed in some cases ()
- Fix infinite loop when parsing malformed Sieve script ()
- Fix bug where imap_conn_option's 'socket' was ignored ()
- Fix XSS vulnerability in post-processing of sanitized HTML content [CVE-2024-42009]
- Fix XSS vulnerability in serving of attachments other than HTML or SVG [CVE-2024-42008]
- Fix information leak (access to remote content) via insufficient CSS filtering [CVE-2024-42010]