The popular webmailer Roundcube has received an important update in its maintained branches 1.4, 1.3 and 1.2. It closes four security issues that the project rates as less critical, but it should nevertheless be installed as soon as possible. Two of the four (the remote code execution via the ImageMagick path settings and the local file inclusion via the plugins option) need an attacker who can influence Roundcube's configuration values, which is why they are rated lower; the XSS, on the other hand, is reachable through malicious HTML content in a received message, and the CSRF bypass only lets an attacker log a user out.
Roundcube 1.4.4 Security Fixes
- Cross-Site Scripting (XSS) via malicious HTML content
- CSRF attack can cause an authenticated user to be logged out
- Remote code execution via crafted config options
- Path traversal vulnerability allowing local file inclusion via crafted ‘plugins’ option
Roundcube 1.4.4 Release Notes
- Fix bug where attachments with Content-Id were attached to the message on reply (#7122)
- Fix identity selection on reply when both sender and recipient addresses are included in identities (#7211)
- Elastic: Fix text selection with Shift+PageUp and Shift+PageDown in plain text editor when using Chrome (#7230)
- Elastic: Fix recipient input bug when using click to select a contact from autocomplete list (#7231)
- Elastic: Fix color of a folder with recent messages (#7281)
- Elastic: Restrict logo size in print view (#7275)
- Fix invalid Content-Type for messages with only html part and inline images - Mail_Mime-1.10.7 (#7261)
- Fix missing contact display name in QR Code data (#7257)
- Fix so button label in Select image/media dialogs is "Close" not "Cancel" (#7246)
- Fix regression in testing database schema on MSSQL (#7227)
- Fix cursor position after inserting a group to a recipient input using autocompletion (#7267)
- Fix string literals handling in IMAP STATUS (and various other) responses (#7290)
- Fix bug where multiple images in a message were replaced by the first one on forward/reply/edit (#7293)
- Fix handling keyservers configured with protocol prefix (#7295)
- Markasjunk: Fix marking as spam/ham on moving messages with Move menu (#7189)
- Markasjunk: Fix bug where moving to Junk was failing on messages selected with Select > All (#7206)
- Fix so imap error message is displayed to the user on folder create/update (#7245)
- Fix bug where a special folder couldn't be created if a special-use flag is not supported (#7147)
- Mailvelope: Fix bug where recipients with name were not handled properly in mail compose (#7312)
- Fix characters encoding in group rename input after group creation/rename (#7330)
- Fix bug where some message/rfc822 parts could not be attached on forward (#7323)
- Make install-jsdeps.sh script working without the file program installed (#7325)
- Fix performance issue of parsing big HTML messages by disabling HTML5 parser for these (#7331)
- Fix so Print button for PDF attachments works on Firefox >= 75 (#5125)
- Security: Fix XSS issue in handling of CDATA in HTML messages
- Security: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings
- Security: Fix local file inclusion (and code execution) via crafted 'plugins' option
- Security: Fix CSRF bypass that could be used to log out an authenticated user (#7302)
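Because two of the four fixes concern configuration values rather than user input, the practical check after reading these notes is twofold: is the installed version at or above the fixed release of its branch, and does the configuration contain the patterns the advisory names (shell metacharacters in the ImageMagick paths, path separators or traversal in a plugin name)? The following read-only audit script is an added example written for this post; it is not Roundcube project code. It assumes that the version constant is the `define('RCMAIL_VERSION', '...')` line in program/include/iniset.php and that the configuration is the usual `$config['key'] = value;` PHP form of config/config.inc.php; the sample inputs embedded in the script are constructed and deliberately contain both bad patterns.

```python
"""Audit a Roundcube installation against the 1.4.4 / 1.3.11 / 1.2.10 security releases.

Added example, not Roundcube project code. Assumptions: the version is read from
the define('RCMAIL_VERSION', '...') line of program/include/iniset.php and the
configuration uses $config['key'] = value; statements (config/config.inc.php).
"""
import pathlib
import re
import sys

# Lowest fixed version per branch, taken from the release notes.
FIXED = {"1.4": (1, 4, 4), "1.3": (1, 3, 11), "1.2": (1, 2, 10)}

# Characters that must never appear in a path that is later handed to a shell
# (im_convert_path / im_identify_path are used to build ImageMagick command lines).
SHELL_META = re.compile(r"[;&|`$<>()\n\"'\\]")

# A plugin entry is a bare directory name under plugins/; anything with a path
# separator or traversal sequence is suspicious.
PLUGIN_NAME = re.compile(r"[A-Za-z0-9_-]+")

# One "$config['key'] = value;" statement; quoted strings are consumed as units
# so a ';' inside a string does not terminate the match early.
_VALUE = r"((?:'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"|[^;'\"])*);"
_STRING = re.compile(r"(['\"])((?:\\.|(?!\1).)*?)\1")


def parse_version(iniset_source: str) -> tuple:
    """Return RCMAIL_VERSION as an int tuple, e.g. (1, 4, 3)."""
    m = re.search(r"define\('RCMAIL_VERSION',\s*'([\d.]+)'\)", iniset_source)
    if not m:
        raise ValueError("RCMAIL_VERSION not found")
    return tuple(int(p) for p in m.group(1).split("."))


def is_fixed(version: tuple):
    """True/False if the branch is covered by this advisory, None otherwise."""
    branch = f"{version[0]}.{version[1]}"
    if branch not in FIXED:
        return None
    return version >= FIXED[branch]


def extract_setting(config_source: str, key: str):
    """Return $config[key] as a str, a list of str for array values, or None."""
    m = re.search(r"\$config\['" + re.escape(key) + r"'\]\s*=\s*" + _VALUE, config_source)
    if not m:
        return None
    raw = m.group(1).strip()
    strings = [s.group(2) for s in _STRING.finditer(raw)]
    if raw.startswith(("array(", "[")):
        return strings
    return strings[0] if strings else raw


def audit_config(config_source: str) -> list:
    """Report the configuration patterns named in the 1.4.4 advisory."""
    findings = []
    for key in ("im_convert_path", "im_identify_path"):
        value = extract_setting(config_source, key)
        if value and SHELL_META.search(value):
            findings.append(f"{key}: shell metacharacter in {value!r}")
    for name in extract_setting(config_source, "plugins") or []:
        if not PLUGIN_NAME.fullmatch(name):
            findings.append(f"plugins: suspicious plugin name {name!r}")
    return findings


def run_audit(iniset_source: str, config_source: str) -> dict:
    version = parse_version(iniset_source)
    return {
        "version": ".".join(map(str, version)),
        "fixed": is_fixed(version),
        "findings": audit_config(config_source),
    }


# Constructed sample inputs (not from a real installation).
SAMPLE_INISET = "<?php\ndefine('RCMAIL_VERSION', '1.4.3');\n"
SAMPLE_CONFIG = """<?php
$config['plugins'] = array('archive', 'zipdownload', '../../../../tmp/evil');
$config['im_convert_path'] = '/usr/bin/convert; id > /tmp/pwned';
$config['im_identify_path'] = '/usr/bin/identify';
"""

if __name__ == "__main__":
    if len(sys.argv) == 2:  # path to the Roundcube root directory
        root = pathlib.Path(sys.argv[1])
        iniset = (root / "program" / "include" / "iniset.php").read_text()
        config = (root / "config" / "config.inc.php").read_text()
    else:
        iniset, config = SAMPLE_INISET, SAMPLE_CONFIG
    report = run_audit(iniset, config)
    print(f"Roundcube {report['version']}: fixed={report['fixed']}")
    for finding in report["findings"]:
        print("  finding:", finding)
```

Run it with the Roundcube root directory as its only argument, or without arguments to see it flag the constructed sample. A clean report only means the two configuration patterns are absent; the XSS and CSRF fixes are in the code, so the version check is the one that matters and the upgrade is the actual fix.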
Roundcube 1.3.11 Release Notes
- Enigma: Fix compatibility with Mail_Mime >= 1.10.5
- Fix permissions on some folders created by bin/install-jsdeps.sh script (#6930)
- Fix bug where inline images could have been ignored if Content-Id header contained redundant spaces (#6980)
- Fix PHP Warning: Use of undefined constant LOG_EMERGE (#6991)
- Fix PHP warning: "array_merge(): Expected parameter 2 to be an array, null given" in sendmail.inc (#7003)
- Security: Fix XSS issue in handling of CDATA in HTML messages
- Security: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings
- Security: Fix local file inclusion (and code execution) via crafted 'plugins' option
- Security: Fix CSRF bypass that could be used to log out an authenticated user (#7302)
Roundcube 1.2.10 Release Notes
- Fix missing message-htmlpart1 class breaking inline CSS (#6493)
- Security: Fix XSS issue in handling of CDATA in HTML messages
- Security: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings
- Security: Fix local file inclusion (and code execution) via crafted 'plugins' option
- Security: Fix CSRF bypass that could be used to log out an authenticated user (#7302)
Source: https://github.com/roundcube/roundcubemail/releases
Interested in a wide range of IT topics, I write in this blog about software, hardware, smart home, games and much more. I report, for example, on the installation and configuration of software as well as on problems with it. News is just as exciting, so I also report on updates, releases and news from the IT world. Ultimately I use Taste-of-IT as my own documentation and reference point for recurring topics. I hope I can inform you as well and offer a quick solution when problems arise. Anyone who would like to support my effort is welcome to donate a cup or pod of coffee via PayPal. Many thanks.