roundcube Webmailer Bugfix und Security Release 1.5.7 und 1.6.7

Der belliebte Webmailer Roundcube erhielt das Security und Bugfix Update 1.6.7 und 1.5.7 für den 1.5er Zweig. Die Updates schließen 4 Sicherheitslücken und beheben einige Fehler die den Webmailer sicherer und stabiler machen.

roundcube 1.6.7 Release Notes

Security

• Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes.
  Reported by Valentin T. and Lutz Wolf of CrowdStrike.
• Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences.
  Reported by Huy Nguyễn Phạm Nhật.
• Fix command injection via crafted im_convert_path/im_identify_path on Windows.
  Reported by Huy Nguyễn Phạm Nhật.

Changes

• Makefile: Use phpDocumentor v3.4 for the Framework docs (#9313)
• Fix bug where HTML entities in URLs were not decoded on HTML to plain text conversion (#9312)
• Fix bug in collapsing/expanding folders with some special characters in names (#9324)
• Fix PHP8 warnings (#9363, #9365, #9429)
• Fix missing field labels in CSV import, for some locales (#9393)

Quelle: https://github.com/roundcube/roundcubemail/releases/tag/1.6.7

roundcube 1.5.7 Release Notes

Security

• Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes.
  Reported by Valentin T. and Lutz Wolf of CrowdStrike.
• Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences.
  Reported by Huy Nguyễn Phạm Nhật.
• Fix command injection via crafted im_convert_path/im_identify_path on Windows.
  Reported by Huy Nguyễn Phạm Nhật.

Changes

• Enigma: Fix finding of a private key when decrypting a message using GnuPG v2.3
• Fix TinyMCE localization installation (#9266)
• Makefile: Use phpDocumentor v3.4 for the Framework docs (#9313)

Quelle: https://github.com/roundcube/roundcubemail/releases/tag/1.5.7