
Fwd: Roundcube Webmail 1.4.5


Roundcube have just announced a new release which includes security fixes.

What is the timeline to update the Debian package in backports?

I would not normally be so impatient, but security vulnerabilities in a publicly facing server make me nervous...


Thanks, David.

-------- Original Message --------

Subject: [roundcube/roundcubemail] Release 1.4.5 - Roundcube Webmail 1.4.5
Date: 2020-06-02 21:31
From: "Thomas B." <notifications@github.com>
To: roundcube/roundcubemail <roundcubemail@noreply.github.com>
Copy: Subscribed <subscribed@noreply.github.com>
Reply-To: roundcube/roundcubemail <noreply@github.com>

Roundcube Webmail 1.4.5

Repository: roundcube/roundcubemail · Tag: 1.4.5 · Commit: 9898599 · Released by: thomascube

This is a service and security update to the stable version 1.4 of Roundcube Webmail.
It contains fixes for recently reported security vulnerabilities as well as a number
of general improvements from our issue tracker. See the full changelog below.

Security fixes

  • Fix XSS issue in template object 'username' (#7406)
  • Fix cross-site scripting (XSS) via malicious XML attachment
  • Fix a couple of XSS issues in Installer (#7406)
  • Better fix for CVE-2020-12641

The latter two vulnerabilities again are related to public access to the Roundcube installer
and are therefore classified minor.

This version is considered stable and we recommend to update all productive installations
of Roundcube with it. Please do backup your data before updating!


  • Fix bug in extracting required plugins from composer.json that led to spurious error in log (#7364)
  • Fix so the database setup description is compatible with MySQL 8 (#7340)
  • Markasjunk: Fix regression in jsevent driver (#7361)
  • Fix missing flag indication on collapsed thread in Larry and Elastic (#7366)
  • Fix default keyservers (use keys.openpgp.org), add note about CORS (#7373, #7367)
  • Password: Fix issue with Modoboa driver (#7372)
  • Mailvelope: Use sender's address to find pubkeys to check signatures (#7348)
  • Mailvelope: Fix Encrypt button hidden in Elastic (#7353)
  • Fix PHP warning: count(): Parameter must be an array or an object... in ID command handler (#7392)
  • Fix error when user-configured skin does not exist anymore (#7271)
  • Elastic: Fix aspect ratio of a contact photo in mail preview (#7339)
  • Fix bug where PDF attachments marked as inline could have not been attached on mail forward (#7382)
  • Security: Fix a couple of XSS issues in Installer (#7406)
  • Security: Fix XSS issue in template object 'username' (#7406)
  • Security: Fix cross-site scripting (XSS) via malicious XML attachment
  • Security: Better fix for CVE-2020-12641

This release has 8 assets:

  • roundcube-framework-1.4.5.tar.gz
  • roundcube-framework-1.4.5.tar.gz.asc
  • roundcubemail-1.4.5-complete.tar.gz
  • roundcubemail-1.4.5-complete.tar.gz.asc
  • roundcubemail-1.4.5.tar.gz
  • roundcubemail-1.4.5.tar.gz.asc
  • Source code (zip)
  • Source code (tar.gz)

Visit the release page to download them.
