Skip to content

[Security Update] Roundcube Webmail 1.3.3
Compare
Choose a tag to compare
@thomascube thomascube released this 08 Nov 18:49
· 3973 commits to master since this release
1.3.3
This tag was signed with the committer’s verified signature.
thomascube Thomas B.
GPG key ID: D105DEA0B545B36C
Learn about vigilant mode.
d84391d

This is a security update to the stable version 1.3. It primarily fixes a recently discovered file disclosure vulnerability caused by insufficient input validation in conjunction with file-based attachment plugins, which are used by default. More details will be published under CVE-2017-16651.

We strongly recommend to update all productive installations of Roundcube.
Please do backup your data before updating!

CHANGELOG

  • Fix decoding of mailto: links with + character in HTML messages (#6020)
  • Fix false reporting of failed upgrade in installto.sh (#6019)
  • Fix file disclosure vulnerability caused by insufficient input validation (#6026)
  • Fix mangled non-ASCII characters in links in HTML messages (#6028)
Assets 8
Loading