Roundcube Webmail Project News

Update 1.3.8 released

2018-10-26T00:00:00+00:00

We proudly announce the next service release to update the stable version 1.3.

It contains fixes to several bugs backported from the master branch including a security fix for a reported XSS vulnerability plus updates to ensure compatibility with PHP 7.3 and recent versions of Courier-IMAP, Dovecot and MySQL 8.

See the full changelog in the release notes on the Github download page.

This release is considered stable and we recommend to update all productive installations of Roundcube with this version. Download it from roundcube.net.

Please do backup your data before updating!

Roundcube 1.4 beta released

2018-08-25T00:00:00+00:00

We proudly announce the beta release of the next major version 1.4 of Roundcube webmail. With this milestone we introduce some new features:

New responsive skin with mobile support
Email Resent (Bounce) feature
Improved Mailvelope integration
Support for Redis cache
Support for SMTPUTF8

Because the new responsive skin is not yet fully completed, it’s not enabled by default. In order to make it the default for your users, change your config.inc.php accordingly:

$config['skin'] = 'elastic';

Although it still needs some polishing, the new skin solves the urgent need to enable access to Roundcube for mobile devices. The plugin elastic4mobile makes it the default for mobile devices while keeping the configured default for desktop browsers.

The Elastic skin is built with LESS and of course the sources are included. They allow a certain degree of customization by adjusting some color variables. All you need is to compile your very own customized skin with lessc.

See the full changelog in the release notes on the Github download page.

This is a beta release and we recommend to test it on a separate environment. And don’t forget to backup your data before installing it. Download it from roundcube.net.

Update 1.3.7 released

2018-07-27T00:00:00+00:00

We proudly announce the next service release to update the stable version 1.3. It contains fixes to several bugs backported from the master branch including a security fix mitigating the EFAIL issue recently discovered in OpenPGP.

See the full changelog in the release notes on the Github download page.

This release is considered stable and we recommend to update all productive installations of Roundcube with this version. Download it from roundcube.net.

Please do backup your data before updating!

Updates 1.2.9 and 1.1.12 released

2018-04-29T00:00:00+00:00

As a follow-up to the recent security update for the stable versions 1.2. and 1.1, this new release fixes a regression that sneaked in with the IMAP command injection protection which unintentionally disabled actions that operate on all selected messages (e.g. mark all as junk).

We recommend to update all productive installations of Roundcube 1.2.8. and 1.1.11 with these new versions.

Security updates 1.2.8 and 1.1.11 released

2018-04-17T00:00:00+00:00

Following the recent security update for 1.3, here now come the promised updates for the LTS versions 1.2 and 1.1. They both fix the recently reported vulnerability allowing IMAP command injection via a GET parameters. More details about this are published under CVE-2018-9846.

Another fix included in these updates is about a missed remote content blocking on HTML messages with specially crafted image and style tags.

See the full changelog in the release notes on the according Github download pages:

We strongly recommend to update all productive installations of Roundcube 1.2.x and 1.1.x respectively. Please do backup your data before updating!

UPDATE

An unintended regression was added with the fix for the IMAP command injection vulnerability which has also been fixed now. We therefore recommend to update to versions 1.2.9 and 1.1.11 right away.

Security update 1.3.6 released

2018-04-11T00:00:00+00:00

We just published a security update to the stable version 1.3. It primarily fixes a recently discovered IMAP command injection vulnerability caused by insufficient input validation within the archive plugin. Details about the vulnerability are published under CVE-2018-9846.

Additionally, we back-ported some minor fixes from the master branch which improve PHP 7.2 compatibility as well as PGP signing and key handling for those who use the Enigma plugin.

See the full changelog in the release notes on the Github download page.

We strongly recommend to update all productive installations of Roundcube with this new version. Updates for older LTS versions will follow soon.

Update 1.3.5 released

2018-03-15T00:00:00+00:00

We proudly announce a new service release to update the stable version 1.3. It contains fixes to several bugs backported from the master branch. One can be called a minor security fix as it fixes blocking of remote content on specially crafted style tags.

See the full changelog in the release notes on the Github download page.

This release is considered stable and we recommend to update all productive installations of Roundcube with this version. Download it from roundcube.net.

Please do backup your data before updating!

Update 1.3.4 released

2018-01-14T00:00:00+00:00

We proudly announce the next service release to update the stable version 1.3. It contains fixes to several bugs reported by our dear community members and makes Roundcube fully compatible with PHP 7.2.

See the full changelog in the release notes on the Github download page.

This release is considered stable and we recommend to update all productive installations of Roundcube with this version. Download it from roundcube.net.

Please do backup your data before updating!

Security updates 1.3.3, 1.2.7 and 1.1.10 released

2017-11-08T00:00:00+00:00

We just published updates to all stable versions from 1.1.x onwards delivering fixes for a recently discovered file disclosure vulnerability in Roundcube Webmail.

Apparently this zero-day exploit is already being used by hackers to read Roundcube’s configuration files. It requires a valid username/password as the exploit only works with a valid session. More details will be published soon under CVE-2017-16651.

The Roundcube series 1.0.x is not affected by this vulnerability but we nevertheless back-ported the fix in order to protect from yet unknown exploits.

See the full changelog for the according version in the release notes on the Github download pages: v1.3.3, v1.2.7, v1.1.10 v1.0.12

We strongly recommend to update all productive installations of Roundcube with either one of these versions.

Mitigation

In order to check whether your Roundcube installation has been compromised check the access logs for requests like ?_task=settings&_action=upload-display&_from=timezone. As mentioned above, the file disclosure only works for authenticated users and by finding such requests in the logs you should also be able to identify the account used for this unauthorized access. For mitigation we recommend to change the all credentials to external services like database or LDAP address books and preferably also the des_key option in your config.

Update 1.3.2 released

2017-10-31T00:00:00+00:00

We proudly announce the second service release to update the stable version 1.3. It contains fixes to several bugs reported by our dear community members as well as translation updates synchronized from Transifex.

We also changed the wording for the setting that controls the time after which an opened message is marked as read. This was previously only affecting messages being viewed in the preview panel but now applies to all means of opening a message. That change came with 1.3.0 an apparently confused many users. Some translation work is still needed here.

See the full changelog in the release notes on the Github download page.

This release is considered stable and we recommend to update all productive installations of Roundcube with this version. Download it from roundcube.net.

Please do backup your data before updating!