Hi,

Thank you.

Regards,
Sophie

> On 29 Apr 2020, at 22:06, Thomas Bruederli <[email protected]> wrote:
> 
> Dear subscribers
> 
> We just published service and security updates to the stable version 1.4 and 
> the LTS versions 1.3 and 1.2 of Roundcube Webmail. They contain four fixes 
> for recently reported security vulnerabilities as well as a number of general 
> improvements from our issue tracker.
> 
> Security fixes:
> - Cross-Site Scripting (XSS) via malicious HTML content
> - CSRF attack can cause an authenticated user to be logged out
> - Remote code execution via crafted config options
> - Path traversal vulnerability allowing local file inclusion via crafted 
> ‘plugins’ option
> 
> The latter two vulnerabilities are classified minor because they only affect 
> Roundcube installations with public access to the Roundcube installer. That’s 
> generally a high-risk situation and is expected to be rare or practically 
> non-existent in productive Roundcube deployments. However, the fixes are done 
> in core in order to also prevent future and yet unknown attack vectors.
> 
> See the full changelogs in the release notes on the GitHub download pages [1].
> Download the updated packages from https://roundcube.net/download
> 
> We strongly recommend updating all productive installations of Roundcube 
> with these new versions.
> 
> Best,
> Thomas & Alec
> 
> [1] https://github.com/roundcube/roundcubemail/releases
> _______________________________________________
> Roundcube Users mailing list
> [email protected]
> http://lists.roundcube.net/mailman/listinfo/users
