On 2020-06-07 16:23, Thomas Bruederli wrote:
Dear subscribers
We recently published service and security updates to the stable
version 1.4 and the LTS version 1.3 of Roundcube Webmail.
They contain four fixes for recently reported security vulnerabilities
as well a number of general improvements from our issue tracker.
Security fixes:
- Fix XSS issue in template object username **
- Fix cross-site scripting (XSS) via malicious XML attachment *
- Fix a couple of XSS issues in Installer **
- Better fix for CVE-2020-12641
The latter two vulnerabilities again are related to public access to
the Roundcube installer and are therefore classified minor. See the
full changelogs in the release notes on the Github download pages [1]
and [2].
In addition to the security releases 1.4.5 and 1.3.12 we today pushed
follow-up releases containing one single fix for the installer’s
test step which was broken with the former security update.
We strongly recommend to update all productive installations of
Roundcube with this new versions.
Download the latest packages from https://roundcube.net/download
Best,Thomas & Alec
Interesting note...it appears that the above noted version, 1.4.5, has
already been superseded and replaced by version 1.4.6.
--
Mike Burger
http://www.bubbanfriends.org
"It's always suicide-mission this, save-the-planet that. No one ever
just stops by to say 'hi' anymore." --Colonel Jack O'Neill, SG1
_______________________________________________
Roundcube Users mailing list
[email protected]
http://lists.roundcube.net/mailman/listinfo/users
