Re: Security updates 1.4.4, 1.3.11 and 1.2.10 released

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

Re: Security updates 1.4.4, 1.3.11 and 1.2.10 released

Sophie Loewenthal
Hi, 

Thank-you.

Regards,
Sophie 





On 29 Apr 2020, at 22:06, Thomas Bruederli <[hidden email]> wrote:

Dear subscribers

We just published service and security updates to the stable version 1.4 and the LTS versions 1.3 and 1.2 of Roundcube Webmail. They contain four fixes for recently reported security vulnerabilities as well a number of general improvements from our issue tracker.

Security fixes:
- Cross-Site Scripting (XSS) via malicious HTML content
- CSRF attack can cause an authenticated user to be logged out
- Remote code execution via crafted config options
- Path traversal vulnerability allowing local file inclusion via crafted ‘plugins’ option

The latter two vulnerabilities are classified minor because they only affect Roundcube installations with public access to the Roundcube installer. That’s generally a high-risk situation and is expected to be rare or practically non-existent in productive Roundcube deployments. However, the fixes are done in core in order to also prevent from future and yet unknown attack vectors.

See the full changelogs in the release notes on the Github download pages [1].
Download the updated packages from https://roundcube.net/download

We strongly recommend to update all productive installations of Roundcube with this new versions.

Best,
Thomas & Alec

_______________________________________________
Roundcube Users mailing list
[hidden email]
http://lists.roundcube.net/mailman/listinfo/users


_______________________________________________
Roundcube Users mailing list
[hidden email]
http://lists.roundcube.net/mailman/listinfo/users