55 "packages" : [
66 {
77 "package" : " Dependent" ,
8- "url" : " https://github.com/roundcube/roundcubemail/releases/download/1.7.0 /roundcubemail-1.7.0 .tar.gz" ,
9- "version" : " 1.7.0 " ,
8+ "url" : " https://github.com/roundcube/roundcubemail/releases/download/1.7.1 /roundcubemail-1.7.1 .tar.gz" ,
9+ "version" : " 1.7.1 " ,
1010 "size" : " 4.0 MB" ,
11- "checksum" : " d84fb637e4ec36be96f98e719f65fab3c17b1dace8d2a590f948111e51847cba "
11+ "checksum" : " b302db11a30b99870dc5c9475cc7c4cce197acb89b8c35f51d08276fdd0d2de8 "
1212 },
1313 {
1414 "package" : " Complete" ,
15- "url" : " https://github.com/roundcube/roundcubemail/releases/download/1.7.0 /roundcubemail-1.7.0 -complete.tar.gz" ,
16- "version" : " 1.7.0 " ,
15+ "url" : " https://github.com/roundcube/roundcubemail/releases/download/1.7.1 /roundcubemail-1.7.1 -complete.tar.gz" ,
16+ "version" : " 1.7.1 " ,
1717 "size" : " 6.0 MB" ,
18- "checksum" : " a34c366da2b7a24ad4a6382b4bb9a677cb581ee08bfc6304d0a9a721098e7a98 "
18+ "checksum" : " 1e0382bcefd627ab0b6285d3181ddfba5b444fdcf6d49f33f5ea15fbf97864ef "
1919 },
2020 {
2121 "package" : " Framework" ,
22- "url" : " https://github.com/roundcube/roundcubemail/releases/download/1.7.0 /roundcube-framework-1.7.0 .tar.gz" ,
23- "version" : " 1.7.0 " ,
24- "size" : " 1.1 MB" ,
25- "checksum" : " 4dab0dae47c839f1cca9daac9438d80771bb94d177aaa59dbeeb63a06e9ef4bc "
22+ "url" : " https://github.com/roundcube/roundcubemail/releases/download/1.7.1 /roundcube-framework-1.7.1 .tar.gz" ,
23+ "version" : " 1.7.1 " ,
24+ "size" : " 1.0 MB" ,
25+ "checksum" : " ca73d8709fc5c8fe0a748f49dc10db3554c35ab6a0cf5f9bf91e9edadb5513e2 "
2626 }
2727 ]
2828 },
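Review bot: nothing in this hunk lets a reviewer confirm that the three new `checksum` values (lines 11, 18 and 25) belong to the 1.7.1 tarballs named in the matching `url` fields, and the field does not name the digest algorithm for these 64-hex-character strings. Please recompute each digest from the published release asset before merging and say in the commit message how they were produced. The Framework `size` moves from 1.1 MB to 1.0 MB while Dependent and Complete stay at 4.0 MB and 6.0 MB, so it is worth confirming those two were rechecked and not carried over from 1.7.0.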
3939 "packages" : [
4040 {
4141 "package" : " Complete" ,
42- "url" : " https://github.com/roundcube/roundcubemail/releases/download/1.6.15 /roundcubemail-1.6.15 -complete.tar.gz" ,
43- "version" : " 1.6.15 " ,
42+ "url" : " https://github.com/roundcube/roundcubemail/releases/download/1.6.16 /roundcubemail-1.6.16 -complete.tar.gz" ,
43+ "version" : " 1.6.16 " ,
4444 "size" : " 5.6 MB" ,
45- "checksum" : " 48c9f212c77460132491f670abaf440b765c8276268349a690913764d26afbef "
45+ "checksum" : " 554f88f642d2d709916e9fd674239a83189a956e7258ce72a1d927c84ecd7e1a "
4646 },
4747 ]
4848 },
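Review bot: context line 46 `},` is followed directly by `]` on line 47, so the single entry in this array ends with a trailing comma, whereas the 1.7 array closes with a bare `}` on line 26. If this file is read by a strict JSON parser, that comma is a parse error; removing it while this block is being touched would make the two arrays consistent. The new checksum on line 45 should also be confirmed against the published 1.6.16 `-complete.tar.gz` asset before merge.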
1+ ---
2+ layout : article
3+ title : Security updates 1.6.16 and 1.7.1 released
4+ tags : releases updates security
5+ ---
6+
7+ We just published security updates to the 1.6 LTS and 1.7 versions of Roundcube Webmail.
8+ They both contain fixes for recently reported security vulnerabilities.
9+
10+ ## Security fixes
11+
12+ - Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog, reported by zazy
13+ - Fix CSS injection bypass in HTML sanitizer via SVG ` <animate attributeName="style"> ` , reported by wooseokdotkim
14+ - Fix pre-auth SQL injection in virtuser_query plugin via preg_replace backslash escape bypass, reported by skull
15+ - Fix SSRF bypass via specific local address URLs
16+ - Fix local/private URL fetch bypass when remote resources were not allowed, reported by Orange Cyberdefense Vulnerability Disclosure Team
17+ - Fix bypass of remote image blocking via CSS var(), reported by Geame
18+ - Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass, reported by valent1
19+ - Fix code injection vulnerability - remove support for code evaluation in LDAP ` autovalues ` option, reported by Glendaenri
20+
21+ See the full changelogs in the release notes on the Github download pages for the updated versions
22+ [ 1.6.16] ( https://github.com/roundcube/roundcubemail/releases/tag/1.6.16 ) and [ 1.7.1] ( https://github.com/roundcube/roundcubemail/releases/tag/1.7.1 ) .
23+
24+ We strongly recommend to update all productive installations of Roundcube 1.6.x and 1.7.x with this new versions.
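Review bot: line 19 says support for code evaluation in the LDAP `autovalues` option is removed, which changes behaviour for any installation that relies on it, but the post does not tell administrators that their configuration may need attention after the update. A sentence asking them to review `autovalues` settings before upgrading would help. Wording: "Github" on line 21 should be "GitHub", and line 24 would read better as "We strongly recommend updating all production installations of Roundcube 1.6.x and 1.7.x to these new versions."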