Roundcube Community Forum

News and Announcements => News & Announcements => Topic started by: SKaero on June 07, 2020, 09:09:24 PM

Title: Security updates 1.4.6 and 1.3.13
Post by: SKaero on June 07, 2020, 09:09:24 PM

We recently published service and security updates to the stable version 1.4 and the LTS version 1.3 of Roundcube Webmail.
They contain four fixes for recently reported security vulnerabilities as well a number of general improvements from our issue tracker.

Security fixes:

• Fix XSS issue in template object username **
• Fix cross-site scripting (XSS) via malicious XML attachment *
• Fix a couple of XSS issues in Installer **
• Better fix for CVE-2020-12641

The latter two vulnerabilities again are related to public access to the Roundcube installer and are therefore classified minor. See the full changelogs in the release notes on the Github download pages for the updated versions 1.4.5 (https://github.com/roundcube/roundcubemail/releases/tag/1.4.5) and 1.3.12 (https://github.com/roundcube/roundcubemail/releases/tag/1.3.12).

In addition to the security releases 1.4.5 and 1.3.12 we today pushed follow-up releases containing one single fix for the installer’s test step which was broken with the former security update.

We strongly recommend to update all productive installations of Roundcube with this new versions.
Download the latest packages from https://roundcube.net/download (https://roundcube.net/download)

* Credits to the security researcher Matei “Mal” Badanoiu
** Credits to the security researcher LoRexxar@knownsec 404Team

Source: https://roundcube.net/news/2020/06/02/security-updates-1.4.5-and-1.3.12 and https://roundcube.net/news/2020/06/07/updates-1.4.6-and-1.3.13-released
Get it Now: https://roundcube.net/download