<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
  <DocumentTitle xml:lang="en">Security update for roundcubemail</DocumentTitle>
  <DocumentType>SUSE Patch</DocumentType>
  <DocumentPublisher Type="Vendor">
    <ContactDetails>security@suse.de</ContactDetails>
    <IssuingAuthority>SUSE Security Team</IssuingAuthority>
  </DocumentPublisher>
  <DocumentTracking>
    <Identification>
      <ID>openSUSE-SU-2023:0285-1</ID>
    </Identification>
    <Status>Final</Status>
    <Version>1</Version>
    <RevisionHistory>
      <Revision>
        <Number>1</Number>
        <Date>2023-10-02T10:01:50Z</Date>
        <Description>current</Description>
      </Revision>
    </RevisionHistory>
    <InitialReleaseDate>2023-10-02T10:01:50Z</InitialReleaseDate>
    <CurrentReleaseDate>2023-10-02T10:01:50Z</CurrentReleaseDate>
    <Generator>
      <Engine>cve-database/bin/generate-cvrf.pl</Engine>
      <Date>2017-02-24T01:00:00Z</Date>
    </Generator>
  </DocumentTracking>
  <DocumentNotes>
    <Note Title="Topic" Type="Summary" Ordinal="1" xml:lang="en">Security update for roundcubemail</Note>
    <Note Title="Details" Type="General" Ordinal="2" xml:lang="en">This update for roundcubemail fixes the following issues:

Update to 1.6.3 (boo#1215433)

* Fix bug where installto.sh/update.sh scripts were removing some
  essential options from the config file (#9051)
* Update jQuery-UI to version 1.13.2 (#9041)
* Fix regression that broke use_secure_urls feature (#9052)
* Fix potential PHP fatal error when opening a message with
  message/rfc822 part (#8953)
* Fix bug where a duplicate &lt;title&gt; tag in HTML email could cause some
  parts to be cut off (#9029)
* Fix bug where a list of folders could have been sorted
  incorrectly (#9057)
* Fix regression where LDAP addressbook 'filter' option was
  ignored (#9061)
* Fix wrong order of a multi-folder search result when sorting by
  size (#9065)
* Fix so install/update scripts do not require PEAR (#9037)
* Fix regression where some mail parts could have been decoded
  incorrectly, or not at all (#9096)
* Fix handling of an error case in Cyrus IMAP BINARY FETCH, fallback to
  non-binary FETCH (#9097)
* Fix PHP8 deprecation warning in the reconnect plugin (#9083)
* Fix 'Show source' on mobile with x_frame_options = deny (#9084)
* Fix various PHP warnings (#9098)
* Fix deprecated use of ldap_connect() in password's ldap_simple driver (#9060)
* Fix cross-site scripting (XSS) vulnerability in handling of linkrefs
  in plain text messages

Update to 1.6.2

* Add Uyghur localization
* Fix regression in OAuth request URI caused by use of REQUEST_URI
  instead of SCRIPT_NAME as a default (#8878)
* Fix bug where false attachment reminder was displayed on HTML mail
  with inline images (#8885)
* Fix bug where a non-ASCII character in app.js could cause error in
  javascript engine (#8894)
* Fix JWT decoding with url safe base64 schema (#8890)
* Fix bug where .wav instead of .mp3 file was used for the new mail
  notification in Firefox (#8895)
* Fix PHP8 warning (#8891)
* Fix support for Windows-31J charset (#8869)
* Fix so LDAP VLV option is disabled by default as documented (#8833)
* Fix so an email address with name is supported as input to the managesieve
  notify :from parameter (#8918)
* Fix Help plugin menu (#8898)
* Fix invalid onclick handler on the logo image when using non-array
  skin_logo setting (#8933)
* Fix duplicate recipients in 'To' and 'Cc' on reply (#8912)
* Fix bug where it wasn't possible to scroll lists by clicking middle
  mouse button (#8942)
* Fix bug where label text in a single-input dialog could be partially
  invisible in some locales (#8905)
* Fix bug where LDAP (fulltext) search didn't work without 'search_fields'
  in config (#8874)
* Fix extra leading newlines in plain text converted from HTML (#8973)
* Fix so recipients with a domain ending with .s are allowed (#8854)
* Fix so vCard output does not contain non-standard/redundant TYPE=OTHER
  and TYPE=INTERNET (#8838)
* Fix QR code images for contacts with non-ASCII characters (#9001)
* Fix PHP8 warnings when using list_flags and list_cols properties by
  plugins (#8998)
* Fix bug where subfolders could lose subscription on parent folder
  rename (#8892)
* Fix connecting to LDAP using a URI with ldapi:// scheme (#8990)
* Fix insecure handling of shell command parameters in the cmd_learn driver
  of the markasjunk plugin (#9005)
* Fix bug where some mail headers didn't work in cmd_learn driver of markasjunk
  plugin (#9005)
* Fix PHP fatal error when importing vcf file using PHP 8.2 (#9025)
* Fix so output of log_date_format with microseconds contains time in server
  time zone, not UTC
</Note>
    <Note Title="Terms of Use" Type="Legal Disclaimer" Ordinal="3" xml:lang="en">The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).</Note>
    <Note Title="Patchnames" Type="Details" Ordinal="4" xml:lang="en">openSUSE-2023-285</Note>
  </DocumentNotes>
  <DocumentDistribution xml:lang="en">Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)</DocumentDistribution>
  <DocumentReferences>
    <Reference Type="Self">
      <URL>https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FES4IKTZTYNBS3TCVPNOFHD7POSFJHYY/</URL>
      <Description>E-Mail link for openSUSE-SU-2023:0285-1</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/security/rating/</URL>
      <Description>SUSE Security Ratings</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1215433</URL>
      <Description>SUSE Bug 1215433</Description>
    </Reference>
  </DocumentReferences>
  <ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
    <Branch Type="Product Family" Name="SUSE Package Hub 15 SP5">
      <Branch Type="Product Name" Name="SUSE Package Hub 15 SP5">
        <FullProductName ProductID="SUSE Package Hub 15 SP5">SUSE Package Hub 15 SP5</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Family" Name="openSUSE Leap 15.5">
      <Branch Type="Product Name" Name="openSUSE Leap 15.5">
        <FullProductName ProductID="openSUSE Leap 15.5" CPE="cpe:/o:opensuse:leap:15.5">openSUSE Leap 15.5</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Version" Name="roundcubemail-1.6.3-bp155.2.3.1">
      <FullProductName ProductID="roundcubemail-1.6.3-bp155.2.3.1">roundcubemail-1.6.3-bp155.2.3.1</FullProductName>
    </Branch>
    <Relationship ProductReference="roundcubemail-1.6.3-bp155.2.3.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Package Hub 15 SP5">
      <FullProductName ProductID="SUSE Package Hub 15 SP5:roundcubemail-1.6.3-bp155.2.3.1">roundcubemail-1.6.3-bp155.2.3.1 as a component of SUSE Package Hub 15 SP5</FullProductName>
    </Relationship>
    <Relationship ProductReference="roundcubemail-1.6.3-bp155.2.3.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 15.5">
      <FullProductName ProductID="openSUSE Leap 15.5:roundcubemail-1.6.3-bp155.2.3.1">roundcubemail-1.6.3-bp155.2.3.1 as a component of openSUSE Leap 15.5</FullProductName>
    </Relationship>
  </ProductTree>
</cvrfdoc>
