Fedora 22: roundcubemail Security Update 2015-11405
Summary
RoundCube Webmail is a browser-based multilingual IMAP client
with an application-like user interface. It provides full
functionality you expect from an e-mail client, including MIME
support, address book, folder manipulation, message searching
and spell checking. RoundCube Webmail is written in PHP and
requires a database: MySQL, PostgreSQL and SQLite are known to
work. The user interface is fully skinnable using XHTML and
CSS 2.
Update Information:
**Release 1.1.2**
* Add new plugin hook 'identity_create_after' providing the ID of the inserted identity (#1490358)
* Add option to place signature at bottom of the quoted text even in top-posting mode [sig_below]
* Fix handling of %-encoded entities in mailto: URLs (#1490346)
* Fix zipped messages downloads after selecting all messages in a folder (#1490339)
* Fix vpopmaild driver of password plugin
* Fix PHP warning: Non-static method PEAR::setErrorHandling() should not be called statically (#1490343)
* Fix tables listing routine on mysql and postgres so it skips system or other database tables and views (#1490337)
* Fix message list header in classic skin on window resize in Internet Explorer (#1490213)
* Fix so text/calendar parts are listed as attachments even if not marked as such (#1490325)
* Fix lack of signature separator for plain text signatures in html mode (#1490352)
* Fix font artifact in Google Chrome on Windows (#1490353)
* Fix bug where forced extwin page reload could exit from the extwin mode (#1490350)
* Fix bug where some unrelated attachments in multipart/related message were not listed (#1490355)
* Fix mouseup event handling when dragging a list record (#1490359)
* Fix bug where preview_pane setting wasn't always saved into user preferences (#1490362)
* Fix bug where messages count was not updated after message move/delete with skip_deleted=false (#1490372)
* Fix security issue in contact photo handling (#1490379)
* Fix possible memcache/apc cache data consistency issues (#1490390)
* Fix bug where imap_conn_options were ignored in IMAP connection test (#1490392)
* Fix bug where some files could have "executable" extension when stored in temp folder (#1490377)
* Fix attached file path unsetting in database_attachments plugin (#1490393)
* Fix issues when using moduserprefs.sh without --user argument (#1490399)
* Fix potential info disclosure issue by protecting directory access (#1490378)
* Fix blank image in html_signature when saving identity changes (#1490412)
* Installer: Use openssl_random_pseudo_bytes() (if available) to generate des_key (#1490402)
* Fix XSS vulnerability in _mbox argument handling (#1490417)
Change Log
* Wed Jul 8 2015 Remi Collet
References
[ 1 ] Bug #1241056 - CVE-2015-5381 CVE-2015-5382 CVE-2015-5383 roundcubemail: vulnerabilities fixed in 1.1.2 and 1.0.6 https://bugzilla.redhat.com/show_bug.cgi?id=1241056
Update Instructions
This update can be installed with the "yum" update program. Use su -c 'yum update roundcubemail' at the command line. For more information, refer to "Managing Software with yum", available at .