A roundcubemail security update has been released for SUSE Linux Enterprise 15 SP5.

openSUSE-SU-2023:0285-1: moderate: Security update for roundcubemail

openSUSE Security Update: Security update for roundcubemail
_______________________________

Announcement ID: openSUSE-SU-2023:0285-1
Rating: moderate
References: #1215433
Affected Products:
openSUSE Backports SLE-15-SP5
_______________________________

An update that contains security fixes can now be installed.

Description:

This update for roundcubemail fixes the following issues:

Update to 1.6.3 (boo#1215433)

* Fix bug where installto.sh/update.sh scripts were removing some
essential options from the config file (#9051)
* Update jQuery-UI to version 1.13.2 (#9041)
* Fix regression that broke use_secure_urls feature (#9052)
* Fix potential PHP fatal error when opening a message with message/rfc822
part (#8953)
* Fix bug where a duplicate tag in HTML email could cause some
parts being cut off (#9029)
* Fix bug where a list of folders could have been sorted incorrectly
(#9057)
* Fix regression where LDAP addressbook 'filter' option was ignored (#9061)
* Fix wrong order of a multi-folder search result when sorting by size
(#9065)
* Fix so install/update scripts do not require PEAR (#9037)
* Fix regression where some mail parts could have been decoded
incorrectly, or not at all (#9096)
* Fix handling of an error case in Cyrus IMAP BINARY FETCH, fallback to
non-binary FETCH (#9097)
* Fix PHP8 deprecation warning in the reconnect plugin (#9083)
* Fix "Show source" on mobile with x_frame_options = deny (#9084)
* Fix various PHP warnings (#9098)
* Fix deprecated use of ldap_connect() in password's ldap_simple driver
(#9060)
* Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in
plain text messages

Update to 1.6.2

* Add Uyghur localization
* Fix regression in OAuth request URI caused by use of REQUEST_URI instead
of SCRIPT_NAME as a default (#8878)
* Fix bug where false attachment reminder was displayed on HTML mail with
inline images (#8885)
* Fix bug where a non-ASCII character in app.js could cause error in
javascript engine (#8894)
* Fix JWT decoding with url safe base64 schema (#8890)
* Fix bug where .wav instead of .mp3 file was used for the new mail
notification in Firefox (#8895)
* Fix PHP8 warning (#8891)
* Fix support for Windows-31J charset (#8869)
* Fix so LDAP VLV option is disabled by default as documented (#8833)
* Fix so an email address with name is supported as input to the
managesieve notify :from parameter (#8918)
* Fix Help plugin menu (#8898)
* Fix invalid onclick handler on the logo image when using non-array
skin_logo setting (#8933)
* Fix duplicate recipients in "To" and "Cc" on reply (#8912)
* Fix bug where it wasn't possible to scroll lists by clicking middle
mouse button (#8942)
* Fix bug where label text in a single-input dialog could be partially
invisible in some locales (#8905)
* Fix bug where LDAP (fulltext) search didn't work without 'search_fields'
in config (#8874)
* Fix extra leading newlines in plain text converted from HTML (#8973)
* Fix so recipients with a domain ending with .s are allowed (#8854)
* Fix so vCard output does not contain non-standard/redundant TYPE=OTHER
and TYPE=INTERNET (#8838)
* Fix QR code images for contacts with non-ASCII characters (#9001)
* Fix PHP8 warnings when using list_flags and list_cols properties by
plugins (#8998)
* Fix bug where subfolders could loose subscription on parent folder
rename (#8892)
* Fix connecting to LDAP using an URI with ldapi:// scheme (#8990)
* Fix insecure shell command params handling in cmd_learn driver of
markasjunk plugin (#9005)
* Fix bug where some mail headers didn't work in cmd_learn driver of
markasjunk plugin (#9005)
* Fix PHP fatal error when importing vcf file using PHP 8.2 (#9025)
* Fix so output of log_date_format with microseconds contains time in
server time zone, not UTC

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP5:

zypper in -t patch openSUSE-2023-285=1

Package List:

- openSUSE Backports SLE-15-SP5 (noarch):

roundcubemail-1.6.3-bp155.2.3.1

References:

https://bugzilla.suse.com/1215433