{"affected":[{"ecosystem_specific":{"binaries":[{"roundcubemail":"1.6.3-bp155.2.3.1"}]},"package":{"ecosystem":"SUSE:Package Hub 15 SP5","name":"roundcubemail","purl":"pkg:rpm/suse/roundcubemail&distro=SUSE%20Package%20Hub%2015%20SP5"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.6.3-bp155.2.3.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"roundcubemail":"1.6.3-bp155.2.3.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.5","name":"roundcubemail","purl":"pkg:rpm/opensuse/roundcubemail&distro=openSUSE%20Leap%2015.5"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.6.3-bp155.2.3.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for roundcubemail fixes the following issues:\n\nUpdate to 1.6.3 (boo#1215433)\n\n* Fix bug where installto.sh/update.sh scripts were removing some\n  essential options from the config file (#9051)\n* Update jQuery-UI to version 1.13.2 (#9041)\n* Fix regression that broke use_secure_urls feature (#9052)\n* Fix potential PHP fatal error when opening a message with\n  message/rfc822 part (#8953)\n* Fix bug where a duplicate <title> tag in HTML email could cause some\n  parts being cut off (#9029)\n* Fix bug where a list of folders could have been sorted\n  incorrectly (#9057)\n* Fix regression where LDAP addressbook 'filter' option was\n  ignored (#9061)\n* Fix wrong order of a multi-folder search result when sorting by\n  size (#9065)\n* Fix so install/update scripts do not require PEAR (#9037)\n* Fix regression where some mail parts could have been decoded\n  incorrectly, or not at all (#9096)\n* Fix handling of an error case in Cyrus IMAP BINARY FETCH, fallback to\n  non-binary FETCH (#9097)\n* Fix PHP8 deprecation warning in the reconnect plugin (#9083)\n* Fix 'Show source' on mobile with x_frame_options = deny (#9084)\n* Fix various PHP warnings (#9098)\n* Fix deprecated use of ldap_connect() in password's ldap_simple driver (#9060)\n* Fix cross-site scripting (XSS) vulnerability in handling of linkrefs\n  in plain text messages\n\nUpdate to 1.6.2\n\n* Add Uyghur localization\n* Fix regression in OAuth request URI caused by use of REQUEST_URI\n  instead of SCRIPT_NAME as a default (#8878)\n* Fix bug where false attachment reminder was displayed on HTML mail\n  with inline images (#8885)\n* Fix bug where a non-ASCII character in app.js could cause error in\n  javascript engine (#8894)\n* Fix JWT decoding with url safe base64 schema (#8890)\n* Fix bug where .wav instead of .mp3 file was used for the new mail\n  notification in Firefox (#8895)\n* Fix PHP8 warning (#8891)\n* Fix support for Windows-31J charset (#8869)\n* Fix so LDAP VLV option is disabled by default as documented (#8833)\n* Fix so an email address with name is supported as input to the managesieve\n  notify :from parameter (#8918)\n* Fix Help plugin menu (#8898)\n* Fix invalid onclick handler on the logo image when using non-array\n  skin_logo setting (#8933)\n* Fix duplicate recipients in 'To' and 'Cc' on reply (#8912)\n* Fix bug where it wasn't possible to scroll lists by clicking middle\n  mouse button (#8942)\n* Fix bug where label text in a single-input dialog could be partially\n  invisible in some locales (#8905)\n* Fix bug where LDAP (fulltext) search didn't work without 'search_fields'\n  in config (#8874)\n* Fix extra leading newlines in plain text converted from HTML (#8973)\n* Fix so recipients with a domain ending with .s are allowed (#8854)\n* Fix so vCard output does not contain non-standard/redundant TYPE=OTHER\n  and TYPE=INTERNET (#8838)\n* Fix QR code images for contacts with non-ASCII characters (#9001)\n* Fix PHP8 warnings when using list_flags and list_cols properties by\n  plugins (#8998)\n* Fix bug where subfolders could lose subscription on parent folder\n  rename (#8892)\n* Fix connecting to LDAP using a URI with ldapi:// scheme (#8990)\n* Fix insecure shell command params handling in cmd_learn driver of markasjunk\n  plugin (#9005)\n* Fix bug where some mail headers didn't work in cmd_learn driver of markasjunk\n  plugin (#9005)\n* Fix PHP fatal error when importing vcf file using PHP 8.2 (#9025)\n* Fix so output of log_date_format with microseconds contains time in server\n  time zone, not UTC\n","id":"openSUSE-SU-2023:0285-1","modified":"2023-10-02T10:01:50Z","published":"2023-10-02T10:01:50Z","references":[{"type":"ADVISORY","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FES4IKTZTYNBS3TCVPNOFHD7POSFJHYY/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1215433"}],"related":[],"summary":"Security update for roundcubemail","upstream":[]}