@@ -4,12 +4,18 @@ This file includes only changes we consider noteworthy for users, admins and plu
44
55## Unreleased
66
7+ - Bump OpenPGPjs version to 6.3.0
8+ - Allow cidr (subnets) in proxy_whitelist (#7103 )
9+ - Zipdownload: Fix message date time zone in mbox export (#10147 )
10+
11+ ## 1.7-rc6
12+
713- Added support for arrays in ` smtp_user ` and ` smtp_pass ` config options (#10083 )
814- Added system health checker CLI script (#10106 )
915- Stricter recognition of an Ajax request (#10118 )
1016- Password: Added Stalwart driver (#10114 )
1117- Fix regression where some data url images could get ignored/lost (#10128 )
12- - Fix SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke
18+ - Fix SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke [ CVE- 2026 -35545 ]
1319
1420## 1.7-rc5
1521
@@ -18,14 +24,14 @@ This file includes only changes we consider noteworthy for users, admins and plu
1824- Fix PHP fatal error when using IMAP cache (#10102 )
1925- Fix Postgres connection using IPv6 address (#10104 )
2026- Fix bug where ` rel=stylesheet ` part of a ` <link> ` could get removed
21- - Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
22- - Security: Fix bug where a password could get changed without providing the old password
23- - Security: Fix IMAP Injection + CSRF bypass in mail search
24- - Security: Fix remote image blocking bypass via various SVG animate attributes
25- - Security: Fix remote image blocking bypass via a crafted body background attribute
26- - Security: Fix fixed position mitigation bypass via use of !important
27- - Security: Fix XSS issue in a HTML attachment preview
28- - Security: Fix SSRF + Information Disclosure via stylesheet links to a local network hosts
27+ - Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler [ CVE- 2026 -35537 ]
28+ - Security: Fix bug where a password could get changed without providing the old password [ CVE- 2026 -35541 ]
29+ - Security: Fix IMAP Injection + CSRF bypass in mail search [ CVE- 2026 -35538 ]
30+ - Security: Fix remote image blocking bypass via various SVG animate attributes [ CVE- 2026 -35543 ]
31+ - Security: Fix remote image blocking bypass via a crafted body background attribute [ CVE- 2026 -35542 ]
32+ - Security: Fix fixed position mitigation bypass via use of !important [ CVE- 2026 -35544 ]
33+ - Security: Fix XSS issue in a HTML attachment preview [ CVE- 2026 -35539 ]
34+ - Security: Fix SSRF + Information Disclosure via stylesheet links to a local network hosts [ CVE- 2026 -35540 ]
2935
3036## 1.7-rc4
3137
@@ -43,14 +49,14 @@ This file includes only changes we consider noteworthy for users, admins and plu
4349- Password: Extend Dovecot passwdfile driver with dynamic file path support (#10036 )
4450- Fix a UI issue on using browser Back button after allowing remote resources (#10062 )
4551- Fix syntax error in DDL scripts for Postgres (#10070 )
46- - Fix remote image blocking bypass via SVG content reported by nullcathedral
47- - Fix CSS injection vulnerability reported by CERT Polska
52+ - Fix remote image blocking bypass via SVG content reported by nullcathedral [ CVE- 2026 -25916 ]
53+ - Fix CSS injection vulnerability reported by CERT Polska [ CVE- 2026 -26079 ]
4854
4955## 1.7-rc2
5056
5157- Fix syntax error in DDL scripts for Postgres (#10052 )
52- - Fix Cross-Site-Scripting vulnerability via SVG's animate tag
53- - Fix Information Disclosure vulnerability in the HTML style sanitizer
58+ - Fix Cross-Site-Scripting vulnerability via SVG's animate tag [ CVE- 2025 -68461 ]
59+ - Fix Information Disclosure vulnerability in the HTML style sanitizer [ CVE- 2025 -68460 ]
5460- Support $HasAttachment/$HasNoAttachment keywords for "With attachment" search filter (#10053 )
5561
5662## 1.7-rc
@@ -237,9 +243,9 @@ This file includes only changes we consider noteworthy for users, admins and plu
237243- Fix bug in collapsing/expanding folders with some special characters in names (#9324 )
238244- Fix PHP8 warnings (#9363 , #9365 , #9429 )
239245- Fix missing field labels in CSV import, for some locales (#9393 )
240- - Fix command injection via crafted im_convert_path/im_identify_path on Windows
241- - Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences
242- - Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes
246+ - Fix command injection via crafted im_convert_path/im_identify_path on Windows [ CVE- 2024 -37385 ]
247+ - Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences [ CVE- 2024 -37384 ]
248+ - Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes [ CVE- 2024 -37383 ]
243249
244250## Release 1.6.6
245251
@@ -263,7 +269,7 @@ This file includes only changes we consider noteworthy for users, admins and plu
263269- Fix bug where images attached to application/smil messages weren't displayed (#8870 )
264270- Fix PHP string replacement error in utils/error.php (#9185 )
265271- Fix regression where ` smtp_user ` did not allow pre/post strings before/after ` %u ` placeholder (#9162 )
266- - Fix cross-site scripting (XSS) vulnerability in setting Content-Type/Content-Disposition for attachment preview/download
272+ - Fix cross-site scripting (XSS) vulnerability in setting Content-Type/Content-Disposition for attachment preview/download [ CVE- 2023 -47272 ]
267273
268274## Release 1.6.4
269275
@@ -467,7 +473,7 @@ This file includes only changes we consider noteworthy for users, admins and plu
467473- Fix some PHP8 compatibility issues (#8363 )
468474- Fix chpass-wrapper.py helper compatibility with Python 3 (#8324 )
469475- Fix scrolling and missing Close button in the Select image dialog in Elastic/mobile (#8367 )
470- - Security: Fix cross-site scripting (XSS) via HTML messages with malicious CSS content
476+ - Security: Fix cross-site scripting (XSS) via HTML messages with malicious CSS content [ CVE- 2021 -46144 ]
471477
472478## Release 1.5.1
473479
@@ -513,8 +519,8 @@ This file includes only changes we consider noteworthy for users, admins and plu
513519- Fix a couple of PHP8 warnings (#8175 , #8176 )
514520- Fix bug where "from my contacts" and "from trusted senders" values were mixed up (#8177 )
515521- Fix password/token length check on OAuth login (#8178 )
516- - Fix XSS issue in handling attachment filename extension in mimetype mismatch warning (#8193 )
517- - Fix SQL injection via some session variables
522+ - Fix XSS issue in handling attachment filename extension in mimetype mismatch warning [ CVE- 2021 -44025 ] (#8193 )
523+ - Fix SQL injection via some session variables [ CVE- 2021 -44026 ]
518524- Fix handling of dark_mode_support: false setting in skins meta.json (#8186 )
519525- Fix security issues regarding server name and trusted_host_patterns setting
520526
@@ -664,7 +670,7 @@ This file includes only changes we consider noteworthy for users, admins and plu
664670- Elastic: Fix compatibility with Less v3 and v4 (#7813 )
665671- Fix bug with managesieve_domains in Settings > Forwarding form (#7849 )
666672- Fix errors in MSSQL database update scripts (#7853 )
667- - Security: Fix cross-site scripting (XSS) via HTML messages with malicious CSS content
673+ - Security: Fix cross-site scripting (XSS) via HTML messages with malicious CSS content [ CVE- 2021 -26925 ]
668674
669675## Release 1.4.10
670676
@@ -734,10 +740,10 @@ This file includes only changes we consider noteworthy for users, admins and plu
734740- Fix error when user-configured skin does not exist anymore (#7271 )
735741- Elastic: Fix aspect ratio of a contact photo in mail preview (#7339 )
736742- Fix bug where PDF attachments marked as inline could have not been attached on mail forward (#7382 )
737- - Security: Fix a couple of XSS issues in Installer (#7406 )
738- - Security: Fix XSS issue in template object 'username' (#7406 )
739- - Security: Better fix for CVE-2020 -12641
740- - Security: Fix cross-site scripting (XSS) via malicious XML attachment
743+ - Security: Fix a couple of XSS issues in Installer [ CVE- 2020 -18671, CVE- 2020 -18670 ] (#7406 )
744+ - Security: Fix XSS issue in template object 'username' [ CVE- 2020 -13964 ] (#7406 )
745+ - Security: Better fix for remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings [ CVE-2020 -12641]
746+ - Security: Fix cross-site scripting (XSS) via malicious XML attachment [ CVE- 2020 -13965 ]
741747
742748## Release 1.4.4
743749
@@ -1063,6 +1069,7 @@ This file includes only changes we consider noteworthy for users, admins and plu
10631069- Enigma: Add button to send mail unencrypted if no key was found (#5913 )
10641070- Enigma: Add options to set PGP cipher/digest algorithms (#5645 )
10651071- Enigma: Multi-host support
1072+ - Enigma: Remove default for enigma_pgp_homedir [ CVE-2018 -1000071] (#6173 )
10661073- Managesieve: Add ability to disable filter sets and other actions (#5496 , #5898 )
10671074- Managesieve: Add option managesieve_forward to enable settings dialog for simple forwarding (#6021 )
10681075- Managesieve: Support filter action with custom IMAP flags (#6011 )
@@ -1143,7 +1150,7 @@ This file includes only changes we consider noteworthy for users, admins and plu
11431150- Fix bug where only attachments with the same name would be ignored on zip download (#6301 )
11441151- Fix bug where unicode contact names could have been broken/emptied or caused DB errors (#6299 )
11451152- Fix bug where after "mark all folders as read" action message counters were not reset (#6307 )
1146- - Enigma: [ EFAIL] Don't decrypt PGP messages with no MDC protection (#6289 )
1153+ - Enigma: [ EFAIL] Don't decrypt PGP messages with no MDC protection [ CVE- 2018 -19205 ] (#6289 )
11471154- Fix bug where some HTML comments could have been malformed by HTML parser (#6333 )
11481155
11491156## Release 1.3.6
@@ -1380,7 +1387,7 @@ This file includes only changes we consider noteworthy for users, admins and plu
13801387## Release 1.2.3
13811388
13821389- Searching in both contacts and groups when LDAP addressbook with group_filters option is used
1383- - Fix vulnerability in handling of mail()'s 5th argument
1390+ - Fix vulnerability in handling of mail()'s 5th argument [ CVE- 2016 -9920 ]
13841391- Fix To: header encoding in mail sent with mail() method (#5475 )
13851392- Fix flickering of header topline in min-mode (#5426 )
13861393- Fix bug where folders list would scroll to top when clicking on subscription checkbox (#5447 )
@@ -1459,7 +1466,7 @@ This file includes only changes we consider noteworthy for users, admins and plu
14591466- Fix bug where contact search menu fields where always unchecked in Larry skin
14601467- Fix autoloading of 'html' class
14611468- Fix bug where Encrypt button appears when switching editor to HTML (#5235 )
1462- - Fix XSS issue in href attribute on area tag (#5240 )
1469+ - Fix XSS issue in href attribute on area tag [ CVE- 2016 -4552 ] (#5240 )
14631470
14641471## Release 1.2-rc
14651472
@@ -1611,16 +1618,16 @@ This file includes only changes we consider noteworthy for users, admins and plu
16111618- Fix mouseup event handling when dragging a list record (#4808 )
16121619- Fix bug where preview_pane setting wasn't always saved into user preferences (#4809 )
16131620- Fix bug where messages count was not updated after message move/delete with skip_deleted=false (#4814 )
1614- - Fix security issue in contact photo handling (#4817 )
1621+ - Fix security issue in contact photo handling [ CVE- 2015 -8794, CVE- 2015 -5382 ] (#4817 )
16151622- Fix possible memcache/apc cache data consistency issues (#4820 )
16161623- Fix bug where imap_conn_options were ignored in IMAP connection test (#4822 )
16171624- Fix bug where some files could have "executable" extension when stored in temp folder (#4815 )
16181625- Fix attached file path unsetting in database_attachments plugin (#4823 )
16191626- Fix issues when using moduserprefs.sh without --user argument (#4825 )
1620- - Fix potential info disclosure issue by protecting directory access (#4816 )
1627+ - Fix potential info disclosure issue by protecting directory access [ CVE- 2015 -5383 ] (#4816 )
16211628- Fix blank image in html_signature when saving identity changes (#4833 )
16221629- Installer: Use openssl_random_pseudo_bytes() (if available) to generate des_key (#4827 )
1623- - Fix XSS vulnerability in _ mbox argument handling (#4837 )
1630+ - Fix XSS vulnerability in _ mbox argument handling [ CVE- 2015 -8793, CVE- 2015 -5381 ] (#4837 )
16241631
16251632## Release 1.1.1
16261633
@@ -1680,7 +1687,7 @@ This file includes only changes we consider noteworthy for users, admins and plu
16801687- Fix keyboard navigation and css in datepicker widget across many Firefox versions
16811688- Fix false warning when opening attached text/plain files (#4748 )
16821689- Fix bug where signature could have been inserted twice after plain-to-html switch (#4746 )
1683- - Fix security issue in DBMail driver of password plugin (#4757 )
1690+ - Fix security issue in DBMail driver of password plugin [ CVE- 2015 -2180 ] (#4757 )
16841691- Enable FollowSymLinks option in .htaccess file which is required by rewrite rules (#4754 )
16851692- Fix so JSON.parse() errors on localStorage items are ignored (#4752 )
16861693
@@ -2144,7 +2151,7 @@ This file includes only changes we consider noteworthy for users, admins and plu
21442151
21452152## Release 0.9-rc2
21462153
2147- - Fix security issue in save-pref command
2154+ - Fix security issue in save-pref command [ CVE- 2013 -1904 ]
21482155- Remove sig_above configuration option, use reply_mode only (#4135 )
21492156- Refresh current folder in opener window after draft save or message sent (#4132 )
21502157- Fix saving draft just after entering compose window (#4141 )
@@ -3011,7 +3018,7 @@ This file includes only changes we consider noteworthy for users, admins and plu
30113018- Fix checking for new mail: now checks unseen count of inbox (#2123 )
30123019- Improve performance by avoiding unnecessary updates to the session table (#2552 )
30133020- Fix invalid ` <font> ` tags which cause HTML message rendering problems (#2687 )
3014- - Fix CVE-2010 -0464: Disable DNS prefetching (#2639 )
3021+ - Disable DNS prefetching [ CVE-2010 -0464] (#2639 )
30153022- Fix Received headers to behave better with SpamAssassin (#2682 )
30163023- Password: Make passwords encoding consistent with core, add 'password_charset' global option (#2658 )
30173024- Fix adding contacts SQL error on mysql (#2645 )
@@ -3509,6 +3516,7 @@ This file includes only changes we consider noteworthy for users, admins and plu
35093516- Fixed some iconv/mb_string problems (#1202 )
35103517- Correctly quote mailbox name when using in URL (#1016 )
35113518- Fixed "headers already sent" errors (#1399 )
3519+ - Fix CSS Expression Input Validation Vulnerability [ CVE-2007 -6321] (#1276 )
35123520
35133521## Release 0.1-STABLE
35143522
0 commit comments