reporting E_DEPRECATED messages as there is a deprecation warning with Net_SMTP
that is unfixed upstream resulting in a lot of noise in roundcube's error log
for each sent message.
support for screen readers and more.
Note: IE7/8 no longer supported by default but can be added with the
"legacy_browser" plugin.
There is new experimental anti-CSRF code (per-session tokens in URLs making
it harder for an attacker to generate a valid URL). This is not enabled by
default (requires rewrite support from the web server). For more info see
http://trac.roundcube.net/wiki/Howto_Config/Secure_URLs
starting with "installer". Since I don't think this is possible with the
implementation for apache-httpd-openbsd, just comment out the rule for now;
kirby@ agrees.
WARNING! Config files have been rearranged; if upgrading an existing
system you will need to migrate your settings from old config files
(db.inc.php and main.inc.php) to the new file (config.inc.php).
"We just published new releases which fix a recently reported
vulnerability that allows an attacker to overwrite configuration
settings using user preferences. This can result in random file
access, manipulated SQL queries and even code execution. The latter
one only affects versions 0.8.6 and older."
- Fix list page reset when viewing a message in Larry skin
- Fix unintentional messages list jumps on click in Internet Explorer
- Fix handling untagged responses in IMAP FETCH - "could not load message" error
- Escape user input values when used in eval() in ldap
- Fix various text wrapping and quoting issues
- Fix possible collision in generated thumbnail cache key
Note that database access is now done via PDO, and that for users of
SQLite this requires a change to sqlite3 - see the package readme for
update instructions.
- Workaround IE<=8 bug where Content-Disposition:inline was ignored
- Fix XSS vulnerability in vbscript: and data:text links handling
- Fix cache (in)validation after setting \Deleted flag
- note that there is a new default UI 'larry'; for now you can revert to
the old one by changing the option in the config file to 'classic'
- thanks Daniel, Vijay and william@ for testing.