Releases: roundcube/roundcubemail

Roundcube Webmail 1.6-beta

06 Mar 20:36
1.6-beta
Pre-release

This is a beta release for the next major version 1.6 of Roundcube webmail.
With this milestone we cleaned up the codebase and brought full support for PHP 8.1.
The most noteworthy changes are:

  • PHP 8.1 support
  • Dropped support for PHP < 7.3
  • Support responses (snippets) in HTML format
  • Option to purge deleted mails older than 30, 60 or 90 days
  • Unified and simplified services connection config options
  • Removed the Classic and Larry skins from the release packages
  • SQLite: Use foreign keys, require SQLite >= 3.6.19

Adding support for PHP 8.1 again required some refactoring of the Roundcube codebase
and removing/replacing now-deprecated PHP code. We also used this cleanup effort
to simplify Roundcube's config options a bit.

Breaking Changes

The following config options have either been removed or renamed:

  1. IMAP:
    • renamed default_host to imap_host
    • removed default_port option (non-standard port can be set via imap_host)
    • set "localhost:143" as a default for imap_host
  2. SMTP:
    • renamed smtp_server to smtp_host
    • removed smtp_port option (non-standard port can be set via smtp_host)
    • set "localhost:587" as a default for smtp_host
  3. LDAP:
    • removed port option from ldap_public array (non-standard port can be set via host)
    • removed use_tls option from ldap_public array (use tls:// prefix in host)
  4. Managesieve:
    • removed managesieve_port option (non-standard port can be set via managesieve_host)
    • removed managesieve_usetls option (the tls:// prefix in managesieve_host has to be used)
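
The IMAP, SMTP and Managesieve renames above, shown as an added PHP example (not Roundcube's own migration code; installto.sh and update.sh perform the real migration). It folds the removed port options and managesieve_usetls into the new host values so the port and the TLS requirement carry over. The function names and host names are assumptions made for illustration; array-valued hosts and ldap_public are not handled.

```php
<?php
// Added illustration only; not Roundcube's migration code.
// Function names are hypothetical, host names are constructed examples.

/** Fold a removed port option (and an optional TLS flag) into a host string. */
function fold_host(string $host, ?int $port, bool $tls = false): string
{
    // Split off an existing scheme prefix such as tls:// or ssl://
    $scheme = '';
    if (preg_match('#^([a-z0-9]+)://(.+)$#i', $host, $m)) {
        $scheme = strtolower($m[1]) . '://';
        $host   = $m[2];
    }
    // A removed "use TLS" flag becomes the tls:// prefix, unless a scheme is already set
    if ($scheme === '' && $tls) {
        $scheme = 'tls://';
    }
    // Append the old port only when the host does not already carry one
    if ($port !== null && !preg_match('/:\d+$/', $host)) {
        $host .= ':' . $port;
    }
    return $scheme . $host;
}

/** Map 1.5-style connection options to the 1.6 names listed above. */
function migrate_connection_options(array $old): array
{
    $new = $old;
    // [old host key, removed port key, new host key]
    $map = [
        ['default_host',     'default_port',     'imap_host'],
        ['smtp_server',      'smtp_port',        'smtp_host'],
        ['managesieve_host', 'managesieve_port', 'managesieve_host'],
    ];
    foreach ($map as [$oldHost, $oldPort, $newHost]) {
        $port = isset($old[$oldPort]) ? (int) $old[$oldPort] : null;
        $tls  = $newHost === 'managesieve_host' && !empty($old['managesieve_usetls']);

        if (isset($old[$oldHost])) {
            $value = $old[$oldHost];
            if (is_string($value) && $value !== '') {
                $new[$newHost] = fold_host($value, $port, $tls);
            } else {
                // Arrays and empty values are only renamed; review their ports by hand
                $new[$newHost] = $value;
            }
        }
        if ($oldHost !== $newHost) {
            unset($new[$oldHost]);
        }
        unset($new[$oldPort]);
    }
    unset($new['managesieve_usetls']);

    return $new;
}

// Constructed 1.5-style settings
$old = [
    'default_host'       => 'tls://imap.example.org',
    'default_port'       => 143,
    'smtp_server'        => 'tls://smtp.example.org',
    'smtp_port'          => 587,
    'managesieve_host'   => 'sieve.example.org',
    'managesieve_port'   => 4190,
    'managesieve_usetls' => true,
];

var_export(migrate_connection_options($old));
```

After a real upgrade, compare the resulting imap_host, smtp_host and managesieve_host values against the old settings to confirm that every host that previously required TLS still carries a tls:// or ssl:// prefix.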

If you used the Larry or the Classic skin in your deployment, you need to install them manually
as they are no longer part of the release packages. They can easily be installed via Composer:

$ composer require roundcube/larry

This is a beta release and we recommend testing it in a separate environment.
Migrate existing configs with either the installto.sh or the update.sh script.
And don't forget to back up your data before installing it.

CHANGELOG

  • Unified and simplified services connection options (#8310)
  • Plugin API: Removed smtp_port parameter in smtp_connect hook
  • Plugin API: Renamed smtp_server parameter to smtp_host in smtp_connect hook
  • Plugin API: Removed port parameter in managesieve_connect hook
  • Plugin API: Removed usetls parameter in managesieve_connect hook
  • Added support for PHP 8.1 (#8151)
  • Dropped support for PHP < 7.3 (#7976)
  • Dropped support for strftime-like format (with % sign) in date and time format configuration
  • Moved the Classic and Larry skins to their own repository (#8271)
  • SQLite: Use foreign keys, require SQLite >= 3.6.19
  • Replace Endroid QrCode with BaconQrCode (#8173)
  • Support responses (snippets) in HTML format (#5315)
  • Purge also subfolders of Trash (and/or messages in them) on logout (#1037)
  • Add support for encryption with AEAD ciphers, e.g. aes-256-gcm (#7097)
  • Add option to purge deleted mails older than 30, 60 or 90 days (#5493)
  • Add ability to mark multiple messages as not deleted at once (#5133)
  • Add possibility to disable line-wrapping of sent mail body (#5101)
  • Improve/Fix wrapping of plain text messages on preview and reply (#6974, #8391, #8378, #8289)
  • Improve searching by sender/recipient headers, support Reply-To and Followup-To (#6582)
  • Add option to control links handling behavior on html to text conversion (#6485)
  • Add 'loginform_content' plugin hook (#8273, #6569)
  • SMTP: If requested use TLS also without authentication (#4590, #8111)
  • Display a generic error page on initial DB/configuration errors (#8222)
  • Display telephone numbers as tel: links (#8240)
  • Elastic: Move scrollbar settings to variables (#8352)
  • Elastic: Use thin scrollbars in both light and dark mode
  • Elastic: Make the scrollbar color lighter in dark mode (#8345)
  • Autologout: A new plugin to auto log out users with a POST request (#8270)
  • Enigma: Upgrade to OpenPGP.js v5.0
  • Identicon: Make background color of the image to match the current skin colors (#8256)
  • Newmail_notifier: Update favicon to match the current favicon style and size (#7826)
  • Password: Remove password_blowfish_cost option, in favor of password_algorithm_options
  • Password: Remove support for password_algorithms crypt, hash and cram-md5
  • Password: Remove support for %c, %d, %n, %q variables in password_query
  • Password: Add support for passwords based on PHP's password_hash() function (#7724)
  • Password: Verify current password with IMAP (#8142)
  • Password: Improve handling errors on executed commands (#8200)
  • Password: Add Mailcow driver (#8291)
  • Fix compatibility with Referrer-Policy: "strict-origin" (#8170)
  • Fix locked SQLite database for the CLI tools (#8035)
  • Fix Makefile on Linux (#8211)
  • Fix so PHP warnings are ignored when resizing a malformed image attachment (#8387)
  • Fix various PHP8 warnings (#8392)
  • Fix mail headers injection via the subject field on mail compose (#8404)
  • Fix bug where small message/rfc822 parts could not be decoded (#8408)
  • Fix setting HTML mode on reply/forward of a signed message (#8405)
  • Fix handling of RFC2231-encoded attachment names inside of a message/rfc822 part (#8418)
  • Fix bug where some mail parts (images) could have not been listed as attachments (#8425)
  • Fix bug where attachment icons were stuck at the top of the messages list in Safari (#8433)

Roundcube Webmail 1.5.2

30 Dec 21:29
1.5.2

This is the second service release to update the new stable version 1.5. It provides a bunch of small fixes and improvements to the OAuth feature as well as a security fix for a recently reported XSS vulnerability. See the full changelog below.

Security fix

  • Cross-site scripting (XSS) via HTML messages with malicious CSS content

This version is considered stable and we recommend updating all production installations of Roundcube with it. Please back up your data before updating!

CHANGELOG

  • OAuth: pass 'id_token' to 'oauth_login' plugin hook (#8214)
  • OAuth: fix expiration of short-lived oauth tokens (#8147)
  • OAuth: fix relative path to assets if /index.php/foo/bar url is used (#8144)
  • OAuth: no auto-redirect on imap login failures (#8370)
  • OAuth: refresh access token in 'refresh' plugin hook (#8224)
  • Fix so folder search parameters are honored by subscriptions_option plugin (#8312)
  • Fix password change with Directadmin driver (#8322, #8329)
  • Fix so css files in plugins/jqueryui/themes will be minified too (#8337)
  • Fix handling of unicode/special characters in custom From input (#8357)
  • Fix some PHP8 compatibility issues (#8363)
  • Fix chpass-wrapper.py helper compatibility with Python 3 (#8324)
  • Fix scrolling and missing Close button in the Select image dialog in Elastic/mobile (#8367)
  • Security: fix cross-site scripting (XSS) via HTML messages with malicious CSS content

Roundcube Webmail 1.4.13

30 Dec 21:25
1.4.13

This is a security update to the stable version 1.4 of Roundcube Webmail.
It provides a fix for a recently reported XSS vulnerability:

  • Cross-site scripting (XSS) via HTML messages with malicious CSS content

This version is considered stable and we recommend updating all production installations of Roundcube 1.4.x with it. Please back up your data before updating!

CHANGELOG

  • Security: fix cross-site scripting (XSS) via HTML messages with malicious CSS content

Roundcube Webmail 1.5.1

28 Nov 17:51
1.5.1

This is the first service release to update the new stable version 1.5. It provides a bunch of small fixes and improvements after getting your feedback from the 1.5.0 release. See the full changelog below.

Important note for MySQL and MariaDB database backends

The change to full UTF-8 support in MySQL/MariaDB didn't work for everybody migrating an existing DB. Hence here's an important notice from the UPGRADING instructions:

If you use MySQL < 5.7.7 or MariaDB < 10.2.2 make sure to configure it with:

  innodb_large_prefix=1
  innodb_file_per_table=1
  innodb_file_format=Barracuda

This version is considered stable and we recommend updating all production installations of Roundcube with it. Please back up your data before updating!

CHANGELOG

  • Fix importing contacts with no email address (#8227)
  • Fix so session's search scope is not used if search is not active (#8199)
  • Fix some PHP8 warnings (#8239)
  • Fix so dark mode state is retained after closing the browser (#8237)
  • Fix bug where new messages were not added to the list on refresh if skip_deleted=true (#8234)
  • Fix colors on "Show source" page in dark mode (#8246)
  • Fix handling of dark_mode_support:false setting in skins meta.json - also when devel_mode=false (#8249)
  • Fix database initialization if db_prefix is a schema prefix (#8221)
  • Fix undefined constant error in Installer on Windows (#8258)
  • Fix installation/upgrade on MySQL 5.5 - Index column size too large (#8231)
  • Fix regression in setting of contact listing name (#8260)
  • Fix bug in Larry skin where headers toggle state was reset on full page preview (#8203)
  • Fix bug where \u200b characters were added into the recipient input preventing mail delivery (#8269)
  • Fix charset conversion errors on PHP < 8 for charsets not supported by mbstring (#8252)
  • Fix bug where adding a contact to trusted senders via "Always allow from..." button didn't work (#8264, #8268)
  • Fix bug with show_images setting where option 1 and 3 were swapped (#8268)
  • Fix PHP fatal error on an undefined constant in contacts import action (#8277)
  • Fix fetching headers of multiple message parts at once in rcube_imap_generic::fetchMIMEHeaders() (#8282)
  • Fix bug where attachment download could sometimes fail with a CSRF check error (#8283)
  • Fix an infinite loop when parsing environment variables with float/integer values (#8293)
  • Fix so 'small-dark' logo has more priority than the 'small' logo (#8298)

Roundcube Webmail 1.4.12

12 Nov 21:45
1.4.12

This is a service and security update to the stable version 1.4 of Roundcube Webmail.
It provides fixes for two recently discovered SQL injection and XSS vulnerabilities as well as some general improvements from our issue tracker. See the full changelog below.

Security fixes

  • Fix XSS issue in handling attachment filename extension in mimetype mismatch warning
  • Fix possible SQL injection via some session variables

This version is considered stable and we recommend updating all production installations of Roundcube with it. Please back up your data before updating!

CHANGELOG

  • Enigma: Fix bug where signature verification could fail for non-ascii bodies (#7919)
  • Fix bug where contacts search didn't work with addressbook_search_mods set to an empty array (#7974)
  • Fix bug causing some HTML message content to be not centered in Elastic skin (#7911)
  • Fix bug where consecutive LDAP searches could return wrong results (#8064)
  • Fix bug where plus characters in attachment filename could have been ignored (#8074)
  • Fix displaying HTML body with inline images encapsulated using TNEF format (winmail.dat)
  • Fix handling of custom sender addresses with names (#8106)
  • Fix shift + drag'n'drop menu not working in Elastic skin with Chrome browser (#8107)
  • Fix Firefox infinite loading display on mail screen (#8128)
  • Fix XSS issue in handling attachment filename extension in mimetype mismatch warning (#8193)
  • Fix SQL injection via some session variables

Roundcube Webmail 1.3.17

12 Nov 21:29
1.3.17

This is a security update to the LTS version 1.3.
It fixes two recently discovered vulnerabilities:

  • Fix XSS issue in handling attachment filename extension in mimetype mismatch warning
  • Fix possible SQL injection via some session variables

This version is considered stable and we strongly recommend updating all production installations of Roundcube 1.3.x with it. Please back up your data before updating!

Roundcube Webmail 1.5.0

18 Oct 20:03
1.5.0

This is the stable release of the next major version of Roundcube webmail.
With this milestone we introduce new features and full PHP 8.0 support.
The most noteworthy additions are:

  • Dark mode for Elastic skin
  • OAuth2/XOauth support (with plugin hooks)
  • Collected recipients and trusted senders
  • Moving recipients between inputs with drag & drop
  • Full unicode support with MySQL database
  • Support of IMAP LITERAL- extension [RFC 7888]
  • Support of RFC 2231 encoded names
  • Cache refactoring

See the full changelog below.

We also disabled the spell checking feature using spell.roundcube.net by default because some privacy concerns were raised. It now needs to be enabled explicitly by setting the enable_spellcheck config option to true.

In case you're running Roundcube directly from source or if you're not using the complete package, you need to install 3rd party javascript modules using the bin/install-jsdeps.sh script. In the 1.5.x series the toolchain required to build a functional package has changed a bit:

  • bin/jsshrink.sh: replaced google-closure-compiler with UglifyJS
  • bin/cssshrink.sh: replaced yuicompressor with csso
  • Elastic theme: require lessc >= 2.5.2 (and add support for v4) with less-plugin-clean-css

This release is considered stable and we encourage you to update your production installations after carefully testing the upgrade scenario.

With the release of Roundcube 1.5.0, the previous stable release branches 1.4.x and 1.3.x will change into LTS low maintenance mode which means they will only receive important security updates but no longer any regular improvement updates. The 1.2.x series is no longer supported and maintained.

CHANGELOG (since 1.5-rc)

  • Support displaying RTF content (including encapsulated HTML) from a TNEF attachment
  • Disable the default spellchecker option using spell.roundcube.net (#8182)
  • Newmail_notifier: Improved the notification sound (#8155)
  • Fix size of Mailvelope iframe for PGP-inlined mail, again (#8126)
  • Fix handling of group names with @ character in autocomplete and contacts widget (#8098)
  • Fix Firefox infinite loading display on mail screen (#8128)
  • Fix converting >1MB of HTML content into plain text (#8137)
  • Fix bug where expanding a group in the recipient input could corrupt the input content (#7569)
  • Fix fatal error/warning on invalid input to user parameter (#8152)
  • Fix changing password with dovecot_passwdfile driver (#8145)
  • Fix handling of headers that occur multiple times by show_additional_headers plugin (#8157)
  • Fix bug where vertical scrollbar in new HTML message bounced back on scroll (#8046)
  • Fix displaying inline images with incorrectly declared content-type (#8158)
  • Fix so addr-spec with missing closing angle bracket can be parsed (#8164)
  • Fix handling of spellcheck connection errors (#8172)
  • Fix a couple of PHP8 warnings (#8175, #8176)
  • Fix bug where "from my contacts" and "from trusted senders" values were mixed up (#8177)
  • Fix password/token length check on OAuth login (#8178)
  • Fix XSS issue in handling attachment filename extension in mimetype mismatch warning (#8193)
  • Fix SQL injection via some session variables
  • Fix handling of dark_mode_support:false setting in skins meta.json (#8186)
  • Fix security issues regarding server name and trusted_host_patterns setting

Roundcube Webmail 1.5-rc

03 Jul 20:14
1.5-rc
Pre-release

This is the release candidate for the next major version 1.5 of Roundcube webmail.
Based on the feedback we received from the beta release and some new features from
the backlog, we have now finalized the development branch to prepare the final version.
See the changelog below for details.

Some noteworthy additions since 1.5-beta are:

  • Support of XOAUTH2 in Managesieve plugin
  • Support of IMAP LITERAL- extension [RFC 7888]
  • Support of RFC 2231 encoded names
  • Plugin hooks for OAuth events

We believe it is production ready, but we recommend testing it in a separate environment.
And don't forget to back up your data before installing it.

CHANGELOG

  • Upgrade to TinyMCE 5.8.2
  • SMTP XCLIENT support (#7893, #6411)
  • Add IDN homograph attack (spoofing) detection [CVE-2019-15237] (#6891)
  • Add configuration options for subject prefixes (#7929, #4981)
  • Support IMAP LITERAL- extension [RFC 7888] (#6878)
  • Warn the user about a potential data leak on mail bounce or forward (#7993)
  • Make the Empty action available for every non-empty folder, not only Trash (#7948)
  • Remove (incorrect) use of Return-Receipt-To header (#8069)
  • Submit various simple dialog forms with the Enter key (#7133)
  • Add RFC2231 support to rcube_mime_decode (#7390)
  • Plugin API: Allow modification of 'error' argument in message_send_error hook (#7914)
  • OAuth: add plugin hooks oauth_login and oauth_refresh_token for oauth events (#8028, #8040)
  • Debug_logger: Fix the main plugin functionality and documentation (#8041)
  • Enigma: Fix bug where signature verification could fail for non-ascii bodies (#7919)
  • Enigma: Fix invalid expiration dates of PGP keys on a 32bit system (#7531)
  • Enigma: Display a notice that public and private keys are stored on the server (#7941)
  • Enigma: Optional support for passwordless keys (#7265)
  • Managesieve: Fix removing nested rules in scripts (#8011)
  • Managesieve: Support XOAUTH2, requires Net_Sieve 1.4.5 (#7925)
  • Managesieve: Added ability to remove 'redirect' option from UI (#7922)
  • New_user_dialog: Use the identity_update hook (#8023)
  • Password: Fix broken 'hmail' driver (#7966)
  • Password: Set password_minimum_length to 8 by default (#8003)
  • Vcard_attachments: Improve handling of multiple contacts (#7027)
  • Fix inserting a group from non-default source using the Insert contact(s) dialog (#8095)
  • Fix invalid search fields after search scope change (#6919)
  • Fix so "Always allow from..." button appears also when allow_images=3 (#7961)
  • Fix Elastic's pretty select scroll position in Chrome (#7964)
  • Fix bug where invalid non-unicode characters in JSON output could make the UI unresponsive (#7955)
  • Fix PHP 8 fatal error when allowing images in an email (#7968)
  • Fix so session expiration is more precise and does not depend on the garbage collector (#7576)
  • Fix bug where imap_conn_options settings were ignored (#7912)
  • Fix bug causing some HTML message content to be not centered in Elastic skin (#7911)
  • Fix bug when sending an email and recipient's email address contains a trailing dot (#7899)
  • Fix bug where the list page wasn't reset when changing a folder on mail view page (#7932)
  • Fix so selecting the same folder to reset search resets also the page number (#7125)
  • Fix login page rendering after oauth failure (#7812,#7923)
  • Fix bug where assigning users to groups via menu (not drag'n'drop) could fail in Elastic theme (#7973)
  • Fix HTML5 parser issue with a messy HTML code from Outlook (#7356)
  • Fix handling of multiple link references with the same index in plain text message (#8021)
  • Fix various actions on folders with angle brackets in name (#8037)
  • Fix inconsistent forwarding action statuses on drafts (#8039)
  • Fix bug where start and reversed attributes of ol tag were ignored (#8059)
  • Fix bug where consecutive LDAP searches could return wrong results (#8064)
  • Fix bug where plus characters in attachment filename could have been ignored (#8074)
  • Fix displaying HTML body with inline images encapsulated using TNEF format (winmail.dat)
  • Fix handling of custom sender addresses with names (#8106)
  • Fix shift + drag'n'drop menu not working in Elastic skin with Chrome browser (#8107)

Roundcube Webmail 1.5-beta

25 Feb 20:39
1.5-beta
Pre-release

This is a beta release for the next major version 1.5 of Roundcube webmail.
With this milestone we introduce new features and long-awaited improvements.
The most noteworthy additions are:

  • PHP 8.0 support
  • OAuth2/XOauth support
  • Dark mode for Elastic skin
  • Collected recipients and trusted senders
  • Moving recipients between inputs with drag & drop
  • Full unicode support with MySQL database
  • Cache refactoring

Adding support for PHP 8 required some deep refactoring of the Roundcube codebase which started with early PHP 5 versions. However, this refactoring also was a bit of a cleaning procedure and resulted in more testable components.

In case you're running Roundcube directly from source or if you're not using the complete package, you need to install 3rd party javascript modules using the bin/install-jsdeps.sh script. With this release the toolchain required to build a functional package has changed a bit:

  • bin/jsshrink.sh: replaced google-closure-compiler with UglifyJS
  • bin/cssshrink.sh: replaced yuicompressor with csso
  • Elastic theme: require lessc >= 2.5.2 (and add support for v4) with less-plugin-clean-css

This is a beta release and we recommend testing it in a separate environment.
And don't forget to back up your data before installing it.

CHANGELOG

  • Require PHP >= 5.5
  • Support PHP 8.0 (#7625)
  • Require php-intl
  • Remove use of Net_IDNA2 package
  • Require GuzzleHttp\Client
  • Upgrade to TinyMCE 5.5.1
  • Upgrade to jQuery 3.5.1 (#7464)
  • Update build tools (#7800, #7804, #7497):
    • jsshrink.sh: Replace google-closure-compiler with UglifyJS
    • cssshrink.sh: Replace yuicompressor with csso
    • require lessc >= 2.5.2 (and add support for v4) with less-plugin-clean-css for Less files compilation
  • Automatically collected recipients and trusted senders (#6904)
    • Added configurable Collected Recipients addressbook source (#4971)
    • Added configurable Trusted Senders addressbook source (#5046)
    • Added 'contact_exists' hook
    • Added separate "trusted senders" options for show_images and mdn_request preferences (#7614)
  • Contact form mode: private/business (#7630)
  • OAuth/XOauth support (#7425, #6933)
  • Cache refactoring (#6312)
  • Added special value 'email' to login_username_filter, it changes also logon input type (#7179)
  • Allow array in smtp_host config (#7296)
  • Support proxy for server-side HTTP requests (#7658)
  • By default do not set the User-Agent header (#7731)
  • Add possibility to (re-)define field mapping on contacts import from a CSV file (#7045, #6668)
  • Move "On request for return receipt" from "Mailbox View" to "Displaying Messages" (#7614)
  • Support RFC8438: IMAP STATUS=SIZE - for faster folder size calculation (#7269)
  • MySQL: Use utf8mb4 charset and utf8mb4_unicode_ci collation (#6535, #7113)
  • Allow NULL in users.preferences column in postgres and sqlite db, the same as for other engines (#7767)
  • Support for language codes up to 16 chars long (e.g. es-419) in database schema (#6851)
  • Relaxed domain name validation for extended TLDs support (#5588)
  • Allow opening application/octet-stream attachments according to filename extension (#6821)
  • Added support for INSERT OR REPLACE queries (#6771)
  • Allow skins to define which layout options they support (#7235)
  • Extract RFC2231 attachment name from message headers (#6729, #6783)
  • Add support for SameSite cookie attribute via session_samesite option (req PHP >= 7.3.0) (#6772)
  • Change folders sorting so shared/other users namespaces are listed last (#5012)
  • Display a warning and do not try to open empty attachments (#7332)
  • Return 204 rather than 404 on missing contact photo (#7777)
  • Add 'reconnect' plugin to retry IMAP connection (#7844)
  • Plugin API: Added 'message' argument to 'message_compose_body' hook
  • Plugin API: Added 'preferences' parameter to 'user_create' hook (#7692)
  • Elastic: Dark mode (#6709)
  • Elastic: Display email size on the list of messages (#7162)
  • Elastic: Replace properties sidebar with a dialog on the attachment preview page (#7635)
  • Elastic: Minimize forms/colors blink on page load
  • Elastic: Improve mail header "detailed mode" (#7224)
  • Elastic: Moving single recipients between recipient inputs with drag-n-drop (#5069)
  • Elastic: Display a special icon for other users and shared namespace roots (#5012)
  • Elastic: Support space-separated email addresses in recipient input (#6529, #6457)
  • Elastic: Remember list checkbox selection state (#7148)
  • Elastic: Add "Open in new window" in mail compose (#7260)
  • Elastic: Make custom less files optional (#7497)
  • Elastic: Prevent from opening mail preview in a new window on touch devices using double tap (#7732)
  • Templates: Add support for expressions in object attributes (#7237)
  • Templates: Add support for nested if conditions (#6818)
  • Templates: Make [space][slash] ending of condition objects optional (#6954)
  • Mailvelope: Fix size of iframe for PGP-inlined mail (#7348)
  • Mailvelope: Add config option to use Main Keyring (#7348, #7157)
  • Mailvelope: Add config option to set the size for new keys (#7348)
  • Mailvelope: Always ask before discarding email currently being composed (#7348)
  • Mailvelope: Fix unnecessary warning to re-add attachments when restoring a draft (#7348)
  • Archive: Added options to split archive by year or year+month and folder (#7216)
  • Enigma: Support ECC key generation - when using GnuPG >= 2.1.7 (#6853)
  • Managesieve: Add support for 'spamtest' extension - RFC3685 (#6950)
  • Managesieve: Allow display name with email address in vacation :from field (#6760)
  • Managesieve: Improve UX on custom header input (#7207)
  • Managesieve: Fix bug where activation of forward/vacation rule could activate a wrong script (#7423)
  • Managesieve: Fix bug where forward/vacation rule could end up being duplicated (#7349)
  • new_user_identity: Fix missing password for user-specific LDAP operations (#7667)
  • Password: Added 'pwned' password strength driver (#7274)
  • Password: Added Mail-in-a-Box (miab) driver (#7824)
  • Password: Added TinyCP driver (#7510)
  • Password: Added httpapi driver to connect to generic HTTP/HTTPS APIs (#7439)
  • Password: Added dovecot_passwdfile driver (#5786)
  • Password: Removed old 'cpanel' driver, 'cpanel_webmail' driver renamed to 'cpanel' (#7780)
  • Fix handling of address groups in email headers by ignoring their names (#7663)
  • Fix so message flags are updated on refresh also for multifolder search results (#7774)
  • Fix so IMAP ID command is sent only after authentication (#7517)
  • Fix bug where it wasn't possible to save Spanish (Latin America) locale preference (#7784)
  • Fix mail search error on invalid search_mods definition (#7789)
  • Fix error when dealing with message/rfc822 attachments using Gmail IMAP (#6854)
  • Fix ISO-2022-JP-MS encoding issues (#7091)
  • Fix so messages in threads with no root aren't displayed separately (#4999)
  • Fix so anchor tags without href attribute are not modified (#7413)
  • Fix invalid IMAP SEARCH command in some rare case on messages cache synchronization (#7895)
  • Fix so allowing remote resources does not add an entry to browser history (#6620)

Roundcube Webmail 1.4.11

08 Feb 19:42
1.4.11

This is a service and security update to the stable version 1.4 of Roundcube Webmail.
It provides a fix for a recently reported stored XSS vulnerability as well as some general improvements from our issue tracker. See the full changelog below.

Security fix

  • Fix cross-site scripting (XSS) via HTML messages with malicious CSS content

Credits for this finding go to Mateusz Szymaniec (CERT Polska).

This version is considered stable and we recommend updating all production installations of Roundcube with it.
Please back up your data before updating!

CHANGELOG

  • Display a nice error informing about no PHP8 support
  • Elastic: Fix compatibility with Less v3 and v4 (#7813)
  • Fix bug with managesieve_domains in Settings > Forwarding form (#7849)
  • Fix errors in MSSQL database update scripts (#7853)
  • Security: Fix cross-site scripting (XSS) via HTML messages with malicious CSS content