phpMyAdmin 4.7.4 SQL injection vulnerability

  • I get the following message when updating:

    server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none


    Done.

    Now this message:

    [Exception]

    Version check failed! kolab/calendar requires Roundcube version >= 1.4.0.0, 1.2.5.0 was detected.


    Sorry, all good. I had not read the thread from the beginning. So step 1 is to update Roundcube, and then the plugins.


  • Updates 1.4.6 and 1.3.13 released

    07 June 2020


    We just published two follow-up releases to the recently published versions 1.4.5 and 1.3.12 of Roundcube Webmail.

    They contain only a single fix for the installer’s test step which was broken with the last release. The update is therefore only relevant for new installations which use the installer to set up Roundcube.

    Changelog

    • Installer: Fix regression in SMTP test section (#7417)



    my System :



    - Distribution: Debian | Release: 9.8 | Codename: wheezy
    - i-MSCP Version: i-MSCP 1.5.3| Build: 20181208 | Codename: Ennio Morricone
    - Plugins installed: ClamAV (v. 1.2.1), Mailgraph (v 1.1.1), OpenDKIM (v 1.1.3), PanelRedirect (v 1.1.5) & SpamAssassin (v 1.1.1)
    - LetsEncrypt (v3.3.0), PhpSwitcher (v 4.0.1), RoundcubePlugins (v 2.0.1)


  • Security updates 1.4.7, 1.3.14 and 1.2.11 released

    05 July 2020

    We just published security updates to the stable version 1.4 and the LTS versions 1.3 and 1.2 of Roundcube Webmail. They all contain a recently reported cross-site scripting (XSS) vulnerability. The 1.4.7 release also contains a number of general improvements from our issue tracker.

    Security fix

    Prevent cross-site scripting (XSS) via HTML messages with malicious svg/namespace. Credits for this finding go to SSD Secure Disclosure.

    See the full changelogs in the release notes on the GitHub download pages for the updated versions 1.4.7, 1.3.14 and 1.2.11.

    We strongly recommend to update all productive installations of Roundcube with these new versions.


  • Security updates 1.4.8, 1.3.15 and 1.2.12 released

    10 August 2020

    We just published security updates to the stable version 1.4 and the LTS versions 1.3 and 1.2 of Roundcube Webmail. They all contain two recently reported cross-site scripting (XSS) vulnerabilities. The 1.4.8 release also contains a number of general improvements from our issue tracker.

    Security fixes

    • Fix cross-site scripting (XSS) via HTML messages with malicious svg content (CVE-2020-16145)
    • Fix cross-site scripting (XSS) via HTML messages with malicious math content

    Credits for these two findings go to Łukasz Pilorz from Pentesters.

    See the full changelogs in the release notes on the GitHub download pages for the updated versions 1.4.8, 1.3.15 and 1.2.12.

    We strongly recommend to update all productive installations of Roundcube with these new versions.


  • Update 1.4.9 released

    27 September 2020

    We proudly announce the next service release to update the stable version 1.4.

    It contains fixes and general improvements from our issue tracker, mainly related to email composition and UI oddities in Elastic skin and with the TinyMCE richtext editor.

    See the full changelog in the release notes on the GitHub download page.

    This release is considered stable and we recommend to update all productive installations of Roundcube with this version. Download it from roundcube.net.

    Please do backup your data before updating!




  • Hi? How can I install the Roundcube plugins? The responder is not active.

    Hi Bulli


    I'll see what I can do.



    phpMyAdmin 4.9.6 and 5.0.3 are released

    2020-10-10

    Hello,

    The phpMyAdmin team announces the release of both phpMyAdmin versions 4.9.6 and 5.0.3.

    Both versions contain several important security fixes:

    • PMASA-2020-5 XSS vulnerability with transformation feature
    • PMASA-2020-6 SQL injection vulnerability with the search feature

    In addition, 5.0.3 contains many bugfixes. Some of the highlights include:

    • Fix an error message about htmlspecialchars() when attempting to export XML
    • Support double tapping to edit on mobile
    • Fix the error message "Use of undefined constant MYSQLI_TYPE_JSON" when using mysqlnd
    • Fix fatal JS error on index creation after using Enter key to submit the form
    • Fix "axis-order" to swap latitude and longitude on MySQL 8.1 or newer
    • Fix an error when overwriting an existing query bookmark
    • Fix some warnings that appear with PHP 8
    • Fix alter user privileges query when editing an account with MySQL 8.0.11 and newer
    • Fix issues regarding TIMESTAMP columns with default CURRENT_TIMESTAMP in MySQL 8.0.13 and newer
    • Fix a message that "Warning: error_reporting() has been disabled for security reasons" on PHP 7.x

    There are many other bug fixes; please see the ChangeLog file included with this release for full details.

    Known shortcomings:

    Due to changes in the MySQL authentication method, PHP versions prior to 7.4 are unable to authenticate to a MySQL 8.0 or newer server (our tests show the problem actually began with MySQL 8.0.11). This relates to a PHP bug https://bugs.php.net/bug.php?id=76243. There is a workaround, that is to set your user account to use the current-style password hash method, mysql_native_password. This unfortunate lack of coordination has caused the incompatibility to affect all PHP applications, not just phpMyAdmin. For more details, you can see our bug tracker item at https://github.com/phpmyadmin/phpmyadmin/issues/14220. We suggest upgrading your PHP installation to take advantage of the upgraded authentication methods.

    Downloads are available now at https://phpmyadmin.net/downloads/


  • phpMyAdmin 4.9.7 and 5.0.4 are released

    2020-10-15

    Welcome to the release of phpMyAdmin version 4.9.7 and 5.0.4. These are bug fix releases to address packaging problems with 4.9.6 and 5.0.3. Version 5.0.3 includes a few other minor bugs as well.

    Fixed in both:

    • Two factor authentication was broken
    • Incompatibilities with older PHP versions.

    Additional fixes in 5.0.3:

    • Fix for cleared search values when a Zoom search fails
    • Fix a PHP error when reporting a certain JavaScript error
    • Fixed latitude and longitude swap for geometries in edit mode
    • Fix CREATE TABLE not being tracked when auto tracking is enabled

    Sorry for the inconvenience.

    This is expected to be the last release of 5.0, we have scheduled 5.1.0 as the next phpMyAdmin release.

    This is a reminder that phpMyAdmin 4.9 is in the long-term support phase where it will only get important security fixes and critical bug fixes. Users are suggested to migrate to version 5.

    Downloads are available now at https://phpmyadmin.net/downloads/

    For the phpMyAdmin team, Isaac


