Log Message:
mail/roundcube: update to 1.6.8

1.6.8 (2024-08-04)

This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:

* Fix XSS vulnerability in post-processing of sanitized HTML content
  [CVE-2024-42009]

* Fix XSS vulnerability in serving of attachments other than HTML or SVG
  [CVE-2024-42008]

* Fix information leak (access to remote content) via insufficient CSS
  filtering [CVE-2024-42010]

Credits to Oskar Zeino-Mahmalat (Sonar) for all these findings and thanks
for providing a very detailed report in a private communication.

This version is considered stable and we recommend to update all productive
installations of Roundcube 1.6.x with it.  Please do backup your data before
updating!

CHANGELOG

* Managesieve: Protect special scripts in managesieve_kolab_master mode
* Fix newmail_notifier notification focus in Chrome (#9467)
* Fix fatal error when parsing some TNEF attachments (#9462)
* Fix double scrollbar when composing a mail with many plain text lines
  (#7760)
* Fix decoding mail parts with multiple base64-encoded text blocks (#9290)
* Fix bug where some messages could get malformed in an import from a MBOX
  file (#9510)
* Fix invalid line break characters in multi-line text in Sieve scripts
  (#9543)
* Fix bug where "with attachment" filter could fail on some fts engines
  (#9514)
* Fix bug where an unhandled exception was caused by an invalid image
  attachment (#9475)
* Fix bug where a long subject title could not be displayed in some cases
  (#9416)
* Fix infinite loop when parsing malformed Sieve script (#9562)
* Fix bug where imap_conn_option's 'socket' was ignored (#9566)
* Fix XSS vulnerability in post-processing of sanitized HTML content
  [CVE-2024-42009]
* Fix XSS vulnerability in serving of attachments other than HTML or SVG
  [CVE-2024-42008]
* Fix information leak (access to remote content) via insufficient CSS
  filtering [CVE-2024-42010]