=====================================================================
                            CERT-Renater

                 Information Note No. 2011/VULN314
_____________________________________________________________________

DATE                 : 12/04/2011

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running Roundcube Webmail versions
                       prior to 0.5.1.

======================================================================
http://trac.roundcube.net/wiki/Changelog
______________________________________________________________________

CHANGELOG

Release 0.5.1

* Use IMAP's ID extension (RFC2971) to print more info into debug log
* Security: add optional referer check to prevent CSRF in GET requests
* Fix email_dns_check setting not used for identities/contacts (#1487740)
* Fix ICANN example addresses doesn't validate (#1487742)
* Security: protect login form submission from CSRF
* Security: prevent from relaying malicious requests through modcss.inc
* Fix handling of non-image attachments in multipart/related messages (#1487750)
* Fix IDNA support when IDN/INTL modules are in use (#1487742)
* Fix handling of invalid HTML comments in messages (#1487759)
* Fix parsing FETCH response for very long headers (#1487753)
* Fix add/remove columns in message list when message_sort_order isn't set (#1487751)
* Check mime headers before attempt to parse them (#1487745)
* Quote header values in show_additional_headers plugin (#1487744)
* Fix settings UI on IE 6 (#1487724)
* Remove double borders in folder listing (#1487713)
* Separate full message headers UI element from headers table (#1487715)
* Add part MIME ID to message_part_* hooks (#1487718)
* Improve parsing of MS Outlook vCards (#1487716)
* Updated PEAR::Net_Socket to 1.0.10
* Updated PEAR::Net_IDNA2 to 0.1.1
* Fix handling of comments inside an email address spec. (#1487673)
* Show full mail subject as title when hovering a cut subject link (#1487128)
* Fix randomly disappearing folders list in IE (#1487704)
* Fix list column add/removal in IE (#1487703)
* Fix login redirect issues (#1487686)
* Require PHP 5.2.1 or greater
* Fix %h/%z variables in username_domain option (#1487701)
* Workaround for setting charset in case of malformed bodystructure response (#1487700)
* Fix impossible to subscribe to protected folders (#1487656)
* Fix setting timezone in Preferences (#1487705)

======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23 - 25 Rue Daviel  | fax : 01-53-94-20-41            +
+ 75013 Paris         | email: certsvp@renater.fr       +
=========================================================