Release 1.5.8 and 1.6.8

Author: alecpl

_data/releases.json

@@ -1,25 +1,25 @@
 {
     "stable": {
         "name": "Stable version",
-        "version": "1.6.7",
+        "version": "1.6.8",
         "sources": [
             {
                 "package": "Dependent",
-                "url": "https://github.com/roundcube/roundcubemail/releases/download/1.6.7/roundcubemail-1.6.7.tar.gz",
+                "url": "https://github.com/roundcube/roundcubemail/releases/download/1.6.8/roundcubemail-1.6.8.tar.gz",
                 "size": "3.8 MB",
-                "checksum": "b12c4f9f84890830ce10e470ac0d698b7de00d29f432a9326b4cf8c590e558de"
+                "checksum": "939c9cd46281bf5bfb2dd932680b18ee1706035a5806dc08d8b414971cea91f7"
             },
             {
                 "package": "Complete",
-                "url": "https://github.com/roundcube/roundcubemail/releases/download/1.6.7/roundcubemail-1.6.7-complete.tar.gz",
+                "url": "https://github.com/roundcube/roundcubemail/releases/download/1.6.8/roundcubemail-1.6.8-complete.tar.gz",
                 "size": "5.6 MB",
-                "checksum": "cf52515e65b2818cb02fd7a202c766367b8c54d8b7fea27dda9c81aa7ce1d3a6"
+                "checksum": "8468be0204a734c574adef4be01578c7dc4fab9c2fe34003bf341a2bd20efd2a"
             },
             {
                 "package": "Framework",
-                "url": "https://github.com/roundcube/roundcubemail/releases/download/1.6.7/roundcube-framework-1.6.7.tar.gz",
-                "size": "1.8 MB",
-                "checksum": "8c2934fbc9951f886305de84534822eaab1bd6a59e96a98dab380ad42ee5f30f"
+                "url": "https://github.com/roundcube/roundcubemail/releases/download/1.6.8/roundcube-framework-1.6.8.tar.gz",
+                "size": "1.1 MB",
+                "checksum": "0adb5599d4640b8dcdd8ce1c4e27264a7cd009084fe2659aada5fbd33b591d94"
             }
         ]
     },
@@ -33,10 +33,10 @@
         "name": "LTS versions",
         "sources": [
             {
-                "package": "1.5.7 - Complete",
-                "url": "https://github.com/roundcube/roundcubemail/releases/download/1.5.7/roundcubemail-1.5.7-complete.tar.gz",
-                "size": "7.5 MB",
-                "checksum": "e7ed921c0b1774a3b7d7e375d8b8916393f2cbcd62e91fb4d8eb69e6ec528fd2"
+                "package": "1.5.8 - Complete",
+                "url": "https://github.com/roundcube/roundcubemail/releases/download/1.5.8/roundcubemail-1.5.8-complete.tar.gz",
+                "size": "7.4 MB",
+                "checksum": "f3b51374d85d9f8eb9976d7184797ac71a5e1520d47f819c5ba669ca6d6903c9"
             }
         ]
     },

_posts/2024-08-04-security-updates-1.6.8-and-1.5.8.md

@@ -0,0 +1,21 @@
+---
+layout: article
+title: Security updates 1.6.8 and 1.5.8 released
+tags: releases updates security
+---
+
+We just published security updates to the 1.6 and 1.5 LTS versions of Roundcube Webmail.
+They both contain fixes for recently reported security vulnerabilities.
+
+## Security fixes
+
+- Fix XSS vulnerability in post-processing of sanitized HTML content [CVE-2024-42009]
+- Fix XSS vulnerability in serving of attachments other than HTML or SVG [CVE-2024-42008]
+- Fix information leak (access to remote content) via insufficient CSS filtering [CVE-2024-42010]
+
+Credits to Oskar Zeino-Mahmalat ([Sonar](https://www.sonarsource.com/)) for all these findings and thanks for providing a very detailed report in a private communication.
+
+See the full changelogs in the release notes on the Github download pages for the updated versions
+[1.6.8](https://github.com/roundcube/roundcubemail/releases/tag/1.6.8) and [1.5.8](https://github.com/roundcube/roundcubemail/releases/tag/1.5.8).
+
+We strongly recommend to update all productive installations of Roundcube 1.6.x and 1.5.x with this new versions.