An XSS vulnerability has been reported and fixed in Roundcube.
I have applied this fix to Kolab 3.4 Updates:
I also prepared an update for Kolab 16:
(I had to do the branch and submit request from the command line, because today the SSL certificate for obs.kolabsys.com expired, which breaks the login through the browser interface. UPDATE: SSL certificate has been updated).
I do have commit permissions for Kolab 3.4, but I don’t have commit permissions for Kolab 16.
I have asked on IRC, but probably due to a holiday weekend in parts of Germany and Switzerland, I did not get an immediate reply. That is fair enough.
UPDATE: Jeroen has reviewed and accepted the submit request, so the security patch has been applied to Roundcube in Kolab 16! Thank you!
I have asked the question now on the developers’ mailing list, with CC to Jeroen: https://lists.kolab.org/pipermail/devel/2016-May/015446.html
Now that the community and the enterprise version have been merged, we still need a way to provide security updates for the community.
Please join the discussion on the mailing list. Or should we use https://kolab.org/hub/ instead?