An XSS vulnerability has been reported and fixed in Roundcube.

I have applied this fix to Kolab 3.4 Updates:

I also prepared an update for Kolab 16:
(I had to do the branch and submit request from the command line,
because today the SSL certificate for expired, which
breaks the login through the browser interface. UPDATE: SSL certificate has been updated).

I do have commit permissions for Kolab 3.4, but I don’t have commit
permissions for Kolab 16.

I have asked on IRC, but probably due to a holiday weekend in parts of Germany and Switzerland, I did not get an immediate reply. That is fair enough.

UPDATE: Jeroen has reviewed and accepted the submit request, so the security patch has been applied to Roundcube in Kolab 16! Thank you!

I have asked the question now on the developers’ mailing list, with CC to Jeroen:

Now that the community and the enterprise version have been merged, we
still need a way to provide security updates for the community.

Please join the discussion on the mailing list. Or should we use instead?

Security Update for XSS vulnerability CVE-2016-5103 in Roundcube for Kolab 3.4 and for Kolab 16