ReleaseNotes deprecated

Aggregated Release Notes for 7.8.3

Last Update: 2017-07-07

Patch Release 4223 (2017-06-26)

Shipped Components and Versions

  • Open-Xchange AppSuite backend 7.8.3-rev27
  • Open-Xchange AppSuite frontend 7.8.3-rev24

Fixed Bugs

54315 Incompatibility with SIEVE rules

When running OX App Suite 7.8.3 and 7.8.4 against a shared mail environment, SIEVE filter rules could unintentionally affect each other, for example auto-forward and vacation notice. This got fixed by retaining commented script content which is unknown to the 7.8.4 implementation.

54309 Re-authorizing a oAuth account led to errors

When re-authorizing a oAuth account, for example after changing its password or revoking access, a runtime exception was thrown. This got fixed by considering empty authorization tokens.

54181 Config-cascade inconsistency for value pairs

Certain value pairs where not correctly distributed by the config cascade mechanism, especially those related to services that use oAuth for authentication. We solved this by making those properties config-cascade aware.

54174 Unexpected oAuth option for external accounts

When having external mail access via oAuth disabled, the corresponding option was not properly hidden. This got solved to immediately start the non-oAuth wizard instead.

54136 Incorrect permission restriction when moving folders in Drive

When moving/copying a folder from a external storage service to folder of the primary OX Drive storage service, a permission related error was thrown. This got solved by properly setting administrator privileges to the creator of a OX Drive folder while copying/moving in folders from external services.

54133 Sharing dialog stuck when sharing locked file

When attempting to share a file which is locked, the sharing dialog did not close when canceling the operation. This got solved by handling potential errors related to locks when trying to share a file.

54069 Fuzzy fallback for unsupported languages

In certain cases the frontend language did fall back to german instead of english. This got fixed by setting a explicit fallback to en_US if the browser provides a unsupported language and no previously set OX language cookie.

54067 Outdated "unsupported browsers" message

OX App Suite UI did display incorrect recommendations for mobile browsers when using such as a desktop browser. This has been solved and we're now showing recommendations for mobile browsers only when using a mobile device.

54042 Unable to update dates with Japanese locale

When defining start/end dates at the calendar on mobile browsers, the supplied data did not get taken over to the appointment. This was caused by incompatibility of a date/time format library with specific languages and has been fixed by making sure the same date/time format is used at all related components.

54041 Missing schema information for database timeout errors

In case a database connection reported a communication failure or timeout, the specific database schema was not part of the exception. This has now been added to allow simple debugging of affected database clusters.

In case a IMAP backend did close a connection due to technical issues or timeouts, the resulting stack-trace at OX App Suite middleware was rather generic. This has been improved in a way that we now show the related IMAP command to allow better debugging. This issue has to be validated in production environments that show such unexpected behavior.

53945 Duplicate paste on certain systems

On few macOS based systems images were pasted twice to mail compose when using the operating systems copy&paste feature and hitting a specific timing pattern. Additional checks were added to avoid importing duplicate content.

53923 Quick reply disappears after the first reply

When using "quick reply" to answer a mail, this option will disappear. We changed the behavior in a way that the option stays available after using it.

53916 Adding local files opens camera App on iOS

When using OX App Suite UI with Safari on iOS, the action to add a local attachment resulted in immediate launch of the camera App. We now trigger a selection menu which offers to either use the camera or access existing photos on the device.

53688 Contacts with Katakana "yomi" fields were sorted as "other"

When using Japanese language settings and subsequently "yomi" contact fields, those contacts were sorted incorrectly as "other", which got solved.

53671 Specific mails produced empty printouts

When printing specific mails that define CSS, the created print version did not show substantial content. This got fixed by dropping certain CSS elements from our whitelist that could lead to broken layouts. See Change #4204.

53649 Folder IDs were shown in PIM objects attachment details

For PIM objects with attachments we did show the hyperlinks pointing to OX Drive instead of the corresponding App. To avoid confusion we did visually remove those links as they provide almost no functionality.

53474 Duplicate recipients when sending mail

When sending a mail to all appointment participants the resulting mail compose did contain duplicates of the expected recipients. This got solved by detecting and removing the currently logged in user from that list.

53437 Inconsistency for thumbnails and image preview

Certain file formats (tiff, psd, pbm) were shown as thumbnail preview while not being supported in image preview. To ensure consistency we added support for tiff and psd files to image preview.

52633 Adding huge photos to HTML mail led to high CPU load

When checking for validity of a uploaded image, the size limitations were not considered, which in turn led to higher than expected processing effort. The logic got changed to apply limitations prior to analyze validity of an image. If that action fails, the affected image is being removed from mail compose and a error is logged.

Patch Release 4186 (2017-06-12)

Shipped Components and Versions

  • Open-Xchange AppSuite backend 7.8.3-rev26
  • Open-Xchange AppSuite frontend 7.8.3-rev23
  • Open-Xchange EAS 7.8.3-rev8

Fixed Bugs

53900 1st (out of two) Google Mail Account does not work after adding 2nd (out of two) Google Calender Abo

When updating an OAuth account (applying a new name), the enabled scopes was accidentally reseted.This has been solved by not touching OAuth account's enabled scopes when updating its name.

53795 POP3 External account: messages retrieved are duplicated

Certain POP3 server's do not obey to advertise UIDLs with at max. 70 characters.This has been fixed by extending the "uidl" column in "pop3_storage_ids" and "pop3_storage_deleted" tables from 70 to 128 characters as some POP3 server advertise bigger UIDL values. An Updatetask will be triggered with this fix.

53690 Fields considered for sorting / categorizing contacts inconsistent

A contact's (yomi-) firstname was not taken into account during sort name generation in case no (yomi-) lastname was set.This has been solved by using combination of (yomi-) last- and firstname per default as sort name.

53689 Yomi fields not available / visible with non-Japanese language setting

Missing feature for other languages.Added new setting and feature to make yomi fields with other languages.

53688 Contacts with Katakana "yomi" fields are sorted and categorized as "other"

Only hiragana in sorting table.Extend table with katakana to solve the first part. When yomi was given with Half-width Katakana it is still not sorted correctly, this will be fixed with an upcomming patch.

53674 Japanese attachment filenames broken for some sender MUAs

"name" and "filename" values were parsed in a wrong way from parameter list of Content-Type and Content-Disposition headers.This has been fixed by properly parsing file name from MIME part headers.

53524 Japanese translation: Inconsistent translation for the word "all"

Some are translated with Kanji and the others with Hiragana, which gives the end users inconsistent look and feel.Now all are translated with Hiragana.

53340 Appointment status of participant not updated via EAS

The list of confirmations was not part of the USM sync-state.USM syncs now the list of confirmations from the backend to solve this issue.

53233 No appropriate folder storage for tree identifier "0" and folder identifier "label"

Used dummy folder_id 'label'.This has been fixed by using 'virtual/label' now to avoid that an invalid ID is used in server requests.

Patch Release 4176 (2017-05-19)

Shipped Components and Versions

  • Open-Xchange AppSuite backend 7.8.3-rev24

Fixed Bugs

53833 After latest OX update the documentconverter-server is no longer working

Due to unnecessary package imports the documentconverter was not running.This has been fixed by removing those imports.

Patch Release 4161 (2017-05-29)

Shipped Components and Versions

  • Open-Xchange AppSuite backend 7.8.3-rev25
  • Open-Xchange AppSuite frontend 7.8.3-rev22

Fixed Bugs

53790 Problem with executing SQL: Deadlock found when trying to get lock

Possible dead lock situation through concurrent context create operations that imply to add data to "contextAttribute" table in context-associated payload database.This has been solved by adding retry strategy with exponential back-off and added optional lock to 'contextAttribute' table to ultimately serialize concurrent write operations. Whether the lock is supposed to be acquired is controlled through newly introduced "LOCK_ON_WRITE_CONTEXT_INTO_PAYLOAD_DB" property in file ''. Default is "false".

53521 Japanese translation for "Save to Drive" has superfluous letters "()"

Fixed superfluous trailing letters for Japanese.

53456 Mail content not displayed with broken content type

Corrupt/broken Content-Type header in a MIME part breaks parsing of a mail message.This has been solved by dealing with corrupt/broken Content-Type header when parsing a MIME part.

53267 Folder-mapping for external IMAP accounts won't be temporary shown after password change and a new 'Sent objects' folder gets created

Wrong look-up of standard folder in session-associated cache, which contains wrong entries in case password has been changed.This has been fixed by simply loading mail account data as-is and do not consider any caches.

53249 Not possible to delete pop3 account

The server tried to remove the pop3 folders multiple times.Now let the server remove pop3 folders only once.

53095 OAuth accounts broken after downgrade from Groupware to PIM role

Need of improvement in case access to OAuth-backed data is not/should not be possible as per configuration and missing scope authorization.Solution: Explicitly check whether OAuth provider has been enabled (OAUTH-0044), required scope(s) is/are available (OAUTH-0043), and required scope(s) is/are enabled/authorized (OAUTH-0042). Also added new error codes to the UI.

52633 Drag & drop of a huge picture into a HTML-Mail will cause the JVM to OOM/ up until OS swapped

Improved logging behavior in case image upload gets denied due to size/resolution restrictions.

50804 vCard Attachment can not be deselected

Unported API change in Dropdown mini-views let to this behavior.Ported API call to new version to solve this issue.

Patch Release 4138 (2017-05-18)

Shipped Components and Versions

  • Open-Xchange Updater 7.8.3-rev6
  • Connector for Microsoft Outlook 7.2.25

Fixed Bugs

53115 OLOX20: saving a mailfilter rule with no condition, no action but only a stop rule is not possible

It was not possible to create a stop mailfilter rule.Now it is possible to save a rule with no condition and action if "Process subsequent rules" is disabled.

Patch Release 4132 (2017-05-18)

Shipped Components and Versions

  • Open-Xchange AppSuite backend 7.8.3-rev23
  • Open-Xchange AppSuite frontend 7.8.3-rev21
  • Open-Xchange Office 7.8.3-rev9
  • Open-Xchange Office-web 7.8.3-rev8

Fixed Vulnerabilities

53077 CVE-2017-8340

CVSS: 3.1 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

53073 CVE-2017-8340

CVSS: 3.1 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

52843 CVE-2017-8340

CVSS: 3.1 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N)

52066 CVE-2017-8341

CVSS: 3.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)

52040 CVE-2017-6913

CVSS: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Fixed Bugs

53368 UI does not load but also not redirect to unsupported.html for MSIE 9.0

Latest code changes make IE9 unusable.Now sending MSIE 9 users to the unsupported HTML file.

53352 OX address book image does not load on connect voice portal

Image content were not accessible via OAuth.This has been solved by allowing OAuth-wise access to image content.

53188 IMAP plugin improvements for Comcast

Appsuite had no support/failover strategy in case an IMAP host is resolvable to multiple IP addresses.This has been fixed by refactoring socket handling to act as fail-over strategy in case host is resolvable to multiple IP addresses.

53168 Twitter account not shown

If mail account and twitter account had the same id the twitter account was not displayed.This has been solved by constructing new ids for this collection to avoid duplicates.

Missing check if task folder is private.Added missing check to solve this issue.

53087 Second Google calendar subscription does not show calendar contents

The actual OAuth account associated with a subscription has not been considered, but always the default Google OAuth account was referenced.Solution: Consider the actual OAuth account that is associated with a subscription. Info: Popup Blocker may not be active.

52712 Twitter stream not shown after configuration

Missing event in Keychain api led to this issue.This has been fixed by adding an additional event, so portal plugins update correctly.

52123 Not possible to change name in email settings with custom MAL bundle

Wrong mail provider was initialized for this special case.This has been solved by loading proper mail provider in case global mail server is configured.

51755 Long running script on huge list of TO: addresses in compose

Too many unnecessary request while adding huge distribution lists.This has been fixed by using already available display names and prevent needless fetching/redraw.

Patch Release 4113 (2017-05-02)

Shipped Components and Versions

  • Open-Xchange AppSuite backend 7.8.3-rev22
  • Open-Xchange AppSuite frontend 7.8.3-rev20

Fixed Bugs

53100 Mail is not beeing displayed, blocking other from beeing displayed in INBOX

This was due to missing recovery for an unsupported character-encoding.This has been solved by handling possible unsupported character-encoding.

53023 Message with truncated subject

Subsequent base64-encoded strings are not combineable if individual values end with padding '=' character.This has been fixed by not combine padded base64-encoded values, but decode them separately.

53008 HTML content is invalid and cannot be displayed

Weird start tag segments in real-world HTML messes-up HTML parser refusing to process the content any further.Solution: Better deal with malformed start tags in real-world HTML content.

52928 Attachment not shown

In email with attachments which have different cid and id it was not possible to show all attachments.Make sure attachments do not have a cid attribute when added to a collection to solve this issue.

52797 Autoconfiguration fails for hotmail/yahoo/live domains

Thunderbird's ISPDB for auto-configuration changed.Changed default value for property "com.openexchange.mail.autoconfig.ispdb" in file '' from "" to

52727 UI/Browser blocked / stalled when dealig with huge amounts of appointments

To many operations in domtree if having much appointments.This has been fixed by disabling some functionality for a large Number of appointments.

52633 Drag & drop of a huge picture into a HTML-Mail will cause the JVM to OOM/ up until OS swapped

Configured image limitations were not tested when checking for validity of an uploaded image.This has been solved by testing for image limitations when checking for validity of an uploaded image.

51801 "Drop inline images here" not translated

Added missing translation.

50759 All messages in unified inbox say "No subject" when using threads

With this fix the Subject is displayed for unified inbox conversations.

Patch Release 4084 (2017-04-18)

Shipped Components and Versions

  • Open-Xchange AppSuite backend 7.8.3-rev21
  • Open-Xchange AppSuite frontend 7.8.3-rev19
  • Open-Xchange Office 7.8.3-rev8
  • Open-Xchange Documentconverter 7.8.3-rev8
  • Open-Xchange USM 7.8.3-rev8
  • Open-Xchange EAS 7.8.3-rev7

Fixed Bugs

52756 Twitter can not be configured anymore;Case-sensitive look-up for an OAuth API: "Twitter" is not equal to "twitter"

Case-sensitive look-up for an OAuth API: "Twitter" is not equal to "twitter".Perform ignore-case look-up by OAuth API identifier to solve this issue.

52751 Creating external accounts does not work anymore

Wrong detection if a mail account action was targeted for primary mail account.Reliably check specified account identifier to determine primary account to solve this problem.

52675 Html mail not displayed at all

Some mails were not displayed because style tag does not get closed while sanitizing mail's HTML content.This has been fixed by orderly closing the style tag while sanitizing HTML content.

52606 Show hidden files setting does not work at all

Hidden files were not displayed because filter extensions for files were never called.Invoked filter extension point to post process file list to solve this issue.

52534 Disableschema: SessiondService is used but not registered in the activator

Required SessionD service was not orderly tracked.This has been solved by properly tracking needed SessionD service.

52530 Pop3 access to external account is not logged by AuditLog

The tracked instance of AuditLogService was not orderly put into utilized service registry.This has been fixed by properly putting tracked service into service registry.

52402 Drag and Drop not working with chrome on windows 10 Touch

It was recognized as a touch device and DND was disabled.This has been solved by adding an additional check.

52391 Empty Page in UI settings section after update

Js error in yell function and only a empty settings page were displayed.Made yell function more robust, so Settings do not break anymore.

52348 Logging issue after appsuite update

Open-xchange-osgi didn´t conatin the latest logback extension.Defined explicit dependency to newest open-xchange-osgi containing the latest logback extension.

52101 'Folder "9" is not visible to user "X" in context "YY"

Caused by the changes for favorite folders, where favorite folders for every module were added to the collection pool. The favorite folder for drive has the parent with id "9". When the ui is refreshed, all parents of all folders are listed. That causes every refresh to request the folder with id "9".This has been fixed by only adding favorite folders for modules with granted permission.

51757 When the first mail filter rule is created for a user, it does not show in the mail filter list

The filter collection does not handle an initial add correctly.Now the filter collection handles an initial add correctly.

50798 Renaming a root level folder which contains a Favorite Folder will lead to "Mailfolder not found on IMAP Server"

Caused by missing checks if parent folders get renamed or removed.This has been solved by looking for rename or removal of parent folders.

50478 Impossible to add two or more different Gmail accounts

Initial assumption to re-use OAuth credentials was wrong.Now OAuth credentials are not re-use when adding mail accounts.

Patch Release 4078 (2017-04-04)

Shipped Components and Versions

  • Open-Xchange usm 7.8.3-rev7

Fixed Bugs

51967 Missing distribution lists in Outlook

When syncing Outlook using USM, certain amounts and combinations of contacts and distribution lists could lead to a situation where only a subset of contacts but not all distribution lists got synced. This has been solved by sorting the type of object (contact, distribution list) prior to performing the sync operation. This way the kind of objects retrieved at the client side stays consistent in case the total amount of objects exceeds the chunk size for one sync operation.

51399 Repeated mail sending when using Outlook

In case a backend error did occur, like downtime of the mail storage, there could be situations where Outlook clients using USM get into a sending-loop, resulting to duplicated E-Mail. Those kind of errors are now handled by the USM API in accordance to the OX App Suite middleware error code. Backend version 7.8.3-rev20 or higher is needed for this fix.

Patch Release 4050 (2017-04-03)

Shipped Components and Versions

  • Open-Xchange AppSuite backend 7.8.3-rev20
  • Open-Xchange AppSuite frontend 7.8.3-rev18
  • Open-Xchange Office 7.8.3-rev7

Fixed Vulnerabilities

52255 CVE-2017-6912

CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

51863 CVE-2017-6913

CVSS: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

51667 CVE-2016-10078


51622 CVE-2017-6912

CVSS: 6.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Fixed Bugs

52518 Compatibility fix for Debian and systemd

The Debian project did rename the initial process from systemd to init when moving to Debian 8.7. Some areas of our startup scripts depend on this name to determine whether systemd is used or not. We're now querying /proc/1/comm to figure out the kind and name of process that takes care about inits.

52437 oxsysreport tries to read nonexisting files

When running oxsysreport while having OX Guard installed, false-positives for password blacklisting could occur. As a result errors were reported by the oxsysreport tool, which has been solved by adjusting the regular expression for parameter blacklisting.

52314 Unicode decoding fails for multi-line mail subjects

In case a E-Mail subject spans multiple lines where each consists of UTF-8 mail-safe base64 encoded characters, decoding partly failed and Unicode characters were displayed in a scrambled way. This has been solved by properly handling such split subjects and encoding each part independently.

52238 Typo at NRFILES property at startscript

A typo at the /opt/open-xchange/sbin/open-xchange script led to a situation where custom configured "nofiles" limits where not correctly applied to the process. This has been solved by correcting the properties name and adding a log message to open-xchange-console.log in case the process fails to set this limit.

52235 Missing custom favicons

Newer versions of Firefox use the largest icon presented as as favicon, which defaults to a unbranded OX icon. Originally this handling was introduced to set a "homescreen" icon when using the appropriate functionality on mobile operating systems. This was solved by removing the corresponding tag when using desktop operating systems.

52198 Applying OX Drive folder permissions recursively

A feature backport has been performed to allow recursive inheritance of OX Drive folder permissions when changing a parent folder.

52181 Firefox drop-zone overlaps mail list

When using a specific series of gestures while importing a .eml file to a mailbox, a Firefox bug on Windows and macOS got triggered which kept the "drop zone" visible after dropping the file outside of the browser window. This subsequently blocked other user interaction with the mail list. We added a workaround for this browser bug in a way that clicking outside the drop zone will revert its state.

52161 Missing mails on mobile devices when using mail categories

When using mail categories with a desktop browser and moving mails to specific categories, those mails would not be displayed at Inbox anymore when using the same account using a mobile browser. We solved this by avoiding categorization Inbox if the corresponding feature set is not available on the currently used platforms.

52157 IMAP master-auth user name provided to client

In case of specific IMAP errors related to EXPUNGE commands, a detailed error message was returned to the user, which could contain a user-name for IMAP master authentication. This was solved by removing detailed error message contents for that IMAP command.

52151 Drop zone for .eml not disappearing if a file is not dropped with firefox on Windows

Firefox does not trigger dragleave or mouseout correctly.This has been fixed by using mouseenter to remove the dropzone when the mouse enter the window without dragged files.

52123 Unable to change mail account name with certain mail configurations

If a user was changing its mail account displayname while the middleware uses a "global" mailServerSource setting, incorrect host names were applied. As a result the displayname could not be changed. We solved this by applying the appropriate host name to avoid erroneous responses during the operation.

52104 Untraceable database timeouts during share cleanup

Once the PeriodicCleaner task for shares was executed, potential SQL errors could not be traced since the related schema name was unknown. To allow further debugging we addedcom.openexchange.database.schema as parameter for this cleanup run. It will highlight which database schema triggered timeouts or other errors.

51997 Shares created via Drivemail requested credentials

When sending a mail attachment and using "Drive Mail" a password was requested even though a user did not enable this option. This could happen in cases where a user first specified a password but then un-ticked the related option. We solved this by checking the options state more carefully prior to creating the related share.

51967 Missing distribution lists in Outlook

When syncing Outlook using USM, certain amounts and combinations of contacts and distribution lists could lead to a situation where only a subset of contacts but not all distribution lists got synced. This has been solved by sorting the type of object (contact, distribution list) prior to performing the sync operation. This way the kind of objects retrieved at the client side stays consistent in case the total amount of objects exceeds the chunk size for one sync operation.

51918 Calendar conflicts with UTC+12 timezones

During conflict detection, the floating time-span of full-day appointments was calculated using the servers timezone (usually UTC) while other appointments used the timezone configured by the user. In cases where a large offset to UTC is present, there has been a 50/50 chance that appointments would conflict with full-day appointments at the previous or next day. We're now calculating both values using the users specific timezone for conflict handling. This should bring down the probability of incorrect conflicts considerably.

51839 Certain serious (non UCE/UBE) HTML mail is not displayed

Too greedy check for possibly malicious content led to this issue.This has been solved by allowing properly parsed start tag.

51462 Full-day appointments could not be converted with Lightning

When using Thunderbird/Lightning and CalDAV of OX App Suite, full-day appointments could not be converted back to normal appointments using the CalDAV client. The reason for this was a client-specific CalDAV header used to indicate full-day appointments which caused issues with Lightning. We removed this header if the associated user-agent does not expect it.

51399 Repeated mail sending when using Outlook

In case a backend error did occur, like downtime of the mail storage, there could be situations where Outlook clients using USM get into a sending-loop, resulting to duplicated E-Mail. Those kind of errors are now handled by the USM API in accordance to the OX App Suite middleware error code.

51222 Long loading times for documents with certain storages

In case a large document gets requested off a slow cloud storage, very long loading times could happen and expected timeouts were not considered. This has been solved by adding additional timeouts that will kick in if a API request to the storage layer takes longer than anticipated.

51074 Encoding issues with passwords

In case certain operating systems got configured incorrectly, specifically RHEL6 and SLES11, usage of the open-xchange-passwordchange-script plugin could lead to incorrectly encoded passwords passed over to a script. This has been solved by adding an optional parameter as described by Change #4022 to allow base64 encoded transfer. Additionally, unexpected encoding configurations will get logged to open-xchange-console.log to alert operators about potential follow-up issues.

50918 Timezone issues with task start/due dates on negative timezone offsets

When defining a start or due date for tasks while using a negative UTC offset, the selected date would be reported incorrectly. This has been solved by adjusting the full-day handling for tasks to the calendar implementation which uses UTC.

49236 Messages regarding missing E-Mail

Some OX App Suite UI requests did lead to error messages regarding E-Mail which could not be found. After analyzing the situation, we suspect that there is a issue with obfuscated folder names. A fallback has been added in case decoding a folder name failed.

Patch Release 4016 (2017-03-20)

Shipped Components and Versions

  • Open-Xchange AppSuite backend 7.8.3-rev18
  • Open-Xchange AppSuite frontend 7.8.3-rev17

Fixed Bugs

52013 Enhancements to IMAP host detection and logging

To allow better debugging and monitoring of interaction between OX App Suite and IMAP backends, a new parameter was added to parse the IMAP backends "greeting" and provide it as part of the OX App Suite log. This behaviour is configurable and described within release notes. When rolling out this Patch Release.

51910 Optimizing IMAP IDLE handling and Hazelcast lookups

When using IMAP IDLE in larger deployments (which OX does not recommend) it might happen that threads are getting blocked by attempts to look up and close associated push listeners in a cluster once a user closes a session. Using synchonization protocols like Exchange Active Sync triggers many sessions to be opened and closed in a relatively short period of time. While there might be configurations where only one IMAP IDLE push listener per user is allowed, in many cases this level of consistency is excessive and could lead to outages. Therefor we changed the behaviour to only look up "local" sessions rather than querying the whole cluster. This behaviour is configurable and described within release notes. When rolling out this Patch Release please have a close look to IMAP IDLE session count and modify the configuration in accordance to the environments requirements. To enhance overall performance of session lookups, a index has been added to the Hazelcast "sessions" map. As a result, clusters need to be completely updated and restarted when applying this patch release, the "sessions" map is not compatible with its earlier version.

51847 Enhanced IMAP request tracking

Logging has been extended to allow tracking individual IMAP activities/requests for a OX App Suite session which might use several IMAP connections. The new logging property is

51772 Unable to modify users own data

In cases where the contact associated to the user account was created by the "oxadmin" account rather than the user itself, the user was unable to change its own contact data. Such situations may arise in specific provisioning implementations. Changing the contacts data is now possible again by correcting the mechanism to look up the oxadmin account as potential creator for the own contact.

51755 Long-running script warnings when sending mail to huge recipient list

When composing a mail to a list of several hundreds of recipients, browser warnings about unresponsive scripts occurred when trying to parse and tokenize the recipient list. The handling has been improved by 2-3x to allow a larger number of recipients.

51610 Desktop notifications are not shown for negative timezone offsets

When configuring a negative timezone offset (e.g. UTC-5), desktop notifications would not be shown since the timestamp of newly received mails was checked against UTC rather than the users timezone.

51602 Incorrect encoding when using IMAP "plain" authentication

In case mailbox login names allow multi-byte unicode characters, the login process would fail when using OX App Suite. This has been solved by applying the correct charset when performing the login procedure for mailboxes.

51207 Error message shown if "default app" setting is empty

In cases where a users configuration was damaged and the default app "none" has been selected, subsequent logins led to error messages. We're now falling back to the global default app if the provided app cannot be found.

50982 Empty "file count" for external cloud storage folders

Some external cloud storage providers do not provide the amount of files within a folder, in such cases OX App Suite would should "0" for any folder at that storage. A new internal capability per storage has been added to signal wether the storage does provide that information without executing expensive computation or storage access. According to that capability, OX App Suite UI will remove the "object count" indicator at folder details.

Patch Release 3994 (2017-02-24)

Shipped Components and Versions

  • Open-Xchange AppSuite backend 7.8.3-rev16

Fixed Bugs

51859 Changed API behaviour leads to issues with file uploads

An earlier bugfix introduced a significant change to HTTP API behaviour, any change to the MIME-Type parameter has been rejected as a result. While OX clients were unaffected, this led to an incompatibility with third-party clients when using the "infostore" API for uploading and modifying files. We reduced the scope of the change to block MIME-Types that start with "multipart" instead, this should not affect the vast majority of use-cases for this API.

Patch Release 3985 (2017-03-08)

Shipped Components and Versions

  • Open-Xchange AppSuite backend 7.8.3-rev17
  • Open-Xchange AppSuite frontend 7.8.3-rev15
  • Open-Xchange Office-Web 7.8.3-rev7

Fixed Bugs

51910 Huge amount of threads stops OX

Did some improvemnts to avoid a crashing OX. Utilize a user-scoped lock mechanism to avoid having a global lock that might affect unrelated threads unnecessarily. Avoid duplicate remote session look-up.

51898 Mail with invalid MIME type attachment cannot be displayed

When you try to display or import an email which contains an attachment with an invalid MIME type as content type, an error was thrown.This has been fixed and it is possible to import and display the mail.

51727 Mail icon stills appears in UI even though mail is not enabled

Caused by missing capability check for disabling and hiding.This has been fixed by adding the missing check.

51572 Moving files with and without description not working in drive

Appsuite UI just redid the same operation.Solution: Appsuite UI checks which files caused conflicts and only tries to redo those.

51570 Only one warning for copy multiple files with description in drive

Multiple response was not fully processed.This has been fixed by processing full array.

51569 Primary mail address and aliases cannot be changed at the same time if the old primary mail address should be an alias

During the createuser command an alias for the primary mail account is already added. This alias is equal to the upper case notation used in the create command. The change command now tries to add the same alias but with only lower case letters. This isn't recognized and therefore the middleware tries to insert this alias to the db again which results in the duplicate entry error.Solution: Do a case independent check when comparing the old with the new aliases.

51548 Moving files which already exist result in duplicate files with google drive

There was no name check performed for the move operations.This has been fixed by adding the name check to the move operation.

51357 After last update to 7.8.3 no participants can be added in Scheduling with IE11

IE has problems with flexbox styles.This has been solved by changing styles to fix the problem.

51222 Big text file load endless with the UI

The client request didn't get a response.With these changes the Viewer displays an error message if the file is too big to be loaded.

Patch Release 3952 (2017-02-20)

Shipped Components and Versions

  • Open-Xchange AppSuite backend 7.8.3-rev14
  • Open-Xchange AppSuite frontend 7.8.3-rev13
  • Open-Xchange Office 7.8.3-rev6
  • Open-Xchange Office-Web 7.8.3-rev6

Fixed Vulnerabilities

51480 CVE-2017-5864

CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

51474 CVE-2017-5864

CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)

51464 CVE-2017-5864

CVSS: 3.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)

51219 CVE-2017-5864

CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

51202 CVE-2017-5864

CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

51164 CVE-2017-5210

CVSS: 3.6 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

51069 CVE-2017-5863

CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

51058 CVE-2016-10078


51039 CVE-2017-5864

CVSS: 3.3 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)

51038 CVE-2017-5863

CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

50849 CVE-2017-5213

CVSS: 3.1 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

50716 CVE-2016-10077

CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

50715 CVE-2016-10078

CVSS: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Fixed Bugs

51700 Guided tours showing for users even though the package was not installed

Document tours are contained in documents-ui package, existence of standard tours package was not checked there.This has been solved by adding check for existence of standard tours package, do not show tours automatically if missing, hide settings menu entry.

51368 Bursts of WARN Messages: filemanagement.internal.ManagedFileManagementImpl ..Temporary file could not be deleted about 800-1000/day

Delete attempt does not check whether file is non-existing.This has been fixed by properly checking if attempt is made to delete a non-existing file changed logging appropriately.

51357 No participants can be added in Scheduling with ie11 after an update

IE has problems with flexbox styles.This has been fixed by changing styles to fix the problem.

51101 Showruntimestats -a errors: No suche cache: OXIMAPConCache

OXIMAPConCache is an obsolete JCS cache. The StatisticTools was querying the JCSCacheInformation for that particular non existing cache. The same applies for MailConnectionCache and SessionCache.This has been solved by removing the obsolete calls and corrected the error message.

51091 Upload to external filestorage account folder does not abort if overquota and fails

Missing error handling for overquota in multiple file upload.This has been solved by checking error FLS-0024 and stop queue if this error appears. Also check for rate limit error. If one of those errors appear, the upload queue stops and removes all files from the queue.

51053 Appointment invitations get duplicated by adding attachments

Deactivated Notification pool combined with multiple uploads of attachments result in a single notification mail for each attachment.Solution: Keep track of a batch of attachment uploads during the whole stack.

50693 Content pane folder name not refreshed when renamed on external storage

Error handling is now done inside the apps. If errors with external storages (or other folder errors) appear and that folder is currently selected, the app will change to the default folder and reload the parent folder.

50689 Possible to lock files in external storages when not supported

The 'locks' capability was not correct for some external storages.Changed behaviour: The file lock feature is disabled for every external storage. Lock does only work in the internal ox fileStore now.

50414 Birthdays in the portal widget/sidepopup are sometimes a day off

Birthday calculation was slightly different in both views and apart from that even not correct for all cases.This has been solved by using the same code for both views and also using a correct approach.

50039 Problem with folder rename of external storage providers

Dropbox identifies the folder through the path. New Files create all folders in their path by default. This is a special Dropbox behavior.This has been solved by checking for folder existence before storing a file and return default "folder does not exist exception".

48361 Login not possible if folder limit is reached

This has been fixed by adding missing handling for this special case. Now the login is working and the user gets notified about this error.

Patch Release 3925 (2017-01-26)

Shipped Components and Versions

  • Open-Xchange AppSuite backend 7.8.3-rev12

Fixed Bugs

51263 Missing function returned in case requested files could not be found

A earlier fix changed the response content when requesting a frontend related file. Instead of a function and a error message, just a error message was returned. As a result the web frontend could get stuck in case a file was not found. This has been solved by providing a similar response than earlier, just with obfuscated payload.

Patch Release 3918 (2017-02-06)

Shipped Components and Versions

  • Open-Xchange AppSuite backend 7.8.3-rev13
  • Open-Xchange AppSuite frontend 7.8.3-rev12
  • Open-Xchange USM 7.8.3-rev6

Fixed Bugs

51018 Munin warning updating config_ox_java_heap

Non-existing mbean raised an error.This has been fixed by removing mbean.

51017 Munin error updating last-error in ox_grizzly_TCPNIOTransport

Last error value was not a simple signed integer.Check for "N/A", will return 0 instead of "N/A" with this fix and will only fix the problem for ox_grizzly_TCPNIOTransport.

50997 Searching inside of sent mail folder always shows senders name in results column

This has been solved by adding special handling in find app.

50991 Exception generating imap URI

A possible scheme/port information in "com.openexchange.mail.mailServer" or"com.openexchange.mail.transportServer" property was not properly handled.This has been solved by using a structured object for the global mail/transport server configuration setting to also apply protocol, port, etc. (if specified).

50987 AutoStart is not working with io.ox/settings or portal

Settings is not a favorite app and is therefore ignored as autolaunch.This has been solved by adding a special case for settings. Settings will not appear in the dropdown but can be set by the provider as default autoStart app.

50982 External Cloud Storage: number of Items in folder not displayed - '0' all the time

Some file storage implementations are not returning a file count.With this fix the filecount isn´t dispalyed if the external storage returns no value for file count.

50965 Restore compose application pop up not loading with 7.8.3 upgrade

Introduced new value for ox.serverConfig.persistence: "always". Only works with adjustment in custom bundles.

50837 Birthday on 1.1.1970 not displayed

Timestamp for 1.1.1970 were interpreted as timestamp 0. Adjusted calculation from Birth Dates to solve this issue.

50798 Renaming a root level folder which contains a Favorite Folder will lead to "Mailfolder not found on IMAP Server"

Missing checks if parent folders get renamed or removed.This has been solved by looking for rename or removal of parent folders. On rename: anticipate changed path and keep folder. On remove: immediately remove affected favorites. This doesn't work if triggered by another client.

50714 OXtender synchronization fails with Couldn't determine extra fields in object with errors

The ical analysis of an external invitation delivers an json object "users" without sub fields, especially without confirmation. This was unexpected by USM and produced an error, which led to a general sync error with OLOX.Now the missing confirmation is accepted and initialized by USM with 0.

50674 Deleting 2 Users at a time via SOAP results in a database deadlock

Possible database deadlock on concurrent delete attempts for users in the same context.Solution: Acquire a lock on user deletion to enforce enqueueing of concurrent delete calls.

50258 Categories - select all in one of the tabs - info message that not all mails are selected is missing

Missing translations were added.

50041 Moving files with description to external storage not working

Missing translations were added.

50016 When composing an email, the signatures do not get refreshed, when adding initial/new one

This has been fixed by using standard listener.

Patch Release 3879 (2017-01-23)

Shipped Components and Versions

  • Open-Xchange AppSuite backend 7.8.3-rev11
  • Open-Xchange AppSuite frontend 7.8.3-rev11

Fixed Vulnerabilities

50943 CVE-2016-10077

CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

50940 CVE-2017-5211

CVSS: 7.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)

50893 CVE-2017-5211

CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)

50764 CVE-2017-5210

CVSS: 4.8 (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N)

50760 CVE-2017-5211

CVSS: 7.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)

50748 CVE-2017-5213

CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

50739 CVE-2017-5212

CVSS: 6.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

50737 CVE-2017-5213

CVSS: 2.2 (CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N)

50734 CVE-2016-10077

CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

50733 CVE-2016-10078

CVSSv3: 3.6 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/CR:L)

50723 CVE-2016-10077

CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

50721 CVE-2017-5211

CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)

50382 CVE-2016-10077

CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Fixed Bugs

50835 Report doesn't terminate if contexts are broken

In case of a context that never existed on the system, a lookup for all contexts in the same schema lead to endless attempts to get those contexts.This has been fixed by adding the initial context to context list, if the database returns no values for the given context id. Add potential errors to output report.

50738 Not possible to import multiple mappings with csv file

Addmapping value was not split by comma when supplying multiple login mappings via csv file at create context.Now split multiple login mappings by comma during context creation from csv file to solve this issue.

50706 OX APP Creates too many IMAP connections and not closing them

Unnecessary global lock that leads to stacking up threads.This has been solved by removing unnecessary global lock from'' class for improved throughput.

50625 Setting "Automatically delete the invitation email after the appointment has been accepted or declined" has no impact on the email

The mails were only deleted for internal appointment invitations.This has been solved by adding the deletion logic to the external invitation display and to internal task invitations.

50258 Categories - select all in one of the tabs - info message that no all mails all selected is missing

Added new message for "select all" in tabbed inbox, some translation will be provided with the next patch.

50176 Dragging an email from desktop to mail-category tab is not working

No Handling for Drag & Drop in mail-categories.Added the missing Handling, first the mail is imported to the inbox and then moved to the category.

Patch Release 3849 (2017-01-09)

Shipped Components and Versions

  • Open-Xchange AppSuite backend 7.8.3-rev10
  • Open-Xchange AppSuite frontend 7.8.3-rev9

Fixed Bugs

50627 Mail content not displayed

Malformed conditional comment (CC) causes to greedy detection of such a CC pattern in HTML content during sanitizing.This has been fixed by dealing with malformed conditional comments.

50621 OX crashed - one node/JVM permanently on GC/100% CPU - after creating an heapdump error looked different but OX still does not react

Really weird HTML content inside a mail containing over 700 nested body start tag segments renders the routine running mad that tries to replace body tags with div tags for embedded display inside App Suite UI.This has been fixed by avoiding excessive replacements of body tags inside such a really weird HTML content.

50570 Not possible to change name in email settings if global configuration is used

MailConfig values were overwritten with wrong values.This has been fixed by preventing overwriting in specific situations.

50527 MySQL databases refuses connection because of Too Many connections from single groupware servers

Incrementing use-count for a lot of contacts associated with a certain E-Mail address causes too many INSERT statements to be issued, that do flood the MySQL service.This has been solved by accumulating use-count incrementation through a batch statement and limit the number of updated contacts that are associated with the same address. That limit is configurable through property "com.openexchange.contactcollector.searchLimit" and defaults to "5".

50519 Not possible to find group in calendar permissions dialog

Groups where not drawn due to a limit.Now applying limit by result type so groups are drawn.

50518 Email module - Burger Menu - Create filter rule is not responding

Due to the deactivation of the "address" mailfilter the default values were not available.This has been fixed by introducing a fallback to the former "header" filter if "address" is not available.

50514 MoveDBSchemas replayschema step, the migrated contexts have 'read_db_pool_id' set to '0'

The read-write pool is not set as read-only one as fall-back in case no dedicated read-only pool is set in associated DB cluster.Assume the identifier for the write-pool as read-only one in case no explicit read-pool is set in referenced 'db_cluster' entry to solve this issue.

Inputfield overlapps cc/bcc buttons and the links were not placed correctly.This has been fixed by applying padding dynamically depending on button width.

50342 Calendar colors get lost on printouts

No custom label colors applied to template.This has been solved by passing colorLabel identifier to html output.

50303 No error message regarding "No such snippet found for identifier:" when filestore not available on login

This was caused by a missing hint that a file associated with a snippet/signature is (temporary) not available.Restored logging in case the file associated with a snippet/signature is (temporary) not available: "Missing file for snippet 1 for user X in context ctx_ID. Maybe file storage is (temporary) not available."

50300 Mail "burger" context menu in H-View not on top of all layers

Mail "burger" context menu was partially hidden by the upper layer.Fixed z-index issue to solve this.

50213 Edit draft loads endlessly

Recognizing HTML input wasn´t working correctly in all cases.Now wrapping content with div.../div in those cases to solve this issue.

49265 Dropbox Integration - "Add description" can be used, but is useless

Requirements were not requested before drawing.Fixed drawing of viewer sidebar sections. Sections now look for requirements before drawing.

Patch Release 3814 (2016-12-19)

Shipped Components and Versions

  • Open-Xchange AppSuite backend 7.8.3-rev8
  • Open-Xchange AppSuite frontend 7.8.3-rev8
  • Open-Xchange Driverestricted 7.8.3-rev6

Fixed Bugs

50461 HTTPClientActivator never calls Services#setServiceRegistry

Services class was not initialized.This has been solved by properly initialize the Services class.

50412 Edit incorrect email address in to or cc generates duplicate entries and phantom entries

Collection and tokenfield state gets messed up cause models ‘token’ attribute get updated within the ‘tokenfield:createtoken’ handler.This has been fixed by redrawing Tokens only when the display name has changed.

50244 Task title truncated / does not use all available space

Media queries were not flexible enough.This has been solved by using flex layout to use available space better (private and due time appear in this row too if set).

50232 Renaming a folder which is present in Favorites removes it from Favorites

The folder ID changes, therefore the folder was lost on page reload.This has been fixed by listining to ID changes and update and store favorites.

50135 Help not context sensitive in settings

The app did not contain any information about contextual help.This has been solved by showing context sensitive help in settings. External apps can also register their help pages on the extension point 'io.ox/settings/help/mapping' in the function list.

50043 Possible to add version info to external storage files

Was caused by missing capability check for version comments.This has been fixed by adding capability check for version comments.

50040 Content pane not refreshed

After deleting a folder in a external storage account the view wasn´t updated.With this fix the view is updated after deleting a folder.

49083 E-Mail-Folder Action 'delete all messages' ignores OVERQUOTA

Move command not used in case msg count greater than block size.This has been fixed by using move command in case msg count block size.

Patch Release 3775 (2016-12-07)

Shipped Components and Versions

  • Open-Xchange AppSuite backend 7.8.3-rev6
  • Open-Xchange AppSuite frontend 7.8.3-rev6
  • Open-Xchange EAS 7.8.3-rev6
  • Open-Xchange Documentconverter 7.8.3-rev6

Fixed Bugs

49989 Onboarding Wizard Connect Device Tile does not fit into frame

Max-width were applied on whole container.This has solved by applying max-width for description only.

49979 Guest users don't get deleted

Guest user deletion triggers push listener removal for guests even if they might not have any push listener registered.Solution: Consider webmail permission before removing push listeners within the user deletion process.

49864 Full-day appointment will be displayed as a regular 24h appointment on Android

Specific clients rely on a certain order of the EAS protocol elements. AllDayEvent shall be sent after StartTime,EndTime. Microsoft Exchange Server for example does this.Now sending AllDayEvent after StartTime,EndTime to solve this issue.

49781 Email list: email address displayed instead of display name when DISPLAYFROM is enabled

Now show display name if DISPLAYFROM is set.

49091 Show requests for read receipts setting is not hidden when protected

Configurability for all settings is not available.Extend checkbox-related code in mail settings pane to consider configurability for this setting.

Release 7.8.3 (2016-11-30)

Shipped Components and Versions

  • Open-Xchange middleware 7.8.3-rev5
  • Open-Xchange AppSuite frontend 7.8.3-rev5
  • Open-Xchange OX6 frontend 6.22.13-rev5
  • Open-Xchange USM 7.8.3-rev5
  • Open-Xchange EAS 7.8.3-rev5
  • Open-Xchange Updater 7.8.3-rev5 (6.18.33)
  • Open-Xchange Drive restricted 7.8.3-rev5
  • Open-Xchange Documents 7.8.3-rev5
  • Open-Xchange Documents Frontend 7.8.3-rev5
  • Open-Xchange Readerengine 7.8.3-rev5 (5.2.3)
  • Open-Xchange Documentconverter 7.8.3-rev5
  • Open-Xchange Documentconverter API 7.8.3-rev5
  • Open-Xchange OXtender for Microsoft Outlook 7.2.24
  • Open-Xchange Notifier 1.0.6

Fixed Vulnerabilities

49912 CVE-2016-9309

CVSS: 4.3, Credits to Lukas Reschke

49848 CVE-2016-9308

CVSS: 5.7, Credits to Hugh Davenport (

49847 CVE-2016-9309

CVSS: 3.7, Credits to Hugh Davenport (

49639 CVE-2016-9308

CVSS: 2.5

49439 CVE-2016-9308

CVSS: 4.1

49159 CVE-2016-8857

CVSS: 5.3

49015 CVE-2016-8857

CVSS: 3.5, Credits to secator

49014 CVE-2016-8857

CVSS: 5.3, Credits to Zeeshan (@z33_5h4n)

49005 CVE-2016-8857

CVSS: 5.3

48843 CVE-2016-7546

CVSS: 3.1, Credits to Abdullah Hussam (@Abdulahhusam)

48559 XSS with SVG when altering media-type

A bypass for existing sanitizer rules were found by modifying the media-type of a stored SVG file. This got solved by letting the sanitizer detect the files media-type regardless of the user-provided media-type. CVE-2016-7546, Credits to secator.

48282 Self-XSS when pasting script code to OX Text

Fixed the regex to control pasted content, made it more generic to capture script code. CVE-2016-7546, Credits to Sumit Sahoo.

48282 Self-XSS with pasted HTML content

When copying a specific pattern of script code to mail compose, included script code gets executed. This has been solved by extending the frontend-side sanitizer at OX Documents. CVE-2016-7546, Credits to Sumit Sahoo.

48231 Self-XSS with pasted HTML content

When copying a specific pattern of script code to mail compose, included script code gets executed. This has been solved by extending the frontend-side sanitizer. CVE-2016-7546, Credits to Joel Melegrito.

48230 XSS for Mail and Drive files

A bypass has been found for the existing sanitizer, using malformed content-types and base64 encoded payload of "data:" references. This was solved by extending the sanitizer and removing certain types of hyperlinks. CVE-2016-7546, Credits to Zeeshan (@z33_5h4n).

48173 Self-XSS with signature source-code

When creating signatures its possible to enter HTML code straight away. Since that code did not get sanitized by the frontend it allows to execute script code as well. We're now sanitizing the content at the frontend in addition to the existing sanitizer at the middleware. CVE-2016-7546, Credits to XSS01.

48083 XSS for Drive and Mail attachments

A new pattern was discovered that allowed a bypass of the existing sanitizer and execute script code payload within HTML files. It got fixed by adapting the sanitizer. CVE-2016-6850, Credits to kltdwd.

Check for valid URL schemes when pasting hyperlinks to avoid inclusion of malicious links.

47916 Tabnapping in OX Documents

Added rel="noopener" when creating button markup for external links at OX Text and Spreadsheet. CVE-2016-6849.

47898 XSS with mp3 album covers

MP3 audio files allow to store inline images to represent album covers. When using SVG with included Javascript it was possible to create links to malicious files that would execute script code. This got solved by sanitizing album cover images. CVE-2016-6847, Credits to mateuszg.

47891 RSS reader allows local file discovery

By providing local paths as RSS resource, attackers could validate the existence of arbitrary files based on the returned error code. This has been solved by adding a whitelist for valid protocols and also returning uniform error codes. CVE-2016-6852, Credits to mateuszg.

47824 XSS with user pictures

When using SVG images as user picture, script code may get embedded and executed when forging specific links. This got solved by denying SVG content as picture and sanitizing existing data. CVE-2016-6850, Credits to kltdwd.

47822 Reflected file download for API calls

GET requests to API endpoints can be modified in a way that a download is triggered that contains reflected content from the request. This may be used to run malicious code on client devices and got solved by removing the ability to trigger such downloads. CVE-2016-6848, Credits to Abdullah Hussam (@Abdulahhusam).

47790 Tabnapping for mail and drive

Hyperlinks within user-generated content can be used to influct tabnapping attacks. We solved that by adding parameters like rel="noopener" to links. CVE-2016-6849, Credits to Zeeshan (@z33_5h4n).

Malicious hyperlinks containing JavaScript as payload were not correctly sanitized, this has been solved by also inspecting encoded content for malicious code and dropping support for certain types of hyperlinks. CVE-2016-6845, Credits to Zeeshan (@z33_5h4n).

47779 Content-spoofing at App loader

When triggering a direct request to the app loader, provided input gets reflected to the requesting client. This can be used for content spoofing and got fixed by removing user input at error responses. Credits to Ahmed Abdalla.

47774 URL input gets reflected on error pages

When requesting a API path that does not exist, the requested path is returned as an error page. That could be used for content-spoofing attacks and has been fixed in a way that we don't return user input on such error pages. CVE-2016-6846, Credits to hackys.

47770 XSS for SVG attachments in mail

Nested JavaScript code within a SVG "image" file was executed when opening those files within the browser. We've extended sanitizing of SVG content. CVE-2016-6844, Credits to bugdisclose.

47602 XSS when creating a group

When changing a users name parameter to contain script code, that code got executed when creating a group. The corresponding place now uses a sanitized representation of the users data. CVE-2016-6843.

47601 XSS on the document setting

Useing a escepape method when loading data for OX Documents settings. CVE-2016-6842.

46897 Using log sanitization methods

Enabling LogSanitisingConverter by setting the %sanitisedMessage token for OX Documents. Use CVE-2016-5741.

46025 XSS at Charts

HTML-signs replaced with the respective HTML entities at OX Spreadsheet. CVE-2016-5124, Credits to sasi2103.

45811 XSS when dropping external content

Removed insecure mark-up from incoming HTML before processing it in OX Text. CVE-2016-5124.

45386 XXE while opening doc files in Drive

Now explicitly using own XMLStreamReader to avoid entity expansion when converting and working with spreadsheets. CVE-2016-4047, Credits to Deepanker Chawla.

45363 XSS at user name in Review Comments

Adding HTML escaping for date, uid and author in HTML fast load string for OX Text. CVE-2016-4045, Credits to Saeed Hashem (@SaeedHashem4).

Fixed Bugs

50203 Too many open files

When using systemd instead of sysv, the configurable limit of "open files" was not correctly applied. This has been solved in combination with Change #3773.

50174 Empty mail addresses lead to validation errors

When storing empty values as mail address, certain provisioning code failed when changing a different parameter. This has been solved by allowing empty values in addition of NULL values when validating a change.

50101 Vague error messages when uploading versions to Dropbox

Some storage providers use file path as that files unique identifier. When adding a new version of the same file but with a different filename in OX Drive, that version will be created as a new file at the storage service and return vague error messages. We solved this by using unique names of additional files when adding a version. At the same time we dropped support for versioning, see Change #3756.

50094 IMAP ghost-folders cannot be unsubscribed

Depending on the mailbox format, folders might contain only other folders but no mails. When subscribing a subfolder and then deleting the parent folder, the subfolders remain subscribed and cannot be removed in App Suite. This has been solved by extending the IMAP folder consistency check.

50091 Parsing errors for broken HTML mails

Converting certain broken HTML mail to their plain-text representation failed due to compatibility issues with the used library. This has been solved by extending conversion support for that kind of mail.

50078 Exception when changing passwords using override

In case the oxadminmaster account is configured to override oxadmin accounts, changing the password for oxadmin failed with a NPE. This was caused by incorrect cache invalidation in case oxadminmaster credentials werde used and got fixed accordingly.

When using sharing links that contain a expiration date, recipient and password, some links fail to generate and are not sent. This was caused by a incompatible order of database statements and has been solved.

50038 Incorrect expires header for fallback pictures

When requesting a fallback image for a contact, for example when reading mail, the corresponding value of the expires response header was incorrectly set to a past date. This disabled caching of the response and led to unnecessary resource consumption. The problem has been solved by setting a future (+1 hour) date as value for the expires header.

49964 Drive mails using main account name instead of alias

Display name is always determined by associated user.Now choosing proper full name by given mail address.

49958 Print preview of mail is always HTML

Despite the users configuration print previews for mails were always using the HTML part of the message. This has been changed to respect the users configuration with regards to displaying HTML mail.

49937 Pasting multiple address result in single recipient

When taking over Email addresses from popular Office productivity suites by copy&paste, those were detected as single recipient. This happened since that software does not detect the kind of data but simply provides a string without delimiters. We've added support for more delimiters than comma and semicolon to work around this issue.

49920 Quote get single lined when using drive mail

Wrong text formatting on explicit plain text transport.Solution: Proper text formatting in case user wants to send a plain-text message.

49909 Filenname encoding wrong in drive mail

File name contains possible mail-safe encoding rendering shared item unreadable to user.Safety check for possible mail-safe encoding and appropriate decoding solved this issue.

49903 Recipient missing in to: on reply-to action the second time

If the lastname of the user is set to a single whitespace, the displayname was set to a single whitespace too. Tokens are trimmed and therefore, this token was not shown but still attached to the mail.This has been fixed by trimming participant display name before checking emptiness and add email address to tokenfield if displayname is empty.

49869 Upsell not triggered in onboard wizard for updater

No handling for caps with digits.Adjusts regex and adds error message when trying to use commas in params.

49832 Geotagging issues for CalDAV

When importing CalDAV events with geolocation information, parsing failed in case float values were used for longitude and latitude. We made parsing less strict in this regard to allow importing.

49799 Accept/decline buttons are preserved in Mail

When using the "Accept/Decline" buttons in mail and switching mails, those buttons kept showing up despite the appointments status has already been updated. This was solved by properly redrawing mails that offer those buttons.

49693 OX error- Message could not be found in the folder

Adjusted logging to not flood log files and have a more adequate log level for common cases in which an image cannot be retrieved.

49575 Google drive: filename in version info not updated

Wrong file-name/title advertised to client when querying version/revision history for a file.This has been fixed by setting proper file-name/title when retrieving version/revision information for a file.

49572 Dropbox/ upload a new version overwrites file

Add new version overwrote the original file.Properly add new file revision in case of explicit "Add new version" call and make "file_versions" capability available via folder API through field "supported_capabilities".

49543 Show hidden files and folders is not hidden when protected

No generic support to hide each user setting.This has been solved by adding support for this particular setting.

49491 IMAP session Timeouts after switching the IMAP backends

Mutually exclusive access to shared instances of 'javax.mail.internet.MailDateFormat' prevent concurrent threads to parse IMAP INTERNALDATE/ENVELOPE fetch responses.Deal with possible locked shared instances of 'javax.mail.internet.MailDateFormat' to not block concurrent threads that attempt to parse IMAP INTERNALDATE/ENVELOPE fetch responses.

49417 IMAP issue with empty x-originating-ip content

When sending NIL values for the "x-originating-ip" parameter, certain IMAP servers run into problems. This has been worked around to ensue no NIL values are sent by App Suite.

49374 Bad organizer mail address when inviting through the calendar

Under certain circumstances, the organizer value was built from the user's display name when serializing to iCal.This has been fixed by using the user's e-mail address as organizer value if "primaryMail" is configured.

49304 Crash on all Groupware Nodes

A newly introduced login handler stored an user attribute on each login operation, and the corresponding cache invalidation event was distributed remotely throughout the cluster, which lead to an increased number of unnecessary events.This has been updated by only updating user attribute if it actually was changed, skip cluster-wide invalidation.

49265 Dropbox storage offers to add descriptions

When including Dropbox as a storage account, Drive did offer to add descriptions to files, which is unsupported by Dropbox. We're now adapting available Drive features in accordance to capabilities of those external storage providers.

49259 Attachment corrupted when open in browser

Generic detection for possible XML content leads to accidental XML escaping.This has been fixed by excluding application content from XML escaping.

49254 ShareService not starting up

In certain cases the ShareService did shut down during bundle startup, this has been handled to avoid signalling "stop" events during startup.

49236 Huge amount of Mail folder could not be found on mail server messages for non-existing folders

The message for "Mail folder could not be found on mail server" were known, actually by design, but not expected to happen that often.The fix just excludes the inbox from the obfuscation, to reduce the amount of error messages.

49231 Filter rules: From condition "is exactly" doesn't work on email addresses

To filter for email addresses in a more comfortable way "Sender address" were included as condition type.

49210 Marked mail(s) disappear when hitting # 1 key on Numpad

Appsuite using a shared keypress handler for the numpad key and the 'a'. In combination with ctrl or another special key all messages get selected. A missing check in archive action allowed to archive a message with the numpad key.Now checking for 'a' key before archive.

49207 Missing filenames for pasted screenshots

When passing a screenshot to mail compose, a attachment without filename got created. We now assign a default filename to such content to avoid compatibility issues.

49196 Users can not be added to group

It was not possible to add an user to a group containing a space in the name and were created by the command line tool.This has been solved by using CHECK_GROUP_UID_REGEXP property for group name validation during http-api calls.

49141 Mail content only displayed on reply/forward

Mail content were not visible in all mails, actual mail content nested inside head element, which is removed for embedded display of foreign HTML content.Transfer non-head child elements to body to make the content visible.

49103 No additional address books loaded in picker on mail compose

Too many contacts thus hitting the default limit of 10000 contacts.Now exclude the global address book from the picker to avoid an unresponsive dialog. New settings is: io.ox/contacts//picker/globalAddressBook=true/false.

49091 Show requests for read receipts setting is not hidden when protected

Configurability for all settings is not available.Extend checkbox-related code in mail settings pane to consider configurability for this setting.

49086 About 1600 Mails can not be deleted at once, Script Timeout in Browser

Removing the mails one by one takes very long.With this fix all mails are handled together and it is quite faster.

49083 E-Mail-Folder Action 'delete all messages' ignores OVERQUOTA

Copy command was able to run into overquota.This has been fixed by using move operation for clear folder command in case move operation is supported by IMAP server.

49074 Appointment cancellation mail loop with iOS

In rare cases the iOS Mail/Calendar clients decide to send out repeated cancellation mails. While the behaviour is triggered by the client we try to counter this behaviour by blocking cancellation mails at replies at OX App Suite when synchronizing.

49057 Incorrect dates provided by WebDAV clients

When mounting Drive using WebDAV, some clients provide incorrect creation times for files. This was caused by a incompatible date format and has been fixed by providing RFC1123 dates instead.

49055 FLD-0008 exception 'Folder 0 does not exist in context 1'

Appointment object is missing the action folder id.This has been solved by adding action folder id to appointment object.

49007 Address picker shows inaccessible folders

When using the recipient picker for Email the second time while not having access to public and shared folders, those were shown as an option nonetheless. We fixed that by cleaning caches so the correct folders are provided as options.

48949 Sometimes printing fails with "Drucken ist beim Starten des Druckvorgangs fehlgeschlagen." on Preview

Only affects calendar views as they are external, i.e. loaded from the server and was quite rare.This has been solved by implementing a delay to let the browser breathe. The delay is not really perceivable so it won't annoy end-users.

48940 Autologout setting is not hidden when protected

Not all settings are implemented to configure via yml-File.Now this setting is supported for property- and yml-file.

48928 Customization for contacts identity circle

In order keep the list at the address-book picker in sync with the Contacts app, identity circles can now be customized with regards to color. See SCR #3602.

48927 Customization for contacts identity circle

In order keep the list at the address-book picker in sync with the Contacts app, identity circles can now be customized with regards to name initials. See SCR #3602.

48883 logconf -l com.openexchange.usm does not filter for UID/CID

The logback filtering works in conjunction with the MDC properties, meaning that in order for a log filter to work, the userId, contextId and (optionally) sessionId have to be present in the MDC. In this case, the previous mentioned MDC properties were only applied upon a login request, hence the only DEBUG log entry that was visible in the log was that of the login request.This has been fixed by applying the MDC properties 'userId', 'contextId' and 'sessionId' (that is the USM session id and not OX session id) to the MDC when getting the USM session from the SessionStorage (which happens on every USM/EAS request).

48851 Zero-minute reminders not respected in public calendars

When using public calendars and setting reminders to "0", this value is treated as "no reminder". This has been solved by signalling 0 as a legal value for appointments at such folders.

48778 Contacts tab opens with ~20 Seconds Delay, Display-Errors after Tab Change Contacts to Calendar and back

The new user setting "Start in global address book" (default: true) conflicts with an extremely slow loading of address book.This has been solved by checking if the user setting is configurable. If not, the user doesn't see the setting. This fix neither accelerates the loading process nor does it avoid the invalid UI state if users go back and forth.

48748 Distribution list view inconsistent, saving such a list does not work

The error is cause by two update operations on a contact off the distribution list. If a contact off the distribution list is within the address-book of the user, then the entry within the distribution list will reference this contact. In case the email address referenced by the distribution list is removed the entry within the distribution list is also updated (now empty). If then in a next step the contact is deleted the entry within the distribution list will be changed to a contact without a reference. In this case the mail address within the distribution list will be used, which is still be empty. In this case the distribution list is invalid because of this missing mail address.The exception message now tells the user which contact is causing the error and therefore he is able to solve the issue himself.

48729 Archive folder visibility

In case users got provisioned with a specific name for the "Archive" folder, there was no way to remove that information afterwards. We've removed a sanitiy check for empty folder names and instead add "null" to the users mail configuration in case that folder shall be empty. As a result no folder will show up as "Archive" anymore. Note that using this functionality makes it mandatory to disable archive functionality as a capability for the user. Otherwise there will be inconsistencies and unexpected behaviour on the user-interface level, including re-creation of the "Archive" folder with its default values.

48687 Carddav data with xD at the end of all lines

The underlying org.jdom library adjusts line endings during serialization, for inline vCards in multistatus responses this led to duplicated carriage return characters. While usually the receiving side is in charge to normalize line endings during parsing, one particular client is not able to do so.Solution: Serialize inline vCards in CARDDAV:address-data property as CDATA.

48681 Mail not displayed correctly on Android

The mail contains two parts of type text/plain. The second part contains the greetings. USM handles only the first part for sending the mail in plain text format to the client (used by Android).With this fix USM concatenates all text/plain parts together.

48663 No signature selected in settings after upgrade

Missing signature handling for update.Introduced central helper function which considers the different states, value of defaultSignature (compose/reply) is now used as new default value for 'defaultReplyForwardSignature'.

48654 SpamExperts GUI page not displaying fully for SpamPanel

The container element of settings pages doesn't have a fixed height. This broke percentage-based height specification of its children.This has been fixed by using absolute positioning to make percentage-based heights work again.

48631 Unexpected compression headers for SAML

When using HTTP redirect bindings for single logout responses, our implementation did expect zlib headers while raw gzip was returned. This has been solved by handling this kind of input.

48630 Missing attachment preview for very special mails

When sending a mail to a mailing list and using a X.509 signature plus another attachment, that attachment could not get previewed in App Suite. This has been solved by avoiding to fetch ignorable parts of the mail.

48629 Appointment jumps one day back if time changed more than 12h

Local date instead of internal utc date were used in one calculation.This has been fixed by sticking to utc-based calculations.

48618 Portal tiles show hidden files

After displaying "hidden" files was disabled, they did still show up at the Drive portal tile of App Suite. This got solved by applying the correct filter to the tile as well.

48598 Incomplete delete events sent when removing appointment series

When deleting a recurring appointment, the related event mechanism did distribute events which refer to the recurring appointment but did not contain any pointers to exceptions of that series. We're now sending more sophisticated objects that allow to gather references to exceptions of that recurring appointment.

48495 New arriving mails are sorted somewhere into existing mails in list view

Sort handler was called before models were drawn and list were messed up.This has been solved by skipping sort when queue contains items and sort manually once the queue has been processed.

48463 Multiple honorific prefixes are comma-separated

When using honorific prefixes, suffices or additional names at contacts, those details were transferred and serialized as individual attributes which led to display issues on some CardDAV clients. This has been solved by putting this information to single attribute.

48438 Inconcistent folder order in Archive

The Archive folder did list subfolders in descending date order to make sure the most recent folders are on top. However this did conflict with certain use-cases and added inconsistency, therefor we switched to alphabetically ascending order for all folders except numeric ones.

48394 DOS encoding for paths.perfMap

The file paths.perfMap was delivered with CRLF linebreaks, which of course does not make sense on Unix-style environments. We applied proper linebreaks again.

48380 Unable to remove a directory in Drive

In case a directory contained a hidden subfolder without permissions to the deleting users, removal of that enclosing folder failed without a sufficient error message. We've extended the OX Drive protocol to handle this situation and make clients aware of the root cause.

48364 Unable to save mail to "Sent" folder after sending

Getting the standard folders (e.g. for "Sent") failed in case a spam/ham folders where absent but expected. The code has been hardened to deal with situations like this, which may occur when using custom spam handler implementations or configuration.

48349 'AVERAGE_USER_SIZE' not found in file /opt/open-xchange/etc

The method getProperties was used.This was fixed by using getUserProperties.

48348 Reporting issues with multiple registered servers

When having contexts spread across different middleware clusters but using the same database backends, the report client did not finish its execution. This has been solved by considering such configurations and general hardening of the report functionality in this regard.

48344 User is not able to sent email to users on the same cluster after account is added as external

No filtering based on transport_url for added email accounts.Only list sender addresses from accounts that have a transport_url now.

48292 Usercopy fails with "Unexpected problem occurred"

UseCountCopyTask used a wrong mapping object and tried to copy use counts of internal users and usercopy failed.This has been fixed by using the correct mapping object and skip use counts of internal users.

48248 Unable to copy/move mail if target lacks flag compatibility

When copying or moving a mail from a mail backend that supports more IMAP user-flags than the target backend, an error was raised. This has been solved by checking existing flags and convert them in a compatible way.

48243 Report clients stops for corrupt guest users

In case a guest user has a reference to a deleted user, running reports did not deliver any results. This has been solved by handling the absence of the referenced user.

48242 Unable to delete appointment from cancelation mail

When using a CalDAV client like eMClient, some cancellation mails could not be used to delete the related appointment since their ID was missing. We solved that by avoiding a fallback to the "Publish" method when synchronizing.

48205 Issues when switching SMTP-Auth

When configuring a external mail accounts SMTP credentials as "As incoming mail server" and changing this configuration to specific credentials, the old credentials were maintained. This has been fixed.

48195 External appointment "You have confirmed this appointment", but is not accepted

New external appointments were displayed as accepted, but are nor accepted.Now new external appointments are not displayed as accepted.

48133 Malformed mail causes warnings

In case a E-Mail contains illegal references to multiparts, such as attachments, a warning was raised at the log. To avoid log flooding the situation is being handled in the code without logging a verbose message.

48118 Upsell I-Frame does not open in Firefox and IE

Click delegate on premium container didn't worked as expecting.This has been solved by using default select handler and call upsell method via custom trigger.

48109 Special IMAP folders are re-set on first login

When defining special-use flags for IMAP folders, those were not considered when logging in for the first time. The behaviour has been made configurable by change #3524. Now we're considering those pre-defined special-use folders.

48089 Weekend days were hardly readable

In case the current day is a Sunday, the date label was hardly readable since several shades of red were applied. This has been solved by correcting the priority of shades when displaying the calendar month view.

48075 vCard export fails when missing references

In case vCard data information is stored to a external service and that service becomes unavailable, exporting fails. This has been addressed by adding a check if all referenced information is present and accessible before starting to export.

48073 Hover on mail folders is missing after update to 7.8.2

No hover message reporting the total messages and unread messages in email folder.The missing title is added again is now visible on hovering.

48047 Random OOM during parsing mail

This was caused by excessive creation of (sub-)strings while trying to re-parse a weird, but possible start tag segment.This has been fixed by improving detection of possibly contained HTML start tag and changed re-parse routine to avoid sub-string creation where possible.

48006 IMAP ID is sent after login instead of before

"ID" command gets issued after login happened, breaking Dovecot's session tracing.This has been fixed by moving signalling IMAP session identifier through "ID" command to pre-login state.

47992 Mail content incorrectly displayed

As a side-effect of content sanitization certain invalid E-Mail structures, in this case broken tags like "<" were removed which led to follow-up issues when displaying the mail. We've made the sanitizer more flexible to avoid such false-positive cases.

47967 High CPU usage by Java process

An infinite loop while trying to determine a folder's reverse path to root folder caused the excessive creation of folder instances all kept in a wrapping java.util.ArrayList instance. It turned out that while loading the path for a folder from a subscribed external IMAP account, the special INBOX folder references itself as parent, consequently rendering the traversing loop infinite.This has been solved by introducing several safety checks (in case a folder references itself as parent) and guards to prevent from possible such an infinite loop when trying to determine a folder's path to root folder.

47944 Error when storing data to Swift backend

When creating a file on a Swift storage backend, the service might respond with HTTP Status 201 instead of 200 which was unexpected. This got fixed by handling this status as well.

47932 No free mailstore found causes configdb inconsitencies

When deploying a new cluster, having not yet registered a mailstore, creating a context caused inconsistencies in the configdb.This has been solved by running delete method of all registered plugins in case of a failure in postCreate of any of the registered plugins.

47893 Folders with dots in their names are not queried correctly

It was not possible to retrieving informations from cloud storage folder if they contain a dot in foldername.Now cid method removed all '.' from the ids to fix this issue.

47888 NPE when trying to edit the description of a file in a Dropbox account within the AppSuite

Edit the description of a file in a Dropbox account were not possible with the Appsuite-UI.Un-mangle the file identifier to fix this.

47873 Filename information is lost when moving files between different file storages

Now setting the filename when moving files across different file storages to solve this issue.

47785 Rate-limit triggered when handling huge distribution list

When working with large distribution lists, usually more than 500 members, OX App Suite UI triggered a lot of unnecessary requests to get member information. Depending on the workflow and amount of members this could exceed the default rate-limit and effectively lock-out a user for several minutes. We have optimized which and how many calls are triggered when editing distribution lists to avoid this scenario.

47720 Missing check for filter rules capability

In case the mailfilter package is not installed, the frontend was missing a capability check and offered to create mailfilters based on existing E-Mail nonetheless. This was fixed by considering those capabilities.

47683 Mail is not displayed correctly - 2 instead of three attachments

The regex pattern to identify the uuencoding wasn't able to handle umlauts.This has been fixed by improving the regex pattern to recognize umlauts.

47678 OX Drive standalone: Remove "Add to Portal"

added permission for portal

In case a user account is configured to only use OX Drive, some functionality was offered that would require the Contacts app to be present, for example contact details. These issues have been resolved by removing links at invite guests or permission dialogs.

47664 Empty object_permission table causes stale RDBMS connections

A database connection was not returned to the pool under specific circumstances.This has been solved by ensuring database connection is returned to pool.

47656 Sort menu not fully visible in horizontal mode

Sort menu was hidden by mail detail view if this part was to small.Now the menu is always on top.

47587 Cancelled appointment in Outlook not updated

When cancelling a group appointment in Outlook as organizer, the appointment for participants was not removed in case those participants did have "PIM" access permissions. This was caused by a server-client state conflict and has been solved.

47576 Rename of OX6 distribution lists not fully working in appsuite

OX6 sets display name and last name while creating a new distribution list.Solution for distribution lists: if display name is updated last name is set to the same value.

47575 Modifications to logback configuration re-set

When updating OX App Suite, recent default configurations changes to logback.xml were reset. Packaging now considers those changes and makes sure the defaults are maintained when updating.

47510 Mobile Web uI only: Mail folder can not be added on Root-Level

Adding an IMAP folder via Mobile Web UI on root level (beside INBOX) does not work.This has been fixed by changing check for virtual folders to allow contextmenu and deny pagechange.

47504 OX Documents offers contacts functionality even if contacts are disabled; If contacts is not available the usernames are not longer clickable

47503 OX Documents offers email functionality even if webmail is disabled

sendmail button and/or send mail sub items of button group will be disabled from now as soon as there is webmail not available.

47467 Menu is displayed wrong

Email option menu was displayed wrong if the topbanner was active.This has been fixed by adding proper z-index to top banner.

47438 Standard group guest delete and edit buttons active

Standard group guest delete and edit buttons were active.Now edit or delete for guest group is disabled.

47429 Vacation rule jumps to top

The position of the vacation notice was reseted to the top if this rule has changed.Now the position is kept if the rule was edited.

47417 Listing large folders results in IE11 issues

When listing folders with more than 10.000 E-Mails and scrolling through them, IE11 did report script warnings. Those warnings were triggered by long-running JS actions. We optimized the handling of pagination when dealing with lots of mails to avoid triggering those warnings. On very slow machines this might still happen though.

47378 Contact csv import: error message very vague

The csv parser is configured to be tolerant and accepts rows in csv files with columns sizes lower than the number of title columns. If a row does not contain enough columns it will add empty columns at the end of the row. If a column in the middle of the row is missing all other entries will be shifted to the left. This leads to an error for the distribution list column, because the importer uses the data of another column for this field.This has been fixed by adding a new parameter "line_number" to the response result entry in case of an error, because it's impossible to improve the handling of defective csv files.

47348 Password dialog for external accounts after update

For some users the "recovery/secret?action=check" call permanently signals that the currently used password is outdated and the new one is prompted.Various DEBUG logging was added to class 'com.openexchange.secret.impl.CryptoSecretEncryptionService', which is supposed to be enabled to affected users using '/opt/open-xchange/sbin/lofconf' command-line tool, also did some other improvements for this. Also see Software Change 3482 below.

47325 User-fields not mentioned as option for search facet

It's now possible to include "optional" fields at contacts to the search facet. This allows searching for those parameters values.

47279 Incorrect findings of checkconfigconsistency

The checkconfigconsistency tool did report some incorrect findings at cache.ccf. This has been solved by considering directories when comparing configuration file content.

47184 Forwarding mails with cc-recipients automatically opens cc field in mail compose

On model creation data from the original mail was propagated that should have been omitted.This has been fixed by omitting original mail data, now the cc filed is not open automatically.

47182 Separate email addresses with semicolon not working

Separate email addresses with semicolon after two or more were added as one didn't work.This has been fixed by stopping edit more after first model update.

47166 Redirect to logoutLocation does not work anymore

Redirect to loginLocation and logoutLocation does not work.With this fix, the custom login and logout Locations are working again.

47157 SOAP API does not list guest users

includeGuests and excludeUsers parameters was missing in soap interfaces.This has been solved by adding includeGuests and excludeUsers parameters to soap interfaces.

47101 Misleading information on truncated HTML messages

If a HTML Email message exceeds limits for processing, a truncated representation is provided to the user. We added some more details and less confusing description about why this is the case and how a user can handle the situation.

47083 Incorrect translation for mail filter rules

The polish translation for mail filter rules had some flaws, those were solved by updating the specific translation.

47025 Shared mail folders are not displayed

When applying very specific folder permissions, a issue was observed that folders are not show via OX App Suite while being expected to show up. This was caused by a incomplete permission check and got solved by correcting this check.

46970 Linked appointment and task within an email cannot be displayed

If an user click on an invalid appointment/task link, he got the spinner.With this fix, the appointment is displayed or the link is displaying the folder from the link.

46968 Upsell-Trigger within "onboarding-wizard" not working

Upsell i-Frame for onboarding wizard didn't working.Added missing capability fiele to solve this.

46837 Incorrect translation for quota

The polish translation for quota levels had some flaws, those were solved by updating the specific translation.

46677 While subscribing to mail-folders not all "subscribable" folders get displayed

After a Appsuite refresh some "subscribable" folders disappeared.This has been fixed by dropping "subfolders" attribute if all=false to avoid bad model updates.

46482 Unable to read mail in Outlook

Email messages with multiple different Content-Transfer-Encoding headers did cause errors with Outlook. Such malformed messages are now sanitized before delivering them to the client.

46443 Unable to view specific mails

When forwarding a specific mail structure multiple times, the corresponding sequence ID was miscalculated. As a result some mails could not be displayed anymore. This glitch has been solved by correcting the calculation for nested messages and attachments.

46346 Smtp account information not shown

In the account settings for mail the smtp settings are displayed, but username and password were not shown.Fixed an enum issue to solve this.

46285 docx failed to load for editing, Binder not available for this docx,

ignoring this attribute via xslt transformation

46189 Unable to see Halo or who reserved a resource within the Scheduling tool

No single general solution for all different use cases in this scenario.Solution: Introduced ui setting 'io.ox/calendar//freeBusyStrict' (default: true), when NOT in strict mode detail view is available, details for appointments are not displayed.

46098 Logging of invalid cookies on autologin

When enabling the "auto login" functionality, error messages were logged regarding incorrect cookie information. Since users that have not been logged in before will accidentally trigger this message, it has been removed from the default loglevel.

45457 Incomplete documentation on "filestorage"

Existing documentation about the topic of filestores was party missing and inconclusive. This has been solved by migrating to a new documentation system and workflow. Please use as reference for technical documentation.

45101 pdf2svg using boundless memory

Added a new config item 'com.openexchange.documentconverter.pdftoolMaxVMemMB' has been added to the '' configuration file. The implementation uses this value to limit the amount of memory for the PDF tool

44943 Instant termination of DC backend processes when OSGi bundle is stopped;When stopping the DC server bundle, every single, currently running job is interrupted and terminated

in addition, all DC joib queues are cleared

44275 Improved queue handling for DocumentConverter to avoid pending jobs

Some DocumentConverter jobs never got processed by the DocumentConverter backend and remained within the job queue forever due to a missing unlock of the job after the first conversion. This happened under certain conditions like same job conversions for the same source document in parallel. When pending or blocked jobs are within the DocumentConverter queue due to a parallel processing of the same conversion, it is ensured, that those jobs get unlocked after the first conversion of this kind of jobs happened, giving a fast processing and removal of all pending jobs with the same characteristics.

43342 Resources are not handled with ActiveSync

We've added rudimentary support for resources when using the Exchange ActiveSync (EAS) protocol. The Email address of a resource will be delivered to the client to allow scheduling.

31404 Incomplete documentation on "quota"

Existing documentation about the topic of different quota levels and configuration was party missing and inconclusive. This has been solved by migrating to a new documentation system and workflow. Please use as reference for technical documentation.

23639 Messaging accounts not removed instantly

When removing oAuth credentials for a messaging account, e.g. Twitter, the related entry at the main menu did not get removed. This has been solved by refactoring the oAuth implementation.