Last Update: 2024-04-23
CVSS:3.1
Caused by a race condition: all remove handlers worked on the same list of points, regardless of the fact that one of those handlers had already removed a point. This has been improved by maintaining a list of deleted ids; further removeRestorePoint calls remove those points again if needed.
Current value of the From field was not respected when checking for a customized sender name. This has been fixed by only using the fallback value if the current value is empty.
This has been solved by preventing remotely received events from being aggregated into another local event and thus re-distributed remotely again, through immediate processing of remotely received events (with a separate thread).
Wrong module guessed from system folder (system does not have favorites). This has been solved by using module information from the actual folder view instead of the module information from the folder model. Only fall back to the old behaviour if no information is available. This way it should always be possible to remove folders from the folder view directly.
Missing appointment list in day printing view. This has been fixed by adding the list again (also includes location).
Wrong version number for the current version was assumed when auto-deleting file versions. This has been solved by passing the proper current version number to the auto-delete routine.
The caldav servlet doesn’t support operations on recurring tasks, but it also doesn’t filter recurring tasks out. This has been resolved by just filtering those recurring tasks.
A NPE was triggered if start_time is not set (null). This has been fixed by using the correct variable to determine the UTC time difference.
CVSS: 3.1
CVSS: 3.1
CVSS: 3.1
CVSS: 2.2
CVSS: 2.2
CVSS: 5.0
CVSS: 5.0
Actually undefined properties are cached at the “configuration” provider of the config cascade once they’ve been queried for the first time. This happens implicitly when the final scope is determined for a property that was picked up at another level of the config cascade. In case such properties are prefixed with “com.openexchange.capability.”, they’re also considered and evaluated to “false” when constructing the capability set for any other user, potentially overriding module permissions if they’ve been used in a discouraged way of using the permission identifier as capability property name. This has been fixed by ignoring undefined capability properties when building the capability set, and by adding debug logging to reveal problematic configurations.
Virtual keyboard was restored too often. This has been fixed by checking for the shift key to avoid restoring the keyboard.
Scrollbar on the right side is gone when editing text in the signature editor. This has been solved by not applying overflow hidden for the signature editor.
Mix-up of folder to account association when composing the JSON response. This has been fixed by accessing the folder in the proper account.
Unit was not considered when checking size. This has been solved by adjusting the check accordingly.
For events where the (external) organizer is not attending, the timezone is not set explicitly and falls back to the system default. This has been solved by preferring the event timezone in notification mails for an external organizer that does not attend the meeting.
CVSS: 5.0
CVSS: 5.0
CVSS: 7.7
CVSS: 5.0
CVSS: 5.0
CVSS: 5.0
CVSS: 6.5
DateFormatCache was not thread-safe. This has been fixed by using a synchronized map.
That’s fixed. In addition, we now set the sender to extra-bold and dark black (#000) in order to have another visual decoration beyond the blue dot.
Avoid loading context data when checking user validity.
Change listener was called too frequently. Debounce execution, waiting for 30ms without a further call, to solve this.
The existing iOS Push certificate expires on Dec 5th. This patch renews the certificate.
Caused by a missing ‘overflow:hidden’ rule. This has been fixed by adding ‘overflow:hidden’.
Invoke javax.servlet.http.HttpServletRequest.getSession(boolean) in SAML and OIDC implementations to maintain the route to the right Middleware node, which spawned the Open-Xchange session.
An error inside a single folder stopped the UI from working. Solution: Only look for specific errors when stopping further processing of appointments. That will automatically trigger some error handling which will remove all failing folders.
A check whether the action ‘vacation’ exists was missing. This has been solved by calling the mailfilter API to check for this vacation action before rendering the vacation notice button.
This was caused by DOMPurify removing src=“blob:…”. This has been solved by using a data URI instead.
Memory gets flooded with many regular untagged IMAP responses, which are actually of no use. This has been solved by adding a mechanism to drop regular untagged IMAP responses on command execution to avoid flooding memory with unused IMAP responses.
This only fails for the context admin while it is being created with ‘createcontext’, not for users in general. It was caused by accessing context properties while the context is being created. This has been fixed by falling back to server-level configuration if the context is not yet created.
Caused by separate handling for savepoints on smartphones and other devices. This has been fixed by extending the initial fix to also cover smartphones.
This was caused by missing CSS. This has been fixed by adding the missing CSS ellipsis.
Some jQuery functions got stuck and prevented further code execution. This has been fixed by using native functions.
When a concatenated input stream for the chunks of a document is not consumed entirely, and the reference to the next Scality document was already initialized, resources were not released in an orderly manner. This has been fixed by ensuring that the underlying stream is released.
This has been solved by adjusting translation.
Detail view buttons shown despite having broken functionality. Don’t show buttons in the detail view if opened from a mail to solve this issue. There are buttons in the mail itself.
CVSS: 3.1
CVSS: 2.2
CVSS: 2.2
There is a check to test if a file actually holds data based on some heuristics. That check leads to a false positive for the inline image attachments of the affected E-Mail. Fixed the check for possibly empty file data.
Accept upper-case ASCII characters as well for ACE->IDN conversion to solve this issue.
Address string was interpreted as a group name in case host is NIL when parsing an ENVELOPE address string. This has been fixed by aligning the behavior of the Open-Xchange Middleware with that of common IMAP servers. Assume “missing-domain” as host part of an E-Mail address in case host is NIL when parsing an ENVELOPE address string.
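The NIL-host case described above, as an added example that is not Open-Xchange code: a small JavaScript parser for an IMAP ENVELOPE address list that contrasts the RFC 3501 group-syntax reading with the “missing-domain” fallback. The function names and the sample ENVELOPE string are constructed for illustration.

```javascript
// Added example (not Open-Xchange code). Names and sample data are constructed.
const MISSING_DOMAIN = 'missing-domain'; // placeholder host named in the release note

// Parse an IMAP parenthesized list of quoted strings, NIL and nested lists.
function parseImapList(src) {
  let i = 0;
  const skipSpaces = () => { while (src[i] === ' ') i++; };

  function parseValue() {
    skipSpaces();
    if (src[i] === '(') {
      i++;
      const items = [];
      for (;;) {
        skipSpaces();
        if (i >= src.length) throw new SyntaxError('unterminated list');
        if (src[i] === ')') { i++; return items; }
        items.push(parseValue());
      }
    }
    if (src[i] === '"') {
      i++;
      let out = '';
      while (i < src.length && src[i] !== '"') {
        if (src[i] === '\\') i++; // quoted-special: the next character is literal
        if (i >= src.length) break;
        out += src[i++];
      }
      if (src[i] !== '"') throw new SyntaxError('unterminated string');
      i++;
      return out;
    }
    if (src.slice(i, i + 3).toUpperCase() === 'NIL') { i += 3; return null; }
    throw new SyntaxError(`unexpected input at offset ${i}`);
  }

  const value = parseValue();
  skipSpaces();
  if (i !== src.length) throw new SyntaxError('trailing data');
  return value;
}

// Convert an ENVELOPE address list into address objects.
// nilHostAsMissingDomain = false: RFC 3501 group syntax
//   (NIL host + mailbox = start of group, NIL host + NIL mailbox = end of group).
// nilHostAsMissingDomain = true: the fallback the note describes; a NIL host becomes
//   "missing-domain", so the entry stays a mailbox instead of turning into a group name.
function envelopeAddresses(field, nilHostAsMissingDomain) {
  const tuples = parseImapList(field);
  if (tuples === null) return []; // NIL: the header is absent
  const result = [];
  let group = null;
  for (const tuple of tuples) {
    if (!Array.isArray(tuple) || tuple.length !== 4) {
      throw new SyntaxError('address must have 4 fields');
    }
    const [name, , mailbox, host] = tuple; // second field (source route) is ignored
    if (mailbox === null) { group = null; continue; } // end-of-group marker
    if (host === null && !nilHostAsMissingDomain) {
      group = { group: mailbox, members: [] };
      result.push(group);
      continue;
    }
    const address = `${mailbox}@${host === null ? MISSING_DOMAIN : host}`;
    (group ? group.members : result).push({ name, address });
  }
  return result;
}

// Constructed sample: the second address has a NIL host.
const SAMPLE = '(("Alice" NIL "alice" "example.org")("Bob" NIL "bob" NIL))';
```

In the lenient mode of this sketch, a genuine group start sent by the server is also rendered as a mailbox at missing-domain.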
This was caused by a different iTIP method being used. This has been fixed by adjusting the iTIP method used.
Was caused by wrong detection whether a move or a rename needs to be performed. Fixed the check whether a move or a rename needs to be performed to solve this issue.
Unable to handle vCard v4 partial dates. Now handling PartialDate for Birthday and Anniversary to solve this issue.
Alarm is not sent in case only the trigger time changes. If a new alarm is added alongside, both changes are saved. This has been fixed by using a deep copy to avoid attributes that are bound by reference.
This wasn’t a bug, it was a wording problem. This has been solved by changing the wording for the avatar dropdown of “Change Password” for guests. It was confusing with Guard Guest emails. Changed to “Add login password” or “Change login password”. Adjusted title and button of dialog.
Same request parameters lead to same responses from the MW #getDocument Ajax handler. In case the request parameters don’t change after revisionless save, the response will be the unchanged one. This has been fixed by providing the ‘revtag’ parameter when creating the attachment.
This has been solved by ensuring a valid address is passed to “Disposition-Notification-To” header and that only a valid E-Mail address is accepted for “disp_notification_to” in JSON field.
Broken encoding in style tag caused a JS error. This has been solved by making the sanitizer more robust so no error occurs.
Properties menu was disabled for tasks and extension points were not working with tasks. This has been solved by re-enabling the properties menu and adjusting extension points to support tasks again.
Specify user’s locale when outputting detected limitation violations to show translated error messages.
Stick to active short-term sessions when re-injecting a push listener to solve this issue.
The JVM’s default locale was used when processing the template for appointment reminder mails. This has been fixed by using the receiving user’s locale when processing the template for appointment reminder mails.
Data truncation while trying to store a quite long subject to database. Solution: Enlarged “subject” field in “compositionSpace” table from 256 to 512 characters. Moreover, added user-friendly error messages in case such a data truncation occurs.
Avoid unnecessary “GROUP BY” clause in SQL SELECT statement to prevent errors with strict ONLY_FULL_GROUP_BY mode.
Runtime error in Edge when using popup.close() stopped code execution. This has been fixed by closing the popup at the very end to limit any impact on the promise chain itself.
Mark guidedtours.properties as configfile now.
When opening a restorepoint, the id is incremented. But for objects from the jslobs, the object reference is still pointing to the object in the jslobs. Therefore, the id in the cache is also changed and the object with the old id cannot be found and deleted. Work on a copy of the object to avoid overwriting the id in the jslobs object.
TinyMCE cannot handle floating point numbers and therefore, size computation fails. Manually force TinyMCE to accept floating point pixels when necessary.
Write permission, in terms of a mail folder, means the user is allowed to set flags other than seen/unseen and “mark as deleted”.
Wrong value “Medium” used to signal normal importance. Set “Importance” MIME message header according to https://tools.ietf.org/html/rfc4021#page-32. (Values: High, normal, or low).
Task query uses “GROUP BY” clause and conflicts with ONLY_FULL_GROUP_BY mode of the database. Avoid “GROUP BY” clause in SQL statement, but filter possible duplicate tasks in application.
Trying to delete location/directory from source file storage failed. Due to that, context information has not been properly updated. Solved by fail-safe deletion of source location in file storage. Note: The filestore identifier of affected contexts needs to be manually adjusted in the database.
Custom mail CSS did not work correctly because of a missing class. This has been fixed by adding the missing class.
This has been solved by adding comments when “View” should be used as a verb.
This was caused by broken mapping of dependency and reference. Mapping has been fixed by removing the unused reference.
When the default internal calendar account gets auto-provisioned concurrently when first being accessed simultaneously, a database error may be raised under certain circumstances. This has been solved by re-checking pending auto-provisioning operations after conflicting insertions.
String was not translated correctly. Fixed typo to solve this issue.
Screen size was used instead of “real” smartphone detection. This has been solved by switching to the .smartphone class.
According to RFC 822 the local part needs to be quoted in some cases. Since this was only done in the middleware, the value could not be interpreted correctly. If the local part needs to be quoted, this is now also considered in the Appsuite UI.
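One way to apply the RFC 822 quoting rule on the client side, as an added example that is not App Suite code: the local part is emitted bare only when it is a dot-separated sequence of atoms, and is otherwise wrapped in a quoted-string. The function names are hypothetical, and rejecting CR, LF and NUL is an assumption of this sketch that keeps the value on a single header line.

```javascript
// Added example (not App Suite code); function names are hypothetical.
// RFC 822 atom: printable ASCII without SPACE, CTLs and the specials ()<>@,;:\".[]
const ATOM = /^[A-Za-z0-9!#$%&'*+\-\/=?^_`{|}~]+$/;

// Return the local part in a form that is safe to place in front of "@domain".
function quoteLocalPart(local) {
  if (/[\r\n\0]/.test(local)) {
    throw new RangeError('control character in local part'); // assumption: reject, do not escape
  }
  // word *("." word): every dot-separated word must be a non-empty atom
  if (local.split('.').every((word) => ATOM.test(word))) return local;
  // otherwise emit a quoted-string, escaping the quote and the backslash
  return '"' + local.replace(/["\\]/g, '\\$&') + '"';
}

function formatAddrSpec(local, domain) {
  return quoteLocalPart(local) + '@' + domain;
}

// Split an addr-spec back into its parts, honouring a quoted local part so that
// an "@" or a space inside the quotes is not mistaken for the separator.
function parseAddrSpec(addr) {
  if (addr[0] !== '"') {
    const at = addr.lastIndexOf('@');
    if (at < 1) throw new SyntaxError('missing local part or "@"');
    return { local: addr.slice(0, at), domain: addr.slice(at + 1) };
  }
  let local = '';
  let i = 1;
  while (i < addr.length && addr[i] !== '"') {
    if (addr[i] === '\\') i++; // quoted-pair: the next character is literal
    if (i >= addr.length) break;
    local += addr[i++];
  }
  if (addr[i] !== '"' || addr[i + 1] !== '@') {
    throw new SyntaxError('malformed quoted local part');
  }
  return { local, domain: addr.slice(i + 2) };
}
```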
Changed translation to solve this.
Table height:100% breaks mail detail view. This has been fixed by adding a style to reset table height in mail detail view.
CVSS: 6.4
CVSS: 5.4
CVSS: 5.4
CVSS: 3.1
CVSS: 3.1
CVSS: 2.2
Uploaded files are directly streamed to destination storage with the consequence that reading from stream blocks possible file storage resources (e.g. connection in connection pool) for the time the actual upload is in progress. That behavior leads to more and more threads stacking up awaiting connections from connection pool. That huge amount of threads lets “VM Thread” run permanently leading to constant “stop the world” pauses making the machine unresponsive. Solution: Spool uploaded files to a temporary file to not block storage resources (e.g. connection pool) by possibly slow upload. Introduced a timeout (default is 30 seconds) when waiting for an available connection in HTTP connection pool. Changed filestore connectors to be responsive to ConnectionPoolTimeoutException.
This was caused by a wrong root folder. This has been solved by always using the default (personal calendar) folder as root folder.
This has been solved by introducing locale/format to allow country specific address formatting.
A problem in the serialization logic for extended properties of calendar components caused non-ASCII characters being corrupted during saving. Properly encode extended properties of calendar components during saving to solve this issue.
A superfluous check led to the “unregisterdatabase” utility reporting that also read-only schemas are possibly “in use”. This has been solved by performing the “in use” check during “unregisterdatabase” for the master database only.
Regular expression in link parser was too greedy, which led the parser to not append the appropriate target and rel attributes to the link. This has been solved by fixing the regular expression.
In case multiple transport mails are supposed to be sent, the whole operation fails in case the send attempt for one mail fails. Solution: Do not abort sending multiple transport mails if the send attempt for one mail fails.
Corrupted mail with invalid multipart delimiters and invalid charset name quoting leads to failure when parsing/displaying the affected mail. Solution: Deal with possibly quoted charset names on charset look-up. This fixes the exception when looking up charset by charset name, but does not display reasonable content since multipart delimiters are corrupt in mail’s source. The user sees: This mail has no content.
Threads piling up in push registration framework due to excessive locking, in turn leading to unresponsiveness of the system. This has been solved by replacing that lock with higher-level concurrency mechanisms and by avoiding unnecessary remote session look-ups.
If the organizer is no attendee (Outlook), the locale for the notification recipient was not set. This has been fixed by adding the acting user’s locale in this case.
Edge was recognized as IE with higher version. This has been fixed by improving the browser check.
Incorrect initialization of in-memory byte array when transferring nested message’s data to new message. The generated byte array contains a 0-byte remainder. Solution: Proper initialization of in-memory byte array, which prevents the 0-byte remainder.
CID URLs in iMIP were not encoded and decoded correctly, so that the referenced MIME part could not be looked up successfully. This has been solved by correcting encoding and decoding of “cid” URLs in invitation mails.
Appointment color was only considered if the user is the owner of an event such that the user can select the color for the whole public folder. Now the appointment colors are considered for organizers and organizers_on_behalf.
CVSS: 5.4
Growing inconsistencies in general cache causing a massive amount of log messages keeping CPUs constantly busy. Improved general caching to use a single map instead of trying to manage two resources (map & queue) for implementing LRU behavior.
Signatures with whitespaces were also filtered. This has been solved by adjusting the filter for signatures.
Callback function was expecting a string. This has been solved by making it work with strings and error objects.
Feedback button was located in io-ox-core. This has been fixed by moving the Feedback button to io-ox-screens.
There is an issue in the hunspell library which cannot cope with composed UTF-16 characters. As we use the library in-process the SIGSEGV causes a complete crash of the process. This has been fixed by filtering out all composed UTF-16 characters to prevent possible crashes in the hunspell library.
Invoke a “post deletion” call-back to reseller plug-in to let reseller information being cleared when context has been successfully removed.
CVSS: 5.4
CVSS: 5.4
CVSS: 6.5
CVSS: 3.3
This has been solved by fixing broken collection invalidation.
IMAP server advertises multiple public namespaces, but Open-Xchange Middleware only checks for one. This has been solved by paying respect to possibly multiple public namespaces when determining the proper ACL identifier.
Util function sent undefined instead of an empty object. This has been fixed by returning the correct value. Now it is possible to create an appointment from email without getting an error.
During the closing process the Address Picker was not properly reset. Now the folder selection is reset during the closing of the address picker.
The default copyright is now displayed correctly.
Some misinterpretation of CSS from IE 11 caused this issue. This has been solved by adding a CSS fix only for IE11 to handle this issue.
This is just an improvement for signatures: Signature with empty content (only whitespace) will not be added anymore.
In contrast to the main activation button the little toggle is considering the date range. The little toggle now only depends on the active state of the rule.
Dropping images to an iframe caused the browser to reload the whole view which might lead to data loss. Since no easy fix was found, we disabled drag and drop. Re-enable drag and drop by attaching listeners inside the iframe, which on the one hand prevent a reload of the page with the dropped content and on the other hand correctly upload the image based on the previous mechanisms.
Spam/ham information advertised in mail account data even though no spam handler was available or the concrete spam handler tells to not create such folders. This has been fixed by suppressing spam/ham information in mail account data if spam is disabled or no such folders are supposed to be created according to spam handler specification.
Response format was strangely encoded HTML. This has been solved by forcing the response format to be correct HTML with JSON data.
The fix for this bug ensures that no duplicate entries are left in “filestore2user” table when trying to change its PRIMARY KEY.
The menu entry for “What’s new” and “Guided Tour” wasn’t disabled for guest.
This was caused by a vacation notice which makes use of the date range (current date test) and the zone option in this test is missing. This happens if the vacation notice was created with an older appsuite version. A missing zone option will now be compensated based on the current values.
The root cause seems to be a bad token used for list query against the Google API. Now a full sync as fallback is done in case of bad sync tokens.
Fixed a wrong comparison on the server side.
Re-enable drag and drop which was disabled because dropping images to an iframe caused the browser to reload the whole view.
Backend writes configuration for recently opened documents while the tour is running. This (wrongly) deletes the “shown” flag of the tour. After the tour has been finished, the “shown” flag will be saved again to the configuration now.
Added a workaround for IE11 in the appcontrol.
CVSS: 7.1
Update process is triggered automatically when loading a context and context-associated DB schema has pending update tasks. Solution: Do not trigger update if context is disabled.
In case context-associated server does not match the server associated with target node a CTX-0012 error is thrown, which initiates automatic redirection to another node (as configured through “com.openexchange.server.migrationRedirectURL” property). Solution: Do not throw CTX-0012 error in case context is disabled to avoid automatic redirection to another node. Instead, outer logic recognizes that the context is disabled through the authorization service.
Links opened by blankshield are blocked due to security reasons. Solution: Open links with rel=“noopener” directly in Chrome 72 and above. Note that this is just an intermediate fix and will be replaced as soon as the issue is fixed in blankshield.
UpdateTask was missing an index exists check. Solution: Added an index exists check.
Bundling the original tokenfield file (static) led to loading its content twice, and custom ‘prototype’ fixes in our tokenfiled.js were overwritten by the second load. Solution: Clean up bundle.
The reminder was not parsed properly since a recent change.
Fallback name was HTML-encoded. Solution: Use available attendee data as fallback.
The unified mail storage returned normal mail ids instead of unified ones for copy/move commands. Solution: Return proper unified mail ids.
CSS background-size’s implicit height value ‘auto’. Solution: Use 100% as value for height.
If in ‘Settings -> Mail -> Signatures’ the option “Add signature above quoted text” is selected, the signature in forwarded mail is not above, it’s placed at the bottom of mail. Solution: Added “com.openexchange.mail.forwardUnquoted” setting to JSlob under path “io.ox/mail//forwardunquoted” and use a different ‘selector’ in forwarding context when mails are forwarded unquoted.
Web accessibility steals the focus on clicking into the subject field on Internet Explorer. Do not apply refocus on click because this should only happen with keyboard navigation to solve this issue.
UI was too restrictive regarding move action. This has been solved by enabling move action but greying out unsupported folders.
Only checked weekdays and not if it’s the same week. This has been solved by adding a check if it overlaps into next week.
Wrong use of plural form. This has been fixed by using singular form now.
Not considered the special case for all-day events which were then printed the day before they started and the day after. This has been solved by filtering correctly for all-day appointments.
UI accidentally used ‘noimg’ or ‘trusted’ as value for api parameter ‘view’. In case ‘Allow html formatted emails’ is disabled the only valid value is ‘text’, this was adjusted to fix this issue.
The “select all” button has no effect on the vacation notice model due to a wrong naming. This has been fixed by changing the attribute name accordingly so the model can be handled correctly.
Removed the ‘manual’ button because it is used as a fallback in case autodiscover fails and should not be handled as a separate option for UX reasons.
Out Of Memory when importing large iCal files. This has been solved by reducing the used heap space. Detailed information about the import limit “com.openexchange.imort.ical.limit” is available here: https://documentation.open-xchange.com/components/middleware/config/7.10.1/index.html#mode=features&feature=Import/Export
This has been improved by some adjustments: For guest users first try the com.openexchange.share.migrationRedirectURL property and then fall-back (if necessary) to com.openexchange.server.migrationRedirectURL. Moved the check of the potentially absent c.o.share.migrationRedirectURL in the SegmentedUpdateService.
This driverestricted patch includes a new server key to enable FCM Push for Drive Android and a new iOS Push certificate.
Too generic approach in the recurrence view. All timezones with negative offset are affected. In detail, the timezone of a task (utc) wasn’t considered when creating the recurrence rule. This has been solved by considering different timezones when using calendar or task. StartDate of calendar knows its timezone whereas tasks are always in utc.
Size calculation was not correctly taking external files into account. This has been fixed by changing the calculation to respect all sizes of the attached files including external files.
Settings considered all apps which were rendered in the launcher and did no dedicated capability check. Filter for apps which are disabled by capabilities but might be visible due to upsell to solve this issue.
The defined dependency of the update task (com.openexchange.groupware.update.tasks.ContextAttributeConvertUtf8ToUtf8mb4Task) might be excluded and could not be solved. This has been fixed by setting dependency to com.openexchange.groupware.update.tasks.CreateIndexOnContextAttributesTask.
The rule title was missing the translation capability. This has been solved by adding the translation capability.
Account name may be cryptic in special mail environments. Added a new feature toggle to explicitly use the “My Folders” string for private mail folders. This solves an issue for customers where the account name is generated during provisioning and may not match the real user name/mail. Added new feature toggle ‘io.ox/mail//features/usePrimaryAccountNameInTree’, default is “true”.
UNTIL in the recurrence rule has been interpreted as a date value by the UI, whereas it should be a datetime value. The UNTIL part of the recurrence rule now contains a datetime value. Therefore, the zulu timestamp in UNTIL is now after the startdate of the last occurrence.
Wrong root folder selected after removing a folder. This has been solved by removing a superfluous event trigger and fixing a regular expression.
The three dots shown at the end of the shortened message were hidden by the close icon. This has been solved by adjusting the padding to prevent the overlapping.
Adjusted reload/relogin hint and added translations.
In cases where the user did not enable “stay signed in” but did reload the browser it appeared as if the session would have been terminated since a login prompt was shown. However, existing cookies were maintained and allow API actions for the user’s account. This situation was caused by trying to automatically login, which fails in this scenario, but not removing existing cookies in case the login failed. Thanks to amalyoman.
Importing iCal files allowed to reference attachments at other users’ appointments. Those references were not correctly checked for permissions, which could be exploited to extract confidential data from other users within the same context. CVE-2018-18464, thanks to stemcloud.
The API to sync mobile and desktop OX Drive clients allowed to modify a file’s media-type to an arbitrary value. This could be used to bypass sanitizers that apply rules based on a file’s media-type. We added a method to recognize and reject such changes using the Drive API. CVE-2018-18462, thanks to secator.
When using a specific set of quotes and links at plain-text mails, those would be converted to HTML entities but not sanitized. Opening the content could then execute malicious script code. We now make sure to sanitize and purify such content after processing plain-text mails. CVE-2018-18462, thanks to secator.
As random parameters at requests to the Documentconverter components were not checked, a client-side request forgery attack was possible. This could be used to extract confidential information from documents when being used in combination with a social engineering attack. CVE-2018-18463, thanks to stemcloud.
The calendar API did expose unnecessary information about appointments flagged as “secret” at shared folders. When having access to a shared calendar, this could be used to get metadata about this kind of appointment. We reduced the amount of information provided for such appointments significantly so that no actual information is leaked. CVE-2018-18464, thanks to stemcloud.
Certain HTML content at mail attachment file names was detected and used as parameter by the “bootstrap” frontend component. This could lead to script execution when hovering the attachment as the file name would be injected to DOM (to show a tooltip) but not be sanitized. CVE-2018-13104, thanks to s1ck-sec.
Attachment file names for PIM objects (like appointments, contacts) were appended without ensuring they do not contain any markup. This could lead to script execution when checking the object’s attachments. We now transform attachment names to text nodes before using them as dropdown labels to prevent markup injection into the DOM. CVE-2018-13104, thanks to Zhihua Yao.
Plain-text URLs at appointment descriptions were injected as HTML without further processing, which could lead to script execution if those URLs contain script code. We now use existing mechanisms to generate safe URLs.
HTML-to-text conversion of mail bodies could take a long time, potentially leading to excessively long running threads. We added a new timeout for this operation which defaults to 10 seconds.
The oAuth2 spec defines the “scope” parameter as optional in case the grant type is authorization_code. We adjusted our implementation to be compliant with this.
In some cases database updates to the calendar could leave a schema in “locked” state. Unlocking such schemas could fail due to database read timeouts. We now detect such timeouts and invalidate context cache nevertheless, which means schemas would get unlocked properly.
We added improvements to avoid empty calendar exports in some special cases and find the actual root cause.
A fallback path mapping for CalDAV clients that synchronize a single static collection causes calendars to appear duplicated in another 3rd party client that does not remove no longer advertised collections automatically. We now try a fallback to legacy collection name only for Thunderbird/Lightning but not all clients.
When running database update-tasks with long duration, errors could be thrown as it was attempted to commit to an idle database connection that was already closed on database side in the meantime. We removed the need for this commit command and don’t use any surrounding database connection if the intermediateCommits setting is enabled.
In cases where the global address book was disabled, the user’s profile picture was not shown. This has been solved by de-coupling access to the own contact picture from GAB permissions.
The automatic sign-out feature redirects the user to the default login page and was not considering a custom logout location configuration. This got fixed.
Wrong PRIMARY KEY specified for “filestore2user” table, which allows duplicate entries per user. This has been solved by avoiding duplicate entries in “filestore2user” table when moving user’s file storage.
When a CalDAV client performs a listing of all child resources in an event collection, some specific event properties need to be queried from the storage that were not yet whitelisted when checking against the configured maximum list of returned results. This led to an internal error, which was indicated as HTTP 400 for the client. We now allow unlimited result lists when getting CalDAV-specific meta properties from events.
When removing a DAV client as active session, using closesession or changing the user’s password, DAV sessions were maintained until service restart even though they are expected to be invalidated. We now look up those sessions and close them properly.
The AddOriginColumnToInfostoreDocumentTable database update-task had an incomplete check for existing table columns. This could lead to situations where a column would be added again, leading to SQL errors. We added a check for this.
Missing conversion when receiving clients of family webdav. Until now, the CalDAV/CardDAV fallback was used. This has been solved by showing WebDAV for webdav clients in the UI.
No closing on resizing led to this issue. This has been fixed by adding an event handler to close dropdowns on resize.
Wrong function was used to get the translated text. Now using the correct function to get the right translation.
The dialog to define size related mail filter conditions has been updated to be more usable and specific with regards to size units.
Also fixed by the Bugfix from #61044.
Also fixed by the Bugfix from #61044.
It was not possible to export a calendar. This has been fixed by avoiding IAE when TimeZone can’t be found by adding NullGuard.
Transferring deprecated “clusterWeight” element leads to a SOAP fault. This has been solved by ignoring deprecated “clusterWeight” element in incoming SOAP request.
In case the malpoll bundle was installed earlier, certain database tables would be created. After removing this component, the context mover routine would stumble upon those now unknown tables. We solved that by catching the error and warning about unknown tables that would not be moved instead of failing.
Missed possibility to check if a context exists in a certain server. This has been solved by adding the possibility to check a context’s existence in the scope of the registered server in which the called provisioning node is running. Thus the client is able to check beforehand in which setup a context exists.
Naming changed from drive_folder_mode to drive_user_folder_mode. Solution: Accept and output alternative drive_folder_mode element for passing drive_user_folder_mode.
Missing fail handler for savepoints. Solution: Being robust when savepoints are incomplete and remove savepoints of deleted draft mails.
The feature has been designed to only serve one migrationRedirect URL. This has been solved by adding the possibility to configure the migrationRedirectURL on a per-host basis via as-config.yml.
The LOCATED_IN_ANOTHER_SERVER exception was not properly handled in the ShareServlet. This has been fixed by handling the exception properly, i.e. redirect the client to the appropriate node. Introduced a new migrationRedirectURL property for the servlet to use in order to send a redirect to the correct node.
Documentation was not up to date about newly added update tasks. Updated Documentation.
No explicit change of column length in keys on liquibase changesets. This has been fixed by changing key definition.
Simplified the message when quota was exceeded. Message may not be translated in every language yet.
No differentiation between keyboard “clicks” and touch/mouse “clicks”. Support autoselect only for keyboard navigation to solve this.
When running in legacy calendar mode, certain user accounts could not be deleted due to constraints at their calendar data. This was solved by handling half-migrated data on the legacy storage.
When disabling a capability to access Drive, the corresponding icon was shown at the top bar (used for upsell) but the settings area was available too. We removed the ability to access settings for “upsell” features.
The vacation notice rule was not properly translated and sorted (should always be on top) when viewing the mail filter overview. This has been fixed.
The error handler for errors like this was missing. This has been solved by adding the missing error handler. If an account is non-functional, a popup appears announcing the error. In case of a pop3 account this happens after the configured refresh interval.
When composing mail and selecting specific mail addresses through autocomplete, an error was thrown. This was related to the sort order for relevancy of individual contacts. We solved that by using a fall-back sort order in such cases.
Increase robustness for mail by using loader information directly instead of a derived property value. Now the folder is always displayed in a search result.
When the same email address is set as an alias for multiple users, a calendar user address URI may get resolved to the wrong user. We now prefer the referenced user’s addresses when resolving calendar user addresses to solve this issue.
Dutch translation contained a double pipe (||) which was used in a regular expression which matches all strings. This has been solved by making the code more robust against empty strings.
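The failure mode behind the double-pipe entry above, as an added example (not code from the product): a pipe-separated translated string used as a regular expression source gains an empty alternative from `||`, and an empty alternative matches every input. The keyword strings and function names are constructed for illustration.

```javascript
// Constructed samples: translated, pipe-separated keyword lists. The Dutch
// value carries an accidental double pipe like the one described above.
const KEYWORDS_EN = 'attachment|attached|enclosed';
const KEYWORDS_NL_BROKEN = 'bijlage||bijgevoegd';

// Naive: the translated string is used as the regex source as-is, so "||"
// becomes an empty alternative that matches any string.
function naiveMatcher(translated) {
  return new RegExp('(' + translated + ')', 'i');
}

// Escape regex metacharacters so a translation cannot change the pattern.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Robust: split on the separator, drop empty alternatives, escape the rest.
function robustMatcher(translated) {
  const words = String(translated || '')
    .split('|')
    .map((w) => w.trim())
    .filter((w) => w.length > 0)
    .map(escapeRegExp);
  // No usable keyword at all: return a pattern that can never match.
  if (words.length === 0) return /(?!)/;
  return new RegExp('(' + words.join('|') + ')', 'i');
}

// Helper so callers and tests can compare both matchers on the same text.
function mentions(matcher, text) {
  return matcher.test(text);
}
```
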
OX changed its headquarters to lovely Cologne; we updated this information at the “About” dialog as well.
Sortname was the same with multiple contacts, so no clear sorting order. This has been fixed by adding the first valid mail address as second sorting criterion, if sortnames are the same.
Even though password recovery was disabled, the process was launched in some cases where we incorrectly detected “Unified Mail” constructs as external mail accounts. This has been solved by ignoring such constructs when checking for external accounts.
Wrong vCard file name representations are compared. This has been solved by checking proper vCard file name representations.
This has been solved by increasing MaxLength for password.
Changing the email address with the command line tools led to error messages. This has been solved by checking if passed user reference contains updated email addresses or aliases.
Websocket request didn’t consider the X-Forward header. We’re now properly considering the header and configured whitelisted IPs.
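One way to combine a forwarding header with an allow-list of proxy addresses, as an added example (not the product's code). It assumes the header follows the conventional X-Forwarded-For format (comma-separated, client first); the proxy addresses and the function name are hypothetical.

```javascript
// Hypothetical allow-list of reverse proxies in front of the service
// (constructed private addresses, not taken from the release notes).
const TRUSTED_PROXIES = new Set(['10.0.0.5', '10.0.0.6']);

// remoteAddr:   address of the TCP peer that opened the websocket request
// forwardedFor: raw value of the forwarding header, e.g. "client, proxy1"
function resolveClientIp(remoteAddr, forwardedFor, trusted = TRUSTED_PROXIES) {
  // A peer that is not a known proxy cannot vouch for the header: ignore it,
  // otherwise any client could claim an arbitrary source address.
  if (!trusted.has(remoteAddr)) return remoteAddr;

  const hops = String(forwardedFor || '')
    .split(',')
    .map((h) => h.trim())
    .filter((h) => h.length > 0);

  // Walk from the hop closest to us. Entries appended by trusted proxies are
  // skipped; the first address that is not a proxy is the client. Anything
  // further left was supplied by that client and is not trusted.
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trusted.has(hops[i])) return hops[i];
  }

  // Header missing, or listing only proxies: fall back to the peer address.
  return remoteAddr;
}
```
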
Sanitizer removed attributes needed for mail styling. This has been solved by improving sanitizer so styles are preserved.
When working with mails saved as draft, the read receipt setting was not considered. This could lead to unexpected read receipts.
The oauthAccounts table of new database schemas was still using the legacy 3-byte UTF-8 encoding default. This has been updated to utf8mb4 by adding explicit assignments of CHARSET and COLLATION.
Proper cleanup in case of runtime exceptions while writing to filestore.
Content types with upper case letters do not pass the attachment check for inline images. Made content type check case-insensitive for inline images to solve this issue.
The date is stored in UTC but was converted to a localized date by momentjs which could lead to a wrong date in some cases. This has been fixed by converting the rule to a date in UTC to prevent timezone offsets from displaying a different date.
Selected mail not scrolled into view. Now scroll selected mail into view to have this mail displayed.
Frontend passed wrong information to middleware in case personal part of “From” address contains brackets as a workaround for another old issue. This has been solved by removing the workaround.
It was not possible to update the “anniversary” parameter for contacts when using the changeuser command-line tool. This has been updated to mimic the “birthday” parameter in terms of date format.
When leaving the mail body empty and using Dutch translation, an empty string was part of the warning message. This has been solved by updating the related translation.
Documentation for theming was incorrect with regards to a background image. This has been updated.
Grizzly access logging incorrectly used day of year instead of day of month. This has been fixed by adjusting the corresponding library’s date pattern.
When creating the auto-forward rule it was not checked if the used sieve action “copy” exists. Now, if the sieve action “copy” is not available the combination “redirect” / “keep” is retained to solve this issue.
The lsub entry couldn’t be resolved because of a naming mismatch: “Inbox” vs “INBOX”. This has been fixed by storing lsub entries also under the original fullname, so no error is displayed while moving mails from external accounts.
The hostname was used to create the octets. If the hostname is not an IP address the conversion failed. This has been solved by using host address instead of hostname to calculate octets.
Trying to issue an EXAMINE command against a non-existent folder yields a FolderNotFoundException. This has been fixed by treating a possible exception as folder cannot be opened.
The “vcard” parameter was parsed and written differently when dealing with draft mails. Solution: Lenient evaluation of “vcard” parameter.
Mailfilter information was requested on each automatic or manual global refresh. We modified this to save some connections and reduce latency, mailfilter information will now be updated only when working at the respective settings page.
It was not possible to display messages fetched from IMAP having a corrupt BODYSTRUCTURE information. More robust handling with IMAP messages having a corrupt BODYSTRUCTURE information solves this issue.
When a search for contacts or other objects would not return a result, the corresponding list would just be empty. We changed that in a way that a descriptive text is used to inform that no items were found.
Due to a library update, credentials were sent in a different encoding. This led to a compatibility issue with a former workaround, which now got removed.
Buttons for contact selection and appointment visibility were lacking aria labels. This has been fixed.
We added new roles and attributes to the mail toolbar, enabling actions to be identified as buttons.
Malformed organizer/principal data in the legacy calendar storage caused a runtime exception when encoding extended organizer properties for the new storage. This has been solved by detecting and omitting invalid organizer “SENT-BY” data.
The tasks toolbar and its buttons were not providing correct aria information. This has been solved by adding a new role and handling the case where no button would be visible.
The buttons to minimize, maximize or close a floating window were using generic “Button” aria-label attributes instead of defining their actual usage. This has been changed and we now provide information about what those buttons would do.
Loading IMAP part by reference failed for mails generated by certain scripts. The IMAP server did signal zero bytes when using relative section identifier “TEXT” in such cases. This has been solved by retrying to fetch IMAP part in case no specific section identifier was used. Using specific section identifier works without problems.
When using a screen reader and focusing the message body frame, “escape” would not return to the message list. This has been solved.
When using a screen reader, the “unread” counter for mailboxes would contain a msgstr placeholder instead of the actual number of unread messages. We solved this by updating the translation file.
When using upper-case mail addresses the referenced contact image was not always shown. We solved this by matching addresses in a case insensitive way.
Custom logo was intentionally hidden on smartphones. Show logo on smartphone again to solve this issue.
Multiple IMAP-IDLE listeners spawned for a user in a cluster for an unknown reason. This has been solved by changing handling of IMAP-IDLE listeners: extended logging to check why a new IMAP-IDLE listener was spawned, more aggressive refreshing of the acquired cluster lock, avoiding (remotely) checking the existence of sessions for existing cluster lock entries, and immediate tear-down of an IMAP-IDLE listener once it times out.
In cases where mails contained empty strings as reference headers, such mails could be sorted into conversations where they don’t belong. We solved this by only considering non-empty references headers when building mail threads.
Mailbox order was off in case a user defined “Inbox” to be the archive folder. We added some robustness to make sure folders cannot be duplicates and lead to odd sort decisions.
When trying to export the “birthday” calendar, an exception was raised in some edge cases. We have added additional logging to find the root cause for this.
When using reset on a backbone collection with plain js objects, the reset function removes objects which appear to have the same identifier, so only one attachment was displayed. Prevent this by creating models first and then using reset.
We added a check to make sure the “View” button for attachments only gets displayed if the Viewer can display the file.
Root cause: The concept has changed. Whether the view button is shown now depends on whether the Viewer can display the file.
The cause of this issue was that the origin folder was used for capability checks instead of the destination folder. This has been solved by using the destination folder instead when doing “move” operations.
When using search at external drive accounts for the first time, an error could occur. This has been solved by always adding an “account” facet to be sure the right account is provided for the search request.
No filtering and yells for those emails. This has been solved by adding yells and filtering.
The wrong name has been stored as the fullname (e.g. ‘Spam123’ instead of ‘subfolder.Spam123’) and this folder was created on the root level. This has been solved by using the proper fullname instead of the short name.
Only direct subfolders were unsubscribed. We now properly unsubscribe all subfolders to solve this issue.
Concurrent loading of stale data into cache while deletion is not yet committed caused a problem. This has been fixed by introducing a cache eviction listener and its respective registry. Implemented listeners to evict folder cache entries after the database transaction is committed.
We added a workaround for IE11 to enable scrollbars for contacts.
In cases where a plain-text attachment name was too short to allow reliable charset detection (8 bytes), a fallback to ANSI was used. We improved this by always advertising the charset parameter for such attachments as a more likely fallback.
Specific broken mails contain broken encodings for senders, this led to user-facing error messages even though users can’t solve the issue. We improved the check for illegal charsets in such cases and now catch the error.
Changes that were made for release 7.10.0 to improve provisioning have been made on the wrong assumption that the primary key for the table contextAttribute is defined as (cid,name) but it was configured to be (cid,name,value) which allowed to specify multiple values. This has been fixed by adjusting primary key to be (cid,name) and properly prepare content before.
Failed to read value for config-tree path warnings when opening share links. We no longer apply shared compose settings if not available to solve this issue.
Mail compose did not unregister its logout extension point if startup fails. This causes the logout to abort as the extension is still there for a non-existing mail compose instance. This has been fixed by removing logout extension if app startup fails.
In case permanent mail push listeners get registered at an excessive rate, for example when redirecting proxy traffic, deadlocks could occur. We reduced the need for locking to prevent this situation.
A missing “participants” array in the updated appointment data was misinterpreted so that participants got removed. Take over original participant data in case they’re not explicitly set by the client.
After hiding and showing your name, it was still hidden. This has been fixed by storing the current account “displayname” right from the start and keeping it updated every time an instance of mail compose is created.
Guest quota was not working as expected. This has been solved by removing frontend quota check.
Guest quota was not working as expected. This has been solved by removing a frontend quota check.