Last Update: 2025-07-08
CVSS:3.1
In case of several broken calendars, the error of the second calendar was overwritten by the error of the first one. It was ensured that the correct error is always displayed.
The regex to detect phone numbers was not strict enough. This has been fixed by reworking the regex to detect phone numbers better.
A mail account is not necessarily linked to a transport account, so no transport server information can be obtained. This has been solved by checking whether the mail account is linked to a transport account when testing if transport server settings are about to be updated.
The existing mechanism to periodically perform a clean-up task for expired composition spaces might not trigger the actual clean-up often enough. This has been solved by choosing another mechanism to periodically perform the clean-up task for expired composition spaces.
When the ‘search’ collection gets expired via expire(), the ‘expire’ property got reverted immediately. This has been solved by manipulating the ‘expired’ property directly.
Missing support for the “reply_to” field in the new mail compose implementation. This has been fixed by adding support for the “reply_to” field in the new mail compose implementation.
There is a little time gap between POST /compose/:id/attachment reporting a progress of 100% and the upload call actually resolving. This is the time the server needs to finally store the attachment somewhere. If the mail is sent in exactly this gap, a race condition between sending and attaching the image to the mail might occur. Waiting until the attachment upload has resolved before the mail send process can be started solves this issue.
The action command parser was missing. This has been solved by adding an action command parser for the set action.
The internal cache in the IMAP bundle used to hold the in-memory structure of the IMAP server’s LIST/LSUB output steadily fills up over several months as long as enough active sessions are present. Moreover, unused/stale IMAP store containers managed in the IMAP connection cache accumulate, also due to the vast number of active sessions. Letting cached entries expire (and be removed from the cache) after a reasonable amount of idle time, as well as dropping unused/stale IMAP store containers managed in the IMAP connection cache, solves this issue.
A possible shutdown was not detected and an annoying error message got logged. This has been solved by detecting the shutdown and avoiding that error message.
There is a little time gap between POST /compose/:id/attachment reporting a progress of 100% and the upload call actually resolving. This is the time the server needs to finally store the attachment somewhere. If the mail is sent in exactly this gap, a race condition between sending and attaching the image to the mail might occur. Wait until the attachment upload has resolved before the mail send process can be started.
No unique information for the TOTP account. Added the user’s login to the TOTP account.
A missing value within the legacy series pattern causes an unhandled exception when trying to convert it into a recurrence rule. Fall back to the “first” week when converting monthly_2/yearly_2 patterns if not specified.
A bogus series pattern was converted into a recurrence rule that produces no occurrences. Automatically correct invalid “yearly 2” and “monthly 2” patterns during conversion and handle a possible IllegalStateException properly.
Because the root cause is not known, this is just an improvement: handle the symptom after the rate limiter has blocked further login requests and try to avoid retries by the client. Currently USM returns HTTP status 200 (with error status content in the EAS protocol response). Now USM returns 429 with a “Retry-After” header carrying the same time period as returned by the backend.
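The entry above describes the difference between a blocked login reported as HTTP 200 with the error only inside the EAS body (which a client treats as success and retries immediately) and one reported as 429 with Retry-After. The following is an added illustration in Python, not USM code: the fixed-window limiter, the `(status, headers, body)` triple and the function names are assumptions made for this example.

```python
import math
from dataclasses import dataclass, field

# Constructed example (not USM's own code): a fixed-window login rate limiter
# and the two ways a blocked login can be reported to the client.


@dataclass
class LoginRateLimiter:
    max_attempts: int                               # attempts allowed per window
    window_seconds: int                             # window length in seconds
    _hits: dict = field(default_factory=dict)       # key -> (window_start, count)

    def attempt(self, key: str, now: float) -> int:
        """Record one login attempt for `key` at time `now`.

        Returns 0 if the attempt is allowed, otherwise the number of seconds
        the client should wait (the remainder of the current window)."""
        start, count = self._hits.get(key, (now, 0))
        if now - start >= self.window_seconds:      # window expired: start fresh
            start, count = now, 0
        count += 1
        self._hits[key] = (start, count)
        if count > self.max_attempts:
            return math.ceil(self.window_seconds - (now - start))
        return 0


def legacy_response(retry_after: int) -> tuple:
    """Old behaviour: HTTP 200 in every case, the error lives only in the EAS body.
    A client that looks at the status line sees success and retries at once."""
    if retry_after == 0:
        return (200, {}, "EAS response: success")
    return (200, {}, "EAS response: error status (login blocked)")


def fixed_response(retry_after: int) -> tuple:
    """New behaviour: HTTP 429 plus Retry-After, so the client can back off."""
    if retry_after == 0:
        return (200, {}, "EAS response: success")
    return (429, {"Retry-After": str(retry_after)}, "too many login attempts")


def simulate(respond, attempts: int, now: float = 0.0) -> list:
    """Run `attempts` logins from one client at the same instant with a
    limiter allowing 3 attempts per 60 s, and collect the responses."""
    limiter = LoginRateLimiter(max_attempts=3, window_seconds=60)
    return [respond(limiter.attempt("client-A", now)) for _ in range(attempts)]


if __name__ == "__main__":
    for status, headers, body in simulate(fixed_response, 4):
        print(status, headers, body)
```

With the fixed variant the fourth attempt yields `429` and `Retry-After: 60`; with the legacy variant every attempt yields `200`, so the client has no standard signal to stop retrying.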
The e-mail address of a user with umlauts in the domain name was directly used as the from address for sending the e-mail. USM replaces the from address in the e-mail delivered by the client with the internally set e-mail address. This has been fixed by converting the domain part of the user’s e-mail address to Punycode when building the EAS configuration.
Caused by the UI urlify function (detect links in plain text), which did some wrong encoding. This has been fixed by removing the useless encoding.
IE11 sometimes has issues with calculating dropdown dimensions. This has been fixed by using a fixed width in IE11.
Was caused by wrong Blocknode detection. This has been solved by adjusting the Blocknode detection.
The backdrop added for dropdowns on mobile catches clicks and was not removed after the dropdown closed. This has been solved by making sure the backdrop element gets removed when dropdowns close.
The error message did not prevent saving, and the success message from saving overwrote the error message. This has been solved by stopping saving if there is an error so the user has a chance to notice the error message.
Remove handlers all worked on the same list of points regardless of the fact that one of those handlers had already removed a point; this was caused by a race condition. This has been improved by maintaining a list of deleted ids so that further removeRestorePoint calls remove those points again if needed.
Accumulation of HTTP sessions through a massive number of incoming HTTP requests, each steadily spawning a new HTTP session. For example, if the server used only cookie-based sessions and the client had disabled the use of cookies, then a session would be new on each request. This has been solved by avoiding the accumulation of HTTP sessions through a massive number of incoming requests: invalidate unused/unjoined as well as non-authenticated HTTP sessions. Moreover, ensure removal of invalid session cookies.
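To show how a cookie-less client turns every request into a fresh server-side session, and how a reaper for unjoined and never-authenticated sessions bounds the growth, here is an added Python illustration. It is not the Open-Xchange middleware’s session handling; the `SessionStore`, `HttpSession`, the two TTLs and the two simulated clients are assumptions made for this example.

```python
import itertools
from dataclasses import dataclass

# Constructed example (not the middleware's code): an in-memory HTTP session
# store plus a reaper that invalidates unjoined and unauthenticated sessions.


@dataclass
class HttpSession:
    session_id: str
    created: float
    last_access: float
    joined: bool = False         # True once the client has sent the cookie back
    authenticated: bool = False  # True once a login bound a user to the session


class SessionStore:
    def __init__(self, unjoined_ttl: float, unauth_idle_ttl: float):
        self.unjoined_ttl = unjoined_ttl          # grace period for never-joined sessions
        self.unauth_idle_ttl = unauth_idle_ttl    # idle limit for sessions without a login
        self._sessions = {}
        self._ids = itertools.count(1)
        self.invalid_cookies_cleared = 0          # stale cookie ids answered with an expiring Set-Cookie

    def handle_request(self, cookie_session_id, now: float, login: bool = False) -> HttpSession:
        """Look up the session named by the cookie, or create a new one.
        A request without a (valid) cookie always creates a session, which is
        exactly the accumulation path: N cookie-less requests -> N sessions."""
        session = self._sessions.get(cookie_session_id) if cookie_session_id else None
        if session is None:
            if cookie_session_id:
                self.invalid_cookies_cleared += 1     # unknown id: tell the client to drop it
            session = HttpSession(f"s{next(self._ids)}", created=now, last_access=now)
            self._sessions[session.session_id] = session
        else:
            session.joined = True
            session.last_access = now
        if login:
            session.authenticated = True
        return session

    def reap(self, now: float) -> int:
        """Invalidate sessions that were never joined within unjoined_ttl, and
        sessions that never authenticated and have been idle for unauth_idle_ttl."""
        doomed = [sid for sid, s in self._sessions.items()
                  if (not s.joined and now - s.created > self.unjoined_ttl)
                  or (not s.authenticated and now - s.last_access > self.unauth_idle_ttl)]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)

    def __len__(self) -> int:
        return len(self._sessions)


def cookieless_client(store: SessionStore, requests: int, start: float = 0.0) -> int:
    """Client with cookies disabled: never presents a session id."""
    for i in range(requests):
        store.handle_request(None, start + i)
    return len(store)


def cookie_client(store: SessionStore, requests: int, start: float = 0.0) -> int:
    """Well-behaved client: sends back the id it was given."""
    sid = None
    for i in range(requests):
        sid = store.handle_request(sid, start + i).session_id
    return len(store)


if __name__ == "__main__":
    store = SessionStore(unjoined_ttl=30, unauth_idle_ttl=300)
    print("sessions after 1000 cookie-less requests:", cookieless_client(store, 1000))
    print("reaped:", store.reap(now=2000), "remaining:", len(store))
```

Running it shows 1000 sessions after 1000 cookie-less requests and all of them reaped once the grace period has passed, while an authenticated, joined session survives the same reap.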
The internal device helper function identifies Edge also as IE. This has been solved by adjusting the check for the ‘edit image’ feature to enable it for Chromium-based Edge (version 79 and later).
The second notification overwrote the first error message. Only one proper error message is shown now to solve this issue.
The current value of the From field was not respected when checking for a customized sender name. This has been fixed by only using the fallback value if the current value is empty.
The error message did not prevent saving, and the success message from saving overwrote the error message. Solution: stop saving if there is an error so the user has a chance to notice the error message. This is not yet fixed for Safari; it will be fixed in an upcoming public patch.
The sanitizer was only run for the text/html type. The sanitizer strips the doctype part. This has been fixed by also using the sanitizer for multipart/alternative.
The UI code did not check if IndexedDB is still present or in a closing state. Therefore, these errors were not caught and the UI hung. This has been fixed by catching the error and continuing without IndexedDB. This will not cache any files for the next page load but prevents the UI from stalling.
This has been solved by preventing remotely received events from being aggregated into another local event and thus re-distributed remotely again, through immediate processing of remotely received events (with a separate thread).
Event data was only stored partly when an unexpected error occurred during saving of supplementary data like alarms. This has been solved by importing each calendar object resource within a separate transaction and extending the alarm validity check.
The UnifiedInboxManagement OSGi service was not added to the bundle’s needed/tracked services, which is required to check if an account is the special Unified Mail account. Solution: orderly track the UnifiedInboxManagement OSGi service to check if an account is the special Unified Mail account.
A Drive document was accounted to the upload quota, but shouldn’t be. This has been solved by not throwing an upload quota exceeded error in case the file attachment is a Drive document.
ToolbarView’s selection change did not trigger a redraw (strict: true). This has been fixed by just setting strict to false.
The wrong module was guessed from the system folder (system does not have favorites). This has been solved by using module information from the actual folder view instead of the module information from the folder model, and only falling back to the old behaviour if no information is available. This way it should always be possible to remove folders from the folder view directly.
Missing appointment list in the day printing view. This has been fixed by adding the list again (also includes location).
The wrong comparison operator was used. This has been fixed by adjusting the comparison operator.
An error was thrown because the Reply-To header can’t be parsed; actually the In-Reply-To header should be used. This has been solved by using the In-Reply-To header.
The problem is that the SMTP server in question uses the reserved return code 552 “Exceeded storage allocation” incorrectly to advertise that the message to send has been blocked due to spam/phishing detection. Unfortunately, no deterministic detection is possible since the accompanying text for the 552 return code may be arbitrarily chosen. Only a heuristic can be used here: check the accompanying text for the 552 return code for occurrences of “virus” or “spam” to interpret the message as being blocked, e.g. due to triggering a filter such as a URL in the message being found in a domain blacklist.
In case fewer than 3 account types are available, the dialog was misplaced due to a broken selector. This has been solved by fixing the selector for those cases.
The wrong version number for the current version was assumed when auto-deleting file versions. This has been solved by passing the proper current version number to the auto-delete routine.
The CalDAV servlet doesn’t support operations on recurring tasks, but it also doesn’t filter recurring tasks out. This has been resolved by just filtering those recurring tasks.
WebSocket push using Socket.IO in combination with Grizzly TLS causes deadlocks in Grizzly selector threads. This has been solved by reducing the lock scope in the original implementation. Furthermore, a different Socket.IO implementation that uses less locking overall is offered.
An NPE was triggered if start_time is not set (null). This has been fixed by using the correct variable to determine the UTC time difference.
Firefox has some issues with visibility hidden and descenders. This has been fixed by adjusting the CSS with padding and negative margins.
CVSS: 3.1, 3.1, 3.1, 2.2, 2.2, 5.0, 5.0, 5.0
The drag and drop event handler was missing the quota check. This has been fixed by converting the add local file function to a general helper function and also using it for drag and drop.
Quoting was done server side before the mail compose rewrite, and the mechanics were not transferred to the client side code. This has been solved by adding/removing quoting according to the setting in the UI.
During toggling between normal and thread view the collection gets reset but the complete flag stays ‘true’. So no collection will be loaded as long as there aren’t enough mails for pagination in the current folder that would trigger the incompleteness. This has been solved by setting the complete flag to ‘false’ manually so that a reload will be triggered.
The timezone library needed an update because of the change in DST handling in São Paulo. See https://github.com/moment/moment-timezone/issues/805. This has been solved by updating the moment-timezone library file.
The sync-token property was not calculated correctly, and a fallback to the folder’s last modification date was used regardless of changes of the contents. This has been fixed by correctly determining the sync-token for task collections.
Some model changes might trigger long-running redraw actions, which block the browser and might even lead to a “long running script” warning. This has been solved by preventing browsers from redrawing the whole list where possible.
A duplicate task leads to abortion of the user copy operation. Solution: do not hard-fail on a duplicate task, but handle it gracefully.
When using Google cache’s get(key, loader) method, the passed loader must not return null. Don’t return null in the passed CacheLoader instance to solve this issue.
Actually undefined properties are cached at the “configuration” provider of the config cascade once they’ve been queried for the first time. This happens implicitly when the final scope is determined for a property that was picked up at another level of the config cascade. In case such properties are prefixed with “com.openexchange.capability.”, they’re also considered and evaluated to “false” when constructing the capability set for any other user, potentially overriding module permissions if they’ve been used in the discouraged way of using the permission identifier as capability property name. This has been fixed by ignoring undefined capability properties when building the capability set; debug logging was added to reveal problematic configurations.
A change exception whose series master event could no longer be looked up caused a runtime exception when converting the data to an appointment as used by the legacy calendar API. Now the conversion does not fail if the recurrence identifier cannot be converted to the corresponding recurrence (date) position.
Folder properties are protected, but the UI did not respect that. This has been solved by disabling the checkmark if the sync property is protected, such that the user will not be able to sync Google calendars, for example.
Don’t attempt to re-encode the subject string given by the ENVELOPE fetch item to solve the Cyrillic encoding issue.
This has been fixed by adding the missing handling for this special case.
Accounts get refreshed now once a related folder gets updated to solve this issue.
The name of the external account was not offered after adding a new external mail account. This has been solved by adding handling for an active mail compose window when a mail account gets added/removed.
iOS works with full-day dates only. The different interpretation of full-day dates for iOS and the backend caused this issue. USM now reconstructs the time values of tasks known by the backend and translates the different interpretation. More improved task handling will come with the next public patch.
No support for content type multipart/alternative with the initial new compose API. This has been solved by adding support for it; the App Suite UI now sends this as a parameter. The MW will then create a html/text part from the html part.
Segoe UI font baseline issue. This has been solved by changing the line-height and margin value to fix this on Windows.
The virtual keyboard was restored too often. This has been fixed by checking for the shift key to avoid restoring the keyboard.
The scrollbar on the right side was gone when editing text in the signature editor. This has been solved by not applying overflow hidden for the signature editor.
Default color is fixed with this bugfix. Other font issues will be handled in other bug fixes.
Was caused by a missing cache update. This has been solved by always fetching up-to-date data.
Too many messages were loaded into memory to perform in-application sorting. This has been solved by not loading all messages into memory but managing a sorted range instead.
Missing capability check before sending requests to the API. This has been solved by adding a “global” capability check in the internal API module.
URIs in href elements within a PROPFIND request from a client may get decoded twice under certain circumstances, which might lead to a runtime exception whenever the original URI contains the percent sign ‘%’. Solution: ensure that percent-encoded values are decoded only once.
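The following added Python example (not the middleware’s WebDAV code) reproduces the failure mode above with a strict percent-decoder: decoding an href a second time raises on a literal ‘%’ that the first pass produced, and, for an href such as `/dav/a%252Fb`, silently changes the path structure. The decoder, the two resolver functions and the sample hrefs are constructed for this illustration.

```python
import re

# Constructed example (not the Open-Xchange middleware's code): a strict
# percent-decoder and a PROPFIND href resolver that decodes exactly once.

_PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def strict_unquote(s: str) -> str:
    """Decode %XX escapes; raise on a '%' that is not followed by two hex digits.
    (urllib.parse.unquote is lenient and would keep such a '%' silently; a strict
    decoder is used here to mirror the runtime exception described above.)"""
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "%":
            m = _PCT.match(s, i)
            if m is None:
                raise ValueError(f"invalid percent-escape at offset {i}: {s[i:i + 3]!r}")
            out.append(int(m.group(1), 16))
            i += 3
        else:
            out += s[i].encode("utf-8")
            i += 1
    return out.decode("utf-8")


def resolve_href_buggy(href: str) -> str:
    """The double decode: the already-decoded value is fed back into the decoder."""
    return strict_unquote(strict_unquote(href))


def resolve_href(href: str) -> str:
    """Decode exactly once and keep the result; never re-decode it downstream."""
    return strict_unquote(href)


def path_segments(href: str) -> list:
    """Split the raw href on '/' first, then decode each segment once, so an
    encoded slash (%2F) stays inside its segment instead of becoming a separator."""
    return [strict_unquote(seg) for seg in href.split("/")]


def double_decode_error(href: str):
    """Return the error message the double decode raises for `href`, or None."""
    try:
        resolve_href_buggy(href)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for href in ("/dav/files/100%25%20report.txt", "/dav/a%252Fb"):
        print(href, "->", resolve_href(href), "| segments:", path_segments(href),
              "| double decode:", double_decode_error(href) or resolve_href_buggy(href))
```

The first sample href (a file named `100% report.txt`) makes the double decode raise, which is the reported bug; the second shows the quieter variant, where `a%2Fb` (one segment) turns into `a/b` (two segments) on the second pass.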
The contacts application in the latest macOS release introduced a bug where the current user’s privileges were derived from the virtual root, and not from the actual contacts collection. This has been fixed by indicating privileges from the default folder also for the root collection for the macOS client.
Now a popup is displayed if the max limit for the address picker is reached, and the “admin=false” parameter is respected when applying the index range.
Overlapping addresses were not correctly handled. This has been fixed by adjusting the associated CSS.
Every rule in the stylesheet was treated as a CSS rule. This has been solved by treating rules according to their rule type.
Chrome 77 and higher have a bug in the OffscreenCanvas function causing a red-blue shift for all images resized with the canvas. This is the case for mail compose attachment previews and resized images. As long as the bug is not fixed we disable OffscreenCanvas, which will make it slower on Chrome but prevents wrong colors.
This has been adjusted, and for error code OAUTH-0013 the “Try again” button is replaced by “Edit accounts”, which links to the corresponding settings pane.
Now the default sender is changed to the marked account.
The OX vacation object does not support the EAS features “AppliesToInternal”, “AppliesToExternalKnown”, “AppliesToExternalUnknown”. This has been fixed by only transferring “AppliesToExternalUnknown” to the server and only sending “AppliesToExternalKnown” and “AppliesToExternalUnknown” to the client with the same content.
The client does not handle unlimited vacation, although the EAS protocol allows it. This has been solved by ignoring start and end dates from the client if the server version has an unlimited vacation.
The subject of the server variant was not treated. Now the subject is copied from the server variant into the client variant and updated on the server.
No rule name was set. Now the rule name is fixed to “vacation notice”.
The unit was not considered when checking the size. This has been solved by adjusting the check accordingly.
The exit status of the last command in a scriptlet determines its exit status, and at the same time a return value of 1 from ox_scr_todo signals that there’s nothing left to do for a given SCR. For this bug ox_scr_todo was the last statement of the scriptlet, and thus after the first update of open-xchange-oauth that contained SCR-316 there was nothing left to do at the end of the postinstall/update, and rpm handled this like an error. This has been solved by switching from expressions and conditionals to if lists to get a proper return value.
The scroll behavior in the enter key listener changed the selection. This has been solved by checking the shift key too and preventing execution in that case.
Deny support for folders carrying reserved name as full name.
The sortable plugin from jquery-ui takes a lot of time to run. This has been fixed by replacing sortable with native drag and drop support.
The action command was not checked for the drop-down in the mail toolbar. This has been solved by checking the vacation action before rendering the dropdown link.
For events where the (external) organizer is not attending, the timezone is not set explicitly and falls back to the system default. This has been solved by preferring the event timezone in notification mails for an external organizer that does not attend the meeting.
CVSS: 5.0, 5.0, 7.7, 5.0, 5.0, 5.0, 6.5
Certain Hindi characters were dropped during Internet email address parsing. This has been solved by maintaining Hindi characters during Internet email address parsing.
Was caused by a missing Backbone model. This has been solved by adding the Backbone model.
DateFormatCache was not thread-safe. This has been fixed by using a synchronized map.
The organizer was replaced by the creator and the organizer was excluded from the list of participants. The list of participants now contains the organizer; the organizer is not replaced by the creator anymore.
Caused by changed logging behavior in v7.10.x. This has been solved by changing the log level to INFO and including the effective schema strategy in the log message.
That’s fixed. In addition, we now set the sender to extra-bold and dark black (#000) in order to have another visual decoration beyond the blue dot.
This was caused by bugs in Google’s reconfiguration code. This has been fixed by adjusting the Google reconfiguration.
Avoid loading context data when checking user validity.
A wrong check, in combination with a not-updated sequence number, led to the situation where a CalDAV client was re-creating change exceptions from the “detached” part of a previously split event series. Correctly check the validity of recurrence identifiers and ensure the sequence number is incremented after a series split.
Caused by a missing ‘overflow:hidden’ rule. This has been fixed by adding ‘overflow:hidden’.
Members couldn’t be added to an existing group. This has been fixed by using the correct group when updating.
Unexpected null dereference when examining an HTML tag’s attribute value. Fixed the possible null dereference when examining an HTML tag’s attribute value.
Invoke javax.servlet.http.HttpServletRequest.getSession(boolean) in the SAML and OIDC implementations to maintain the route to the right Middleware node, which spawned the Open-Xchange session.
Missing CSS rules for mobile devices. This has been solved by introducing some CSS rules for mobile devices (e.g. put the checkbox on a new line).
An error inside a single folder stopped the UI from working. Solution: only look for specific errors when stopping further processing of appointments. That will automatically trigger some error handling which will remove all failing folders.
A duplicate task leads to abortion of the user copy operation. Solution: do not hard-fail on a duplicate task, but handle it gracefully.
The check whether the action ‘vacation’ exists was missing. This has been solved by calling the mailfilter API to check for this vacation action before rendering the vacation notice button.
This was caused by DOMPurify removing src=“blob:…”. This has been solved by using a data URI instead.
Memory gets flooded with many regular untagged IMAP responses, which are actually of no use. This has been solved by adding a mechanism to drop regular untagged IMAP responses on command execution to avoid flooding memory with unused IMAP responses.
Redundant online help information in the popup. This has been solved by removing the popup icon, as the information is also located in the online help.
Missing handling for an empty display name (recipient) when quoting a message. This has been solved by adding handling for an empty display name.
The wrong “API” parameter was used. This has been fixed by adding the correct API string to the request.
The feedback button pushed App Suite out of view when displayed on the left side. This has been fixed by changing the CSS and moving the feedback button up again.
When a concatenated input stream for the chunks of a document is not consumed entirely, and the reference to the next Scality document was already initialized, resources were not released orderly. This has been fixed by ensuring that the underlying stream is released.
Expect at least a non-empty address string to solve this issue.
This has been solved by adjusting the translation.
This was caused by DOMPurify removing src=“blob:…”. This has been solved by using a data URI instead.
This is only not working for the context admin while being created with ‘createcontext’, not for users commonly. Was caused by accessing context properties while the context is created. This has been fixed by falling back to the server level configuration if the context is not yet created.
The client-wise specified “max_size” parameter was not applied to plain text. Now the given “max_size” is applied to plain text as well.
Image transformation failed because the Java image reader is unable to parse the PNG image binary. This has been fixed by handling the special javax.imageio.IIOException hinting that the Java image reader failed to parse the image binary, and returning the image non-transformed instead.
A read connection was used for table cleanup. This has been solved by using a write connection for table cleanup.
The mail was filtered out because it was interpreted as an appointment invitation mail. Now the mail is analyzed as to whether the appointment was created “on behalf” and then synced to the client, but this works only for the main calendar of the “manager”.
CVSS: 3.1, 2.2, 2.2
There is a check to test if a file actually holds data based on some heuristics. That check led to a false positive for the inline image attachments of the affected e-mail. Fixed the check for possibly empty file data.
Accept upper-case ASCII characters as well for ACE->IDN conversion to solve this issue.
This has been solved by enabling print preview for embedded mail.
Inconsistent data for organizer/principal in the legacy storage was converted to a representation of the organizer that assumed an external entity. This has been solved by ignoring the principal if equal to the organizer when reading from the legacy storage, and correcting sent-by in the organizer for already migrated events. Please mind that the update task to correct the wrong data in the storage is disabled by default in the hotfix, but can be enabled manually by setting the property “com.openexchange.calendar.enableCalendarEventCorrectOrganizerSentByTask” to “true” if needed.
The address string was interpreted as a group name in case the host is NIL when parsing an ENVELOPE address string. This has been fixed by aligning the behavior of the Open-Xchange Middleware with the common IMAP server one: assume “missing-domain” as the host part of an e-mail address in case the host is NIL when parsing an ENVELOPE address string.
The change listener was called too frequently. Solution: debounce execution, waiting for 30ms without a further call.
This was caused by a different iTIP method being used. This has been fixed by adjusting the iTIP method used.
Was caused by wrong detection of whether a move or a rename needs to be performed. Fixed the check whether a move or a rename needs to be performed to solve this issue.
For CalDAV collections with many contained resources, where the initial synchronization result gets truncated before a specific point in time, consecutive DAV:sync-collection requests with this intermediate token would get answered with HTTP 403 Forbidden due to the token being assumed out of range. This has been fixed by encoding additional flags into the generated sync-tokens to properly resume intermediate truncated responses.
Some jQuery functions got stuck and prevented further code execution. This has been fixed by using native functions.
Unable to handle vCard v4 partial dates. Now handling PartialDate for Birthday and Anniversary to solve this issue.
It is now possible to use documentconverter version 7.10.2 with older App Suite backends.
Windows sends a mousemove event when only a mousedown event should be triggered, resulting in the month view entering drag mode. This has been fixed by introducing a dead zone of 5px before dragging is enabled.
This wasn’t a bug, it was a wording problem. This has been solved by changing the wording for the avatar dropdown of “Change Password” for guests, which was confusing with Guard guest emails. Changed to “Add login password” or “Change login password”, and adjusted the title and button of the dialog.
The same request parameters lead to the same responses from the MW #getDocument Ajax handler. In case the request parameters don’t change after a revisionless save, the response will be the unchanged one. This has been fixed by providing a ‘revtag’ parameter when creating the attachment.
This has been solved by ensuring that a valid address is passed to the “Disposition-Notification-To” header and that only a valid e-mail address is accepted for “disp_notification_to” in the JSON field.
Specify the user’s locale when outputting detected limitation violations to show translated error messages.
Stick to active short-term sessions when re-injecting a push listener to solve this issue.
The “Lock-Token” header was not sent correctly to the client in the LOCK response, so that a consecutive UNLOCK request could not be performed successfully. This has been solved by using the correct format for the “Lock-Token” response header.
The JVM’s default locale was used when processing the template for appointment reminder mails. This has been fixed by using the receiving user’s locale when processing the template for appointment reminder mails.
Data truncation while trying to store a quite long subject in the database. Solution: enlarged the “subject” field in the “compositionSpace” table from 256 to 512 characters. Moreover, added user-friendly error messages in case such a data truncation occurs.
Avoid an unnecessary “GROUP BY” clause in the SQL SELECT statement to prevent errors with strict ONLY_FULL_GROUP_BY mode.
A runtime error in Edge when using popup.close() stopped code execution. This has been fixed by closing the popup at the very end to limit any impact on the promise chain itself.
Adjusted the appearance as described in “‘Google’ Text” in the branding guideline.
Mark guidedtours.properties as a config file now.
When opening a restore point, the id is incremented. But for objects from the jslobs, the object reference still points to the object in the jslobs. Therefore, the id in the cache is also changed, and the object with the old id cannot be found and deleted. Work on a copy of the object to prevent overwriting the id in the jslobs object.
TinyMCE cannot handle floating point numbers and therefore size computation fails. Manually force TinyMCE to accept floating point pixels when necessary.
Write permissions in terms of a mail folder mean the user is allowed to set flags other than seen/unseen and “mark as deleted”.
The wrong value “Medium” was used to signal normal importance. Set the “Importance” MIME message header according to https://tools.ietf.org/html/rfc4021#page-32 (values: high, normal, or low).
The task query uses a “GROUP BY” clause and conflicts with the ONLY_FULL_GROUP_BY mode of the database. Avoid the “GROUP BY” clause in the SQL statement, but filter possible duplicate tasks in the application.
A mismatch between the derived and registered class definitions may lead to a serialization error when using the Hazelcast-backed token login container. Use a defined order of field definitions during (de-)serialization of portable sessions.
Trying to delete a location/directory from the source file storage failed. Due to that, the context information was not properly updated. Solved by fail-safe deletion of the source location in the file storage. Note: the filestore identifier of affected contexts needs to be manually adjusted in the database.
Custom mail CSS did not work correctly because of a missing class. This has been fixed by adding the missing class.
This has been solved by adding comments where “View” should be used as a verb.
A pending request blocked the window. This has been solved by correctly handling the error and unblocking the window. Also added documentation for this.
When the default internal calendar account gets auto-provisioned concurrently, when first being accessed simultaneously, a database error may be raised under certain circumstances. This has been solved by re-checking pending auto-provisioning operations after conflicting insertions.
The string was not translated correctly. Fixed a typo to solve this issue.
Screen size was used instead of “real” smartphone detection. This has been solved by switching to the .smartphone class.
According to RFC 822 the local part needs to be quoted in some cases. Since this was only done in the MW, the value could not be interpreted correctly. If the local part needs to be quoted, this is now also considered in the App Suite UI.
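As an added illustration of the RFC 822 rule the entry above refers to (not App Suite UI code, which is JavaScript, and not the MW’s implementation), the Python below decides whether a local part can be written as a dot-separated sequence of atoms or must be a quoted-string, and produces the quoted form with the backslash quoted-pairs RFC 822 requires for ‘"’ and ‘\’. The function names and the 7-bit ASCII restriction are assumptions made for this example.

```python
# Constructed example (not App Suite code): RFC 822 local-part quoting.
# local-part = word *("." word); word = atom / quoted-string
# atom = 1*<any CHAR except specials, SPACE and CTLs>
# specials = "(" / ")" / "<" / ">" / "@" / "," / ";" / ":" / "\" / <"> / "." / "[" / "]"

SPECIALS = set('()<>@,;:\\".[]')   # '.' is in specials but acts as the word separator below


def needs_quoting(local_part: str) -> bool:
    """True if the local part cannot be written as atom *("." atom)."""
    if local_part == "" or not local_part.isascii():
        raise ValueError("local part must be a non-empty 7-bit ASCII string")
    words = local_part.split(".")
    if any(w == "" for w in words):          # leading, trailing or doubled dot: empty word
        return True
    return any(ord(c) <= 32 or ord(c) == 127 or c in SPECIALS   # SPACE, CTLs, specials
               for c in local_part if c != ".")


def quote_local_part(local_part: str) -> str:
    """Return the local part unchanged if it is a valid dot-atom form, otherwise
    as a quoted-string with '"' and '\\' escaped as quoted-pairs."""
    if not needs_quoting(local_part):
        return local_part
    escaped = local_part.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def format_address(local_part: str, domain: str) -> str:
    """Build addr-spec = local-part "@" domain with the local part quoted when needed."""
    return f"{quote_local_part(local_part)}@{domain}"


if __name__ == "__main__":
    for lp in ("john.doe", "john doe", "john..doe", 'a"b', "user@internal"):
        print(repr(lp), "->", format_address(lp, "example.com"))
```

A client that sends `john doe@example.com` unquoted produces an address that a compliant parser rejects or misreads; the same local part as `"john doe"@example.com` is unambiguous, which is why both the MW and the UI have to apply the same rule.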
Changed the translation to solve this.
Table height:100% breaks the mail detail view. This has been fixed by adding a style to reset the table height in the mail detail view.
Threads piled up in the push registration framework due to excessive locking, in turn leading to unresponsiveness of the system. This has been solved by removing that lock in favour of higher-level concurrency mechanisms, and by optimizing to avoid unnecessary remote session look-ups.
If the organizer is no attendee (Outlook), the locale for the notification recipient was not set. This has been fixed by adding the acting user’s locale in this case.
Edge was recognized as IE with a higher version. This has been fixed by improving the browser check.
It was not possible to map feedback app names to custom names. This has been improved by adding a new extension point to process feedback data; now it can be added in customizations.
The new base64 method does not accept URL-base64-encoded strings. This has been solved by using the previous method to decode base64 data, which seamlessly accepts both variants (plain base64 and URL base64).
Incorrect initialization of the in-memory byte array when transferring a nested message’s data to a new message. The generated byte array contains a 0-byte remainder. Solution: proper initialization of the in-memory byte array, which prevents the 0-byte remainder.
CID URLs in iMIP were not encoded and decoded correctly, so that the referenced MIME part could not be looked up successfully. This has been solved by correcting the encoding and decoding of “cid” URLs in invitation mails.
The appointment color was only considered if the user is the owner of an event, such that the user can select the color for the whole public folder. Now the appointment colors are considered for organizers and organizers_on_behalf.
Internet Explorer lacks the function.name property and therefore tries to compute the function name out of the source code. If the function has no name due to minified code, this regex will fail and therefore has no result. This has been solved by increasing the robustness of the code to work minified and not minified.
CVSS: 5.4
CVSS: 5.4
CVSS: 6.5
CVSS: 3.3
CVSS: 4.1
CVSS: 7.1
Different checks for folder name equality may cause the INSERT statement to fail during folder creation under certain circumstances. This has been fixed by using lowercased binary collation when comparing names during folder creation.
This has been solved by fixing broken collection invalidation.
The copy task for events failed in case there is an event without an organizer. Adjusted the behavior to make copy possible for this scenario.
The last-modified / timestamp handling for WebDAV documents in the middleware could not be used reliably by some clients to detect if a file’s contents were changed. This has been solved by considering the sequence number during ETag generation; mapping {DAV:}getlastmodified to the sequence number property; writing out the “Last-Modified” HTTP header in GET/HEAD responses by default; actively setting “last-modified” during updates unless overridden by the client; and adding support for the commonly used {DAV:}lastmodified property to read/write an infostore document’s last modified property.
IMAP server advertises multiple public namespaces, but Open-Xchange Middleware only checks for one. This has been solved by taking possibly multiple public namespaces into account when determining the proper ACL identifier.
If a model was not in the pool, it was not requested by the API. Fixed boolean expression for filter.
Local timestamp was used in one check. This has been solved by using the correct UTC timestamp.
Ensure to follow redirects when retrieving updated timezone definitions to solve this.
Race condition during app start. The app was initialized and resumed at the same time. Do not resume apps that are currently starting anyway to solve this issue.
When an iMIP request is received whose organizer can be resolved to an internal user within the current context, he was treated as an internal entity. As creating such events is forbidden, an error was raised when replying to such an event. This has been solved by not resolving the organizer when importing an event from an iTIP message.
Duplicate re-parsing of the corrupt message prevented further processing. Re-parse a message only once to prevent this error.
If an attendee removes himself from one occurrence of an externally organized event series, and a consecutive organizer update to the series is applied later on, a check preventing the reinstantiation of previously deleted occurrences kicks in and a permission denied error is raised. This has been fixed by taking over delete exception dates from externally organized events as-is.
In certain CalDAV reports, calendar object resources consisting of multiple events were listed multiple times in responses. Only include a calendar object resource once in responses.
Ensure no duplicate entries are left in “filestore2user” table when trying to change its PRIMARY KEY to prevent this issue.
External images are erroneously considered during content id extraction. Now external images are ignored to solve this.
Move-only updates are not ignored within iTIP handling. This has been fixed by ignoring move-only updates within iTIP handling.
Java’s date format parsing routine does not work when a partial timezone definition is used. Retry parsing using a built-in timezone definition in case of parsing errors as a workaround.
The contents of all message-mapped file attachments that match a client-given search expression were queried. Solution: Try to map the given sort criteria to an IMAP sort term to perform a filtered sort command. Extract the requested chunk (…&limit=10) from that sorted result set to only fetch the content of relevant messages.
This was caused by a combination of invalid data and unnecessary email address parsing. Invalid data cannot be fixed by OX, but we disabled the check for mail addresses.
During the closing process the Address Picker was not properly reset. Now the folder selection is reset during the closing of the address picker.
The default copyright is now displayed correctly.
All HTML entities below 255 do not require a semicolon. Therefore " × £ etc. are encoded. This has been fixed by encoding the ampersand to prevent encoding of HTML entities.
The menu entry for “What’s new” and “Guided Tour” wasn’t disabled for guest.
Some misinterpretation of CSS by IE 11 caused this issue. This has been solved by adding a CSS fix only for IE11 to handle this issue.
This was caused by a vacation notice which makes use of the date range (current date test) where the zone option in this test is missing. This happens if the vacation notice was created with an older App Suite version. A missing zone option will now be compensated based on the current values.
For initial values or changes of the recurrence type, the other field does not need to be explicitly set to null. In fact, the middleware throws an error if it is set. Solution: Only set these values to null if the recurrence type is set to never.
This is just an improvement for signatures: Signature with empty content (only whitespace) will not be added anymore.
The root cause seems to be a bad token used for list query against the google api. Now a full sync as fallback is done in case of bad sync tokens.
Conditional headers have only been matched on resources with an entity tag present (i.e. not for collections that have no body). Solution: Also match conditional headers against resources without an entity.
Remote parameter names were not correctly initialized when fetching a session representation from Hazelcast IMDG. This has been solved by properly initializing remote parameter names when fetching a session representation from Hazelcast IMDG.
Update process is triggered automatically when loading a context and the context-associated DB schema has pending update tasks. Solution: Do not trigger the update if the context is disabled.
In case the context-associated server does not match the server associated with the target node, a CTX-0012 error is thrown, which initiates automatic redirection to another node (as configured through the “com.openexchange.server.migrationRedirectURL” property). Solution: Do not throw the CTX-0012 error in case the context is disabled to avoid automatic redirection to another node. Instead, outer logic recognizes that the context is disabled through the authorization service.
Broken encoding in a style tag caused a JS error. This has been fixed by making the sanitizer more robust so no error occurs.
Links opened by blankshield are blocked due to security reasons. Solution: Open links with rel=“noopener” directly in Chrome 72 and above. Note that this is just an intermediate fix and will be replaced as soon as the issue is fixed in blankshield.
Fixed wrong comparing on server side.
UpdateTask was missing an index exists check. Solution: Added an index exists check.
In contrast to the main activation button, the little toggle is considering the date range. The little toggle now only depends on the active state of the rule.
Bundling the original tokenfield file (static) led to loading its content twice, and custom ‘prototype’ fixes in our tokenfield.js were overwritten by the second load. Solution: Clean up bundle.
The reminder was not parsed properly since a recent change.
Savepoints were created in old versions (7.8.3) that were not supposed to be created. Solution: Clean up savepoints once in any version higher than 7.8.3.
User input was translated to an SQL wildcard. This has been solved by avoiding wildcards in the special contact search.
By adding poppler-data content to the open-xchange-pdftool package and using the correct data path, appropriate Unicode code points can be displayed when rendering PDF pages. The package license has been changed to GPL in order to be compliant.
The security attribute is always reapplied even if there is no previous object. This has been solved by making sure that at least an empty object exists as previous object.
The unified mail storage returned normal mail ids instead of unified ones for copy/move commands. Solution: Return proper unified mail ids.
Updated the user documentation to have all needed information.
Dropping images into an iframe caused the browser to reload the whole view, which might lead to data loss. Since no easy fix was found, we disabled drag and drop. Drag and drop is re-enabled by attaching listeners inside the iframe, which on the one hand prevent the reload of the page with the dropped content and on the other hand correctly upload the image based on the previous mechanisms.
There was no check to determine whether the ‘contexts_per_dbschema’ table contained any schemata of a database object before beginning with the insertion of the schemata tied to that database object. This has been fixed by performing a check to determine whether the ‘contexts_per_dbschema’ table contains any schemata of a database object before blindly beginning with the insertion.
Web accessibility steals the focus on clicking into the subject field on Internet Explorer. Do not apply refocus on click, because this should only happen with keyboard navigation, to solve this issue.
Some *DAV clients were not detected and used the wrong fallback. This has been fixed by improving detection of *DAV clients and setting the correct fallback by checking the session’s origin.
UI was too restrictive regarding the move action. This has been solved by enabling the move action but greying out unsupported folders.
Backend writes configuration for recently opened documents while the tour is running. This (wrongly) deletes the “shown” flag of the tour. After the tour has been finished, the “shown” flag will be saved again to the configuration.
Added a workaround for IE11 in the appcontrol.
Only weekdays were checked, and not whether it’s the same week. This has been solved by adding a check whether it overlaps into the next week.
Pasting a value into an input field triggered no validation and may result in a disabled save button.
The causing exception was hidden, which has been changed to find the root cause of this bug.
UTC was always used as the timezone to calculate the recurrence position of a task. This has been solved by using the server default timezone instead.
Print used its own format of address where it was not possible to internationalize the address. This has been fixed by using the internationalization approach which is already used to display the address in the contacts detail pane.
CertificateRetrieval is not used within ResolveRecipients, but EAS expected it (it is allowed in 12.1). This has been solved by improving parsing of ResolveRecipients (according to 12.1) and GetItemEstimate (according to 14.0).
Caused by trying to access IMAP via an unconnected socket due to a previous I/O error (socket closed unexpectedly by remote host/IMAP). Now a re-connect to the IMAP server on unexpected socket closure is done.
In case the account details for the internal account are hidden, default values (null) were sent to the validate call. This is fixed by extending the list of properties that do not have to be verified by all folder-fullname properties.
Invoke a “post deletion” call-back to reseller plug-in to let reseller information being cleared when context has been successfully removed, to solve this issue.
Two wrong translations were adjusted to fix this.
When the arguments of the action commands ‘enotify’, ‘vacation’ and ‘pgp_encrypt’ extend over multiple lines and those action commands have more than one argument, then only the first argument was considered while counting. Solution: Iterate over all arguments of the previously mentioned action commands.
Adobe external CMaps were not copied to the build folder and pdf.js was not configured to use them. This has been fixed by adding the CMaps folder to the thirdparty copy script and configuring pdf.js to use them.
Disablecontext throws an exception if the context was already disabled. Solution: Idempotent handling of disablecontext, which means each call results in a DB statement like “UPDATE context SET enabled = 0, reason_id = 42 WHERE cid = 1”.
UI accidentally used ‘noimg’ or ‘trusted’ as value for api parameter ‘view’. In case ‘Allow html formatted emails’ is disabled the only valid value is ‘text’, this was adjusted to fix this issue.
The “select all” button has no effect on the vacation notice model due to wrong naming. This has been fixed by changing the attribute name accordingly so the model can be handled correctly.
This has been solved by changing the href property to ‘mailto:’ in the from widget (mail compose) and the participants widget (calendar, tasks) so only the mail address gets pasted.
Root cause: Long overflow during calculation of the rate limit window. Solution: Don’t always double the window on each consecutive login attempt.
Config option “com.openexchange.servlet.maxInactiveInterval” is not properly applied to spawned HTTP sessions and therefore they don’t get removed. This has been fixed by properly setting the timeout for HTTP sessions.
The Moment and moment-interval framework used inconsistent time formats in Japanese. Updated locales in the moment-interval plugin to be consistent.
Removed the ‘manual’ button because it is used as fallback in case autodiscover fails and should not be handled as a separate option for UX reasons.
Added support for importing encrypted ical files.
Missing sortname for list members. The address picker issue has been fixed; the distribution list issue is still there, because the backend part cannot be backported; this will be available with 7.10.2.
Too generic approach in the recurrence view. All timezones with negative offset are affected. In detail, the timezone of a task (UTC) wasn’t considered when creating the recurrence rule. This has been solved by considering different timezones when using calendar or tasks. The start date of a calendar event knows its timezone, whereas tasks are always in UTC.
Size calculation was not correctly taking external files into account. This has been fixed by changing the calculation to respect all sizes of the attached files, including external files.
UI waits for a timeout of the middleware, which might take a lot of time. This has been solved by introducing a timeout for snippets which aborts the request after 15 seconds. Nevertheless, this is still a workaround, since the actual issue is the slow/non-responding S3.
Settings considered all apps which were rendered in the launcher and did no dedicated capability check. Filter for apps which are disabled by capabilities but might be visible due to upsell to solve this issue.
CSS background-size’s implicit height value ‘auto’. Solution: Use 100% as value for height.
The special case for all-day events was not considered, so they were printed the day before they started and the day after. This has been solved by filtering correctly for all-day appointments.
Running the PDFTool, the internally used poppler library had no access to externally provided poppler-data character classes. By adding poppler-data content to the open-xchange-pdftool package and using the correct data path, appropriate Unicode code points can be displayed when rendering PDF pages. The package license has been changed to GPL in order to be compliant.
The defined dependency of the update task (com.openexchange.groupware.update.tasks.ContextAttributeConvertUtf8ToUtf8mb4Task) might be excluded and could not be resolved. This has been fixed by setting the dependency to com.openexchange.groupware.update.tasks.CreateIndexOnContextAttributesTask.
The rule title was missing the translation capability. This has been solved by adding the translation capability.
Adjusted translation for place.
#beginConvert
There were persistent and runtime memory leaks in some kinds of user environment, related to stateful requests for which the final endConvert call is not performed. A new mechanism has been added to the DC server code base in order to be able to automatically finalize stateful beginConvert/getPage/../endConvert call sequences in cases where the final endConvert is not called at all (e.g. routed to the wrong DC server node, a broken HTTP connection, …
Out of memory when importing large iCal files. This has been solved by reducing the used heap space. Detailed information about the import limit “com.openexchange.imort.ical.limit” is available at https://documentation.open-xchange.com/components/middleware/config/7.10.1/index.html#mode=features&feature=Import/Export.
When replying to an encrypted email, the compose dialog shows the ENCRYPTED mail rather than the proper decrypted content. This also breaks guest replies. This is limited to customers that have the feature setting io.ox/mail//features/fixContentType=true. Now it is possible to reply to Guard emails also if io.ox/mail//features/fixContentType is “true”.
UNTIL in the recurrence rule has been interpreted as a date value by the UI, whereas it should be a datetime value. The UNTIL part of the recurrence rule now contains a datetime value. Therefore, the Zulu timestamp in UNTIL is now after the start date of the last occurrence.
The OX permission model requires the “DAV:read-acl” and “DAV:read-current-user-privilege-set” privileges to be granted in each ACE. When attempting to set an ACE without those privileges, a “DAV:not-supported-privilege” error is raised. This has been solved by automatically assuming “DAV:read-acl” and “DAV:read-current-user-privilege-set” if missing instead of throwing an error.
This was caused by the use of cached data. This has been solved by clearing the cache on import.
This was caused by a timeout because guest sessions were not synced between servers. Now guest sessions are synced between Hazelcast servers.
Cache generated smart date catalogue only for current day.
Parsed date wrong for IMAP results. Now just one date is used for results. This is just a partial fix. A full solution would be to request a longer timeframe and do the slicing manually. But this rather requires a larger change to the search module and cannot be handled inside a patch.
The EMAIL mapping for vCards ignored a third email address in case there are others explicitly marked as HOME or WORK. This has been fixed by using the first non-work/home/other address as fallback if no distinguishing e-mail type is found.
Wrong root folder selected after removing a folder. This has been solved by removing a superfluous event trigger and fixing a regular expression.
It was not possible to send an email to an appointment participant if he had only a secondary email address entered inside the address book. This has been fixed by using the provided data instead of fetching everything.
Proper check if mail account can be connected to with respect to possible OAuth authentication type has been added.
The three dots shown at the end of the shortened message were hidden by the close icon. This has been solved by adjusting the padding to prevent the overlapping.
Index overflow (day 8 instead of 1) led to a non-red-marked Sunday. Now using the correct modulo to display the Sunday in red.
Properties menu was disabled for tasks and extension points were not working with tasks. This has been solved by re-enabling the properties menu and adjusting extension points to support tasks again.
The reason for this is that the default implementation of the Google calendar is a read-only provider and therefore requires an activated calendar_ro module. You can find the info here: https://documentation.open-xchange.com/7.10.1/middleware/components/calendar/implementation_details.html#google-calendar. Even though it is stated that the ‘calendar_ro’ module is required, it isn’t clear that the ‘calendar’ module is not applicable here. Therefore, the documentation on this part has been improved.
When a language with a different start of the week than Sunday was selected, the loop to generate the days was not generic enough. This has been fixed by creating week days more generically depending on the start of the week.
Detail view set mail to read although the selection did not change. After manually setting to unread, keep the unread state until the selection changes to solve this issue.
Adjusted reload/relogin hint and added translations.
When a second modal dialog is opened, the focusin listener of the second dialog is registered before the listener of the previous dialog is removed. Since the keepFocus function is bound to the prototype of the dialog, the unregistration removes the listeners for all instances. Therefore, the keepFocus function is not correctly registered and will not keep the dropdown open when the dialog loses focus. This leads to the problem that no click events are triggered on the elements of the dropdown and therefore no model updates are triggered. This has been solved by adjusting focusin events so they are also correctly registered for the second (or third or fourth) modal dialog. Therefore, keepFocus is bound to the current this value and made unique.
If in ‘Settings -> Mail -> Signatures’ the option “Add signature above quoted text” is selected, the signature in forwarded mail is not above; it’s placed at the bottom of the mail. Solution: Added the “com.openexchange.mail.forwardUnquoted” setting to JSlob under path “io.ox/mail//forwardunquoted” and use a different ‘selector’ in the forwarding context when mails are forwarded unquoted.
Spam/ham information advertised in mail account data even though no spam handler was available or the concrete spam handler tells to not create such folders. This has been fixed by suppressing spam/ham information in mail account data if spam is disabled or no such folders are supposed to be created according to the spam handler specification.
Editing the size condition is not intuitive since there is no hint how to handle different units. This has been solved by adding the possible units next to the comparison dropdown.
The LOCATED_IN_ANOTHER_SERVER exception was not properly handled in the ShareServlet. This has been fixed by handling the exception properly, i.e. redirecting the client to the appropriate node. Introduced a new migrationRedirectURL property for the servlet to use in order to send a redirect to the correct node.
Selected mail not scrolled into view. Now the selected mail is scrolled into view so that it is displayed.
We adjusted this now to properly respond with the CALDAV:no-uid-conflict precondition, see https://tools.ietf.org/html/rfc4791#section-5.3.2.1 for details. With these changes the client at least no longer crashed in our tests. However, creating different calendar object resources with the same UID value is still not allowed.
Response format was strangely encoded HTML. This has been solved by forcing the response format to be correct HTML with JSON data.