Last Update: 2024-04-23
CVSS:8.2
Draft was saved before all delete requests were processed. This has been solved by waiting for all delete requests to be resolved, also if draft gets deleted.
Missing special handling for error codes that advertise actual transport succeeded, but append to standard sent folder failed. This has been fixed by adding special handling for error codes that advertise actual transport succeeded, but append to standard sent folder failed.
Equal exceptions chained multiple times. This has been solved by avoiding chaining equal exceptions multiple times.
Too many occurrences of low-level HTTP end-point pools for initialized Sproxyd clients. This has been fixed by adding cache for low-level Sproxyd HTTP end-point pools.
The caches implemented by ConcurrentMaps are never cleaned and can leak for e.g. requests that include rest-like endpoints like mail attachment downloads. This has been fixed by using Google cache with expiration of 30 minutes on non-accessed instead of a regular map, which holds entries forever once put into it. Moreover, several caches storing information grabbed from DispatcherNotes are folded into one cache.
Collection of context-associated time stamps might grow constantly. This has been fixed by clearing collection of context-associated time stamps when last session for a certain context terminates.
Was caused by inefficient max. size restriction of in-memory folder cache. This has been solved by using the SessionD events when the short term sessions are removed and using the Guava cache’s expireAfterAccess method with a decent max time that should only remove stale entries.
The filter cannot evaluate type ‘auto’ for text colors in shapes (Presentation and Spreadsheet, ooxml). Solution: Instead of sending ‘auto’ when the user selects ‘Auto’ as a text color, the best text color is evaluated corresponding to the shape background. This calculated color is sent to the filter.
When an image is inserted via the buttons in template drawings, the mousedown happens on the content root node, but the mouseup does not. But these events are registered for an optional scrolling. Therefore the scroll position was not correctly adapted when the user changes the slide using the slide pane and does not click at least once into the document after inserting the image. This has been solved by checking the target nodes for mousedown and mouseup events that are required for scrolling.
Document was not flushed before the copy was created in Drive. Flushing saves all pending changes, which in Spreadsheet includes committing the cell edit mode. Solution: Flush document before starting to copy the file in Drive for user actions “Save As” and “Save As Template”.
Templates contained more than 5 different languages on XML level. This has been fixed on XML level, replaced all (western) lang attrs to be only en-US for EN templates, de-DE for DE templates.
Event listeners were still listening on an old collection. This has been fixed by adjusting event listeners after folder rename.
Buttons were not enabled after dialog gets idle. This has been solved by setting dialog to idle also when cropped image can’t be loaded.
Sender’s full name for introduction in drive mail notifications escaped twice. This has been fixed by escaping sender’s full name for introduction in drive mail notifications only once.
Equal exceptions chained multiple times. This has been solved by avoiding chaining equal exceptions multiple times.
Possible concurrent modification of storage objects is rejected with “HTTP/1.1 423 Locked” status response leading to abortion of request processing. This has been fixed by introducing retry mechanism with exponential back-off in case Sproxyd service rejects request with “HTTP/1.1 423 Locked”.
Intermediate clean-up task unexpectedly dropped file storage resources. This has been solved by not running clean-up task when there are currently running data export tasks.
ForwardUnquoted was not recognized by plaintext editor. This has been solved by adding forwardUnquoted detection for plaintext editor.
Primary address was used in all cases. This has been fixed by adding recipient parameter when calling api.ack and in case mail was sent to alias address also this one is used for ack.
With WebSockets disabled, desktop notifications for mail didn’t fetch a contact image. This has been solved by refactoring mail desktop notifications to use the same message style as with WebSockets enabled.
Possible stack overflow (application recursed too deeply) while parsing addresses from an E-Mail header, which was syntactically broken. This has been fixed by avoiding possible stack overflow (application recursed too deeply) while parsing addresses from an E-Mail header, which is syntactically broken. Display that message as well as possible.
Built-in retry mechanism does not work in case a MySQL deadlock error occurs, which suggests to restart transaction. This has been solved by orderly passing SQLException as cause to wrapping StorageException to let built-in retry mechanism kick-in.
Copyright notice in as-config-defaults.yml file was not aligned to current year. This has been solved by changing copyright notice in as-config-defaults.yml file.
Checked for the wrong attribute when trying to detect if forwardUnquoted is set to true. This has been solved by checking for the right attribute.
Appsuite uses link text as display name. Appsuite now uses the address as display name because it is not sure that the text is the name.
iOS date input style causes odd side effects with our autocorrect mechanics. This has been solved by disabling autocorrect mechanics on iOS devices.
Internal detection of Mac OS address book not working anymore after latest upgrade of client OS. Indicate privileges from default folder also for root collection if aggregated collection is used to solve this issue.
Clean-up task only works for active users since a session is needed. Those belonging to inactive ones are not considered and might therefore remain. This has been solved by refactoring clean-up task for expired composition spaces to have a global task considering any open composition space.
Possible HTTP proxy not correctly considered when establishing a socket connection to IMAP, SMTP or POP3 end-point. This has been fixed by orderly using JavaMail utility class for establishing a socket to ensure HTTP proxy is correctly considered.
Was caused by possible leftover files during data export run. This has been fixed by explicitly checking for possible orphaned data export files during runtime.
Was caused by wrong showAdmin check for contact count. This has been fixed by adjusting the check.
No conversion to default time zone when printing in month and week view. This has been fixed by adding time zone conversion.
Null check for relay state was not sufficient. This has been solved by properly checking for empty relay state.
Mozilla changed the user-agent string to no longer contain Lightning, probably because the previous calendar plugin is now integrated into the Thunderbird core. We adjusted our documentation to handle this: https://documentation.open-xchange.com/7.10.4/middleware/miscellaneous/caldav_carddav.html
Possible web proxy configuration not always considered when establishing a mail/transport connection. Orderly consider possible web proxy configuration when establishing mail/transport connections to solve this.
Added INFO logging to APN/APNS HTTP/2 transport.
Was caused by wrong package name. This has been solved by using correct package name.
Carriage return in encoded value of organizer property prevents the reference to the deleted user being discovered correctly. This has been solved by disabling line folding when encoding organizer value, fix already stored values via update task.
Due to the backport of the Advisory Lock feature a small part was missed. This has been fixed by adding the necessary part to the PresenterDocProcessor to handle the REQUEST_JOIN correctly.
Starting a new node can very rarely lead to a merge situation, where Hazelcast changes its own uuid. That’s unexpected behavior and was not detected before. The OX Documents monitor implementation now checks the lifecycle events from Hazelcast more carefully and detects that a merge has been done. This is handled and internal classes are re-initialized to work with the new Hazelcast uuid (especially the JMS queue names are derived from it).
Missing editor event propagation when just pasting to editor on smartphones.
Wrong timezone was selected when parsing date input. This has been solved by using default timezone when parsing the date input.
The old value of autoOpenNotification was falsely used when changing the setting. This has been solved by using the new value instead.
When spam folder is empty and you move a mail to it (via “mark as spam”) folder count was still 0. This has been solved by adding a refresh of the folder.
Orphaned change exceptions without corresponding series master event cause errors when being edited or deleted. This has been solved by checking if series master exists before showing the dialog.
UTC timezone was used instead of local time. This has been fixed by using local time when no timezone is given.
Primary address was unnecessarily checked. Don’t require primary address when checking mail account connectivity to solve this issue.
Using multifactor authentication has broken the usage of USM/EAS, because USM/EAS does not support it. The error message does not contain enough details to recognize this problem. To recognize this issue we improved error details by adding the json result of the usm-json communication to the error message in case of OXCommunicationException or AuthenticationFailedException.
Configured character-set encoding not honored by IMAP “LOGIN” command. This has been fixed by using proper character-set encoding for IMAP “LOGIN” command.
Address to notify not checked if covered by user’s aliases. If so, no notification should be sent. Do not advertise “disp_notification_to” field in a mail’s JSON representation if the address to notify is covered by user’s aliases to solve this issue.
Requests with session-id/cookie mismatch led to cookies being overridden. In case of two browser tabs resulting from subsequent login attempts, both sessions would cross-invalidate themselves. This has been solved by only dropping session (and cookies) in case session could not be accessed due to an IP check error (request’s IP address differs from the one stored in session and IP check is enabled).
Back when the sorting order was changed to descending one case was not adjusted. This has been fixed by using desc sorting order when not using imap search.
When we receive a jms message we check if all header keys are valid. If it is not the case we will stop processing the message. This has been solved by changing the behavior in case there is an invalid header in the jms message. This event is locked, but processing of this message is not stopped.
Some error messages have been ignored by start script and pid file has not been removed. This has been adjusted to be more verbose on errors, and killing the pid-file.
Was caused by custom print rule of individual mail applies. This has been fixed by overwriting css page property.
In some cases not the “total” value of a folder was used for display but a calculation. If the setting “com.openexchange.showAdmin” is set to false the displayed value differs from the actual number. If the folder supports the “total” value this value will be used now. If the setting “com.openexchange.showAdmin” is set to false, the displayed value is calculated accordingly.
Request always added DISPLAY type alarms even if not supported. This has been solved by adding DISPLAY if supported otherwise using first supported type in the provided array.
Was caused by post-processing after calendar import is triggered per event group. This has been solved by importing post-process results in single task, enqueue long running import jobs.
Default delimiter was used. This has been fixed by setting delimiter to “none” for search/find.
Case-sensitive check if provided E-Mail addresses are contained in set of user aliases. This has been solved by ignore-case checking if provided E-Mail addresses are contained in set of user aliases.
Too little logging to track down validation failures and abortion of overall batch import/insert operation in case a single event cannot be added. This has been solved by enhancing logging for those events that cannot be inserted due to validation failure and make the destination calendar storage used by the user-copy operation “resilient”.
Superfluous logging of “Property “com.openexchange.imap.storeContainerType” is set to “unbounded”, but…”. This has been fixed by dropping that superfluous logging.
Exchange uses non-standard timezones in its ical. We did not adjust these timezones when subscribing to an ical feed. This has been solved by also adjusting Exchange timezones to Olson timezones when subscribing to an ical feed.
The recurrence rule is invalid. It has a full-time (floating) start date but a Zulu Time Until value. This has been fixed by using the same recurrence rule adjustment as for the import path.
Slightly different attachment check for get and all requests. In case the content-disposition header is missing the get request in contrast to the all request considers the name attribute of the content-type header to identify attachments. This has been solved by considering the name attribute during all requests as well.
Inconsistent composition space state referencing to non-existing resources in (S3) file storage. This has been fixed by orderly advertising error code “MSGCS-0006” (NO_SUCH_ATTACHMENT_RESOURCE) if read attempt from storage yields “FLS-0017” (FILE_NOT_FOUND) error and drop the non-existent attachment from parental composition space.
This has been fixed by considering credentials optional in case authentication is disabled.
It was impossible to specify HTTP read/connect timeouts for outbound HTTP communication of the OpenId round-trip. This has been solved by adding options to specify HTTP read/connect timeouts for outbound HTTP communication of the OpenId round-trip.
com.openexchange.oidc.http.outbound.connectTimeout
The connect timeout in milliseconds. If establishing a new HTTP connection to a certain host exceeds this value, a timeout exception is thrown. Default is 5000.
com.openexchange.oidc.http.outbound.readTimeout
The socket read timeout in milliseconds. If waiting for the next expected TCP packet exceeds this value, a timeout exception is thrown. Default is 15000.
Firefox has odd focus behavior, scrolls to bottom on focus, and ignores scroll top function. This has been solved by deferring scroll top to fix Firefox focus bug.
Action was checking device guest, which doesn’t work obviously. This has been fixed by adjusting check so it checks for capability guest.
In calendars list view not all appointments get deleted in case of used option “Select all”. Now all the selected appointments will be deleted.
Missing handling when a date in the list collection changes. This has been solved by listening for startDate changes and change labels accordingly.
Possible endless loop when the task iterator is initialized from an already interrupted thread. This has been solved by abort waiting for pre-reader if the current thread was already interrupted.
Excessively long-running operation to look-up a subsequence/pattern in HTML content. This has been solved by adding conditions for early abort and ultimately shield from too excessive matcher execution.
Only a user’s own “collected addresses” folder was considered for translation. This has been solved by dynamically translating special collected addresses folders from requesting user’s point of view.
“pref” parameter is used by the server to differentiate between multiple numbers of the same type, while the client only recognized one “pref”, as general preference. This has been fixed by only adding “pref” parameter when exporting TEL properties if required. Note that this is only a mitigation, e.g. when there are multiple “cell” or “home” numbers, the “pref” parameter will still be set.
Unreachable snippet/signature causes send attempt to fail. Don’t let send attempt fail if a snippet/signature cannot be found.
The disable check for the ‘create folder’ button was not working correctly, therefore it displayed the enabled button for cases where it’s not possible. When creating a folder in these not working cases, the error occurred. This has been fixed by adjusting the enable/disable state of the ‘create folder’ button. Therefore, the button is not clickable in wrong cases, the error can’t happen anymore.
In Customer integrated Drive the fileId is unique for each user so we are not able to detect that two users edit the same document. This has been solved by extracting the part of the Id which is only unique for the file.
A recent change altered the tinymce editor content from raw to html, which led to styling issues. This has been solved by using html format when saving signatures but keep raw format for compose actions.
Firefox was not recognized to have native noopener support. This has been fixed by adding Firefox (with versions greater than 66) to supported noopener detection. Also changed the behaviour for unsupported browsers, so that deep links are no longer deactivated.
Coding error when attempting to delete from files storage on user/context deletion. This has been solved by avoiding java.lang.ArrayStoreException by passing proper argument when attempting to delete from files storage on user/context deletion.
This was caused by inaccessible contacts. E.g. some contact which was once shared but the permissions have been revoked in the meantime. This has been solved by dropping alarms and also alarm triggers silently for the birthday calendar in case the underlying contact is missing or is inaccessible.
This was caused by a wrong PDF.js library version. This has been fixed by updating the PDF.js library version.
This was caused by a wrong PDF.js library version. This has been fixed by updating the PDF.js library version.
Folder api tried to request virtual folders via path request. This has been solved by adding an early check to prevent the error. Also fix code that expected the error. Note: This is mostly a cosmetic fix so there is no error in the logs. The UI switches back to the default folder in case an invalid folder was requested and a user can work normally again.
Null connection returned to the DatabaseService. Don’t return null connection to the DatabaseService to solve this issue.
Internal notification mails are only sent to user attendees. This has been solved by sending notification mails to resource attendees by default, configurable through com.openexchange.calendar.notifyResourceAttendees.
Slightly different attachment check for get and all requests. In case the content-disposition header is missing the get request in contrast to the all request considers the name attribute of the content-type header to identify attachments. Now consider the name attribute during all requests as well to solve this issue.
Incorrect Sender/From address returned when replying to a message residing in “Sent” folder. Advertise correct Sender/From address when replying to a message residing in “Sent” folder to solve this.
This has been solved by restoring accidentally removed update task.
User timezone not considered when formatting event start date for subject. Now consider user timezone when formatting event start date in subject of alarm mail to solve this.
Unsafe E-Mail address checks based on string representation. This has been fixed by correcting E-Mail address checks based on parser.
The OX Documents Collaboration Framework contains some kind of garbage collection to find and resolve stale resources. There was a special situation where this algorithm didn’t find stale resources that could lead to a non-loadable document (stale atomic long in Hazelcast which was not retrievable by getDistributedObjects() and a removed entry in the DocOnNodeMap). This has been solved by adding detection code to resolve the described situation to enable the user to open his/her document.
The adding of the primary key was the third change set in liquibase, it has to be the first one. This has been fixed: adding the primary key in table DATABASECHANGELOG is now the first changeset.
The table DATABASECHANGELOG needs no primary key, but a custom product use needs this key. This has been solved by adding a primary key to table DATABASECHANGELOG.
Listview time was not drawn in currently selected timezone. This has been solved by drawing Listview time in currently selected timezone.
Basic detection of Edge was added a while back, but noopener feature has not been adjusted. This has been solved by reporting noopener support for Edge based on Chromium in internal functions.
An Appsuite UI-side limit requests user details for at most 1000 members; this limit only affects the settings pane “Groups”. This has been fixed by introducing customizable setting and now also inform user when limit was hit.
Preview currency was hardcoded to EUR. This is only used to display number formats, so just removing EUR works fine in this case.
Editor content was not part of new/update requests when oximage tinymce plugin wasn’t loaded. This has been solved by ensuring editor content is used.
Using a dedicated filestore for mail compose attachments did not work with Scality Sproxyd based ones. The Sproxyd connector stores object references in a database, but in this case no appropriate database was ever found at runtime. This was fixed by selecting the according UserDB schema.
For marshalling the calendar-data property in XML response bodies, the iCalendar data is put into CDATA section. Now, a property in the iCalendar file contains a CDATA section, too, which is apparently not properly escaped. Now properly escape XML element content of calendar-data element to solve this issue.
No validation of context identifier value. Ensures that a context with identifier zero can be deleted. Workaround: Also a context with ID zero can be removed now, the -N option has to be used. If the -c option is used, the zero value is interpreted as absent. This can’t be changed in the method causing the error (see description) because dozens of other classes use this method and expect zero to be interpreted as absent or rather unset. Therefore the deletion of the context with ID 0 must use the -N option as the ID will then be found by the server itself and deletion works.
Signature snippet is attempted being created without a content. This has been fixed by handling possible absent content when creating a signature snippet. Assume empty string instead.
USM cannot send an error message, the communication is restricted to the http return code for a failed login. Increased logging: Increase the level for those kinds of log messages from DEBUG to INFO.
Was caused by separate handling for savepoints on smartphones and other devices. This has been solved by extending initial fix to also cover smartphones.
Non-chromium-based browser was applied for chromium-based browser. This has been fixed by differentiating detected edge browser by version number (79+ represents chrome-based).
This was caused by missing blur event on input field. This has been fixed by adding missing blur event.
Missing property that identifies open read receipts for seen messages. This has been solved by providing property for seen messages also now (unless read receipt was sent). Additionally flag 512 can be used to identify an already sent read receipt.
Was caused by a missing translation backport. This has been solved by adding the missing translation.
Using the “Copy Picture” functionality copies the picture 2 times to the clipboard as html and file. Both were added to the dom. This has been solved by only copying the image file to the dom, html part is not needed.
Open-xchange-session cookie was not set on successful /login?action=tokens response even though it should. This has been solved by writing session cookie on token login.
The jSoup library used in this version causes those extra line-breaks/white-spaces being added. This has been solved by updating jSoup library from v1.11.3 to v1.13.1.
It was possible to pass alternative Open-Xchange image end-point when creating a snippet (signature). This has been solved by accepting other image URIs pointing to alternative Open-Xchange image end-points when creating a snippet (signature).
Setting “com.openexchange.forceHTTPS” not considered when getting WSDL. This has been solved by respecting setting “com.openexchange.forceHTTPS” when getting WSDL.
Followup for this Bugfix: Recurrent tasks in caldav are not supported, so creation of those tasks via caldav is not allowed. Added a check for this. Now an error is thrown in case a client tries to create or update a task with a recurrence rule.
In singleTab mode the tabApi was disabled. This has been solved by preventing the tabapi.openBlank function from being disabled.
Insufficient handling of terminated sessions. This has been fixed by sending an error response and listening for session removed events.
In case of several broken calendars, the error of the second calendar will be overwritten by the error of the first one. It was ensured that the correct error is always displayed.
Regex to detect phone numbers was not strict enough. This has been fixed by reworking regex to detect phone numbers better.
Rounding does not work well for big quotas. This has been solved by adding smart display for quotas. Values below 1GB do not have decimal places. Values above 1GB have 0-3 decimal places as needed.
Check for no other participants was changed, apparently it missed a negation here. This has been fixed by adding negation to the check, so appointments where you are the only participant can be moved to a shared calendar. The calendar owner becomes the participant then, same as if created on behalf of the shared calendar owner.
Collecting metrics about HTTP communication to remote/internal HTTP end-points steadily fills up heap since each metric is exposed as MBean (but never removed) filling up a registration map. Middleware now accepts property “com.openexchange.httpclient.monitoring.enabled”, which allows to enable/disable collecting metrics about HTTP communication of Open-Xchange Middleware to HTTP end-points. By default it is disabled since it tends to fill up the heap, which is a flaw in the pre 7.10.4 metrics implementation.
Flag “includeUnsubscribed” not properly interpreted on calendar data export. Correctly interpret “includeUnsubscribed” flag on calendar data export to solve this issue.
A mail account is not necessarily linked to a transport account. Thus no transport server information can be obtained. This has been solved by checking if mail account is linked to a transport account when testing if transport server settings are about to be updated.
This was caused by a missing update event. This has been solved by triggering event to update the view.
When ‘search’ collection gets expired via expire() the ‘expire’ property got reverted immediately. This has been solved by manipulating ‘expired’ property directly.
The user fields 1 to 20 were not provided in the Edit dialog. The user fields 1 to 20 have been added to the Edit dialog to solve this issue.
Missing support for “reply_to” field in new mail compose implementation. This has been fixed by adding support for “reply_to” field in new mail compose implementation.
There is a small time gap between the POST /compose/:id/attachment request reporting a progress of 100% and the upload call resolving. This is the time the server needs to finally store the attachment somewhere. If the mail is sent in exactly this gap, a race condition between sending and attaching the image to the mail might occur. Waiting until the attachment upload has been resolved before the mail send process can be started solves this issue.
Misinterpreted “includeUnsubscribed” boolean flag on mail data export. Solution: Properly interpret “includeUnsubscribed” boolean flag on mail data export.
Action command parser was missing. This has been solved by adding action command parser for set action.
Internal cache in IMAP bundle used to hold in-memory structure of IMAP server’s LIST/LSUB output steadily fills up over several months as long as enough active sessions are present. Moreover, accumulation of unused/stale IMAP store containers managed in IMAP connection cache also due to vast number of active sessions. Let cached entries expire (and remove from cache) after reasonable amount of idle time as well as drop unused/stale IMAP store containers managed in IMAP connection cache to solve this issue.
Permission was not checked when adding a guest permission to a mail folder. This has been solved by orderly checking permissions and deny operation.
The table DATABASECHANGELOG needs no primary key, but the product strato uses needs this key. The reason for this is not clear. This has been fixed by adding a primary key to table DATABASECHANGELOG.
The button “Ignore Warnings” was configured incorrectly.
Settings was moved out of the dropdown. It has its own launcher icon now. Tour was not updated. Tour uses the new icon instead of looking for the missing dropdown link.
A dialog automatically removes all “disabled” properties when it is made visible. The attribute “data-manual” was added to prevent this.
There is a small time gap between the POST /compose/:id/attachment request reporting a progress of 100% and the upload call resolving. This is the time the server needs to finally store the attachment somewhere. If the mail is sent in exactly this gap, a race condition between sending and attaching the image to the mail might occur. Wait until the attachment upload has been resolved before the mail send process can be started.
No unique information for the TOTP account. Added the user’s login to the TOTP account.
No appropriate error returned to client in case an invalid E-Mail address is passed. Orderly advertise error code “MSG-1008” in case an invalid address was given.
A missing value within the legacy series pattern causes an unhandled exception when trying to convert it into a recurrence rule. Fall back to “first” week when converting monthly_2/yearly_2 patterns if not specified.
Because the root cause is not known, this is just an improvement: Handle the symptom after the rate limiter has blocked further login requests and try to avoid retries by the client. Currently USM returns HTTP status 200 (with error status content in the EAS protocol response). Now USM returns 429 with header “Retry-After” with the same time period as returned by the backend.
The e-mail address of the user with umlauts in the domain name is directly used as from address for sending the e-mail. USM does replace the from address in the e-mail delivered by the client with the internally set e-mail address. This has been fixed by converting the domain part of the user’s e-mail address to Punycode when building the EAS configuration.
Caused by UI urlify function (detect links in plain text). This function did some wrong encoding. This has been fixed by removing useless encoding.
IE11 sometimes has issues with calculating dropdown dimensions. This has been fixed by using fixed width in IE11.
Was caused by wrong Blocknode detection. This has been solved by adjusting Blocknode detection.
Backdrop added for dropdowns on mobile catches clicks and is not removed after dropdown closed. This has been solved by making sure backdrop element gets removed if dropdowns close.
Error message did not prevent saving, success message from saving overwrote the error message. This has been solved by stopping saving if there is an error so the user has a chance to notice the error message.
Remove handlers all work on the same list of points regardless of the fact that one of those handlers already removed a point; this was caused by a race condition. This has been improved by maintaining a list of deleted ids and further removeRestorePoint calls remove those points again if needed.
Missing upgrade package for hazelcast enterprise. This has been fixed by adding a hazelcast enterprise upgrade package: open-xchange-cluster-enterprise-upgrade-from-7102.
Accumulation of HTTP sessions through massive number of incoming HTTP requests steadily spawning a new HTTP session. For example, if the server used only cookie-based sessions, and the client had disabled the use of cookies, then a session would be new on each request. This has been solved by avoiding accumulation of HTTP sessions through massive number of incoming requests. Invalidate unused/unjoined as well as non-authenticated HTTP session. Moreover, ensure removal of invalid session cookies.
Internal device helper function identifies Edge also as IE. This has been solved by adjusting check for ‘edit image’ feature to enable for Chrome-based Edge (version >= 79).
Check for disabled capability bit was missing for mail folders. This has been fixed by adding check for the permission capability bit for mail folders.
Was caused by too much padding. This has been fixed by reducing padding on demand.
Second notification overwrote the first error message. Only show one proper error message to solve this issue.
Current value of the From field not respected when checking for customized sender name. This has been fixed by only using fall back value if current value is empty.
Error message did not prevent saving, success message from saving overwrote the error message. Solution: Stop saving if there is an error so the user has a chance to notice the error message. This is not yet fixed for Safari, will be fixed in upcoming public patch.
Sent dispensable timezone during GET request to backend which caused a wrong time calculation. This has been solved by only sending needed data instead of the whole task object with the GET request.
Special computation of font/line-spacing of Mozilla Firefox caused cut off descenders in contact summary. This has been solved by adjusting CSS properties (line-height and margin).
Items not appearing in Trash folder in reasonable time. This has been solved by invalidating trash folder caches correctly.
Sanitizer was only run for text/html type. The sanitizer strips the doctype part. This has been fixed by also using the sanitizer for multipart/alternative.
UI code did not check if indexeddb is still present or in a closing state. Therefore, these errors were not caught and the UI hung. This has been fixed by catching the error and continuing without an indexeddb. This will not cache any files for the next page load but prevents the UI from stalling.
This has been solved by preventing remotely received events from being aggregated into another local event and thus re-distributed remotely again, through immediate processing of remotely received events (with a separate thread).
Event data was only stored partly when an unexpected error occurred during saving of supplementary data like alarms. This has been solved by importing each calendar object resource within separate transaction, extended alarm validity check.
UnifiedInboxManagement OSGi service was not added to bundle’s needed/tracked services, which is required to check if an account is the special Unified Mail account. Solution: Orderly track UnifiedInboxManagement OSGi service to check if an account is the special Unified Mail account.
Drive document has been accounted to upload quota, but shouldn’t. This has been solved by not throwing an upload quota exceeded error in case the file attachment is a Drive document.
Capabilities are not set right so early at start in the frontend. Therefore the tab API, i.e. the session handling, was disabled. This has been solved by not checking for Office capabilities at login to determine whether the tab API is enabled.
ToolbarView’s selection change did not trigger a redraw (strict: true). This has been fixed by just setting strict to false.
Wrong module guessed from system folder (system does not have favorites). This has been solved by using module information from the actual folder view instead of the module information from the folder model. Only fall back to old behaviour if no information is available. This way it should always be possible to remove folders from the folder view directly.
Missing appointment list in day printing view. This has been fixed by adding list again (also includes location).
Wrong comparative operator was used. This has been fixed by adjusting the comparative operator.
Mail content was read for detection of non-inline parts, which are supposed to be passed to document-converter service (that might be absent). Don’t trigger document preview if associated capability is absent and avoid reading mail text for detection of non-inline MIME parts. Note: In case Document-Converter is deployed on customer’s installation, accessing MIME message’s file attachments is done by intention.
Error thrown: Reply-To header can’t be parsed, actually the In-Reply-To header should be used. This has been solved by using the In-Reply-To header.
Detected & applied wrong start time range to scheduler of GDPR data export tasks. Detect & apply correct start time range to scheduler of GDPR data export tasks to solve this issue.
In case less than 3 account types are available, the dialog was misplaced due to a broken selector. This has been solved by fixing selector for those cases.
Wrong version number for current version was assumed when auto-deleting file versions. This has been solved by passing proper current version number to auto-delete routine.
The caldav servlet doesn’t support operations on recurring tasks, but it also doesn’t filter recurring tasks out. This has been resolved by just filtering those recurring tasks.
Websocket push using Socket.IO in combination with Grizzly TLS causes deadlocks in Grizzly selector threads. This has been solved by reducing lock scope in original implementation. Furthermore offer a whole different Socket.IO implementation that uses less locking overall.
A NPE was triggered if start_time is not set (null). This has been fixed by using correct variable to determine UTC time difference.
Firefox has some issues with visibility hidden and descenders. This has been fixed by adjusting CSS with padding and negative margins.
CVSS: 3.1
CVSS: 3.1
CVSS: 3.1
CVSS: 2.2
CVSS: 2.2
CVSS: 5.0
CVSS: 5.0
CVSS: 5.0
Bash’s set -e combined with a failing conditional expression as last step of a postinstall script caused fresh installs to fail. This has been solved by switching from expressions and conditionals to if lists to get proper return value.
Drag and drop event handler was missing the quota check. This has been fixed by converting the add local file function to a general helper function and also using it for drag and drop.
Quoting has been done server side before mail compose rewrite and the mechanics were not transferred to the client side code. This has been solved by adding/removing quoting according to the setting in the UI.
During toggling between normal and thread view the collection gets reset but the complete flag stays on ‘true’. So no collection will be loaded as long as there aren’t enough mails for pagination in the current folder that triggers the incompleteness. This has been solved by setting the complete flag to ‘false’ manually so that a reload will be triggered.
Timezone lib needed update because of the change in DST handling in São Paulo. See https://github.com/moment/moment-timezone/issues/805 This has been solved by updating the moment-timezone library file.
Sync-token property was not calculated correctly and a fallback to the folder’s last modification date was used, regardless of changes of the contents. This has been fixed by correctly determining sync-token for task collections.
Some model changes might trigger long running redraw actions, which block the browser and might even lead to “long running script” warning. This has been solved by preventing browsers from redrawing the whole list where possible.
Dependent on MAL implementation, an absent subject is returned as null, which confuses App Suite UI. Solution: Advertise a missing subject as an empty string within output layer.
Duplicate task leads to abortion of user copy operation. Solution: Do not hard fail on duplicate task, but handle it gracefully.
When using Google cache’s ‘get(key, loader)’ method, the passed loader must not return null. Don’t return null in passed CacheLoader instance to solve this issue.
Actually undefined properties are cached at the “configuration” provider of the config cascade once they’ve been queried for the first time. This happens implicitly when the final scope is determined for a property that was picked up at another level of the config cascade. In case such properties are prefixed with “com.openexchange.capability.”, they’re also considered and evaluated to “false” when constructing the capability set for any other user, potentially overriding module permissions if they’ve been used in a discouraged way of using the permission identifier as capability property name. This has been fixed by ignoring undefined capability properties when building the capability set, added debug logging to reveal problematic configurations.
A change exception where the series master event could no longer be looked up caused a runtime exception when converting the data to an appointment as used by the legacy calendar API. Now do not fail if the recurrence identifier cannot be converted to the corresponding recurrence (date) position.
Folder properties are protected, but the UI does not respect that. This has been solved by disabling the checkmark if the sync property is protected such that the user will not be able to sync Google calendars for example.
Don’t attempt to re-encode subject string given by ENVELOPE fetch item to solve the Cyrillic encoding issue.
This has been fixed by adding missing handling for this special case.
Accounts get refreshed now once a related folder gets updated to solve this issue.
Name of external account was not offered after adding a new external mail account. This has been solved by adding handling for an active mail compose window when a mail account gets added/removed.
iOS works with full day dates only. The different interpretation of full day dates for iOS and backend caused this issue. USM now reconstructs the time values of tasks known by the backend and translates the different interpretation. More improved Task handling will come with the next public patch.
No support for contentType multipart/alternative with initial new compose API. This has been solved by adding support for it, Appsuite UI now sends this as a parameter. The MW will then create a html/text part from the html part.
Segoe UI Font baseline issue. This has been solved by changing line-height and margin value to fix this on Windows.
Missing capability check before sending requests to the API. This has been solved by adding “global” capability check in internal API module.
URIs in href-elements within a PROPFIND request from a client may get decoded two times under certain circumstances, which might lead to a runtime exception whenever the original URI contains the percent sign ‘%’. Solution: Ensure to decode percent-encoded values only once.
The contacts application in the latest macOS release introduced a bug where the current user’s privileges were derived from the virtual root, and not the actual contacts collection. This has been fixed by indicating privileges from default folder also for root collection for macOS client.
Now a popup is displayed if maxlimit for the addresspicker is reached and “admin=false” parameter is respected if applying index range.
Mix-up of folder to account association when composing JSON response. This has been fixed by accessing folder in proper account.
Overlapping addresses were not correctly handled. This has been fixed by adjusting associated CSS.
Every rule in the stylesheet was treated as a CSS rule. This has been solved by treating rules according to rule type.
This has been adjusted and for error code OAUTH-0013 button “Try again” is replaced by “Edit accounts” that links to corresponding settings pane.
Unit was not considered when checking size. This has been solved by adjusting check accordingly.
The exit status of the last command in a scriptlet determines its exit status and at the same time a return value of 1 from ox_scr_todo signals that there’s nothing left to do for a given SCR. For this bug ox_scr_todo was the last statement from the scriptlet and thus after the first update of open-xchange-oauth that contained SCR-316 there was nothing left to do at the end of the postinstall/update and rpm handled this like an error. This has been solved by switching from expressions and conditionals to if lists to get proper return value.
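The exit-status behaviour behind this fix and the similar set -e postinstall fix listed earlier, as an added example (not the project's packaging code). The body of ox_scr_todo, the argument values and the other function names are constructed stand-ins.

```shell
#!/bin/sh
# Constructed stand-in for the packaging helper named in the release note:
# returns 0 while an SCR still has to be applied, 1 when nothing is left to do.
ox_scr_todo() {
    [ "$1" = "SCR-PENDING" ]
}

# 'Before' shape: an AND-list as the last statement of the scriptlet.
# When the helper returns 1 the whole list returns 1, and because it is the
# last command that value becomes the scriptlet's exit status. set -e does not
# abort on the failing left side of an AND-list, but the status still leaks out.
scriptlet_with_and_list() (
    applied=""
    ox_scr_todo "$1" && applied="yes"
)

# 'After' shape: an if list. When the condition is false and there is no else
# branch, the if command itself returns 0, so "nothing to do" is not an error.
scriptlet_with_if_list() (
    applied=""
    if ox_scr_todo "$1"; then
        applied="yes"
    fi
)

# Run a scriptlet and print its exit status without tripping set -e in the
# caller (the command sits on the left of ||, where errexit is ignored).
status_of() {
    rc=0
    "$@" || rc=$?
    printf '%s\n' "$rc"
}

# Show what a package manager would see as the scriptlet result.
for scriptlet in scriptlet_with_and_list scriptlet_with_if_list; do
    printf '%s: pending=%s nothing-to-do=%s\n' "$scriptlet" \
        "$(status_of "$scriptlet" SCR-PENDING)" \
        "$(status_of "$scriptlet" SCR-DONE)"
done
```
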
Scroll behavior in enter key listener changed selection. This has been solved by checking shift key too and preventing execution in that case.
Action command was not checked for drop down in mail toolbar. This has been solved by checking vacation action before rendering dropdown link.
The “!important” CSS style value was dropped. This has been solved by keeping the “!important” CSS style value.
For events where the (external) organizer is not attending, the timezone is not set explicitly and falls back to the system default. This has been solved by preferring event timezone in notification mails for external organizer that does not attend the meeting.
CVSS: 5.0
CVSS: 5.0
CVSS: 7.7
CVSS: 5.0
CVSS: 5.0
CVSS: 5.0
CVSS: 5.0
CVSS: 6.5
CVSS: 3.1
CVSS: 2.2
CVSS: 2.2
CVSS: 6.4
CVSS: 5.4
CVSS: 5.4
CVSS: 3.1
CVSS: 3.1
CVSS: 2.2
CVSS: 2.2
CVSS: 5.4
Hindi characters were dropped on Internet email address parsing and are now maintained.
OX is missing the support for the EAS feature , , . Only the will be transferred to the server and and with the same content will be sent to the server.
The client didn’t handle unlimited vacation, although the EAS protocol allows it. Fixed by ignoring the start and end date if the server reports an unlimited vacation rule.
The subject of the vacation rule wasn’t used. It will be shown and updated now.
The rule name, which wasn’t set before, is now fixed to “vacation notice”.
The dropdown action was missing the appointment data due to a missing backbone model.
DateFormatCache was not threadsafe and has been replaced with a synchronized map.
The organizer is no longer replaced by the creator. This was introduced for an older bugfix and has been removed.
Changed log level to INFO and include effective schema strategy in log message.
Fixed a CSS issue on MacOS.
Deny support for folders carrying reserved name as full name.
Fixed different bugs in the google reconfiguration code.
Unexpected null dereference when examining an HTML tag’s attribute value. Fixed possible null dereference when examining an HTML tag’s attribute value.
Choose another category for error code MSGCS-0007 (‘Found no such composition space for identifier: XYZ’) to achieve more lean logging behaviour.
Sortable plugin from jquery-ui takes a lot of time to run. It has been replaced with native drag and drop support.
Invoke javax.servlet.http.HttpServletRequest.getSession(boolean) in SAML and OIDC implementations to maintain route to the right Middleware node, which spawned the Open-Xchange session.
Missing CSS rules for mobile devices. This has been solved by introducing some CSS rules for mobile devices (e.g. put checkbox in new line).
It was a problem of restoring the selection on Android. Avoiding setting superfluous Android selection.
Duplicate task leads to abortion of user copy operation. Solution: Do not hard fail on duplicate task, but handle it gracefully.
Redundant fallback value for REPLY-TO header. Leave REPLY-TO unset now if it defaults to the same value as FROM.
Check if action ‘vacation’ exists was missing. This has been solved by calling mailfilter API to check for this vacation action before rendering the vacation notice button.
Also consider application header and empty mails with just an attachment.
Added missing user readable error message to exception.
Adjusts settings tree label.
This was caused by DOMPurify removing src=“blob:…”. This has been solved by using data URI instead.
Renaming file name to invitebutton.js
Memory gets flooded with many regular untagged IMAP responses, which are actually of no use. This has been solved by adding mechanism to drop regular untagged IMAP responses on command execution to avoid flooding memory with unused IMAP responses.
This is only not working for the context admin while being created with ‘createcontext’, not for users commonly. Was caused by accessing context properties while context is created. This has been fixed by falling back to server level configuration if context is not yet created.
Clientwise specified “max_size” parameter has not been applied to plain text. Now applying given “max_size” to plain text as well.
Image transformation failed because Java image reader is unable to parse PNG image binary. This has been fixed by handling the special javax.imageio.IIOException hinting that the Java image reader failed to parse the image binary. Return image non-transformed instead.
Read connection used for table cleanup. This has been solved by using write connection for table cleanup.
Firefox has still not enabled secure noopener handling. This has been fixed by not using blankshield for deeplinks.
Don’t fail to transport a message composed as reply/forward if original message no longer exists.
Default temp directory (“java.io.tmpdir”) used internally by JRE’s ImageIO and JNA module. Set configured upload directory as working/caching directory for both ImageIO and JNA.
Improved UX by using different naming and description.
Send error response with the CALDAV:max-date-time / min-date-time precondition when client attempts to create an event outside of synchronized time range. This was missing before.
Made the hard coded limit for future appointments of 3 years configurable in eas.properties with com.openexchange.usm.eas.appointments.future.time_limit.
Extended DEBUG logging for Dovecot push and avoid rescheduling on registration of a new permanent push listener.
Missing handling for empty display name (recipient) when quoting a message. This has been solved by adding handling for empty display name.
In case of so many files, it floods require with requests. The problem is that all these requests stay pending, because the first ones are not resolved quickly. Therefore the cache to return the data for the following requests seems not to be used. Depending on the amount of files, this long list of requests to require can run into the require timeout. Preload the view types so that require can always use the cache. All type definitions combined are about 30k minimized (for comparison, every single page that is shown in the viewer is a lot larger). So the benefit from loading single types on demand is not that great regarding bandwidth. We tried also to filter all used types and just preload these, but the added complexity and overhead due to the filtering was not worth the benefits.
There is a check to test if a file actually holds data based on some heuristics. That check leads to false-positive for the inline image attachments of the affected e-mail. Fixed check for possibly empty file data.
Mail was filtered out because it was interpreted as appointment invitation mail. Now mail is analyzed whether the appointment was created “on behalf” and then synced to client, but this works only for the main calendar of the “manager”.
Accept upper-case ASCII characters as well for ACE->IDN conversion to solve this issue.
This has been solved by enabling print preview for embedded mail.
Inconsistent data for organizer/principal in the legacy storage was converted to a representation of the organizer that assumed an external entity. This has been solved by ignoring principal if equal to organizer when reading from legacy storage, correct sent-by in organizer for already migrated events. Please mind that the update task to correct the wrong data in the storage is disabled by default in the hotfix, but can be enabled manually by setting the property “com.openexchange.calendar.enableCalendarEventCorrectOrganizerSentByTask” to “true” if needed.
Address string was interpreted as a group name in case host is NIL when parsing an ENVELOPE address string. This has been fixed by aligning behavior of Open-Xchange Middleware according to common IMAP server one. Assume “missing-domain” as host part of an e-mail address in case host is NIL when parsing an ENVELOPE address string.
Change listener called too frequently. Solution: Debounce execution, waiting for 30ms without further call.
Was caused by wrong detection whether a move or a rename needs to be performed. Fixed check whether a move or a rename needs to be performed to solve this issue.
The create copy/delete original fallback after a failed move operation of a CalDAV client may cause the event resource being deleted, since the copy was interpreted as update under special circumstances. Do not try to update event as fallback after an UID conflict was detected.
DOMPurify returns by default a TrustedHTML object on Chrome 77 instead of a simple String. This is caused by an experimental API being enabled in Chrome 77 by default. Added a simple typecheck to cast the TrustedHTML back to string if needed.
For CalDAV collections with many contained resources where the initial synchronization result gets truncated before a specific point in time, consecutive DAV:sync-collection requests with this intermediate token would get answered with HTTP 403 Forbidden due to the token being assumed out of range. This has been fixed by encoding additional flags into generated sync-tokens to properly resume intermediate truncated responses.
Some jQuery functions got stuck and prevented further code execution. This has been fixed by using native functions.
The image isn’t converted to PNG anymore, switched to JPEG.
Unable to handle vCard v4 partial dates. Now handling PartialDate for Birthday and Anniversary to solve this issue.
Ensuring that current DocumentConverter server release works flawlessly with previous DocumentConverter client/middleware releases.
Wrong “API” parameter was used. This has been fixed by adding correct API string to the request.
Specify user’s locale when outputting detected limitation violations to show translated error messages.
Stick to active short-term sessions when re-injecting a push listener to solve this issue.
The “Lock-Token” header was not sent correctly to the client during the LOCK response, so that a consecutive UNLOCK request could not be performed successfully. This has been solved by using correct format for the “Lock-Token” response header.
The JVM’s default locale was used when processing the template for appointment reminder mails. This has been fixed by using the receiving user’s locale when processing the template for appointment reminder mails.
Rrule was always using full time format. Now local format without time is used.
Data truncation while trying to store a quite long subject to database. Solution: Enlarged “subject” field in “compositionSpace” table from 256 to 512 character. Moreover, added user-friendly error messages in case such a data truncation occurs.
Introduce configurable fetch limit io.ox/contacts//toolbar/limits/fetch.
Mark guidedtours.properties as configfile now.
Indicate proper status for mail accounts with OAuth-related issues.
When opening a restorepoint, the id is incremented. But for objects from the jslobs, the object reference is still pointing to the object in the jslobs. Therefore, the id in the cache is also changed and the object with the old id cannot be found and deleted. Work on a copy of the object to prevent overwriting the id in the jslobs object.
TinyMCE cannot handle floating point numbers and therefore, size computation fails. Manually force TinyMCE to accept floating point pixels when necessary.
Write permissions in terms of mail folder means user is allowed to set flags other than seen/unseen and “mark as deleted”.
Fixed German translation.
Fixed translation.
Windows sends a mousemove event when only a mousedown event should be triggered resulting in the monthview to enter drag mode. This has been fixed by introducing a deadzone of 5px before dragging is enabled.
Wrong value “Medium” used to signal normal importance. Set “Importance” MIME message header according to https://tools.ietf.org/html/rfc4021#page-32. (Values: High, normal, or low).
Task query uses “GROUP BY” clause and conflicts with ONLY_FULL_GROUP_BY mode of the database. Avoid “GROUP BY” clause in SQL statement, but filter possible duplicate tasks in application.
A bogus series pattern was converted into a recurrence rule that produces no occurrences. Automatically correct invalid “yearly 2” and “monthly 2” patterns during conversion, handle possible IllegalStateException properly now.
Trying to delete location/directory from source file storage failed. Due to that, context information has not been properly updated. Solved by fail-safe deletion of source location in file storage. Note: Filestore identifier of affected contexts need to be manually adjusted in database.
This wasn’t a bug, it was a wording problem. This has been solved by changing wording for the avatar dropdown of “Change Password” for guests. Was confusing with Guard Guest emails. Changed to “Add login password” or “Change login password”. Adjusted title and button of dialog.
Changed ‘Broodtekst’ to ‘Berichtinhoud’.
Custom mail CSS did not work correctly because of missing class. This has been fixed by adding the missing class.
Do not apply overflow hidden for signature editor.
Missing user infostore folder not handled and regression of bug 64811. Handle missing folder and reuse existing tooling when looking up folder names.
A pending request blocked the window. This has been solved by correctly handling the error and unblocking the window. Also added documentation for this.
This has been solved by adding comments when “View” should be used as a verb.
When the default internal calendar account gets auto-provisioned concurrently when first being accessed simultaneously, a database error may be raised under certain circumstances. This has been solved by re-checking pending auto-provisioning operations after conflicting insertions.
Update favorite folders on account removal. Also react to error code FLD-1004 Storage account was removed for this folder.
String was not translated correctly. Fixed typo to solve this issue.
Evaluating a new ‘revtag’ request parameter in MW Ajax handler to detect a change of the underlying content of a request after revisionless save without adjusted ‘version’ parameter.
Not a real fix, but added null guard when searching for mails.
Uploaded files are directly streamed to destination storage with the consequence that reading from stream blocks possible file storage resources (e.g. connection in connection pool) for the time the actual upload is in progress. That behavior leads to more and more threads stacking up awaiting connections from connection pool. That huge amount of threads lets “VM Thread” run permanently leading to constant “stop the world” pauses making machine unresponsive. Solution: Spool uploaded files to temporary file to not block storage resources (e.g. connection pool) by possibly slow upload. Introduced a timeout (default is 30 seconds) when waiting for an available connection in HTTP connection pool. Changed filestore connectors to be responsive to ConnectionPoolTimeoutException.
Runtime error in Edge when using popup.close() stopped code execution. This has been fixed by closing popup at the very end to limit any impact on the promise chain itself.
This was caused by wrong root folder. This has been solved by always using the default (personal calendar) folder as root folder.
Screen size was used instead of “real” smartphone detection. This has been solved by switching to .smartphone class.
Fixed user documentation.
Fixed a wrongly chosen folder title.
This has been solved by ensuring a valid address is passed to “Disposition-Notification-To” header and that only a valid E-Mail address is accepted for “disp_notification_to” in JSON field.
Adjusted appearance like described in ““Google” Text” in the branding guideline.
Fix used default color.
Due to a bug in the folder clear logic that is invoked when a folder with many events is deleted, some entries were not deleted from the database. Those orphaned events with stale references to no longer existing folders cause problems whenever all events of a user are requested, e.g. from the portal widget of the App Suite client. The folder clear logic was fixed, an update task cleans those orphaned entries up in the database.
A problem in the serialization logic for extended properties of calendar components caused non-ASCII characters being corrupted during saving. Properly encode extended properties of calendar components during saving to solve this issue.
A superfluous check led to the “unregisterdatabase” utility reporting that also read-only schemas are possibly “in use”. This has been solved by performing “in use” check during “unregisterdatabase” for master database only.
Besides moving external root folders, also moving subfolders was prevented. The query has been modified to allow moving of external subfolders.
No delimiting CRLF when appending successive plain/text content. Fixed by properly appending successive plain/text content.
Added platform specific and version agnostic alert texts for supported browsers.
Threads piling up in push registration framework due to excessive locking in turn leading to unresponsiveness of the system. This has been solved by removing that lock by using higher level concurrency mechanisms and optimized to avoid unnecessary remote session look-up.
According to RFC 822 the local part needs to be quoted in some cases. Since this was only done in the MW the value could not be interpreted correctly. If the local part needs to be quoted this is now also considered in the Appsuite UI.
Changed translation to solve this.
Table height:100% breaks mail detail view. This has been fixed by adding a style to reset the table height in mail detail view.
A mismatch between the derived and registered class definitions may lead to a serialization error when using the Hazelcast-backed token login container. A defined order of field definitions is now used during (de-)serialization of portable sessions.
Incorrect initialization of in-memory byte array when transferring a nested message’s data to a new message. The generated byte array contains a 0-byte remainder. Solution: Proper initialization of the in-memory byte array, which prevents the 0-byte remainder.
If the organiser is not an attendee (Outlook), the locale for the notification recipient was not set. This has been fixed by adding the acting user’s locale in this case.
Edge was recognized as IE with a higher version. This has been fixed by improving the browser check.
The search in USM was restricted to three fields. Added more fields to search for: email1, email2, email3, nickname, second_name.
It was not possible to map feedback app names to custom names. This has been improved by adding a new extension point to process feedback data, so the mapping can now be added in customizations.
Allow changing and overwriting the user agent when using tokenlogin.
The regular expression in the link parser was too greedy, which led the parser to not append the appropriate target and rel attributes to the link. This has been solved by fixing the regular expression.
If multiple transport mails are supposed to be sent, the whole operation fails when the send attempt for one mail fails. Solution: Do not abort sending multiple transport mails if the send attempt for one mail fails.
Avoid possible StringIndexOutOfBoundsException when URL-decoding a string.
CID URLs in iMIP were not encoded and decoded correctly, so that the referenced MIME part could not be looked up successfully. This has been solved by correcting encoding and decoding of “cid” URLs in invitation mails.
Corrupted mail with invalid multipart delimiters and invalid charset name quoting leads to failure when parsing/displaying the affected mail. Solution: Deal with possibly quoted charset names on charset look-up. This fixes the exception when looking up a charset by charset name, but does not display reasonable content since the multipart delimiters are corrupt in the mail’s source. The user sees: This mail has no content.
Appointment color was only considered if the user is the owner of an event such that the user can select the color for the whole public folder. Now the appointment colors are considered for organizers and organizers_on_behalf.
When mail.loginSource=name, the userLoginInfo is returned for mailConfig.login, which is null for Guests and throws a Missing error. Fixed by allowing a null value for Guests.
Avoid possible java.lang.StringIndexOutOfBoundsException when parsing SIEVE script.
Setting to disable the birthday calendar did not check capabilities.
Growing inconsistencies in the general cache caused a massive amount of log messages, keeping CPUs constantly busy. Improved general caching to use a single map instead of trying to manage two resources (map & queue) for implementing LRU behavior.
Signatures with whitespace were also filtered. This has been solved by adjusting the filter for signatures.
Added an index for column “filestore_id” to “filestore2user” table to not examine every row of the column.
Internet Explorer lacks the function.name property and therefore tries to compute the function name from the source code. If the function has no name due to minified code, this regex fails and therefore yields no result. This has been solved by making the code robust enough to work both minified and not minified.
Reordered delete statements in the Update Tasks.
The requested date was converted by the backend and then a second time by the frontend. Now the UTC date is requested from the backend.
Folder names were translated based on the locale of the sharing user. Now they are translated based on the locale of the guest user instead.
This fix has been reverted because as a user I can create appointments without organizer in public calendars now.
Callback function was expecting a string. This has been solved by making it work with strings and error objects.
Chrome blocked the blankshield plugin. Do not use blankshield in Chrome (it supports noopener, so blankshield is not needed).
Feedback button was located in io-ox-core. This has been fixed by moving the Feedback button to io-ox-screens.
Regional settings (e.g. decimal separator) were bound to login language. Regional settings can be changed manually in user settings.
Middleware’s Sproxyd connector refused to store an empty file to the Sproxyd end-point and failed hard when trying to delete a non-existing file. This has been solved by allowing an empty file to be stored to the Sproxyd end-point and by not failing when trying to delete a non-existing file from the Sproxyd end-point.
“ISO-8859-1” charset is assumed for every string value in MAPI properties of a TNEF-encoded attachment. This has been solved by detecting the proper charset (e.g. by code page attribute) and using that to get the string value.