Last Update: 2024-04-16
CVSS:8.2
Selector for icon accidentally used translated string. Use static string instead.
SMTP host information advertised as “None” in case SMTP authentication is disabled through configuration. Now do not advertise SMTP host information as “None” in case SMTP authentication is disabled through configuration.
CVSS:5.3
CVSS:5.3
Warning was not added to baton and therefore not processed. Warning gets added to baton now.
Was caused by missing convert of ‘\n’ to ‘br’ when html is preferred mode for mails. This has been fixed by adding the missing convert.
Unexpected premature termination of byte stream when reading content from S3 end-point. When having two folders named e.g. “resumé” and “resume” only one folder gets into the data export. This has been solved by adding an option to enable conversion of Unicode characters in ZIP archive entry names with somewhat reasonable ASCII7-only characters: com.openexchange.gdpr.dataexport.replaceUnicodeWithAscii
Default value is false. So, when setting it to true ZIP archive names like “résumé” are converted to “resume”.
Incompatible timezone identifier gets cached along with overridden instances, which causes problems when re-loading the data from the cache. Normalize recurrence identifiers prior to processing events from external iCalendar source to solve this.
Priority not kept when restoring a compose window from formerly saved draft message. This has been solved by keeping priority when editing draft messages.
Print as PDF did only work for Office files and PDF files. This has been fixed by enabling that images can be printed via “Print as PDF” too. Plain .txt files are enabled now too for “Print as PDF”, which was also not possible before.
Focus was not set to list after action. This has been fixed by setting focus to next list item after action.
Several fallback mechanisms led to duplicate entries. This has been fixed by no longer importing an already existing email.
Remaining whitespace in tokenized query after non-word characters have been replaced. This has been solved by trimming pattern after replacing non-word characters in client-supplied token.
Generic error returned when vCards exceed the maximum size during bulk import. This has been solved by explicitly handling too large vCard during bulk import requests.
Missing log message for failed authentication attempts against primary mail/transport server. This has been solved by logging failed authentication attempts against primary mail/transport server.
Missing convert of ‘\n’ to ‘br’ when html is preferred mode for mails. This has been solved by adding missing convert of ‘\n’ to ‘br’.
Button was drawn but not visible. This has been fixed by triggering ‘complete’ to adjust height again.
For some cases, the resolving of the index targets seems to fail for html output, while it works for pdf output. This has been solved by adapting the DocBook source code so the resolving of the link targets works also for html in all cases.
Wrong data from external calendar source taken over as-is. This has been fixed by adjusting bogus all-day dates prior to storing event data from subscriptions.
Too low settings for HTTP connection pools for both - auto-config server and ISPDB end-point. This has been solved by increasing settings for HTTP connection pool of both - auto-config server and ISPDB end-point - while lowering values for read and connect timeout.
SMTP host information advertised as “None” in case SMTP authentication is disabled through configuration. Now do not advertise SMTP host information as “None” in case SMTP authentication is disabled through configuration.
Possible java.lang.StringIndexOutOfBoundsException when trying to decode subject string obtained from ENVELOPE fetch item. Fixed possible java.lang.StringIndexOutOfBoundsException when trying to decode subject string obtained from ENVELOPE fetch item.
Lock entry not cleansed from database in case temporary database outage/inaccessibility occurs. This has been solved by enhancing acquired lock by a time stamp that gets periodically touched (every minute). Consider lock as expired if not touched for more than 5 minutes.
“[ ]” were not part of suffix characters we use in our regex to detect the end of links, similar to “, . ?” etc. This has been fixed by adding “[ ]” to possible suffix characters.
Capabilities were not used correctly, selectors were no longer valid and tour accidentally opened the chat app. This has been solved by adjusting selectors and capabilities and no longer opening the chat app.
The local time zone was used to render the timestamp in the filter rule. This has been solved by now using UTC for rendering.
Wrong selection of day with certain (work)week settings. This has been fixed by removing the basic-setting-dependent .startOf(‘week’) and replacing it with startOf(‘isoWeek’), in addition to a small adjustment for choosing the correct day.
Settings were not updated and may contain old account name. This has been solved by updating settings correctly.
A broken image link leads to failure of send/transport attempt. Solution: Don’t let failed image URI resolution prevent a mail from being sent.
Existent data export tasks silently deleted if associated user/context no longer exist. This has been fixed by not deleting such “orphaned” data export tasks when invoking listdataexports command-line tool.
Unexpected premature termination of byte stream when reading content from S3 end-point. This has been solved by resuming reading content.
A translation from a previous bugfix was missing. This has been solved by adding the missing translation.
Lifetime of USM sessions to the OX backend is now much shorter than expected by USM. This has been fixed by setting parameter staySignedIn=true at http-api call for login.
A combination of changes and streamlining caused loss of firstname and lastname, company was used as fallback. This has been solved by adding available data where possible so company name is not used as fallback, prefer display name over company name for external participants.
Draft was saved before all delete requests were processed. This has been solved by waiting for all delete requests to be resolved, also if draft gets deleted.
Was caused by possible long-running Matcher.find() invocation. This has been fixed by adding a fast plausibility check and introducing a timeout-aware matcher alternative that respects a passed timeout whenever matching the input sequence or finding a certain sub-sequence is requested, to avoid possibly long-running matcher invocations.
Missing mapping for “use count” field. This has been solved by adding missing mapping for “use count” field.
Context names are checked case-insensitively for equality when attempting to change a context’s name, and thus changing to the same context name with different case was considered a no-op. This has been solved by checking case-sensitively for equal context names when attempting to change a context’s name.
No response status distinction for read-only operations in If-None-Match/If-Match checks. This has been solved by using HTTP 304 response during If-Match/If-None-Match checks for GET and HEAD.
Missing special handling for error codes that advertise actual transport succeeded, but append to standard sent folder failed. This has been fixed by adding special handling for error codes that advertise actual transport succeeded, but append to standard sent folder failed.
Inconsistent translation of ‘notes’. This has been fixed by adjusting translations.
Too many occurrences of low-level HTTP end-point pools for initialized Sproxyd clients. This has been fixed by adding cache for low-level Sproxyd HTTP end-point pools.
The caches implemented by ConcurrentMaps are never cleaned and can leak for e.g. requests that include rest-like endpoints like mail attachment downloads. This has been fixed by using Google cache with expiration after 30 minutes without access instead of a regular map, which holds entries forever once put into it. Moreover, several caches storing information grabbed from DispatcherNotes are folded into one cache.
Collection of context-associated time stamps might grow constantly. This has been fixed by clearing collection of context-associated time stamps when last session for a certain context terminates.
Inefficient max. size restriction of in-memory folder cache. This has been fixed by using the SessionD events when the short term sessions are removed and using the Guava cache’s expireAfterAccess method with a decent max time that should only remove stale entries.
The filter cannot evaluate type ‘auto’ for text colors in shapes (Presentation and Spreadsheet, ooxml). Solution: Instead of sending ‘auto’ when the user selects ‘Auto’ as a text color, the best text color is evaluated corresponding to the shape background. This calculated color is sent to the filter.
When an image is inserted via the buttons in template drawings, the mousedown happens on the content root node, but the mouseup does not. But these events are registered for an optional scrolling. Therefore the scroll position was not correctly adapted when the user changes the slide using the slide pane and does not click at least once into the document after inserting the image. This has been solved by checking the target nodes for mousedown and mouseup events that are required for scrolling.
Document was not flushed before the copy was created in Drive. Flushing saves all pending changes which, in Spreadsheet, includes committing the cell edit mode. Solution: Flush document before starting to copy the file in Drive for user actions “Save As” and “Save As Template”.
Templates contained more than 5 different languages on XML level. This has been fixed on XML level, replaced all (western) lang attrs to be only en-US for EN templates, de-DE for DE templates.
Event listeners were still listening on an old collection. This has been fixed by adjusting event listeners after folder rename.
Single and double clicks on the same element were competing and led to inconsistent behavior. This has been fixed by treating double clicks as single clicks on list elements in list layouts.
Timing issue with extension point and DOM events. This has been solved by explicitly updating token field view after all extensions have been executed.
Buttons were not enabled after dialog gets idle. This has been solved by setting dialog to idle also when cropped image can’t be loaded.
Different generation of fallback attachment filename extension. This has been solved by using the common method to yield fall-back name with a reasonable file extension.
Unexpected trigger of update task for a schema that is currently checked for possible expired composition spaces. Skip clean-up of expired composition spaces for those schemas that are currently updated or need an update to solve this.
Sender’s full name for introduction in drive mail notifications escaped twice. This has been fixed by escaping sender’s full name for introduction in drive mail notifications only once.
MacOS client sends unconditional DELETE for no longer listed vCard resources after list of synchronized folders changes. This has been solved by using variable path to special aggregated collection with different modes for macOS clients, introduced new modes for folders in aggregated collection.
Missing package import for com.adobe.internal.xmp.impl in c.o.server bundles’ manifest file leads to errors when parsing special kind of image metadata via metadata-xtractor. This has been solved by adding com.adobe.internal.xmp.impl to ‘Imported packages’ section of c.o.server manifest file.
Equal exceptions chained multiple times. This has been solved by avoiding chaining equal exceptions multiple times.
Possible concurrent modification of storage objects is quitted with “HTTP/1.1 423 Locked” status response leading to abortion of request processing. This has been fixed by introducing retry mechanism with exponential back-off in case Sproxyd service quits request with “HTTP/1.1 423 Locked”.
Intermediate clean-up task unexpectedly dropped file storage resources. This has been solved by not running clean-up task when there are currently running data export tasks.
Was caused by missing check for admin rights. This has been fixed by not filtering the calendar if the user has still admin rights.
ForwardUnquoted was not recognized by plaintext editor. This has been solved by adding forwardUnquoted detection for plaintext editor.
Intermediate clean-up task unexpectedly drops file storage resources. This has been solved by not running clean-up task when there are currently running data export tasks.
In the specified environment, the comment ID was transferred to OX Presentation, but it was not found in the parameters of the application launcher. This has been solved by finding and evaluating the transferred comment ID in application launcher for OX Presentation.
PDFTool does not return at all with some rare, yet unknown PDF documents. A maximum runtime needs to be introduced for each call to the PDFTool (similar to watchdog for RE processes), returning an error after the configured jobExecution timeout time and responding to the appropriate request in time.
Primary address was used in all cases. This has been fixed by adding recipient parameter when calling api.ack and in case mail sent to alias address also this one is used for ack.
With WebSockets disabled, desktop notifications for mail didn’t fetch a contact image. This has been solved by refactoring mail desktop notifications to use the same message style as with WebSockets enabled.
Was caused by missing listener to detect whether the vcard is attached or not. This has been fixed by introducing missing listeners.
This was caused by a missing trigger and listener for reset events. This has been solved by adding missing trigger and listener for reset events.
Settings pane for account was not updated when recovering passwords. This has been fixed by adding listener to refresh and update the account settings pane.
The header and footer were absolute positioned, which doesn’t play nice with a flex layout. This has been solved by refactoring markup to use flex layout as it is intended.
The signature content was not correctly recognized when switching from plain text to html editor. This has been solved by removing signature on editor toggle and appending it again afterward.
Personal part taken over from referenced message, which might be manipulated by sender. This has been fixed by discarding personal part when pre-filling the “From” address.
A modified “subscribed” or “usedforsync” status in one of the underlying folders is not recognized during the incremental synchronization of the aggregated collection in CardDAV. This has been fixed by including folder state in sync-token of aggregated collection for CardDAV.
Possible stack overflow (application recursed too deeply) while parsing addresses from an E-Mail header, which was syntactically broken. This has been fixed by avoiding possible stack overflow (application recursed too deeply) while parsing addresses from an E-Mail header, which is syntactically broken. Display that message as well as possible.
Unknown timezone in invitation not interpreted correctly. More sophisticated comparison of parsed timezone observances during import.
Deletion of data export task fails due to missing/absent user/context entities when querying appropriate schema reference for a user to operate on correct database. This has been solved by making config-cascade robust towards missing/absent user/context entity.
A user is not able to update an event that was initially organized externally. Solution: Allow attendee changes if assumed to be initiated by an external organizer.
Probably update for German for a 7.10.4 bug fix was not applied. This has been solved by adding missing translation.
The short drag started the drag and drop mechanism of the appointment. Usually, this will not be a problem, but if the appointment is not within the displayed timeframe, the drag and drop mechanism does not work. This has been solved by disabling drag and drop for appointments that are not within the visible timeframe.
Theme has been translated with Design and Design has also been translated with Design. This has been solved by changing the translation of Theme from Design to Theme.
The header and footer were absolute positioned, which doesn’t look nice with a flex layout. This has been fixed by refactoring markup to use flex layout as it is intended.
Built-in retry mechanism does not work in case a MySQL deadlock error occurs, which suggests to restart transaction. This has been solved by orderly passing SQLException as cause to wrapping StorageException to let built-in retry mechanism kick-in.
Copyright notice in as-config-defaults.yml file was not aligned to current year. This has been solved by changing copyright notice in as-config-defaults.yml file.
Due to incorrectly linked events, the portal widget does not always detect when events are changed. The incorrectly linked events were adjusted accordingly to solve this issue.
Checked for the wrong attribute when trying to detect if forwardUnquoted is set to true. This has been solved by checking for the right attribute.
No conversion to default time zone when printing in month and week view. This has been solved by adding time zone conversion.
UI was not updated after recovering accounts. This has been fixed by triggering a UI update when accounts are recovered.
Appsuite uses link text as display name. Appsuite now uses the address as display name because it is not sure that the text is the name.
iOS date input style causes odd side effects with our autocorrect mechanics. This has been solved by disabling autocorrect mechanics on iOS devices.
Firefox has odd focus behavior, scrolls to bottom on focus, and ignores scroll top function. Defer scroll top to fix Firefox focus bug.
Added DEBUG logging to track opened, modified, and listed composition spaces.
That change introduced debug logging whenever a composition space is created/deleted. To be enabled with:
The company and department fields were not checked if they were set in the actual contact object. This has been solved by checking if the company and department are set in the actual contact before adding them to the vcard file.
Internal detection of Mac OS address book not working anymore after latest upgrade of client OS. Indicate privileges from default folder also for root collection if aggregated collection is used to solve this issue.
Clean-up task does only work for active users since a session is needed. Those belonging to inactive ones are not considered and might therefore remain. This has been solved by refactoring clean-up task for expired composition spaces to have a global task considering any open composition space.
Possible HTTP proxy not correctly considered when establishing a socket connection to IMAP, SMTP or POP3 end-point. This has been fixed by orderly using JavaMail utility class for establishing a socket to ensure HTTP proxy is correctly considered.
Was caused by possible leftover files during data export run. This has been fixed by explicitly checking for possible orphaned data export files during runtime.
Decoding with URLDecoder caused the plus sign to be converted into a space character. This has been solved by fixing the URI decoding.
Was caused by wrong showAdmin check for contact count. This has been fixed by adjusting the check.
Likely a database error happens when trying to create or modify an appointment, but unfortunately the clean-up code itself raises an error that overlays the original one. Thus it is not possible to see the database error causing the failing create/update. Don’t overlay possible exceptions when performing clean-up stuff. The associated change cannot be considered as a fix for this issue. However, it is necessary to detect what is really going wrong when attempting to create or modify an appointment.
Standard display message advertised to client in case error “PSW-0001” (“Cannot change password…”) occurs when a user attempts to change his/her password. This has been solved by adding better understandable display message when error code “PSW-0001” (“Cannot change password…”) is advertised by Open-Xchange Middleware.
Very big HTML content does not fit into a single packet transferred from Middleware to database due to ‘max_allowed_packet’ setting. This has been solved by paying respect to ‘max_allowed_packet’ setting and introducing a disk-based volatile file cache for storing big message contents that do not fit into database (or into transport packet).
No conversion to default time zone when printing in month and week view. This has been fixed by adding time zone conversion.
Null check for relay state was not sufficient. This has been solved by properly checking for empty relay state.
Mozilla changed the user-agent string to no longer contain Lightning, probably because the previous calendar plugin is now integrated into the Thunderbird core. We adjusted our documentation to handle this: https://documentation.open-xchange.com/7.10.4/middleware/miscellaneous/caldav_carddav.html
Possible web proxy configuration not always considered when establishing a mail/transport connection. Orderly consider possible web proxy configuration when establishing mail/transport connections to solve this.
Added INFO logging to APN/APNS HTTP/2 transport.
Was caused by wrong package name. This has been solved by using correct package name.
Carriage return in encoded value of organizer property prevents the reference to the deleted user being discovered correctly. This has been solved by disabling line folding when encoding organizer value, fix already stored values via update task.
Due to the backport of the Advisory Lock feature a small part was missed. This has been fixed by adding the necessary part to the PresenterDocProcessor to handle the REQUEST_JOIN correctly.
The z-index of the topbar was set to 2 because of another fix for Internet Explorer 11. This has been solved by not setting the z-index of the topbar to 2 and fixing the IE11 bug in another way.
Starting a new node can very seldomly lead to a merge situation, where Hazelcast changes its own uuid. That’s unexpected behavior and was not detected before. The OX Documents monitor implementation now checks the lifecycle events from Hazelcast more carefully and detects that a merge has been done. This is handled and internal classes are re-initialized to work with the new Hazelcast uuid (especially the JMS queue names are derived from it).
Wrong timezone was selected when parsing date input. This has been solved by using default timezone when parsing the date input.
The old value of autoOpenNotification was falsely used when changing the setting. This has been solved by using the new value instead.
When spam folder is empty and you move a mail to it (via “mark as spam”) folder count was still 0. This has been solved by adding a refresh of the folder.
UTC timezone was used instead of local time. This has been fixed by using local time when no timezone is given.
Primary address was unnecessarily checked. Don’t require primary address when checking mail account connectivity to solve this issue.
Missing SENDER field and no option to use a separate no-reply account for imip mails. This has been fixed by adding new configuration parameter to use no-reply account for imip mails and adding session user as SENDER to mail headers.
Check for duplicate account associated with same provider’s user identifier fails due to previously performed PW change (w/o restoration) because user-sensitive data can no more be decrypted. This has been solved by loading OAuth account meta-data w/o secrets (token & secret) when checking for existence.
Very big HTML content does not fit into a single packet transferred from Middleware to database due to ‘max_allowed_packet’ setting. This has been solved by paying respect to ‘max_allowed_packet’ setting and introducing a disk-based volatile file cache for storing big message contents that do not fit into database (or into transport packet).
Using multifactor authentication has broken the usage of USM/EAS, because USM/EAS does not support it. The error message does not contain enough details to recognize this problem. To recognize this issue we improved error details by adding the json result of the usm-json communication to the error message in case of OXCommunicationException or AuthenticationFailedException.
Orphaned change exceptions w/o corresponding series master event cause errors when being edited or deleted. Dialog was shown before UI checked if a series master existed. This has been fixed by checking if series master exists before showing the dialog.
Feed sometimes wrongly uses numeric character reference instead of char. This has been solved by adding a rule to replace those occurrences with simple quotes.
Quota usage was retrieved after the guest accounts were already created in the database, leading to the wrong number of “current” usage. This has been solved by retrieving actual amount quota before provisioning guest accounts.
Configured character-set encoding not honored by IMAP “LOGIN” command. This has been fixed by using proper character-set encoding for IMAP “LOGIN” command.
Address to notify not checked if covered by user’s aliases. If so, no notification should be sent. Do not advertise “disp_notification_to” field in a mail’s JSON representation if address to notify is covered by user’s aliases to solve this issue.
Requests with session-id/cookie mismatch led to cookies being overridden. In case of two browser tabs resulting from subsequent login attempts, both sessions would cross-invalidate themselves. This has been solved by only dropping session (and cookies) in case session could not be accessed due to an IP check error (request’s IP address differs from the one stored in session and IP check is enabled).
Back when the sorting order was changed to descending one case was not adjusted. This has been fixed by using desc sorting order when not using imap search.
When we receive a jms message we check if all header keys are valid. If it is not the case we will stop processing the message. This has been solved by changing the behavior in case there is an invalid header in the jms message. This event is locked, but processing of this message is not stopped.
Some error messages have been ignored by start script and pid file has not been removed. This has been adjusted to be more verbose on errors, and killing the pid-file.
Was caused by custom print rule of individual mail applies. This has been fixed by overwriting css page property.
The dropdown overlapped the viewport. Now, when overlap is detected make dropdown scrollable.
In some cases not the “total” value of a folder was used for display but a calculation. If the setting “com.openexchange.showAdmin” is set to false the displayed value differs from the actual number. If the folder supports the “total” value this value will be used now. If the setting “com.openexchange.showAdmin” is set to false, the displayed value is calculated accordingly.
Request always added DISPLAY type alarms even if not supported. This has been solved by adding DISPLAY if supported otherwise using first supported type in the provided array.
Was caused by post-processing after calendar import is triggered per event group. This has been solved by importing post-process results in single task, enqueue long running import jobs.
Default delimiter was used. This has been fixed by setting delimiter to “none” for search/find.
CSS rule for overflow was overruled. This has been solved by improving selector so overflow rule is active again.
Case-sensitive check if provided E-Mail addresses are contained in set of user aliases. This has been solved by ignore-case checking if provided E-Mail addresses are contained in set of user aliases.
Too little logging to track down validation failures and abortion of overall batch import/insert operation in case a single event cannot be added. This has been solved by enhancing logging for those events that cannot be inserted due to validation failure and making the destination calendar storage used by the user-copy operation “resilient”.
Exchange uses non-standard timezones in its ical. We did not adjust these timezones when subscribing to an ical feed. This has been solved by also adjusting Exchange timezones to olson timezones when subscribing to an ical feed.
The recurrence rule is invalid. It has a full-time (floating) start date but a Zulu Time Until value. This has been fixed by using the same recurrence rule adjustment as for the import path.
Inconsistent composition space state referencing to non-existing resources in (S3) file storage. This has been fixed by orderly advertising error code “MSGCS-0006” (NO_SUCH_ATTACHMENT_RESOURCE) if read attempt from storage yields “FLS-0017” (FILE_NOT_FOUND) error and dropping the non-existent attachment from parental composition space.
This has been fixed by considering credentials optional in case authentication is disabled.
Was caused by missing check for zoom support. This has been solved by adding check for zoom support.
Connection was not reused and Keep-Alive not set. This has been solved by enabling connection keepAlive and setting a ConnectionReuseStrategy so that connection keep alive duration will be considered and a “Keep-Alive” will be set in the request.
Some images don’t contain a timezone in addition to the capture date. In those cases the library which extracts the capture date uses the GMT timezone as a fallback in case the timezone information is missing in the exif data. This has been solved by using the user’s timezone as a fallback for the capture date instead. Please be aware that this is still not a perfect solution for this problem. For example it depends on the timezone configuration of the appsuite when the image has been uploaded. So for example in case the timezone between the camera and the appsuite is different this leads to similar problems. Or in case the timezone of the appsuite is changed then images uploaded before and after the change have a different offset. Also this fix only applies to newly uploaded files. Existing files are still going to show the capture date based on the previous calculation which used the GMT timezone.
Action was checking device guest, which doesn’t work obviously. This has been fixed by adjusting check so it checks for capability guest.
Missing handling when a date in the list collection changes. This has been solved by listening for startDate changes and change labels accordingly.
Possible endless loop when the task iterator is initialized from an already interrupted thread. This has been solved by abort waiting for pre-reader if the current thread was already interrupted.
Excessively long-running operation to look-up a subsequence/pattern in HTML content. This has been solved by adding conditions for early abort and ultimately shield from too excessive matcher execution.
Only a user’s own “collected addresses” folder was considered for translation. This has been solved by dynamically translating special collected addresses folders from requesting user’s point of view.
“pref” parameter is used by the server to differentiate between multiple numbers of the same type, while the client only recognized one “pref”, as general preference. This has been fixed by only adding “pref” parameter when exporting TEL properties if required. Note that this is only a mitigation, e.g. when there are multiple “cell” or “home” numbers, the “pref” parameter will still be set.
The disable check for the ‘create folder’ button was not working correctly, therefore it displayed the enabled button for cases where it’s not possible. When creating a folder in these not working cases, the error occurred. This has been fixed by adjusting the enable/disable state of the ‘create folder’ button. Therefore, the button is not clickable in wrong cases, the error can’t happen anymore.
In Customer integrated Drive the fileId is unique for each user so we are not able to detect that two users edit the same document. This has been solved by extracting the part of the Id which is only unique for the file.
A recent change altered the tinymce editor content was changed from raw to html, which led to stlying issues.This has been solved by using html format when saving signatures but keep raw format for compose actions.
Text was set to 100%. Translation part: “Speicherplatz” was changed to “Kontingent” to cover both Email storage and number of Emails. But as we talk about storage here, I changed it back (also in other cases). This has been solved by using actual numbers instead of 100%. Translation part: Changed “Kontingent” to “Speicherplatz”.
Folder api tried to request virtual folders via path request. This has been solved by adding an early check to prevent the error. Also fixed code that expected the error. Note: This is mostly a cosmetic fix so there is no error in the logs. The UI switches back to the default folder in case an invalid folder was requested and a user can work normally again.
Coding error when attempting to delete from files storage on user/context deletion. This has been solved by avoiding java.lang.ArrayStoreException by passing proper argument when attempting to delete from files storage on user/context deletion.
This was caused by inaccessible contacts, e.g. some contact which was once shared but the permissions have been revoked in the meantime. This has been solved by dropping alarms and also alarm triggers silently for the birthday calendar in case the underlying contact is missing or is inaccessible.
Internal notification mails are only sent to user attendees. This has been solved by sending notification mails to resource attendees by default, configurable through com.openexchange.calendar.notifyResourceAttendees.
Slightly different attachment check for get and all requests. In case the content-disposition header is missing, the get request, in contrast to the all request, considers the name attribute of the content-type header to identify attachments. This has been solved by considering the name attribute during all requests as well.
Update task accidentally removed when updating update task framework, although it was used as dependency for other tasks. This has been fixed by restoring removed update task.
User timezone not considered when formatting event start date for subject. This has been fixed by considering user timezone when formatting event start date in subject of alarm mail.
ToolbarView’s selection change did not trigger a redraw (strict: true). This has been fixed by just setting strict to false.
Missing frontend counterpart of backend feature. This has been solved by adding 610 as unsupported sort option with fallback 661.
This was caused by missing context. This was solved by changing to suggested message.
Basic detection of Edge was added a while back, but noopener feature has not been adjusted. This has been solved by reporting noopener support for Edge based on Chromium in internal functions.
Non-chromium-based browser was applied for chromium-based browser. This has been fixed by differentiating detected edge browser by version number (79+ represents chrome-based).
App Suite UI side limit that requests user details only for at most 1000 members; this limit only affects the settings pane “Groups”. This has been fixed by introducing a customizable setting and now also informing the user when the limit was hit.
Missing property that identifies open read receipts for seen messages. This has been solved by providing property for seen messages also now (unless read receipt was sent). Additionally flag 512 can be used to identify an already sent read receipt.
Editor content was not part of new/update requests when oximage tinymce plugin wasn’t loaded. This has been solved by ensuring editor content is used.
During toggling between normal and thread view the collection gets reset but the complete flag stays on ‘true’. So no collection will be loaded as long as there aren’t enough mails for pagination in the current folder that triggers the incompleteness. This has been solved by setting the complete flag to ‘false’ manually so that a reload will be triggered.
When ‘search’ collection gets expired via expire() the ‘expire’ property got reverted immediately. This has been solved by manipulating ‘expired’ property directly.
There is a small time gap between the POST /compose/:id/attachment request reporting a progress of 100% and the upload call resolving. This is the time the server needs to finally store the attachment somewhere. If the mail is sent in exactly this gap, a race condition between sending and attaching the image to the mail might occur. Waiting until the attachment upload has been resolved before the mail send process can be started solves this issue.
Wrong comparative operator was used. This has been fixed by adjusting the comparative operator.
Detected & applied wrong start time range to scheduler of GDPR data export tasks. Detect & apply correct start time range to scheduler of GDPR data export tasks to solve this issue.
Calendarserver-subscribed is always announced to CalDAV clients. This has been solved by only announcing the ical subscription capability for CalDAV clients with “calendarserver-subscribed” when the fitting property, “com.openexchange.calendar.ical.enabled”, is enabled AND the corresponding services are available.
Custom MAL implementation does not orderly mark the standard folders. Now manually check for possible standard sent folder in case marker is absent for com.openexchange.mail.dataobjects.MailFolder instance to solve this issue.
Mail content was read for detection of non-inline parts, which are supposed to be passed to document-converter service (that might be absent). Don’t trigger document preview if associated capability is absent and avoid reading mail text for detection of non-inline MIME parts. Note: In case Document-Converter is deployed on customer’s installation, accessing MIME message’s file attachments is done by intention.
Error thrown when Reply-To header can’t be parsed; actually the In-Reply-To header should be used. This has been solved by using the In-Reply-To header.
The problem is that the SMTP server in question uses the reserved return code 552 “Exceeded storage allocation” incorrectly to advertise that the message to send has been blocked due to spam/phishing detection. Unfortunately, there is no deterministic detection possible since the accompanying text for the 552 return code may be arbitrarily chosen. Only a heuristic can be used here. Check accompanying text for the 552 return code for occurrences of “virus” or “spam” to interpret message as being blocked e.g. due to triggering a filter such as a URL in the message being found in a domain black list.
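The 552 heuristic described in the entry above, sketched as an added example (not Open-Xchange code): it parses a possibly multi-line SMTP reply and checks the text of a 552 reply for “virus” or “spam”. The function names, result labels and sample replies are constructed for illustration.

```javascript
// Added illustration, not Open-Xchange code. All names are hypothetical.

// Keywords named in the changelog entry for the 552 heuristic.
const FILTER_HINTS = ['virus', 'spam'];

// Parse a raw SMTP reply into { code, text }. Multi-line replies use
// "552-" on continuation lines and "552 " on the final line.
function parseSmtpReply(raw) {
  const lines = raw.split(/\r?\n/).filter((l) => l.length > 0);
  if (lines.length === 0) throw new Error('empty SMTP reply');
  let code = null;
  const parts = [];
  lines.forEach((line, i) => {
    const m = /^(\d{3})(?:([ -])(.*))?$/.exec(line);
    if (!m) throw new Error('malformed SMTP reply line: ' + line);
    if (code === null) code = m[1];
    if (m[1] !== code) throw new Error('reply code changes within one reply');
    const sep = m[2] || ' ';
    const isLast = i === lines.length - 1;
    if (isLast && sep === '-') throw new Error('reply ends on a continuation line');
    if (!isLast && sep !== '-') throw new Error('missing continuation marker');
    parts.push((m[3] || '').trim());
  });
  return { code: Number(code), text: parts.join(' ').trim() };
}

// Classify a failed send. Only 552 is ambiguous: the accompanying text
// decides between a real quota problem and a content-filter rejection.
function classifySendFailure(raw) {
  const { code, text } = parseSmtpReply(raw);
  if (code !== 552) return 'other';
  const lower = text.toLowerCase();
  return FILTER_HINTS.some((hint) => lower.includes(hint))
    ? 'blocked-by-filter'
    : 'storage-exceeded';
}

// Constructed sample replies (not taken from any real server).
const SAMPLE_QUOTA = '552 5.2.2 Mailbox full, exceeded storage allocation';
const SAMPLE_VIRUS = '552 5.7.0 Virus detected in attachment';
const SAMPLE_MULTILINE =
  '552-5.7.1 Message rejected\r\n' +
  '552 5.7.1 URL found in domain block list (SPAM)';
const SAMPLE_OTHER_CODE = '550 5.7.1 Rejected as spam';
```

Because the text after 552 is free-form, a filter rejection that mentions neither keyword is still reported as a storage problem.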
Null connection returned to the DatabaseService. Don’t return null connection to the DatabaseService to solve this issue.
Unused API parameter prevented non-storing of attachments. When used, send/save led to errors and were not possible at all. This has been solved by removing API parameter streamThrough and locally spooling uploaded attachments before passing them on to save a draft or send an email.
Missing according DatabaseAccessProvider at runtime. This has been fixed by adding missing DatabaseAccessProvider for mail compose that is needed in case an Sproxyd file storage is used. This fix is based on revision 16 and is not part of any revision between revision 16 and 18. With next public patch in two weeks and revision 19+ all fixes between revision 16 and 18 will be included.
Open-xchange-session cookie was not set on successful /login?action=tokens response even though it should. This has been solved by writing session cookie on token login.
Used wrong default value. This has been solved by using correct default value.
Action command parser was missing. This has been solved by adding action command parser for set action.
No unique information for the TOTP account. Added the user’s login to the TOTP account.
A missing value within the legacy series pattern causes an unhandled exception when trying to convert it into a recurrence rule. Fall back to “first” week when converting monthly_2/yearly_2 patterns if not specified.
Missing upgrade package for hazelcast enterprise. This has been fixed by adding a hazelcast enterprise upgrade package: open-xchange-cluster-enterprise-upgrade-from-7102.
Session cookie has not been written to HTTP response. This has been fixed by writing missing session cookie on login.
Event data was only stored partly when an unexpected error occurred during saving of supplementary data like alarms. This has been solved by importing each calendar object resource within a separate transaction and extending the alarm validity check.
UnifiedInboxManagement OSGi service was not added to bundle’s needed/tracked services, which is required to check if an account is the special Unified Mail account. Solution: Orderly track UnifiedInboxManagement OSGi service to check if an account is the special Unified Mail account.
Drive document has been accounted to upload quota, but shouldn’t. This has been solved by not throwing an upload quota exceeded error in case file attachment is a Drive document.
Wrong version number for current version was assumed when auto-deleting file versions. This has been solved by passing proper current version number to auto-delete routine.
When using Google cache’s ‘get(key, loader)’ method, the passed loader must not return null. Don’t return null in passed CacheLoader instance to solve this issue.
UnifiedInboxManagement OSGi service was not added to bundle’s needed/tracked services, which is required to check if an account is the special Unified Mail account. Now orderly track UnifiedInboxManagement OSGi service to check if an account is the special Unified Mail account.
If “UTF8=ACCEPT” is advertised through IMAP server’s capabilities, there is no need to encode/decode the mailbox name (according to RFC 2060, section 5.1.3. “Mailbox International Naming Convention”). This has been fixed by avoiding decoding/encoding of the mailbox name in case “UTF8=ACCEPT” is advertised through IMAP server’s capabilities.
The caldav servlet doesn’t support operations on recurring tasks, but it also doesn’t filter recurring tasks out. This has been resolved by just filtering out those recurring tasks.
Actually undefined properties are cached at the “configuration” provider of the config cascade once they’ve been queried for the first time. This happens implicitly when the final scope is determined for a property that was picked up at another level of the config cascade. In case such properties are prefixed with “com.openexchange.capability.”, they’re also considered and evaluated to “false” when constructing the capability set for any other user, potentially overriding module permissions if they’ve been used in a discouraged way of using the permission identifier as capability property name. This has been fixed by ignoring undefined capability properties when building the capability set and adding debug logging to reveal problematic configurations.
USM cannot send an error message; the communication is restricted to the http return code for a failed login. Increased logging: Increase the level for those kinds of log messages from DEBUG to INFO.
A change exception where the series master event could no longer be looked up caused a runtime exception when converting the data to an appointment as used by the legacy calendar API. Now do not fail if the recurrence identifier cannot be converted to the corresponding recurrence (date) position.
Folder properties are protected, but the UI does not respect that. This has been solved by disabling the checkmark if the sync property is protected such that the user will not be able to sync google calendars for example.
Don’t attempt to re-encode subject string given by ENVELOPE fetch item to solve the Cyrillic encoding issue.
Some model changes might trigger long running redraw actions, which block the browser and might even lead to “long running script”-warning. This has been solved by preventing browsers from redrawing the whole list where possible.
Adjust to latest API behaviour when removing folders associated to accounts.
Websocket push using Socket.IO in combination with Grizzly TLS causes deadlocks in Grizzly selector threads. This has been solved by reducing lock scope in original implementation. Furthermore offer a whole different Socket.IO implementation that uses less locking overall.
This has been fixed by adding missing handling for this special case.
Code expected RSA key, failed with DSA. The fix removes the specified cast and uses the existing public key algorithm.
When serving the ‘all’ request, a potential exception is raised when recurrences are processed. Solution: Additional exception handling when processing loaded event data, increased logging capabilities.
Missing config switch in settings-list. Added missing config key to documentation.open-xchange.com
Issue was caused by race condition (multiple almost simultaneous removeRestorePoint calls).
Dependent on MAL implementation, an absent subject is returned as null, which confuses App Suite UI. Solution: Advertise a missing subject as an empty string within output layer.
Missing capability check before sending requests to the API. This has been solved by adding “global” capability check in internal API module.
URIs in href-elements within a PROPFIND request from a client may get decoded two times under certain circumstances, which might lead to a runtime exception whenever the original URI contains the percent sign ‘%’. Solution: Ensure to decode percent-encoded values only once.
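Why the second decode in the entry above fails, shown as an added example (not Open-Xchange code): each path segment of an href is decoded exactly once, and the outcome of decoding the result again is reported. Besides the exception, the example covers a second effect of double decoding, an encoded slash turning into a path separator. Function names and sample hrefs are constructed.

```javascript
// Added illustration, not Open-Xchange code. All names are hypothetical.

// Split first, then decode every segment exactly once. Splitting before
// decoding keeps an encoded "/" (%2F) inside its segment.
function hrefToSegments(href) {
  return href
    .split('/')
    .filter((segment) => segment.length > 0)
    .map((segment) => decodeURIComponent(segment));
}

// Decode once, then show what a second, accidental decode would do.
function doubleDecodeOutcome(href) {
  const once = hrefToSegments(href);
  try {
    const twice = once.map((segment) => decodeURIComponent(segment));
    return { once, twice, error: null };
  } catch (e) {
    // A literal "%" that is not followed by two hex digits is invalid input
    // for a decoder, which is the runtime exception the entry refers to.
    return { once, twice: null, error: e.name };
  }
}

// True when decoding the already-decoded href again changes nothing.
function isStableUnderRedecode(href) {
  const { once, twice, error } = doubleDecodeOutcome(href);
  return error === null && once.every((segment, i) => segment === twice[i]);
}

// Constructed sample hrefs.
const HREF_PERCENT = '/caldav/Calendar/100%25%20done.ics'; // name contains "%"
const HREF_ENCODED_SLASH = '/caldav/Calendar/a%252Fb.ics'; // name contains "%2F"
const HREF_PLAIN = '/caldav/Calendar/plain.ics';
```

A resource name containing ‘%’ is the only case that raises an exception; the `%252F` case passes silently but yields a different name, which is why decoding once is the correct rule rather than catching the exception.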
The contacts application in the latest macOS release introduced a bug where the current user’s privileges were derived from the virtual root, and not the actual contacts collection. This has been fixed by indicating privileges from default folder also for root collection for macOS client.
Accounts get refreshed now once a related folder gets updated to solve this issue.
Now a popup is displayed if maxlimit for the addresspicker is reached and “admin=false” parameter is respected if applying index range.
Name of external account was not offered after adding a new external mail account. This has been solved by adding handling for an active mail compose window when a mail account gets added/removed.
Mix-up of folder to account association when composing JSON response. This has been fixed by accessing folder in proper account.
Overlapping addresses were not correctly handled. This has been fixed by adjusting associated css.
Every rule in the stylesheet was treated as a css rule. This has been solved by treating rules according to rule type.
A NPE was triggered if start_time is not set (null). This has been fixed by using correct variable to determine UTC time difference.
This has been adjusted and for error code OAUTH-0013 button “Try again” is replaced by “Edit accounts” that links to corresponding settings pane.
No support for contentType multipart/alternative with initial new compose api. This has been solved by adding support for it; App Suite UI now sends this as a parameter. The MW will then create a html/text part from the html part.
Unit was not considered when checking size. This has been solved by adjusting check accordingly.
Selection is modified to get correct scroll behavior but not restored correctly afterwards. This has been fixed by restoring selection correctly.
Firefox has some issues with visibility hidden and descenders. This has been fixed by adjusting css with padding and negative margins.
Scroll behavior in enter key listener changed selection. This has been solved by checking shift key too and preventing execution in that case.
Some dead links and obsolete infos. This has been solved by cleaning up start page and removing obsolete information.
Existing mechanism to periodically perform a clean-up task for expired composition spaces might not trigger actual clean-up often enough. This has been solved by choosing another mechanism to periodically perform a clean-up task for expired composition spaces.
Duplicate task leads to abortion of user copy operation. Solution: Do not hard fail on duplicate task, but handle it gracefully.
Action command was not checked for drop down in mail toolbar. This has been solved by checking vacation action before rendering dropdown link.
The “!important” CSS style value was dropped. This has been solved by keeping the “!important” CSS style value.
Was caused by hard coded limit for future appointments of 3 years. This has been fixed by making this limit configurable in eas.properties: com.openexchange.usm.eas.appointments.future.time_limit
Was caused by separate handling for savepoints on smartphones and other devices. This has been solved by extending initial fix to also cover smartphones.
Wrong “API” parameter was used. This has been fixed by adding correct API string to the request.
For events where the (external) organizer is not attending, the timezone is not set explicitly and falls back to the system default. This has been solved by preferring event timezone in notification mails for external organizer that does not attend the meeting.