Aggregated bug-fixes for 7.8.3

Last Update: 2024-04-23

Patch Release 5232 (2019-05-13)

Shipped Components and Versions

Fixed Vulnerabilities

62465 CVE-2019-11806

CVSS: 3.3

Fixed Bugs

63240 Cannot open newsletters with new google chrome 72

Links opened by blankshield are blocked due to security reasons. Solution: Open links with rel=“noopener” directly in Chrome 72 and above. Note that this is just an intermediate fix and will be replaced as soon as the issue is fixed in blankshield.

Patch Release 5166 (2019-03-13)

Shipped Components and Versions

Fixed Vulnerabilities

63411 CVE-2019-9739

Patch Release 5105 (2019-02-11)

Shipped Components and Versions

Fixed Vulnerabilities

61771 CVE-2019-7159

CVSS: 4.1

61315 CVE-2019-7158

CVSS: 4.2

Patch Release 4964 (2018-11-19)

Shipped Components and Versions

Fixed Vulnerabilities

60089 CVE-2018-18462

CVSS: 5.4

60088 CVE-2018-18462

CVSS: 5.3

60025 CVE-2018-18463

CVSS: 4.8

Fixed Bugs

60889 Provisioning calls do not always consider server name/ID when looking up contexts

Missed possibility to check if a context exists in a certain server. This has been solved by adding the possibility to check a context’s existence in the scope of the registered server in which the called provisioning node is running. Thus the client is able to check beforehand in which setup a context exists.

60828 Segmented updates doesn’t work with multiple domains

The feature has been designed to only serve one migrationRedirect URL. This has been solved by adding the possibility to configure the migrationRedirectURL on a per-host basis via the as-config.yml.

60826 Sharing is not fully capable to deal with “segmented updates”

The LOCATED_IN_ANOTHER_SERVER exception was not properly handled in the ShareServlet. This has been fixed by handling the exception properly, i.e. redirecting the client to the appropriate node. Introduced a new migrationRedirectURL property for the ShareServlet to use in order to send a redirect to the correct node.

60455 Object doesn’t support property or method ‘from’ with mailto link with IE11

Code minifier broke the sanitizer plugin. This has been fixed by upgrading the code minifier to a newer version.

Patch Release 4861 (2018-08-20)

Shipped Components and Versions

Fixed Vulnerabilities

59507 CVE-2018-13105

CVSS: 3.5

58742 CVE-2018-13104

CVSS: 5.4

56558 CVE-2018-13103

CVSS: 4.3

56457 CVE-2018-13103

CVSS: 4.3

Patch Release 4842 (2018-07-19)

Shipped Components and Versions

Fixed Bugs

58186 Document converter breaks with Apache load-balancing

Due to active load balancing between Middleware and Documentconverter server nodes, the PDF results for creating each ManagedFile were taken from different Documentconverter server nodes. In some document cases, this might give slightly different results due to contained date or other fields, evaluated and written at conversion time on each Documentconverter node. This has been solved by ensuring that range requests for one document always create the same hash id even in case the file version is missing, and by adding appropriate synchronization code on a file id basis, which results in generating just one ManagedFile on Middleware side within the Ajax request handler. The PDF result file is created from one DC server node only for the sequence of range requests for one document, even in case the file version is missing.

Patch Release 4790 (2018-06-25)

Shipped Components and Versions

Fixed Vulnerabilities

58880 CVE-2018-12611

CVSS: 5.4

58874 CVE-2018-12609

CVSS: 6.5

58282 CVE-2018-12611

CVSS: 4.3

58256 CVE-2018-12611

CVSS: 5.4

58226 CVE-2018-12611

CVSS: 4.3

58161 CVE-2018-12611

CVSS: 4.3

58096 CVE-2018-9997

CVSS: 4.3

58051 CVE-2018-12610

CVSS: 3.7

58029 CVE-2018-9998

CVSS: 3.7

Fixed Bugs

58231 Extra blank line on each newline in signature

Replacing all new lines with br-tags caused long br-sequences. This has been solved by not replacing newlines with br-tags if the signature looks like HTML.

Patch Release 4744 (2018-05-09)

Shipped Components and Versions

Fixed Bugs

58333 Incorrect hyper-link encoding for certain links

In case hyper-links in mail contain percentage signs for URI parameters, those could lead to incorrect locations since we were encoding them twice. This has been solved by encoding just quotes in links.

Patch Release 4744 (2018-05-14)

Shipped Components and Versions

Fixed Bugs

58333 Incorrect hyper-link encoding for certain links

In case hyper-links in mail contain percentage signs for URI parameters, those could lead to incorrect locations since we were encoding them twice. This has been solved by encoding just quotes in links.
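The double-encoding effect described for bug 58333, as an added example (not OX App Suite code). Function names and the sample URL are constructed, and encoding both double and single quotes is an assumption about what "quotes" covers.

```javascript
// Added illustration, not OX App Suite code; names and URL are constructed.

// "Before": the href taken from the mail is already a valid, escaped URL,
// but the whole string is percent-encoded a second time, so "%" becomes "%25".
function encodeWholeHref(href) {
  return encodeURI(href);
}

// "After", following the fix as described: leave existing escapes alone and
// encode only quote characters (assumption: both " and '), so the value
// cannot terminate a quoted HTML attribute.
function encodeQuotesOnly(href) {
  return href.replace(/"/g, '%22').replace(/'/g, '%27');
}

// What the link target receives for one query parameter after it decodes once.
function paramSeenByTarget(href, key) {
  return new URL(href).searchParams.get(key);
}

// Constructed sample link: escaped "%" and space inside a URI parameter.
const SAMPLE_HREF = 'https://shop.example/search?q=100%25%20cotton&tag="sale"';

// Compare what the target would see under both strategies.
function compareEncodings(href, key) {
  return {
    twice: paramSeenByTarget(encodeWholeHref(href), key),
    quotesOnly: paramSeenByTarget(encodeQuotesOnly(href), key),
  };
}
```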

Patch Release 4669 (2018-04-23)

Shipped Components and Versions

Fixed Vulnerabilities

58023 CVE-2018-9998

CVSSv3: 3.6

57956 CVE-2018-9997

CVSSv3: 4.3

57692 CVE-2018-9997

CVSSv3: 5.4

57095 CVE-2018-9997

CVSSv3: 5.4

57016 CVE-2018-9997

CVSSv3: 5.4

56740 CVE-2018-5754

CVSSv3: 5.4

56407 CVE-2018-5753

CVSSv3: 4.3

Fixed Bugs

57644 HALO View complete blank

Added missing email1 parameter to halo click handler to solve this issue.

57168 Mail shows only blank body

Depth was not incremented when a style tag in the HTML body was added. This has been fixed by incrementing depth when adding CSS on style tag.

55362 Translation missing on upload timeout error

The error occurs too early to load at least the translated message. Static error messages for different languages are now added to index.html to solve this issue.

Patch Release 4618 (2018-03-26)

Shipped Components and Versions

Fixed Bugs

56034 OAuth not working if ending on other node

Prematurely failed to acquire a call-back URL in case local token map is empty. Do not prematurely fail to acquire a call-back URL in case local token map is empty to solve this issue.

Patch Release 4601 (2018-03-12)

Shipped Components and Versions

Fixed Bugs

56806 Google Drive cannot be added after adding an external Drive account and Gmail OAuth account

The link checked only whether a Google account had been added, but not whether this account was a Gmail or a Google Drive account. Now both are checked individually.

54765 Guest quota not working as expected

Guest quota was not working as expected. This has been solved by removing frontend quota check.

52107 Different display of name with comma

Parentheses were rigorously dropped from address strings. Solution: Keep parentheses in quoted personal part, e.g. “Doe, Jane (JD)” doe.jane@domain.de.

Patch Release 4554 (2018-02-07)

Shipped Components and Versions

Fixed Vulnerabilities

56740 CVE-2018-5754

CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

56718 CVE-2018-5755

CVSS: 7.7 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)

56706 CVE-2018-5752

CVSS: 6.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L)

56619 CVE-2018-5752

CVSS: 6.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L)

56582 CVE-2018-5754

CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

56580 CVE-2018-5754

CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

56477 CVE-2018-5751

CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

56359 CVE-2018-5756

CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

56334 CVE-2018-5752

CVSS: 6.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L)

56333 CVE-2018-5756

CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

Fixed Bugs

55894 Making rampup calls configurable for debugging

In certain environments the API rampup delivered inconsistent response times. We added debug logging if preconditions for this API exceed a specific threshold and added functionality to allow disabling those preconditions. Note that this serves solely to support debugging of actual issues and should not be used by default. See SCR-63 for more information.

55409 Inconsistent sort order at contact lists

Japanese sort order for contact lists at mail compose and the Contacts app were inconsistent. We updated the sort mechanism at those places to deliver consistent results.

Patch Release 4537 (2018-01-22)

Shipped Components and Versions

Fixed Bugs

56597 Report -o not working

Fixed parameter indices to make report working again.

56536 Send contact as vcard keeps loading with circle logo

Loading the source of the vCard failed. This has been fixed by adjusting the request.

56034 OAuth not working if ending on other node

JVM route information not added to redirecting call-back URL. Ensure JVM route is added to redirecting call-back URL to solve this issue.

Patch Release 4515 (2018-01-08)

Shipped Components and Versions

Fixed Bugs

56499 Incorrect attachment names in Japanese

Lenticular brackets were removed from the list of valid characters, which broke certain attachment names as those characters appear to be common in Japanese. We’re now maintaining those characters when providing attachment information.

56486 Incorrect attachment names in Japanese

RFC2231 encoded parameters were incorrectly decoded when handling attachments. This broke certain attachment names as such encodings appear to be common in Japanese. We’ve corrected decoding and now provide correct attachment information.
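An added example (not OX App Suite code) of decoding RFC 2231 extended and continued parameters from a Content-Disposition value, including a lenticular-bracket file name whose multi-byte character is split across two continuation segments. All function names and the sample header are constructed; defaulting to UTF-8 when no charset is declared is an assumption.

```javascript
// Added illustration, not OX App Suite code; all names are hypothetical.

// Split a header value on ';' while respecting quoted strings.
function splitParams(headerValue) {
  const parts = [];
  let cur = '';
  let inQuotes = false;
  for (let i = 0; i < headerValue.length; i++) {
    const ch = headerValue[i];
    if (inQuotes && ch === '\\' && i + 1 < headerValue.length) {
      cur += ch + headerValue[++i]; // keep an escaped pair intact
      continue;
    }
    if (ch === '"') inQuotes = !inQuotes;
    if (ch === ';' && !inQuotes) {
      parts.push(cur);
      cur = '';
    } else {
      cur += ch;
    }
  }
  parts.push(cur);
  return parts;
}

// Strip surrounding double quotes and backslash escapes from a value.
function unquote(v) {
  if (v.length >= 2 && v.startsWith('"') && v.endsWith('"')) {
    return v.slice(1, -1).replace(/\\(.)/g, '$1');
  }
  return v;
}

// Turn one segment into raw bytes. Extended segments carry %XX escapes;
// plain segments are taken byte for byte.
function segmentBytes(text, extended) {
  const out = [];
  for (let i = 0; i < text.length; i++) {
    const hex = text.slice(i + 1, i + 3);
    if (extended && text[i] === '%' && /^[0-9A-Fa-f]{2}$/.test(hex)) {
      out.push(parseInt(hex, 16));
      i += 2;
    } else {
      out.push(text.charCodeAt(i) & 0xff);
    }
  }
  return out;
}

// Returns { paramName: decodedValue }. The extended form (name*, name*N*)
// wins over a plain name="..." fallback when both are present.
function decodeRfc2231Params(headerValue) {
  const legacy = {};
  const segments = new Map(); // name -> [{ index, extended, value }]
  for (const part of splitParams(headerValue).slice(1)) {
    const m = /^\s*([^\s=*]+)(?:\*(\d+))?(\*)?\s*=\s*([\s\S]*?)\s*$/.exec(part);
    if (!m) continue;
    const name = m[1].toLowerCase();
    if (m[2] === undefined && m[3] !== '*') {
      legacy[name] = unquote(m[4]);
      continue;
    }
    if (!segments.has(name)) segments.set(name, []);
    segments.get(name).push({
      index: m[2] === undefined ? 0 : Number(m[2]),
      extended: m[3] === '*',
      value: unquote(m[4]),
    });
  }
  const result = {};
  for (const [name, segs] of segments) {
    segs.sort((a, b) => a.index - b.index);
    let charset = 'utf-8'; // assumption: default when none is declared
    const bytes = [];
    segs.forEach((seg, pos) => {
      let text = seg.value;
      if (pos === 0 && seg.extended) {
        // The first extended segment has the form charset'language'value.
        const p = /^([^']*)'[^']*'([\s\S]*)$/.exec(text);
        if (p) {
          if (p[1]) charset = p[1];
          text = p[2];
        }
      }
      bytes.push(...segmentBytes(text, seg.extended));
    });
    // Decode only after all segments are joined: a multi-byte character
    // may be split across two continuation segments.
    let decoder;
    try {
      decoder = new TextDecoder(charset);
    } catch (e) {
      decoder = new TextDecoder('latin1'); // unknown charset label
    }
    result[name] = decoder.decode(Uint8Array.from(bytes));
  }
  return { ...legacy, ...result };
}

// Constructed sample: lenticular brackets around a two-character name; the
// second character's bytes (E8 B3 87) are split between segments 0 and 1.
const SAMPLE_DISPOSITION =
  `attachment; filename*0*=UTF-8''%E3%80%90%E8%B3; filename*1*=%87%E6%96%99%E3%80%91; filename*2=".pdf"`;
```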

56415 Push related debug messages at log files

Registration and de-registration messages of push clients have been logged at INFO level before, which could create large amounts of log data. As this information is supposed to be used for debugging purposes, we’re now logging it at log-level DEBUG. This solution has to be validated in a production environment.

56400 Links missing in certain HTML mails

Specific HTML mails were handled incorrectly due to a recent sanitizing change for HTML style expressions. In cases where such styles got applied to hyper-links the link would potentially not work. We adjusted HTML parsing to avoid this.

56040 Mail addresses missing at auto-complete

In case the same mail address is used for multiple contacts, only one contact would be available when using address auto-complete for mail and other scenarios. To avoid this glitch we updated the filter to consider contacts to be unique in case their addresses are equal but names differ.

55872 Removed “Open in browser” for IE

Microsoft Office attempts to render documents within the browser instead of downloading them, however not considering cookies required to fetch the requested information. As a result user experience suffers when trying to view or edit MS Office documents stored within OX App Suite. For this and other reasons we decided to remove the “Open in browser” option when using IE-based browsers. We suggest to use OX Documents for in-browser editing work-flows.

Patch Release 4478 (2017-12-01)

Shipped Components and Versions

Fixed Bugs

0 Updated APNS certificates

Existing Apple Push Notification Service (APNS) certificates will expire on 2017-12-07, please update to make sure client devices continue to receive push notifications when using OX Drive.

Patch Release 4472 (2017-12-12)

Shipped Components and Versions

Fixed Vulnerabilities

56352 CVE-2017-17060

5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

56157 CVE-2017-17060

5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

56091 CVE-2017-17060

5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

56063 CVE-2017-17061

3.1 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

56056 CVE-2017-17062

3.1 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N)

56055 CVE-2017-17060

5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

55882 CVE-2017-17060

5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

55830 CVE-2017-17060

5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

55167 CVE-2017-17060

5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

54915 CVE-2017-17060

5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

51464 CVE-2017-17060

5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Fixed Bugs

56140 Cloud-Storage connection problem

Wrong check whether the used connection pool is currently unused/empty caused premature stopping of idle-connection-closer. Proper check whether used connection pool is currently unused/empty to solve this issue.

56071 Mail content not displayed

Garbled mail messes up IMAP server’s BODYSTRUCTURE information. This has been solved by reparsing mail manually in case IMAP server’s BODYSTRUCTURE information is messed up.

56034 OAuth not working if ending on other nodes

JVM route information was not added to redirecting call-back URL. Now ensure JVM route is added to redirecting call-back URL.

55964 High load on ConfigDB since update to latest Patch

Excessive ‘SELECT cid FROM context_server2db_pool WHERE server_id=xxx AND write_db_pool_id=xxx AND db_schema=xxx’ queries. This has been solved by optimizing collecting data for drive metric calculation and improved some locations which invoked ‘getContextsInSameSchema()’.

55831 Upon external drive account deletion, the UI still triggers requests that lead to errors

This has been fixed by adding a missing folder refresh.

54957 This message has been truncated due to size limitations. Show entire message - no images can be loaded

Accept new ‘forceImages’ parameter for ‘mail?action=get&view=document’ action. Also show extended action label only when external images are filtered out.

52523 NPE at com.openexchange.subscribe.mslive.MSLiveApiClient.getAccessToken

Added the missing service to the activator to solve this issue.

Patch Release 4447 (2017-11-15)

Shipped Components and Versions

Fixed Bugs

56001 mail folder not loading: String index out of range

Possible ‘java.lang.StringIndexOutOfBoundsException’ while parsing an address list. Fixed by orderly resetting the cached string length after the string was modified.

Patch Release 4440 (2017-11-22)

Shipped Components and Versions

Fixed Bugs

56041 Disableschema java.sql.SQLException: No value specified for parameter 14

The counter was not counting the parameters correctly when compiling the SQL statement. This has been solved by using the correct counter for cid when disabling schema.

55928 User email is visible in URL

It was possible to see the Guest user’s E-Mail address in a URL parameter. This has been fixed by replacing the E-Mail address with a ‘user-id@context-id’ tuple and adjusting the resolve logic accordingly.

55835 Folder rename in external accounts very slow

Inefficient check for duplicate/equally named folders and inefficient folder retrieval as well. This has been fixed by improving performance when updating a folder and fetching folder list afterwards.

55631 Unable to add external account due to fixed overlay

Fixed typo in login call parameters to solve this issue.

55532 Redirection not working on chrome but works on Mozilla

Links accidentally considered as harmful. Managed a dedicated list of identifiers for possible global event handlers to get all those links working again.

55433 Dutch Backend Translation Problem

Was resolved by adjusting Dutch Backend translation.

55044 OXTender for Outlook destroys SMIME signature

Possible empty line after multipart preamble was not maintained. Force a blank line before start boundary when writing out multipart content to solve this issue.

Patch Release 4426 (2017-10-24)

Shipped Components and Versions

Fixed Bugs

55881 Inbox not loading

The yielded ‘javax.mail.internet.AddressException’ in case of a parsing error may return ‘null’ when invoking its ‘getRef()’ method. This has been fixed by orderly passing parsed address string to fall-back address instance in case of parsing error.

Patch Release 4414 (2017-10-30)

Shipped Components and Versions

Fixed Bugs

55692 Mobile UI changes layout in jslob

Jslob also stores fixed settings that are applied for smartphones only. This has been fixed by not saving ‘layout’, ‘showContactPictures’ and ‘showCheckboxes’ for mobile devices.

55362 Translation missing on upload timeout error

Added missing translation.

55298 Maximum configured sized needs to be fixed for Japanese Error message

Fixed translation for “Maximum configured sized”.

55284 Possible to change threadSupport if protected

We had no consistent check whether threadSupport was enabled. In case ‘threadSupport’ is disabled, a potentially active folder view option ‘thread’ is also ignored to solve this issue.

52478 Duplicate service instance for singleton service “com.openexchange.session.ObfuscatorService” detected

Accidental duplicate registration for the same service instance. This has been fixed by removing duplicate service registration.

Patch Release 4393 (2017-10-17)

Shipped Components and Versions

Fixed Vulnerabilities

55703 CVE-2017-15029

CVSS: 3.1 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N)

55651 CVE-2017-15030

CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

55603 CVE-2017-15030

CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

55602 CVE-2017-15030

CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

55600 CVE-2017-15030

CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

55090 CVE-2017-13667

CVSS: 6.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L)

55068 CVE-2017-13668

CVSS: 3.7 (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N)

Fixed Bugs

55409 Contact sort orders are inconsistent between “address book” and “select address dialog”

Contacts were just sorted by the first character. This has been fixed by adding recursion when letters are equal.

55362 Translation missing on upload timeout error

Missing string in i18n. Added missing string to i18n; this is only the new string, the string itself is still not translated. The translation will be available with the next public patch.

55360 Potential XSS-Bug while handling Mail From

Possible control and/or white-space characters returned to clients. This has been fixed by dropping control and/or white-space characters from E-Mail addresses.

55271 File name incorrect Japanese characters

Fullwidth digits were replaced in file names. This has been solved by allowing fullwidth digits in file names.

Patch Release 4376 (2017-10-04)

Shipped Components and Versions

Fixed Bugs

55455 Contacts export and have EOL

LF character was used as line terminator in exported CSV files. Outlook was not able to handle those files. This has been solved by using CRLF sequence as line terminator in exported CSV files.

55425 Unclear behaviour on versioning when uploading files upper/lower case

File name check was case-sensitive. File names are now checked ignoring case to have a standardized procedure.

55175 Mail Module does not render thumbnails for .txt

This has been solved by adding txt to regex of supported file extensions for preview.

54750 TO: with IDN scrambled after reply

The mail sent by Thunderbird does not contain the ASCII representation of the mail address. Instead it contains the unexpected IDN representation. This was fixed in javax.mail as it deals with unexpected mail content. Try to parse with the default Java charset. If ASCII is provided (as expected) nothing will change.

Patch Release 4353 (2017-09-18)

Shipped Components and Versions

Fixed Bugs

55265 High load on configdb DB ReadSlave

Excessive querying of all context identifiers, likely caused by unnecessary “per node” initialization of default attachment storage cleaner. Solution: Efficient retrieval of distinct context identifiers per schema and refactored default attachment storage cleaner to be managed as cluster task (runs only once, no more per node).

55254 Rename / delete folders in OX Drive not possible

Creation of trash and public folders on demand was removed. This has been solved by reenabling the creation of trash and public folder on demand.

55229 Japanese text is garbled in App Suite

Some Japanese characters are not displayed correctly (garbled) in emails. This has been fixed by using “x-windows-iso2022jp” charset in case Java’s “iso-2022-jp” charset yields unmapped characters.

55175 Mail Module does not render thumbnails for .txt

This has been solved by adding txt to regex of supported file extensions for preview.

55162 Inline images at HTML mails disappear after a short time

Sometimes added inline images disappeared while composing a new email. This got solved by not advertising the Content-Length header for retrieved images from mail storage, as the associated MIME part does not provide the exact size.

51093 “Switch to parent folder” leads to hidden root for external storages

In case the com.openexchange.java-commons.logback-extensions bundle has not been started an attempt to register its MBean failed. Await availability of Logstash Socket Appender instance prior to attempting to register its MBean to solve this issue.

Patch Release 4327 (2017-09-04)

Shipped Components and Versions

Fixed Bugs

55251 Unused libraries were shipped

Removed unused libraries from com.openexchange.preview bundle.

55171 Mail Modules does not render thumbnails for TIFF and PSD

Missing handling for .psd and .tiff in mail preview. This has been solved by adding PSD and TIFF support to preview list.

55096 Dragging a folder into Drive in App Suite UI results in unspecific error

UI changed response so it looked like the currently logged in user confirmed the appointment. This has been fixed by using the actual user that confirmed instead of the currently logged in user.

55012 “Email has no recipient” message is shown after deleting a duplicated recipient

This was caused by same identifier in collection and has been fixed by using unique identifiers so there are no duplicates anymore.

54879 Quotes in email local part not allowed

Possible quotes (“) in local part of an E-Mail address were handled as special characters. Now orderly handle quotes in local part of an E-Mail address to solve this issue.

54232 File names are case sensitive

The filename reservation logic recorded possibly conflicting filenames in a map using case-sensitive keys. This has been solved by tracking possibly conflicting filenames ignoring case.

Patch Release 4317 (2017-08-21)

Shipped Components and Versions

Fixed Vulnerabilities

54915 CVE-2017-12885

CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

54838 CVE-2017-12885

CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

54592 CVE-2017-12885

CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

54579 CVE-2017-12884

CVSS: 3.6 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

54578 CVE-2017-12885

CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Fixed Bugs

54944 Subject line with UTF-8 characters are jumbled up

Mixed encoded values are not properly combined. Properly combine mixed encoded values to solve this issue.

54894 E-mail gets only displayed partly

Mail uses absolute positioning. Email exceeded internal limit (32KB) for specific post-processing. Raise size limit for that particular post-processing to 128KB for Chrome, 64KB for other browsers to display those emails.

54877 Tasks cannot be deleted

Duplicate entries were written to the del_task folder table. This has been fixed by only writing the most current ones.

54863 Restart of more than one middleware nodes take a long time

This has been solved by avoiding too many requests to all possible DB-Schemas and improving start-up of middleware nodes for setups holding millions of contexts.

54534 Socket monitoring support

To allow debugging potential network and remote service issues more efficiently, we added support to log connection status and usage metrics for each socket that gets opened to an external system (e.g. Database, IMAP). See Change SCR-24 for more information.

53947 Monthly calendar view does not scroll to previous month

Previous month scroll position was unreachable due to endless scrolling. This has been fixed by drawing an additional month if trying to scroll to the first drawn month.

53454 A IMAP folder called “user” is visible

“user” folder remained in child listing of root folder. Orderly drop single namespace folders from LSUB collection to solve this issue.

Patch Release 4303 (2017-08-07)

Shipped Components and Versions

Fixed Bugs

54808 CacheAware does not work for Drive folders

When programmatically working with Drive folders, they could be declared to be CacheAware but this property did not change the folder’s behavior in terms of cache handling. This has been resolved and needs to be validated at the specific implementation.

54790 Getting quota does not work anymore

When requesting quota information for non-existing file storage accounts a runtime exception was thrown instead of properly handling the case. This has now been corrected.

54702 Rename folder pop-up not closing

The dialog to rename a folder in App Suite would not close under very special conditions. This has been researched and a potential workaround got applied. The effectiveness of this solution needs to be validated for the environment in question.

54701 Unable to copy raw image content to mail compose with IE11

When copying raw image content from apps like MS Paint to mail compose, rather than just adding that image via drag&drop or the provided composer options, its content did not get pasted when using IE11. This has been corrected for this particular case, however note that copy&paste is implemented very inconsistently across browsers and operating systems, other cases will potentially not work as expected since the browser does not provide necessary information to web applications.

54586 Inconsistency for saving drafts when using attachments from Drive

When adding attachments to a Mail from OX Drive, they were added when saving a mail as draft but not removed when removing the attachment. This behavior has been corrected in a way that mail attachments are never stored when saving as draft.

54453 Account help page missing

A particular help page for external accounts was incorrectly linked, this has been corrected.

54437 Contact collector not working

Collecting contact information while reading mail was not working when combining specific mail handling (seen/unseen) with contact collection. This has been solved.

51742 Usability improvement when handling appointment invitations

When receiving invitations or modifications of an appointment, we did show a very prominent pane that allows users to accept/decline. However some users still tried to manually import the attached ICS file which led to a series of problems. This is now being avoided by hiding ICS attachments in cases where we already show the accept/decline pane.

51194 Ability to disable adding attachments to PIM apps via configuration

A new frontend-side configuration option has been added to disable the “add attachment” area when creating or editing PIM objects. Note that this is purely cosmetic and does not affect other clients than OX App Suite. See Change #4301 for more information.

Patch Release 4284 (2017-07-24)

Shipped Components and Versions

Fixed Bugs

54723 Busy circle never stops on attachment uploads

Tried to create previews for documents for local files. This has been solved by not trying to create previews for documents for local files.

54593 No error message if import limit is reached

No warning given in case the number of imported items was truncated. This has been fixed by adding a warning if the number of imported objects was truncated.

54529 Drive mail drive attachment counting filesize against upload limit

Any mail attachment appended to the new message has been checked against upload quota limitation. Only consider uploaded files (mail attachments) when checking upload quota limitation to solve this issue.

Patch Release 4256 (2017-07-10)

Shipped Components and Versions

Fixed Vulnerabilities

54403 CVE-2017-9809

CVSS: 3.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)

54402 CVE-2017-9808

CVSS: 3.3 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)

54321 CVE-2017-9808

CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

54320 CVE-2017-9808

CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Fixed Bugs

54532 Confusing error message “Folder INBOX has been closed on mail server”

Confusing displayed error message. Solution: Rephrased error messages dealing with connectivity issues to mail server to give more user-friendly information. Moreover added the “Please try again later.” suffix to hint to a possibly temporary nature of the issue.

54377 Generating missing MD5 sums on filestore Objects causes high read load

There might be situations where the metadata for stored infostore documents does not indicate the referenced file’s MD5 checksum. This may be the case for files that were stored more than 4 years ago, or for files that have been uploaded in chunks, e.g. during a migration. When synchronizing via OX Drive, the missing checksums for those files are calculated on demand, which requires the files to be retrieved from the underlying storage. When there are many or very large files for which the checksum needs to be calculated, this may lead to an increased read load which may impact other processes and systems in the installation. This has been fixed by providing functionality to calculate missing file checksums on demand.

54349 Edge crashes on large attachments

Too much memory and CPU usage by canvas resize. Integrate canvas resize into our lazyload mechanism so not every picture is processed simultaneously to solve this issue.

54348 Attachment filename wrong when forward email

Building the forwarded mail calling setHeader erased the header information about file name. This has been solved by calling setHeader first and set the file name header afterwards.

54311 Unable to send mail with onboard external account as sender

An SMTP server which responds with a non-standards-compliant multi-line greeting on socket connect messed up parsing of server’s capabilities. This has been solved by dealing with multi-line greetings from SMTP server.

54262 No timeout message if loading modules fails

No error message on require timeout. This has been fixed by adding timeout message and reload option with longer timeout (30 seconds).

54177 Creating folders or renaming folders to prefix A- or B- does not show

The folder title did not get re-rendered after a title change. Now after a title change also the folder title gets re-rendered.

53454 A IMAP folder called “user” is visible

“user” folder remained in child listing of root folder. Orderly drop single namespace folders from LSUB collection to solve this issue.

Patch Release 4223 (2017-06-26)

Shipped Components and Versions

Fixed Bugs

54315 Incompatibility with SIEVE rules

When running OX App Suite 7.8.3 and 7.8.4 against a shared mail environment, SIEVE filter rules could unintentionally affect each other, for example auto-forward and vacation notice. This got fixed by retaining commented script content which is unknown to the 7.8.4 implementation.

54309 Re-authorizing a oAuth account led to errors

When re-authorizing an oAuth account, for example after changing its password or revoking access, a runtime exception was thrown. This got fixed by considering empty authorization tokens.

54181 Config-cascade inconsistency for value pairs

Certain value pairs were not correctly distributed by the config cascade mechanism, especially those related to services that use oAuth for authentication. We solved this by making those properties config-cascade aware.

54174 Unexpected oAuth option for external accounts

When having external mail access via oAuth disabled, the corresponding option was not properly hidden. This got solved to immediately start the non-oAuth wizard instead.

54136 Incorrect permission restriction when moving folders in Drive

When moving/copying a folder from an external storage service to a folder of the primary OX Drive storage service, a permission related error was thrown. This got solved by properly setting administrator privileges for the creator of an OX Drive folder while copying/moving in folders from external services.

54133 Sharing dialog stuck when sharing locked file

When attempting to share a file which is locked, the sharing dialog did not close when canceling the operation. This got solved by handling potential errors related to locks when trying to share a file.

54069 Fuzzy fallback for unsupported languages

In certain cases the frontend language did fall back to German instead of English. This got fixed by setting an explicit fallback to en_US if the browser provides an unsupported language and no OX language cookie was previously set.

54067 Outdated “unsupported browsers” message

OX App Suite UI did display incorrect recommendations for mobile browsers when using such as a desktop browser. This has been solved and we’re now showing recommendations for mobile browsers only when using a mobile device.

54042 Unable to update dates with Japanese locale

When defining start/end dates at the calendar on mobile browsers, the supplied data did not get taken over to the appointment. This was caused by incompatibility of a date/time format library with specific languages and has been fixed by making sure the same date/time format is used at all related components.

54041 Missing schema information for database timeout errors

In case a database connection reported a communication failure or timeout, the specific database schema was not part of the exception. This has now been added to allow simple debugging of affected database clusters.

53958 More debug background for exceptions related to closed IMAP folders

In case an IMAP backend did close a connection due to technical issues or timeouts, the resulting stack-trace at OX App Suite middleware was rather generic. This has been improved in a way that we now show the related IMAP command to allow better debugging. This issue has to be validated in production environments that show such unexpected behavior.

53945 Duplicate paste on certain systems

On a few macOS based systems images were pasted twice to mail compose when using the operating system's copy & paste feature and hitting a specific timing pattern. Additional checks were added to avoid importing duplicate content.

53923 Quick reply disappears after the first reply

When using “quick reply” to answer a mail, this option will disappear. We changed the behavior in a way that the option stays available after using it.

53916 Adding local files opens camera App on iOS

When using OX App Suite UI with Safari on iOS, the action to add a local attachment resulted in immediate launch of the camera App. We now trigger a selection menu which offers to either use the camera or access existing photos on the device.

53688 Contacts with Katakana “yomi” fields were sorted as “other”

When using Japanese language settings and subsequently “yomi” contact fields, those contacts were sorted incorrectly as “other”, which got solved.

53671 Specific mails produced empty printouts

When printing specific mails that define CSS, the created print version did not show substantial content. This got fixed by dropping certain CSS elements from our whitelist that could lead to broken layouts. See Change #4204.

53649 Folder IDs were shown in PIM objects attachment details

For PIM objects with attachments we did show the hyperlinks pointing to OX Drive instead of the corresponding App. To avoid confusion we did visually remove those links as they provide almost no functionality.

53474 Duplicate recipients when sending mail

When sending a mail to all appointment participants the resulting mail compose did contain duplicates of the expected recipients. This got solved by detecting and removing the currently logged in user from that list.

53437 Inconsistency for thumbnails and image preview

Certain file formats (tiff, psd, pbm) were shown as thumbnail preview while not being supported in image preview. To ensure consistency we added support for tiff and psd files to image preview.

52633 Adding huge photos to HTML mail led to high CPU load

When checking for validity of an uploaded image, the size limitations were not considered, which in turn led to higher than expected processing effort. The logic got changed to apply limitations prior to analyzing the validity of an image. If that action fails, the affected image is removed from mail compose and an error is logged.

Patch Release 4186 (2017-06-12)

Shipped Components and Versions

Fixed Bugs

53900 1st (out of two) Google Mail Account does not work after adding 2nd (out of two) Google Calender Abo

When updating an OAuth account (applying a new name), the enabled scopes were accidentally reset. This has been solved by not touching the OAuth account’s enabled scopes when updating its name.

53795 POP3 External account: messages retrieved are duplicated

Certain POP3 servers do not obey the rule to advertise UIDLs with at most 70 characters. This has been fixed by extending the “uidl” column in the “pop3_storage_ids” and “pop3_storage_deleted” tables from 70 to 128 characters, as some POP3 servers advertise bigger UIDL values. An update task will be triggered with this fix.

53690 Fields considered for sorting / categorizing contacts inconsistent

A contact’s (yomi-) firstname was not taken into account during sort name generation in case no (yomi-) lastname was set. This has been solved by using the combination of (yomi-) last- and firstname per default as sort name.

53689 Yomi fields not available / visible with non-Japanese language setting

Missing feature for other languages. Added new setting and feature to make yomi fields available with other languages.

53688 Contacts with Katakana “yomi” fields are sorted and categorized as “other”

Only hiragana was in the sorting table. Extended the table with katakana to solve the first part. When yomi is given in Half-width Katakana it is still not sorted correctly; this will be fixed with an upcoming patch.

53674 Japanese attachment filenames broken for some sender MUAs

“name” and “filename” values were parsed in a wrong way from the parameter list of Content-Type and Content-Disposition headers. This has been fixed by properly parsing the file name from MIME part headers.

53524 Japanese translation: Inconsistent translation for the word “all”

Some are translated with Kanji and the others with Hiragana, which gives the end users an inconsistent look and feel. Now all are translated with Hiragana.

53340 Appointment status of participant not updated via EAS

The list of confirmations was not part of the USM sync-state. USM now syncs the list of confirmations from the backend to solve this issue.

53233 No appropriate folder storage for tree identifier “0” and folder identifier “label”

Used dummy folder_id ‘label’. This has been fixed by using ‘virtual/label’ now to avoid that an invalid ID is used in server requests.

Patch Release 4176 (2017-05-19)

Shipped Components and Versions

Fixed Bugs

53833 After latest OX update the documentconverter-server is no longer working

Due to unnecessary package imports the documentconverter was not running. This has been fixed by removing those imports.

Patch Release 4161 (2017-05-29)

Shipped Components and Versions

Fixed Bugs

53790 Problem with executing SQL: Deadlock found when trying to get lock

Possible deadlock situation through concurrent context create operations that imply adding data to the “contextAttribute” table in the context-associated payload database. This has been solved by adding a retry strategy with exponential back-off and an optional lock on the ‘contextAttribute’ table to ultimately serialize concurrent write operations. Whether the lock is supposed to be acquired is controlled through the newly introduced “LOCK_ON_WRITE_CONTEXT_INTO_PAYLOAD_DB” property in file ‘hosting.properties’. Default is “false”.

53521 Japanese translation for “Save to Drive” has superfluous letters “()”

Fixed superfluous trailing letters for Japanese.

53456 Mail content not displayed with broken content type

A corrupt/broken Content-Type header in a MIME part breaks parsing of a mail message. This has been solved by dealing with corrupt/broken Content-Type headers when parsing a MIME part.

53267 Folder-mapping for external IMAP accounts won’t be temporary shown after password change and a new ‘Sent objects’ folder gets created

Wrong look-up of standard folder in session-associated cache, which contains wrong entries in case the password has been changed. This has been fixed by simply loading mail account data as-is and not considering any caches.

53249 Not possible to delete pop3 account

The server tried to remove the pop3 folders multiple times. Now the server removes pop3 folders only once.

53095 OAuth accounts broken after downgrade from Groupware to PIM role

Need of improvement in case access to OAuth-backed data is not/should not be possible as per configuration and missing scope authorization. Solution: Explicitly check whether OAuth provider has been enabled (OAUTH-0044), required scope(s) is/are available (OAUTH-0043), and required scope(s) is/are enabled/authorized (OAUTH-0042). Also added new error codes to the UI.

52633 Drag & drop of a huge picture into a HTML-Mail will cause the JVM to OOM/ up until OS swapped

Improved logging behavior in case image upload gets denied due to size/resolution restrictions.

50804 vCard Attachment can not be deselected

An unported API change in Dropdown mini-views led to this behavior. Ported the API call to the new version to solve this issue.

Patch Release 4138 (2017-05-18)

Shipped Components and Versions

Fixed Bugs

53115 OLOX20: saving a mailfilter rule with no condition, no action but only a stop rule is not possible

It was not possible to create a stop mailfilter rule. Now it is possible to save a rule with no condition and action if “Process subsequent rules” is disabled.

Patch Release 4132 (2017-05-18)

Shipped Components and Versions

Fixed Vulnerabilities

53077 CVE-2017-8340

CVSS: 3.1 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

53073 CVE-2017-8340

CVSS: 3.1 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

52843 CVE-2017-8340

CVSS: 3.1 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N)

52066 CVE-2017-8341

CVSS: 3.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)

52040 CVE-2017-6913

CVSS: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Fixed Bugs

53368 UI does not load but also not redirect to unsupported.html for MSIE 9.0

Latest code changes make IE9 unusable. Now sending MSIE 9 users to the unsupported HTML file.

53352 OX address book image does not load on connect voice portal

Image content was not accessible via OAuth. This has been solved by allowing OAuth-wise access to image content.

53188 IMAP plugin improvements

Appsuite had no support/failover strategy in case an IMAP host is resolvable to multiple IP addresses. This has been fixed by refactoring socket handling to act as fail-over strategy in case the host is resolvable to multiple IP addresses.

53168 Twitter account not shown

If a mail account and a twitter account had the same id, the twitter account was not displayed. This has been solved by constructing new ids for this collection to avoid duplicates.

53127 DAV Links for Tasks (and maybe for others too) are displayed although they are not accessible at all

Missing check if task folder is private. Added missing check to solve this issue.

53087 Second Google calendar subscription does not show calendar contents

The actual OAuth account associated with a subscription has not been considered, but always the default Google OAuth account was referenced. Solution: Consider the actual OAuth account that is associated with a subscription. Info: Popup Blocker may not be active.

52712 Twitter stream not shown after configuration

A missing event in the Keychain api led to this issue. This has been fixed by adding an additional event, so portal plugins update correctly.

52123 Not possible to change name in email settings with custom MAL bundle

Wrong mail provider was initialized for this special case. This has been solved by loading the proper mail provider in case a global mail server is configured.

51755 Long running script on huge list of TO: addresses in compose

Too many unnecessary requests while adding huge distribution lists. This has been fixed by using already available display names and preventing needless fetching/redraw.

Patch Release 4113 (2017-05-02)

Shipped Components and Versions

Fixed Bugs

53100 Mail is not beeing displayed, blocking other from beeing displayed in INBOX

This was due to missing recovery for an unsupported character-encoding. This has been solved by handling possible unsupported character-encoding.

53023 Message with truncated subject

Subsequent base64-encoded strings cannot be combined if individual values end with the padding ‘=’ character. This has been fixed by not combining padded base64-encoded values, but decoding them separately.

53008 HTML content is invalid and cannot be displayed

Weird start tag segments in real-world HTML mess up the HTML parser, which refuses to process the content any further. Solution: Better deal with malformed start tags in real-world HTML content.

52928 Attachment not shown

In emails with attachments which have different cid and id it was not possible to show all attachments. Make sure attachments do not have a cid attribute when added to a collection to solve this issue.

52797 Autoconfiguration fails for hotmail/yahoo/live domains

Thunderbird’s ISPDB for auto-configuration changed. Changed default value for property “com.openexchange.mail.autoconfig.ispdb” in file ‘autoconfig.properties’ from “https://live.mozillamessaging.com/autoconfig/v1.1/” to “https://autoconfig.thunderbird.net/v1.1/”.

52727 UI/Browser blocked / stalled when dealig with huge amounts of appointments

Too many operations in the DOM tree when having many appointments. This has been fixed by disabling some functionality for a large number of appointments.

52633 Drag & drop of a huge picture into a HTML-Mail will cause the JVM to OOM/ up until OS swapped

Configured image limitations were not tested when checking for validity of an uploaded image. This has been solved by testing for image limitations when checking for validity of an uploaded image.

51801 “Drop inline images here” not translated

Added missing translation.

50759 All messages in unified inbox say “No subject” when using threads

With this fix the Subject is displayed for unified inbox conversations.

Patch Release 4084 (2017-04-18)

Shipped Components and Versions

Fixed Bugs

52756 Twitter can not be configured anymore;Case-sensitive look-up for an OAuth API: “Twitter” is not equal to “twitter”

Case-sensitive look-up for an OAuth API: “Twitter” is not equal to “twitter”. Perform ignore-case look-up by OAuth API identifier to solve this issue.

52751 Creating external accounts does not work anymore

Wrong detection if a mail account action was targeted for primary mail account. Reliably check specified account identifier to determine primary account to solve this problem.

52675 Html mail not displayed at all

Some mails were not displayed because the style tag did not get closed while sanitizing the mail’s HTML content. This has been fixed by orderly closing the style tag while sanitizing HTML content.

52606 Show hidden files setting does not work at all

Hidden files were not displayed because filter extensions for files were never called. Invoked filter extension point to post process file list to solve this issue.

52534 Disableschema: SessiondService is used but not registered in the activator

Required SessionD service was not orderly tracked. This has been solved by properly tracking needed SessionD service.

52530 Pop3 access to external account is not logged by AuditLog

The tracked instance of AuditLogService was not orderly put into the utilized service registry. This has been fixed by properly putting the tracked service into the service registry.

52402 Drag and Drop not working with chrome on windows 10 Touch

It was recognized as a touch device and DND was disabled. This has been solved by adding an additional check.

52391 Empty Page in UI settings section after update

A JS error occurred in the yell function and only an empty settings page was displayed. Made the yell function more robust, so Settings do not break anymore.

52348 Logging issue after appsuite update

Open-xchange-osgi didn’t contain the latest logback extension. Defined explicit dependency to newest open-xchange-osgi containing the latest logback extension.

52101 ‘Folder “9” is not visible to user “X” in context “YY”

Caused by the changes for favorite folders, where favorite folders for every module were added to the collection pool. The favorite folder for drive has the parent with id “9”. When the UI is refreshed, all parents of all folders are listed. That causes every refresh to request the folder with id “9”. This has been fixed by only adding favorite folders for modules with granted permission.

51757 When the first mail filter rule is created for a user, it does not show in the mail filter list

The filter collection did not handle an initial add correctly. Now the filter collection handles an initial add correctly.

50798 Renaming a root level folder which contains a Favorite Folder will lead to “Mailfolder not found on IMAP Server”

Caused by missing checks if parent folders get renamed or removed. This has been solved by looking for rename or removal of parent folders.

50478 Impossible to add two or more different Gmail accounts

Initial assumption to re-use OAuth credentials was wrong. Now OAuth credentials are not re-used when adding mail accounts.

Patch Release 4078 (2017-04-04)

Shipped Components and Versions

Fixed Bugs

51967 Missing distribution lists in Outlook

When syncing Outlook using USM, certain amounts and combinations of contacts and distribution lists could lead to a situation where only a subset of contacts but not all distribution lists got synced. This has been solved by sorting the type of object (contact, distribution list) prior to performing the sync operation. This way the kind of objects retrieved at the client side stays consistent in case the total amount of objects exceeds the chunk size for one sync operation.

51399 Repeated mail sending when using Outlook

In case a backend error did occur, like downtime of the mail storage, there could be situations where Outlook clients using USM get into a sending-loop, resulting in duplicated E-Mail. Those kinds of errors are now handled by the USM API in accordance with the OX App Suite middleware error code. Backend version 7.8.3-rev20 or higher is needed for this fix.

Patch Release 4050 (2017-04-03)

Shipped Components and Versions

Fixed Vulnerabilities

52255 CVE-2017-6912

CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

51863 CVE-2017-6913

CVSS: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

51667 CVE-2016-10078

CVSS: 3.6 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/CR:L)

51622 CVE-2017-6912

CVSS: 6.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Fixed Bugs

52518 Compatibility fix for Debian and systemd

The Debian project did rename the initial process from systemd to init when moving to Debian 8.7. Some areas of our startup scripts depend on this name to determine whether systemd is used or not. We’re now querying /proc/1/comm to figure out the kind and name of process that takes care about inits.

52437 oxsysreport tries to read nonexisting files

When running oxsysreport while having OX Guard installed, false-positives for password blacklisting could occur. As a result errors were reported by the oxsysreport tool, which has been solved by adjusting the regular expression for parameter blacklisting.

52314 Unicode decoding fails for multi-line mail subjects

In case an E-Mail subject spans multiple lines where each consists of UTF-8 mail-safe base64 encoded characters, decoding partly failed and Unicode characters were displayed in a scrambled way. This has been solved by properly handling such split subjects and encoding each part independently.
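The subject-decoding failure described in 53023 and 52314 can be reproduced with a short script. The following is an added example, not code from OX App Suite: it generalizes the described fix by decoding each base64 encoded-word on its own and joining the resulting bytes before charset decoding, which also covers senders that split a multi-byte character across words. All function names and the sample subject are constructed for illustration, and only "B" (base64) encoded-words are handled.

```python
import base64
import re

# One RFC 2047 base64 encoded-word: =?charset?B?payload?=
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?[bB]\?([A-Za-z0-9+/=]*)\?=")


def make_header(text, chunk_sizes, charset="utf-8"):
    """Build a constructed, folded Subject value: one encoded-word per byte chunk."""
    data = text.encode(charset)
    if sum(chunk_sizes) != len(data):
        raise ValueError("chunk sizes must cover the encoded text exactly")
    words, pos = [], 0
    for size in chunk_sizes:
        payload = base64.b64encode(data[pos:pos + size]).decode("ascii")
        words.append("=?%s?B?%s?=" % (charset, payload))
        pos += size
    return "\r\n ".join(words)  # folded header lines, as on the wire


def split_words(header):
    """Return (charset, payload) for every base64 encoded-word in the header."""
    return [(m.group(1).lower(), m.group(2)) for m in ENCODED_WORD.finditer(header)]


def decode_combined(header):
    """Failure mode from the release note: join all payloads, decode once."""
    words = split_words(header)
    if not words:
        return header
    joined = "".join(payload for _, payload in words)
    # A '=' padding group in the middle ends decoding early in CPython's
    # lenient mode, so everything after the first padded word is lost.
    return base64.b64decode(joined).decode(words[0][0], errors="replace")


def decode_separately(header):
    """Decode each payload on its own; join bytes per charset run, then decode."""
    words = split_words(header)
    if not words:
        return header
    out, run_charset, run_bytes = [], None, b""
    for charset, payload in words:
        raw = base64.b64decode(payload, validate=True)
        if run_charset is not None and charset != run_charset:
            out.append(run_bytes.decode(run_charset, errors="replace"))
            run_bytes = b""
        run_charset = charset
        run_bytes += raw
    out.append(run_bytes.decode(run_charset, errors="replace"))
    return "".join(out)


if __name__ == "__main__":
    subject = "Gr\u00fc\u00dfe aus K\u00f6ln"  # constructed sample, 17 bytes in UTF-8
    samples = (
        ("padded words", make_header(subject, (4, 7, 6))),
        ("split character", make_header(subject, (3, 14))),
    )
    for label, header in samples:
        print(label)
        print("  combined:  ", repr(decode_combined(header)))
        print("  separately:", repr(decode_separately(header)))
```
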

52238 Typo at NRFILES property at startscript

A typo in the /opt/open-xchange/sbin/open-xchange script led to a situation where custom configured “nofiles” limits were not correctly applied to the process. This has been solved by correcting the property's name and adding a log message to open-xchange-console.log in case the process fails to set this limit.

52235 Missing custom favicons

Newer versions of Firefox use the largest icon presented as favicon, which defaults to an unbranded OX icon. Originally this handling was introduced to set a “homescreen” icon when using the appropriate functionality on mobile operating systems. This was solved by removing the corresponding tag when using desktop operating systems.

52198 Applying OX Drive folder permissions recursively

A feature backport has been performed to allow recursive inheritance of OX Drive folder permissions when changing a parent folder.

52181 Firefox drop-zone overlaps mail list

When using a specific series of gestures while importing a .eml file to a mailbox, a Firefox bug on Windows and macOS got triggered which kept the “drop zone” visible after dropping the file outside of the browser window. This subsequently blocked other user interaction with the mail list. We added a workaround for this browser bug in a way that clicking outside the drop zone will revert its state.

52161 Missing mails on mobile devices when using mail categories

When using mail categories with a desktop browser and moving mails to specific categories, those mails would not be displayed in the Inbox anymore when using the same account with a mobile browser. We solved this by avoiding Inbox categorization if the corresponding feature set is not available on the currently used platforms.

52157 IMAP master-auth user name provided to client

In case of specific IMAP errors related to EXPUNGE commands, a detailed error message was returned to the user, which could contain a user-name for IMAP master authentication. This was solved by removing detailed error message contents for that IMAP command.

52151 Drop zone for .eml not disappearing if a file is not dropped with firefox on Windows

Firefox does not trigger dragleave or mouseout correctly. This has been fixed by using mouseenter to remove the dropzone when the mouse enters the window without dragged files.

52123 Unable to change mail account name with certain mail configurations

If a user was changing its mail account displayname while the middleware uses a “global” mailServerSource setting, incorrect host names were applied. As a result the displayname could not be changed. We solved this by applying the appropriate host name to avoid erroneous responses during the operation.

52104 Untraceable database timeouts during share cleanup

Once the PeriodicCleaner task for shares was executed, potential SQL errors could not be traced since the related schema name was unknown. To allow further debugging we added com.openexchange.database.schema as parameter for this cleanup run. It will highlight which database schema triggered timeouts or other errors.

51997 Shares created via Drivemail requested credentials

When sending a mail attachment and using “Drive Mail”, a password was requested even though a user did not enable this option. This could happen in cases where a user first specified a password but then un-ticked the related option. We solved this by checking the option's state more carefully prior to creating the related share.

51967 Missing distribution lists in Outlook

When syncing Outlook using USM, certain amounts and combinations of contacts and distribution lists could lead to a situation where only a subset of contacts but not all distribution lists got synced. This has been solved by sorting the type of object (contact, distribution list) prior to performing the sync operation. This way the kind of objects retrieved at the client side stays consistent in case the total amount of objects exceeds the chunk size for one sync operation.

51918 Calendar conflicts with UTC+12 timezones

During conflict detection, the floating time-span of full-day appointments was calculated using the server's timezone (usually UTC) while other appointments used the timezone configured by the user. In cases where a large offset to UTC is present, there has been a 50/50 chance that appointments would conflict with full-day appointments at the previous or next day. We’re now calculating both values using the user's specific timezone for conflict handling. This should bring down the probability of incorrect conflicts considerably.

51839 Certain serious (non UCE/UBE) HTML mail is not displayed

A too greedy check for possibly malicious content led to this issue. This has been solved by allowing a properly parsed start tag.

51462 Full-day appointments could not be converted with Lightning

When using Thunderbird/Lightning and CalDAV of OX App Suite, full-day appointments could not be converted back to normal appointments using the CalDAV client. The reason for this was a client-specific CalDAV header used to indicate full-day appointments which caused issues with Lightning. We removed this header if the associated user-agent does not expect it.

51399 Repeated mail sending when using Outlook

In case a backend error did occur, like downtime of the mail storage, there could be situations where Outlook clients using USM get into a sending-loop, resulting in duplicated E-Mail. Those kinds of errors are now handled by the USM API in accordance with the OX App Suite middleware error code.

51222 Long loading times for documents with certain storages

In case a large document gets requested off a slow cloud storage, very long loading times could happen and expected timeouts were not considered. This has been solved by adding additional timeouts that will kick in if an API request to the storage layer takes longer than anticipated.

51074 Encoding issues with passwords

In case certain operating systems got configured incorrectly, specifically RHEL6 and SLES11, usage of the open-xchange-passwordchange-script plugin could lead to incorrectly encoded passwords passed over to a script. This has been solved by adding an optional parameter as described by Change #4022 to allow base64 encoded transfer. Additionally, unexpected encoding configurations will get logged to open-xchange-console.log to alert operators about potential follow-up issues.

50918 Timezone issues with task start/due dates on negative timezone offsets

When defining a start or due date for tasks while using a negative UTC offset, the selected date would be reported incorrectly. This has been solved by adjusting the full-day handling for tasks to the calendar implementation which uses UTC.

49236 Messages regarding missing E-Mail

Some OX App Suite UI requests did lead to error messages regarding E-Mail which could not be found. After analyzing the situation, we suspect that there is an issue with obfuscated folder names. A fallback has been added in case decoding a folder name failed.

Patch Release 4016 (2017-03-20)

Shipped Components and Versions

Fixed Bugs

52013 Enhancements to IMAP host detection and logging

To allow better debugging and monitoring of interaction between OX App Suite and IMAP backends, a new parameter was added to parse the IMAP backends “greeting” and provide it as part of the OX App Suite log. This behaviour is configurable and described within release notes. When rolling out this Patch Release.

51910 Optimizing IMAP IDLE handling and Hazelcast lookups

When using IMAP IDLE in larger deployments (which OX does not recommend) it might happen that threads are getting blocked by attempts to look up and close associated push listeners in a cluster once a user closes a session. Using synchronization protocols like Exchange Active Sync triggers many sessions to be opened and closed in a relatively short period of time. While there might be configurations where only one IMAP IDLE push listener per user is allowed, in many cases this level of consistency is excessive and could lead to outages. Therefore we changed the behaviour to only look up “local” sessions rather than querying the whole cluster. This behaviour is configurable and described within release notes. When rolling out this Patch Release please have a close look at the IMAP IDLE session count and modify the configuration in accordance with the environment's requirements. To enhance overall performance of session lookups, an index has been added to the Hazelcast “sessions” map. As a result, clusters need to be completely updated and restarted when applying this patch release, since the “sessions” map is not compatible with its earlier version.

51847 Enhanced IMAP request tracking

Logging has been extended to allow tracking individual IMAP activities/requests for an OX App Suite session which might use several IMAP connections. The new logging property is com.openexchange.mail.session.

51772 Unable to modify users own data

In cases where the contact associated with the user account was created by the “oxadmin” account rather than the user itself, the user was unable to change its own contact data. Such situations may arise in specific provisioning implementations. Changing the contact's data is now possible again by correcting the mechanism to look up the oxadmin account as potential creator for the own contact.

51755 Long-running script warnings when sending mail to huge recipient list

When composing a mail to a list of several hundreds of recipients, browser warnings about unresponsive scripts occurred when trying to parse and tokenize the recipient list. The handling has been improved by 2-3x to allow a larger number of recipients.

51610 Desktop notifications are not shown for negative timezone offsets

When configuring a negative timezone offset (e.g. UTC-5), desktop notifications would not be shown since the timestamp of newly received mails was checked against UTC rather than the user's timezone.

51602 Incorrect encoding when using IMAP “plain” authentication

In case mailbox login names allow multi-byte unicode characters, the login process would fail when using OX App Suite. This has been solved by applying the correct charset when performing the login procedure for mailboxes.

51207 Error message shown if “default app” setting is empty

In cases where a user's configuration was damaged and the default app “none” has been selected, subsequent logins led to error messages. We’re now falling back to the global default app if the provided app cannot be found.

50982 Empty “file count” for external cloud storage folders

Some external cloud storage providers do not provide the amount of files within a folder. In such cases OX App Suite would show “0” for any folder at that storage. A new internal capability per storage has been added to signal whether the storage does provide that information without executing expensive computation or storage access. According to that capability, OX App Suite UI will remove the “object count” indicator at folder details.

Patch Release 3994 (2017-02-24)

Shipped Components and Versions

Fixed Bugs

51859 Changed API behaviour leads to issues with file uploads

An earlier bugfix introduced a significant change to HTTP API behaviour: any change to the MIME-Type parameter has been rejected as a result. While OX clients were unaffected, this led to an incompatibility with third-party clients when using the “infostore” API for uploading and modifying files. We reduced the scope of the change to block MIME-Types that start with “multipart” instead; this should not affect the vast majority of use-cases for this API.

Patch Release 3985 (2017-03-08)

Shipped Components and Versions

Fixed Bugs

51910 Huge amount of threads stops OX

Made some improvements to avoid crashing OX. Utilize a user-scoped lock mechanism to avoid having a global lock that might affect unrelated threads unnecessarily. Avoid duplicate remote session look-up.

51898 Mail with invalid MIME type attachment cannot be displayed

When trying to display or import an email which contains an attachment with an invalid MIME type as content type, an error was thrown. This has been fixed and it is possible to import and display the mail.

51727 Mail icon still appears in UI even though mail is not enabled

Caused by missing capability check for disabling and hiding. This has been fixed by adding the missing check.

51572 Moving files with and without description not working in drive

Appsuite UI just redid the same operation. Solution: Appsuite UI checks which files caused conflicts and only tries to redo those.

51570 Only one warning for copy multiple files with description in drive

Multiple response was not fully processed. This has been fixed by processing the full array.

51569 Primary mail address and aliases cannot be changed at the same time if the old primary mail address should be an alias

During the createuser command an alias for the primary mail account is already added. This alias is equal to the upper case notation used in the create command. The change command now tries to add the same alias but with only lower case letters. This isn’t recognized and therefore the middleware tries to insert this alias into the db again, which results in the duplicate entry error. Solution: Do a case independent check when comparing the old with the new aliases.

51548 Moving files which already exist result in duplicate files with google drive

There was no name check performed for the move operations. This has been fixed by adding the name check to the move operation.

51357 After last update to 7.8.3 no participants can be added in Scheduling with IE11

IE has problems with flexbox styles. This has been solved by changing styles to fix the problem.

51222 Big text file load endless with the UI

The client request didn’t get a response. With these changes the Viewer displays an error message if the file is too big to be loaded.

Patch Release 3952 (2017-02-20)

Shipped Components and Versions

Fixed Vulnerabilities

51480 CVE-2017-5864

CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

51474 CVE-2017-5864

CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)

51464 CVE-2017-5864

CVSS: 3.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)

51219 CVE-2017-5864

CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

51202 CVE-2017-5864

CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

51164 CVE-2017-5210

CVSS: 3.6 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

51069 CVE-2017-5863

CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

51058 CVE-2016-10078

CVSS: 3.6 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/CR:L)

51039 CVE-2017-5864

CVSS: 3.3 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)

51038 CVE-2017-5863

CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

50849 CVE-2017-5213

CVSS: 3.1 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

50716 CVE-2016-10077

CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

50715 CVE-2016-10078

CVSS: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Fixed Bugs

51700 Guided tours showing for users even though the package was not installed

Document tours are contained in the documents-ui package; the existence of the standard tours package was not checked there. This has been solved by adding a check for the existence of the standard tours package: if it is missing, tours are not shown automatically and the settings menu entry is hidden.

51368 Bursts of WARN Messages: filemanagement.internal.ManagedFileManagementImpl ..Temporary file could not be deleted about 800-1000/day

Delete attempt does not check whether the file is non-existing. This has been fixed by properly checking whether an attempt is made to delete a non-existing file; logging was changed appropriately.

51357 No participants can be added in Scheduling with ie11 after an update

IE has problems with flexbox styles. This has been fixed by changing styles to fix the problem.

51101 Showruntimestats -a errors: No suche cache: OXIMAPConCache

OXIMAPConCache is an obsolete JCS cache. The StatisticTools was querying the JCSCacheInformation for that particular non-existing cache. The same applies for MailConnectionCache and SessionCache. This has been solved by removing the obsolete calls and correcting the error message.

51091 Upload to external filestorage account folder does not abort if overquota and fails

Missing error handling for overquota in multiple file upload. This has been solved by checking for error FLS-0024 and stopping the queue if this error appears. The rate limit error is checked as well. If one of those errors appears, the upload queue stops and removes all files from the queue.

51053 Appointment invitations get duplicated by adding attachments

Deactivated Notification pool combined with multiple uploads of attachments results in a single notification mail for each attachment. Solution: Keep track of a batch of attachment uploads during the whole stack.

50693 Content pane folder name not refreshed when renamed on external storage

Error handling is now done inside the apps. If errors with external storages (or other folder errors) appear and that folder is currently selected, the app will change to the default folder and reload the parent folder.

50689 Possible to lock files in external storages when not supported

The ‘locks’ capability was not correct for some external storages. Changed behaviour: The file lock feature is disabled for every external storage. Lock only works in the internal OX fileStore now.

50414 Birthdays in the portal widget/sidepopup are sometimes a day off

Birthday calculation was slightly different in both views and, apart from that, not even correct for all cases. This has been solved by using the same code for both views and also using a correct approach.

50039 Problem with folder rename of external storage providers

Dropbox identifies the folder through the path. New files create all folders in their path by default. This is a special Dropbox behavior. This has been solved by checking for folder existence before storing a file and returning the default “folder does not exist exception”.

48361 Login not possible if folder limit is reached

This has been fixed by adding missing handling for this special case. Now the login is working and the user gets notified about this error.

Patch Release 3925 (2017-01-26)

Shipped Components and Versions

Fixed Bugs

51263 Missing function returned in case requested files could not be found

An earlier fix changed the response content when requesting a frontend related file. Instead of a function and an error message, just an error message was returned. As a result the web frontend could get stuck in case a file was not found. This has been solved by providing a response similar to the earlier one, just with obfuscated payload.

Patch Release 3918 (2017-02-06)

Shipped Components and Versions

Fixed Bugs

51018 Munin warning updating config_ox_java_heap

Non-existing mbean raised an error. This has been fixed by removing the mbean.

51017 Munin error updating last-error in ox_grizzly_TCPNIOTransport

Last error value was not a simple signed integer. With this fix, the value is checked for “N/A” and 0 is returned instead of “N/A”. This only fixes the problem for ox_grizzly_TCPNIOTransport.

50997 Searching inside of sent mail folder always shows senders name in results column

This has been solved by adding special handling in find app.

50991 Exception generating imap URI

Possible scheme/port information in the “com.openexchange.mail.mailServer” or “com.openexchange.mail.transportServer” property was not properly handled. This has been solved by using a structured object for the global mail/transport server configuration setting to also apply protocol, port, etc. (if specified).

50987 AutoStart is not working with io.ox/settings or portal

Settings is not a favorite app and is therefore ignored as autolaunch. This has been solved by adding a special case for settings. Settings will not appear in the dropdown but can be set by the provider as default autoStart app.

50982 External Cloud Storage: number of Items in folder not displayed - ‘0’ all the time

Some file storage implementations are not returning a file count. With this fix the file count isn’t displayed if the external storage returns no value for file count.

50965 Restore compose application pop up not loading with 7.8.3 upgrade

Introduced new value for ox.serverConfig.persistence: “always”. Only works with adjustment in custom bundles.

50837 Birthday on 1.1.1970 not displayed

The timestamp for 1.1.1970 was interpreted as timestamp 0. Adjusted the calculation of birth dates to solve this issue.

50798 Renaming a root level folder which contains a Favorite Folder will lead to “Mailfolder not found on IMAP Server”

Missing checks if parent folders get renamed or removed. This has been solved by looking for rename or removal of parent folders. On rename: anticipate changed path and keep folder. On remove: immediately remove affected favorites. This doesn’t work if triggered by another client.

50714 OXtender synchronization fails with Couldn’t determine extra fields in object with errors

The ical analysis of an external invitation delivers a JSON object “users” without sub fields, especially without confirmation. This was unexpected by USM and produced an error, which led to a general sync error with OLOX. Now the missing confirmation is accepted and initialized by USM with 0.

50674 Deleting 2 Users at a time via SOAP results in a database deadlock

Possible database deadlock on concurrent delete attempts for users in the same context. Solution: Acquire a lock on user deletion to enforce enqueueing of concurrent delete calls.

50258 Categories - select all in one of the tabs - info message that not all mails are selected is missing

Missing translations were added.

50041 Moving files with description to external storage not working

Missing translations were added.

50016 When composing an email, the signatures do not get refreshed, when adding initial/new one

This has been fixed by using standard listener.

Patch Release 3879 (2017-01-23)

Shipped Components and Versions

Fixed Vulnerabilities

50943 CVE-2016-10077

CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

50940 CVE-2017-5211

CVSS: 7.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)

50893 CVE-2017-5211

CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)

50764 CVE-2017-5210

CVSS: 4.8 (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N)

50760 CVE-2017-5211

CVSS: 7.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)

50748 CVE-2017-5213

CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

50739 CVE-2017-5212

CVSS: 6.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

50737 CVE-2017-5213

CVSS: 2.2 (CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N)

50734 CVE-2016-10077

CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

50733 CVE-2016-10078

CVSSv3: 3.6 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/CR:L)

50723 CVE-2016-10077

CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

50721 CVE-2017-5211

CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)

50382 CVE-2016-10077

CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Fixed Bugs

50835 Report doesn’t terminate if contexts are broken

In case of a context that never existed on the system, a lookup for all contexts in the same schema led to endless attempts to get those contexts. This has been fixed by adding the initial context to the context list if the database returns no values for the given context id. Potential errors are added to the output report.

50738 Not possible to import multiple mappings with csv file

Addmapping value was not split by comma when supplying multiple login mappings via csv file at create context. Multiple login mappings are now split by comma during context creation from csv file to solve this issue.

50706 OX APP Creates too many IMAP connections and not closing them

Unnecessary global lock that leads to stacking up threads. This has been solved by removing the unnecessary global lock from the ‘com.openexchange.jslob.storage.db.DBJSlobStorage’ class for improved throughput.

50625 Setting “Automatically delete the invitation email after the appointment has been accepted or declined” has no impact on the email

The mails were only deleted for internal appointment invitations. This has been solved by adding the deletion logic to the external invitation display and to internal task invitations.

50258 Categories - select all in one of the tabs - info message that not all mails are selected is missing

Added new message for “select all” in tabbed inbox; some translations will be provided with the next patch.

50176 Dragging an email from desktop to mail-category tab is not working

No handling for Drag & Drop in mail-categories. Added the missing handling: first the mail is imported to the inbox and then moved to the category.

Patch Release 3849 (2017-01-09)

Shipped Components and Versions

Fixed Bugs

50627 Mail content not displayed

A malformed conditional comment (CC) causes overly greedy detection of such a CC pattern in HTML content during sanitizing. This has been fixed by dealing with malformed conditional comments.

50621 OX crashed - one node/JVM permanently on GC/100% CPU - after creating an heapdump error looked different but OX still does not react

Really weird HTML content inside a mail, containing over 700 nested body start tag segments, makes the routine that tries to replace body tags with div tags for embedded display inside App Suite UI run mad. This has been fixed by avoiding excessive replacements of body tags inside such really weird HTML content.

50570 Not possible to change name in email settings if global configuration is used

MailConfig values were overwritten with wrong values. This has been fixed by preventing overwriting in specific situations.

50527 MySQL databases refuses connection because of Too Many connections from single groupware servers

Incrementing use-count for a lot of contacts associated with a certain E-Mail address causes too many INSERT statements to be issued, which flood the MySQL service. This has been solved by accumulating use-count increments through a batch statement and limiting the number of updated contacts that are associated with the same address. That limit is configurable through property “com.openexchange.contactcollector.searchLimit” and defaults to “5”.

50519 Not possible to find group in calendar permissions dialog

Groups were not drawn due to a limit. Now applying limit by result type so groups are drawn.

50518 Email module - Burger Menu - Create filter rule is not responding

Due to the deactivation of the “address” mailfilter the default values were not available. This has been fixed by introducing a fallback to the former “header” filter if “address” is not available.

50514 MoveDBSchemas replayschema step, the migrated contexts have ‘read_db_pool_id’ set to ‘0’

The read-write pool is not set as the read-only one as fall-back in case no dedicated read-only pool is set in the associated DB cluster. To solve this issue, the identifier for the write-pool is assumed as the read-only one in case no explicit read-pool is set in the referenced ‘db_cluster’ entry.

50466 CC Button Link misplaced in eMail composer when language set to chinese

Input field overlaps cc/bcc buttons and the links were not placed correctly. This has been fixed by applying padding dynamically depending on button width.

50342 Calendar colors get lost on printouts

No custom label colors applied to template. This has been solved by passing colorLabel identifier to html output.

50303 No error message regarding “No such snippet found for identifier:” when filestore not available on login

This was caused by a missing hint that a file associated with a snippet/signature is (temporarily) not available. Restored logging in case the file associated with a snippet/signature is (temporarily) not available: “Missing file for snippet 1 for user X in context ctx_ID. Maybe file storage is (temporary) not available.”

50300 Mail “burger” context menu in H-View not on top of all layers

Mail “burger” context menu was partially hidden by the upper layer. Fixed z-index issue to solve this.

50213 Edit draft loads endlessly

Recognizing HTML input wasn’t working correctly in all cases. Now wrapping content with div…/div in those cases to solve this issue.

49265 Dropbox Integration - “Add description” can be used, but is useless

Requirements were not requested before drawing. Fixed drawing of viewer sidebar sections. Sections now look for requirements before drawing.

Patch Release 3814 (2016-12-19)

Shipped Components and Versions

Fixed Bugs

50461 HTTPClientActivator never calls Services#setServiceRegistry

Services class was not initialized. This has been solved by properly initializing the Services class.

50412 Edit incorrect email address in to or cc generates duplicate entries and phantom entries

Collection and tokenfield state gets messed up because the model’s ‘token’ attribute gets updated within the ‘tokenfield:createtoken’ handler. This has been fixed by redrawing tokens only when the display name has changed.

50244 Task title truncated / does not use all available space

Media queries were not flexible enough. This has been solved by using flex layout to use available space better (private and due time appear in this row too if set).

50232 Renaming a folder which is present in Favorites removes it from Favorites

The folder ID changes, therefore the folder was lost on page reload. This has been fixed by listening to ID changes and updating and storing favorites.

50135 Help not context sensitive in settings

The app did not contain any information about contextual help. This has been solved by showing context sensitive help in settings. External apps can also register their help pages on the extension point ‘io.ox/settings/help/mapping’ in the function list.

50043 Possible to add version info to external storage files

Was caused by missing capability check for version comments. This has been fixed by adding capability check for version comments.

50040 Content pane not refreshed

After deleting a folder in an external storage account the view wasn’t updated. With this fix the view is updated after deleting a folder.

49083 E-Mail-Folder Action ‘delete all messages’ ignores OVERQUOTA

Move command not used in case msg count is greater than block size. This has been fixed by using the move command in case msg count is greater than block size.

Patch Release 3775 (2016-12-07)

Shipped Components and Versions

Fixed Bugs

49989 Onboarding Wizard Connect Device Tile does not fit into frame

Max-width was applied to the whole container. This has been solved by applying max-width to the description only.

49979 Guest users don’t get deleted

Guest user deletion triggers push listener removal for guests even if they might not have any push listener registered. Solution: Consider webmail permission before removing push listeners within the user deletion process.

49864 Full-day appointment will be displayed as a regular 24h appointment on Android

Specific clients rely on a certain order of the EAS protocol elements. AllDayEvent shall be sent after StartTime, EndTime. Microsoft Exchange Server for example does this. Now sending AllDayEvent after StartTime, EndTime to solve this issue.

49781 Email list: email address displayed instead of display name when DISPLAYFROM is enabled

Now show display name if DISPLAYFROM is set.

49091 Show requests for read receipts setting is not hidden when protected

Configurability for all settings is not available. Extend checkbox-related code in mail settings pane to consider configurability for this setting.

Release 7.8.3 (2016-11-30)

Shipped Components and Versions

Fixed Vulnerabilities

49912 CVE-2016-9309

CVSS: 4.3, Credits to Lukas Reschke

49848 CVE-2016-9308

CVSS: 5.7, Credits to Hugh Davenport (allthethings.co.nz)

49847 CVE-2016-9309

CVSS: 3.7, Credits to Hugh Davenport (allthethings.co.nz)

49639 CVE-2016-9308

CVSS: 2.5

49439 CVE-2016-9308

CVSS: 4.1

49159 CVE-2016-8857

CVSS: 5.3

49015 CVE-2016-8857

CVSS: 3.5, Credits to secator

49014 CVE-2016-8857

CVSS: 5.3, Credits to Zeeshan (@z33_5h4n)

49005 CVE-2016-8857

CVSS: 5.3

48843 CVE-2016-7546

CVSS: 3.1, Credits to Abdullah Hussam (@Abdulahhusam)

48559 XSS with SVG when altering media-type

A bypass for existing sanitizer rules was found by modifying the media-type of a stored SVG file. This got solved by letting the sanitizer detect the file’s media-type regardless of the user-provided media-type. CVE-2016-7546, Credits to secator.

48282 Self-XSS when pasting script code to OX Text

Fixed the regex to control pasted content, made it more generic to capture script code. CVE-2016-7546, Credits to Sumit Sahoo.

48282 Self-XSS with pasted HTML content

When copying a specific pattern of script code to mail compose, included script code gets executed. This has been solved by extending the frontend-side sanitizer at OX Documents. CVE-2016-7546, Credits to Sumit Sahoo.

48231 Self-XSS with pasted HTML content

When copying a specific pattern of script code to mail compose, included script code gets executed. This has been solved by extending the frontend-side sanitizer. CVE-2016-7546, Credits to Joel Melegrito.

48230 XSS for Mail and Drive files

A bypass has been found for the existing sanitizer, using malformed content-types and base64 encoded payload of “data:” references. This was solved by extending the sanitizer and removing certain types of hyperlinks. CVE-2016-7546, Credits to Zeeshan (@z33_5h4n).

48173 Self-XSS with signature source-code

When creating signatures it’s possible to enter HTML code straight away. Since that code did not get sanitized by the frontend, it allowed script code to be executed as well. We’re now sanitizing the content at the frontend in addition to the existing sanitizer at the middleware. CVE-2016-7546, Credits to XSS01.

48083 XSS for Drive and Mail attachments

A new pattern was discovered that allowed a bypass of the existing sanitizer and execution of script code payload within HTML files. It got fixed by adapting the sanitizer. CVE-2016-6850, Credits to kltdwd.

48061 XSS when pasting a hyperlink with script code to OX Text

Check for valid URL schemes when pasting hyperlinks to avoid inclusion of malicious links.

47916 Tabnapping in OX Documents

Added rel=“noopener” when creating button markup for external links at OX Text and Spreadsheet. CVE-2016-6849.

47898 XSS with mp3 album covers

MP3 audio files allow storing inline images to represent album covers. When using SVG with included JavaScript it was possible to create links to malicious files that would execute script code. This got solved by sanitizing album cover images. CVE-2016-6847, Credits to mateuszg.

47891 RSS reader allows local file discovery

By providing local paths as RSS resource, attackers could validate the existence of arbitrary files based on the returned error code. This has been solved by adding a whitelist for valid protocols and also returning uniform error codes. CVE-2016-6852, Credits to mateuszg.
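The protocol allowlist and uniform error described for bug 47891, shown beside the leaky behaviour it replaces. This is an added example, not OX App Suite code: the allowed schemes, the error code `FEED-UNAVAILABLE`, the function names and the constructed loader are assumptions for illustration.

```javascript
// Assumption: only web schemes are valid feed sources; the page does not list them.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// One frozen error object for every failure, so a response never reveals
// whether the scheme was rejected, the resource was missing or it was unreadable.
const FEED_ERROR = Object.freeze({
  ok: false,
  code: 'FEED-UNAVAILABLE',
  message: 'The feed could not be loaded.'
});

// Returns a URL object for an allowed feed source, otherwise null.
function parseFeedUrl(input) {
  if (typeof input !== 'string') return null;
  let url;
  try {
    url = new URL(input);            // absolute URLs only; bare local paths throw
  } catch (e) {
    return null;
  }
  // Rejects file:, ftp:, jar: and also Windows drive letters parsed as schemes.
  return ALLOWED_PROTOCOLS.has(url.protocol) ? url : null;
}

// Hardened form: allowlist first, then collapse every loader failure
// into the same error. Details belong in the server log, not the response.
function loadFeed(input, loader) {
  const url = parseFeedUrl(input);
  if (url === null) return FEED_ERROR;
  try {
    return { ok: true, body: loader(url) };
  } catch (err) {
    return FEED_ERROR;
  }
}

// Behaviour before the fix, for contrast: any scheme is passed to the loader
// and the loader's own error code is handed back to the client.
function loadFeedLeaky(input, loader) {
  try {
    return { ok: true, body: loader(new URL(input)) };
  } catch (err) {
    return { ok: false, code: err.code || 'INVALID-URL' };
  }
}

// Constructed loader standing in for the real fetch code: it knows one local
// file and one feed host, and throws a different code for each failure.
const CONSTRUCTED_LOCAL_FILES = new Set(['/etc/passwd']);

function constructedLoader(url) {
  const fail = (code) => {
    const err = new Error(code);
    err.code = code;
    throw err;
  };
  if (url.protocol === 'file:') {
    fail(CONSTRUCTED_LOCAL_FILES.has(url.pathname) ? 'NOT-A-FEED' : 'NO-SUCH-FILE');
  }
  if (url.hostname !== 'feeds.example.org') fail('CONNECT-FAILED');
  return '<rss version="2.0"><channel><title>constructed</title></channel></rss>';
}
```

With the leaky form, the two `file:` requests return different codes, which is exactly the signal the bug report describes; with the hardened form every failure is the same object.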

47824 XSS with user pictures

When using SVG images as user picture, script code may get embedded and executed when forging specific links. This got solved by denying SVG content as picture and sanitizing existing data. CVE-2016-6850, Credits to kltdwd.

47822 Reflected file download for API calls

GET requests to API endpoints can be modified in a way that a download is triggered that contains reflected content from the request. This may be used to run malicious code on client devices and got solved by removing the ability to trigger such downloads. CVE-2016-6848, Credits to Abdullah Hussam (@Abdulahhusam).

47790 Tabnapping for mail and drive

Hyperlinks within user-generated content can be used to inflict tabnapping attacks. We solved that by adding parameters like rel=“noopener” to links. CVE-2016-6849, Credits to Zeeshan (@z33_5h4n).

47781 XSS for base64 encoded data links in mail

Malicious hyperlinks containing JavaScript as payload were not correctly sanitized. This has been solved by also inspecting encoded content for malicious code and dropping support for certain types of hyperlinks. CVE-2016-6845, Credits to Zeeshan (@z33_5h4n).

47779 Content-spoofing at App loader

When triggering a direct request to the app loader, provided input gets reflected to the requesting client. This can be used for content spoofing and got fixed by removing user input at error responses. Credits to Ahmed Abdalla.

47774 URL input gets reflected on error pages

When requesting an API path that does not exist, the requested path is returned as an error page. That could be used for content-spoofing attacks and has been fixed in a way that we don’t return user input on such error pages. CVE-2016-6846, Credits to hackys.

47770 XSS for SVG attachments in mail

Nested JavaScript code within an SVG “image” file was executed when opening those files within the browser. We’ve extended sanitizing of SVG content. CVE-2016-6844, Credits to bugdisclose.

47602 XSS when creating a group

When changing a user’s name parameter to contain script code, that code got executed when creating a group. The corresponding place now uses a sanitized representation of the user’s data. CVE-2016-6843.

47601 XSS on the document setting

Using an escape method when loading data for OX Documents settings. CVE-2016-6842.

46897 Using log sanitization methods

Enabling LogSanitisingConverter by setting the %sanitisedMessage token for OX Documents. Use CVE-2016-5741.

46025 XSS at Charts

HTML-signs replaced with the respective HTML entities at OX Spreadsheet. CVE-2016-5124, Credits to sasi2103.

45811 XSS when dropping external content

Removed insecure mark-up from incoming HTML before processing it in OX Text. CVE-2016-5124.

45386 XXE while opening doc files in Drive

Now explicitly using own XMLStreamReader to avoid entity expansion when converting and working with spreadsheets. CVE-2016-4047, Credits to Deepanker Chawla.

45363 XSS at user name in Review Comments

Adding HTML escaping for date, uid and author in HTML fast load string for OX Text. CVE-2016-4045, Credits to Saeed Hashem (@SaeedHashem4).

Fixed Bugs

50203 Too many open files

When using systemd instead of sysv, the configurable limit of “open files” was not correctly applied. This has been solved in combination with Change #3773.

50174 Empty mail addresses lead to validation errors

When storing empty values as mail address, certain provisioning code failed when changing a different parameter. This has been solved by allowing empty values in addition to NULL values when validating a change.

50101 Vague error messages when uploading versions to Dropbox

Some storage providers use the file path as that file’s unique identifier. When adding a new version of the same file but with a different filename in OX Drive, that version will be created as a new file at the storage service and return vague error messages. We solved this by using unique names of additional files when adding a version. At the same time we dropped support for versioning, see Change #3756.

50094 IMAP ghost-folders cannot be unsubscribed

Depending on the mailbox format, folders might contain only other folders but no mails. When subscribing a subfolder and then deleting the parent folder, the subfolders remain subscribed and cannot be removed in App Suite. This has been solved by extending the IMAP folder consistency check.

50091 Parsing errors for broken HTML mails

Converting certain broken HTML mail to their plain-text representation failed due to compatibility issues with the used library. This has been solved by extending conversion support for that kind of mail.

50078 Exception when changing passwords using override

In case the oxadminmaster account is configured to override oxadmin accounts, changing the password for oxadmin failed with a NPE. This was caused by incorrect cache invalidation in case oxadminmaster credentials were used and got fixed accordingly.

50073 Issues with specific sharing link configuration

When using sharing links that contain an expiration date, recipient and password, some links fail to generate and are not sent. This was caused by an incompatible order of database statements and has been solved.

50038 Incorrect expires header for fallback pictures

When requesting a fallback image for a contact, for example when reading mail, the corresponding value of the expires response header was incorrectly set to a past date. This disabled caching of the response and led to unnecessary resource consumption. The problem has been solved by setting a future (+1 hour) date as value for the expires header.

49964 Drive mails using main account name instead of alias

Display name is always determined by associated user. Now choosing proper full name by given mail address.

49958 Print preview of mail is always HTML

Despite the user’s configuration, print previews for mails were always using the HTML part of the message. This has been changed to respect the user’s configuration with regard to displaying HTML mail.

49937 Pasting multiple address result in single recipient

When taking over Email addresses from popular Office productivity suites by copy&paste, those were detected as single recipient. This happened since that software does not detect the kind of data but simply provides a string without delimiters. We’ve added support for more delimiters than comma and semicolon to work around this issue.

49920 Quote get single lined when using drive mail

Wrong text formatting on explicit plain text transport. Solution: Proper text formatting in case user wants to send a plain-text message.

49909 Filename encoding wrong in drive mail

File name contains possible mail-safe encoding, rendering the shared item unreadable to the user. A safety check for possible mail-safe encoding and appropriate decoding solved this issue.

49903 Recipient missing in to: on reply-to action the second time

If the lastname of the user is set to a single whitespace, the displayname was set to a single whitespace too. Tokens are trimmed and therefore this token was not shown but still attached to the mail. This has been fixed by trimming the participant display name before checking emptiness and adding the email address to the tokenfield if the displayname is empty.

49869 Upsell not triggered in onboard wizard for updater

No handling for caps with digits. Adjusts regex and adds error message when trying to use commas in params.

49832 Geotagging issues for CalDAV

When importing CalDAV events with geolocation information, parsing failed in case float values were used for longitude and latitude. We made parsing less strict in this regard to allow importing.

49799 Accept/decline buttons are preserved in Mail

When using the “Accept/Decline” buttons in mail and switching mails, those buttons kept showing up even though the appointment’s status had already been updated. This was solved by properly redrawing mails that offer those buttons.

49693 OX error- Message could not be found in the folder

Adjusted logging to not flood log files and have a more adequate log level for common cases in which an image cannot be retrieved.

49575 Google drive: filename in version info not updated

Wrong file-name/title advertised to client when querying version/revision history for a file. This has been fixed by setting proper file-name/title when retrieving version/revision information for a file.

49572 Dropbox/box.com: upload a new version overwrites file

Add new version overwrote the original file. Properly add new file revision in case of explicit “Add new version” call and make “file_versions” capability available via folder API through field “supported_capabilities”.

49543 Show hidden files and folders is not hidden when protected

No generic support to hide each user setting. This has been solved by adding support for this particular setting.

49491 IMAP session Timeouts after switching the IMAP backends

Mutually exclusive access to shared instances of ‘javax.mail.internet.MailDateFormat’ prevented concurrent threads from parsing IMAP INTERNALDATE/ENVELOPE fetch responses. Possibly locked shared instances of ‘javax.mail.internet.MailDateFormat’ are now dealt with so that concurrent threads attempting to parse IMAP INTERNALDATE/ENVELOPE fetch responses are not blocked.

49417 IMAP issue with empty x-originating-ip content

When sending NIL values for the “x-originating-ip” parameter, certain IMAP servers run into problems. This has been worked around to ensure no NIL values are sent by App Suite.

49374 Bad organizer mail address when inviting through the calendar

Under certain circumstances, the organizer value was built from the user’s display name when serializing to iCal. This has been fixed by using the user’s e-mail address as organizer value if “primaryMail” is configured.

49304 Crash on all Groupware Nodes

A newly introduced login handler stored a user attribute on each login operation, and the corresponding cache invalidation event was distributed remotely throughout the cluster, which led to an increased number of unnecessary events. This has been changed to only update the user attribute if it actually changed and to skip cluster-wide invalidation.

49265 Dropbox storage offers to add descriptions

When including Dropbox as a storage account, Drive did offer to add descriptions to files, which is unsupported by Dropbox. We’re now adapting available Drive features in accordance with the capabilities of those external storage providers.

49259 Attachment corrupted when open in browser

Generic detection for possible XML content led to accidental XML escaping. This has been fixed by excluding application content from XML escaping.

49254 ShareService not starting up

In certain cases the ShareService did shut down during bundle startup. This has been handled by avoiding signalling “stop” events during startup.

49236 Huge amount of Mail folder could not be found on mail server messages for non-existing folders

The messages for “Mail folder could not be found on mail server” were known, actually by design, but not expected to happen that often. The fix just excludes the inbox from the obfuscation to reduce the amount of error messages.

49231 Filter rules: From condition “is exactly” doesn’t work on email addresses

To filter for email addresses in a more comfortable way, “Sender address” was included as a condition type.

49210 Marked mail(s) disappear when hitting # 1 key on Numpad

Appsuite uses a shared keypress handler for the numpad key and the ‘a’ key. In combination with ctrl or another special key all messages get selected. A missing check in the archive action allowed archiving a message with the numpad key. The ‘a’ key is now checked for before archiving.

49207 Missing filenames for pasted screenshots

When pasting a screenshot to mail compose, an attachment without filename got created. We now assign a default filename to such content to avoid compatibility issues.

49196 Users can not be added to group

It was not possible to add a user to a group that contained a space in its name and was created by the command line tool. This has been solved by using the CHECK_GROUP_UID_REGEXP property for group name validation during http-api calls.

49141 Mail content only displayed on reply/forward

Mail content was not visible in all mails: the actual mail content was nested inside the head element, which is removed for embedded display of foreign HTML content. Non-head child elements are now transferred to the body to make the content visible.

49103 No additional address books loaded in picker on mail compose

There were too many contacts, thus hitting the default limit of 10000 contacts. The global address book is now excluded from the picker to avoid an unresponsive dialog. The new setting is: io.ox/contacts//picker/globalAddressBook=true/false.

49091 Show requests for read receipts setting is not hidden when protected

Configurability for all settings is not available. The checkbox-related code in the mail settings pane has been extended to consider configurability for this setting.

49086 About 1600 Mails can not be deleted at once, Script Timeout in Browser

Removing the mails one by one takes very long. With this fix all mails are handled together, which is much faster.

49083 E-Mail-Folder Action ‘delete all messages’ ignores OVERQUOTA

The copy command was able to run into overquota. This has been fixed by using the move operation for the clear folder command in case the move operation is supported by the IMAP server.

49074 Appointment cancellation mail loop with iOS

In rare cases the iOS Mail/Calendar clients decide to send out repeated cancellation mails. While the behaviour is triggered by the client we try to counter this behaviour by blocking cancellation mails at replies at OX App Suite when synchronizing.

49057 Incorrect dates provided by WebDAV clients

When mounting Drive using WebDAV, some clients provide incorrect creation times for files. This was caused by an incompatible date format and has been fixed by providing RFC1123 dates instead.

49055 FLD-0008 exception ‘Folder 0 does not exist in context 1’

The appointment object was missing the action folder id. This has been solved by adding the action folder id to the appointment object.

49007 Address picker shows inaccessible folders

When using the recipient picker for Email the second time while not having access to public and shared folders, those were shown as an option nonetheless. We fixed that by cleaning caches so the correct folders are provided as options.

48949 Sometimes printing fails with “Drucken ist beim Starten des Druckvorgangs fehlgeschlagen.” on Preview

This only affected calendar views, as they are external (i.e. loaded from the server), and was quite rare. This has been solved by implementing a delay to let the browser breathe. The delay is not really perceivable so it won’t annoy end-users.

48940 Autologout setting is not hidden when protected

Not all settings are implemented to be configurable via yml file. This setting is now supported for property and yml files.

48928 Customization for contacts identity circle

In order to keep the list at the address-book picker in sync with the Contacts app, identity circles can now be customized with regards to color. See SCR #3602.

48927 Customization for contacts identity circle

In order to keep the list at the address-book picker in sync with the Contacts app, identity circles can now be customized with regards to name initials. See SCR #3602.

48883 logconf -l com.openexchange.usm does not filter for UID/CID

The logback filtering works in conjunction with the MDC properties, meaning that in order for a log filter to work, the userId, contextId and (optionally) sessionId have to be present in the MDC. In this case, the previously mentioned MDC properties were only applied upon a login request, hence the only DEBUG log entry that was visible in the log was that of the login request. This has been fixed by applying the MDC properties ‘userId’, ‘contextId’ and ‘sessionId’ (that is the USM session id and not the OX session id) to the MDC when getting the USM session from the SessionStorage (which happens on every USM/EAS request).

48851 Zero-minute reminders not respected in public calendars

When using public calendars and setting reminders to “0”, this value is treated as “no reminder”. This has been solved by signalling 0 as a legal value for appointments at such folders.

48778 Contacts tab opens with ~20 Seconds Delay, Display-Errors after Tab Change Contacts to Calendar and back

The new user setting “Start in global address book” (default: true) conflicts with an extremely slow loading of address book. This has been solved by checking if the user setting is configurable. If not, the user doesn’t see the setting. This fix neither accelerates the loading process nor does it avoid the invalid UI state if users go back and forth.

48748 Distribution list view inconsistent, saving such a list does not work

The error is caused by two update operations on a contact of the distribution list. If a contact of the distribution list is within the address book of the user, then the entry within the distribution list will reference this contact. In case the email address referenced by the distribution list is removed, the entry within the distribution list is also updated (now empty). If, in a next step, the contact is deleted, the entry within the distribution list will be changed to a contact without a reference. In this case the mail address within the distribution list will be used, which is still empty, so the distribution list is invalid because of this missing mail address. The exception message now tells the user which contact is causing the error, so the user is able to solve the issue himself.

48729 Archive folder visibility

In case users got provisioned with a specific name for the “Archive” folder, there was no way to remove that information afterwards. We’ve removed a sanity check for empty folder names and instead add “null” to the user’s mail configuration in case that folder shall be empty. As a result no folder will show up as “Archive” anymore. Note that using this functionality makes it mandatory to disable archive functionality as a capability for the user. Otherwise there will be inconsistencies and unexpected behaviour on the user-interface level, including re-creation of the “Archive” folder with its default values.

48687 Carddav data with xD at the end of all lines

The underlying org.jdom library adjusts line endings during serialization, for inline vCards in multistatus responses this led to duplicated carriage return characters. While usually the receiving side is in charge to normalize line endings during parsing, one particular client is not able to do so. Solution: Serialize inline vCards in CARDDAV:address-data property as CDATA.

48681 Mail not displayed correctly on Android

The mail contains two parts of type text/plain. The second part contains the greetings. USM handles only the first part for sending the mail in plain text format to the client (used by Android). With this fix USM concatenates all text/plain parts together.

48663 No signature selected in settings after upgrade

Missing signature handling for update. A central helper function has been introduced which considers the different states; the value of defaultSignature (compose/reply) is now used as the new default value for ‘defaultReplyForwardSignature’.

48654 SpamExperts GUI page not displaying fully for SpamPanel

The container element of settings pages doesn’t have a fixed height. This broke percentage-based height specification of its children. This has been fixed by using absolute positioning to make percentage-based heights work again.

48631 Unexpected compression headers for SAML

When using HTTP redirect bindings for single logout responses, our implementation did expect zlib headers while raw gzip was returned. This has been solved by handling this kind of input.

48630 Missing attachment preview for very special mails

When sending a mail to a mailing list and using an X.509 signature plus another attachment, that attachment could not get previewed in App Suite. This has been solved by avoiding fetching ignorable parts of the mail.

48629 Appointment jumps one day back if time changed more than 12h

The local date instead of the internal UTC date was used in one calculation. This has been fixed by sticking to UTC-based calculations.

48618 Portal tiles show hidden files

After displaying “hidden” files was disabled, they did still show up at the Drive portal tile of App Suite. This got solved by applying the correct filter to the tile as well.

48598 Incomplete delete events sent when removing appointment series

When deleting a recurring appointment, the related event mechanism did distribute events which refer to the recurring appointment but did not contain any pointers to exceptions of that series. We’re now sending more sophisticated objects that allow to gather references to exceptions of that recurring appointment.

48495 New arriving mails are sorted somewhere into existing mails in list view

The sort handler was called before models were drawn, and the list was messed up. This has been solved by skipping the sort when the queue contains items and sorting manually once the queue has been processed.

48463 Multiple honorific prefixes are comma-separated

When using honorific prefixes, suffixes or additional names at contacts, those details were transferred and serialized as individual attributes, which led to display issues on some CardDAV clients. This has been solved by putting this information into a single attribute.

48438 Inconsistent folder order in Archive

The Archive folder did list subfolders in descending date order to make sure the most recent folders are on top. However, this did conflict with certain use-cases and added inconsistency, therefore we switched to alphabetically ascending order for all folders except numeric ones.

48394 DOS encoding for paths.perfMap

The file paths.perfMap was delivered with CRLF linebreaks, which of course does not make sense on Unix-style environments. We applied proper linebreaks again.

48380 Unable to remove a directory in Drive

In case a directory contained a hidden subfolder without permissions for the deleting user, removal of that enclosing folder failed without a sufficient error message. We’ve extended the OX Drive protocol to handle this situation and make clients aware of the root cause.

48364 Unable to save mail to “Sent” folder after sending

Getting the standard folders (e.g. for “Sent”) failed in case spam/ham folders were absent but expected. The code has been hardened to deal with situations like this, which may occur when using custom spam handler implementations or configuration.

48349 ‘AVERAGE_USER_SIZE’ not found in file /opt/open-xchange/etc

The method getProperties was used. This was fixed by using getUserProperties.

48348 Reporting issues with multiple registered servers

When having contexts spread across different middleware clusters but using the same database backends, the report client did not finish its execution. This has been solved by considering such configurations and general hardening of the report functionality in this regard.

48344 User is not able to send email to users on the same cluster after account is added as external

There was no filtering based on transport_url for added email accounts. Now only sender addresses from accounts that have a transport_url are listed.

48292 Usercopy fails with “Unexpected problem occurred”

UseCountCopyTask used a wrong mapping object and tried to copy use counts of internal users, so usercopy failed. This has been fixed by using the correct mapping object and skipping use counts of internal users.

48248 Unable to copy/move mail if target lacks flag compatibility

When copying or moving a mail from a mail backend that supports more IMAP user-flags than the target backend, an error was raised. This has been solved by checking existing flags and converting them in a compatible way.

48243 Report clients stops for corrupt guest users

In case a guest user has a reference to a deleted user, running reports did not deliver any results. This has been solved by handling the absence of the referenced user.

48242 Unable to delete appointment from cancelation mail

When using a CalDAV client like eMClient, some cancellation mails could not be used to delete the related appointment since their ID was missing. We solved that by avoiding a fallback to the “Publish” method when synchronizing.

48205 Issues when switching SMTP-Auth

When configuring an external mail account’s SMTP credentials as “As incoming mail server” and changing this configuration to specific credentials, the old credentials were maintained. This has been fixed.

48195 External appointment “You have confirmed this appointment”, but is not accepted

New external appointments were displayed as accepted, but were not accepted. Now new external appointments are not displayed as accepted.

48133 Malformed mail causes warnings

In case an E-Mail contains illegal references to multiparts, such as attachments, a warning was raised in the log. To avoid log flooding, the situation is being handled in the code without logging a verbose message.

48118 Upsell I-Frame does not open in Firefox and IE

The click delegate on the premium container didn’t work as expected. This has been solved by using the default select handler and calling the upsell method via a custom trigger.

48109 Special IMAP folders are re-set on first login

When defining special-use flags for IMAP folders, those were not considered when logging in for the first time. The behaviour has been made configurable by change #3524. Now we’re considering those pre-defined special-use folders.

48089 Weekend days were hardly readable

In case the current day is a Sunday, the date label was hardly readable since several shades of red were applied. This has been solved by correcting the priority of shades when displaying the calendar month view.

48075 vCard export fails when missing references

In case vCard data information is stored on an external service and that service becomes unavailable, exporting fails. This has been addressed by adding a check if all referenced information is present and accessible before starting to export.

48073 Hover on mail folders is missing after update to 7.8.2

There was no hover message reporting the total messages and unread messages in an email folder. The missing title has been added again and is now visible on hovering.

48047 Random OOM during parsing mail

This was caused by excessive creation of (sub-)strings while trying to re-parse a weird, but possible start tag segment. This has been fixed by improving detection of a possibly contained HTML start tag and changing the re-parse routine to avoid sub-string creation where possible.

48006 IMAP ID is sent after login instead of before

The “ID” command got issued after login happened, breaking Dovecot’s session tracing. This has been fixed by moving the signalling of the IMAP session identifier through the “ID” command to the pre-login state.

47992 Mail content incorrectly displayed

As a side-effect of content sanitization, certain invalid E-Mail structures, in this case broken tags, were removed, which led to follow-up issues when displaying the mail. We’ve made the sanitizer more flexible to avoid such false-positive cases.

47967 High CPU usage by Java process

An infinite loop while trying to determine a folder’s reverse path to the root folder caused the excessive creation of folder instances, all kept in a wrapping java.util.ArrayList instance. It turned out that while loading the path for a folder from a subscribed external IMAP account, the special INBOX folder references itself as parent, consequently rendering the traversing loop infinite. This has been solved by introducing several safety checks (in case a folder references itself as parent) and guards to prevent such an infinite loop when trying to determine a folder’s path to the root folder.

47944 Error when storing data to Swift backend

When creating a file on a Swift storage backend, the service might respond with HTTP Status 201 instead of 200 which was unexpected. This got fixed by handling this status as well.

47932 No free mailstore found causes configdb inconsistencies

When deploying a new cluster without having registered a mailstore yet, creating a context caused inconsistencies in the configdb. This has been solved by running the delete method of all registered plugins in case of a failure in postCreate of any of the registered plugins.

47893 Folders with dots in their names are not queried correctly

It was not possible to retrieve information from cloud storage folders if they contained a dot in the folder name. The cid method now removes all ‘.’ from the ids to fix this issue.

47888 NPE when trying to edit the description of a file in a Dropbox account within the AppSuite

Editing the description of a file in a Dropbox account was not possible with the Appsuite UI. The file identifier is now un-mangled to fix this.

47873 Filename information is lost when moving files between different file storages

Now setting the filename when moving files across different file storages to solve this issue.

47785 Rate-limit triggered when handling huge distribution list

When working with large distribution lists, usually more than 500 members, OX App Suite UI triggered a lot of unnecessary requests to get member information. Depending on the workflow and amount of members this could exceed the default rate-limit and effectively lock-out a user for several minutes. We have optimized which and how many calls are triggered when editing distribution lists to avoid this scenario.

47720 Missing check for filter rules capability

In case the mailfilter package is not installed, the frontend was missing a capability check and offered to create mailfilters based on existing E-Mail nonetheless. This was fixed by considering those capabilities.

47683 Mail is not displayed correctly - 2 instead of three attachments

The regex pattern to identify the uuencoding wasn’t able to handle umlauts. This has been fixed by improving the regex pattern to recognize umlauts.

47678 OX Drive standalone: Remove “Add to Portal”

Added permission for portal.

47676 Contact related content shown for drive-only configurations

In case a user account is configured to only use OX Drive, some functionality was offered that would require the Contacts app to be present, for example contact details. These issues have been resolved by removing links at invite guests or permission dialogs.

47664 Empty object_permission table causes stale RDBMS connections

A database connection was not returned to the pool under specific circumstances. This has been solved by ensuring the database connection is returned to the pool.

47656 Sort menu not fully visible in horizontal mode

The sort menu was hidden by the mail detail view if this part was too small. Now the menu is always on top.

47587 Cancelled appointment in Outlook not updated

When cancelling a group appointment in Outlook as organizer, the appointment for participants was not removed in case those participants did have “PIM” access permissions. This was caused by a server-client state conflict and has been solved.

47576 Rename of OX6 distribution lists not fully working in appsuite

OX6 sets display name and last name while creating a new distribution list. Solution for distribution lists: if the display name is updated, the last name is set to the same value.

47575 Modifications to logback configuration re-set

When updating OX App Suite, recent default configuration changes to logback.xml were reset. Packaging now considers those changes and makes sure the defaults are maintained when updating.

47510 Mobile Web UI only: Mail folder can not be added on Root-Level

Adding an IMAP folder via Mobile Web UI on root level (beside INBOX) did not work. This has been fixed by changing the check for virtual folders to allow contextmenu and deny pagechange.

47504 OX Documents offers contacts functionality even if contacts are disabled

If contacts is not available, the usernames are no longer clickable.

47503 OX Documents offers email functionality even if webmail is disabled

The sendmail button and/or the send mail sub-items of the button group are now disabled as soon as webmail is not available.

47467 Menu is displayed wrong

The email option menu was displayed wrong if the topbanner was active. This has been fixed by adding a proper z-index to the top banner.

47438 Standard group guest delete and edit buttons active

Standard group guest delete and edit buttons were active. Now edit or delete for guest group is disabled.

47429 Vacation rule jumps to top

The position of the vacation notice was reset to the top if this rule was changed. Now the position is kept if the rule was edited.

47417 Listing large folders results in IE11 issues

When listing folders with more than 10.000 E-Mails and scrolling through them, IE11 did report script warnings. Those warnings were triggered by long-running JS actions. We optimized the handling of pagination when dealing with lots of mails to avoid triggering those warnings. On very slow machines this might still happen though.

47378 Contact csv import: error message very vague

The csv parser is configured to be tolerant and accepts rows in csv files with columns sizes lower than the number of title columns. If a row does not contain enough columns it will add empty columns at the end of the row. If a column in the middle of the row is missing all other entries will be shifted to the left. This leads to an error for the distribution list column, because the importer uses the data of another column for this field. This has been fixed by adding a new parameter “line_number” to the response result entry in case of an error, because it’s impossible to improve the handling of defective csv files.

47348 Password dialog for external accounts after update

For some users the “recovery/secret?action=check” call permanently signals that the currently used password is outdated, and the new one is prompted for. Various DEBUG logging was added to the class ‘com.openexchange.secret.impl.CryptoSecretEncryptionService’, which is supposed to be enabled for affected users using the ‘/opt/open-xchange/sbin/lofconf’ command-line tool; some other improvements were made for this as well. Also see Software Change 3482 below.

47325 User-fields not mentioned as option for search facet

It’s now possible to include “optional” fields at contacts in the search facet. This allows searching for those parameters’ values.

47279 Incorrect findings of checkconfigconsistency

The checkconfigconsistency tool did report some incorrect findings at cache.ccf. This has been solved by considering directories when comparing configuration file content.

47184 Forwarding mails with cc-recipients automatically opens cc field in mail compose

On model creation, data from the original mail was propagated that should have been omitted. This has been fixed by omitting the original mail data; now the cc field is not opened automatically.

47182 Separate email addresses with semicolon not working

Separating email addresses with a semicolon after two or more were added as one didn’t work. This has been fixed by stopping edit more after first model update.

47166 Redirect to logoutLocation does not work anymore

Redirect to loginLocation and logoutLocation did not work. With this fix, the custom login and logout locations are working again.

47157 SOAP API does not list guest users

The includeGuests and excludeUsers parameters were missing in the SOAP interfaces. This has been solved by adding the includeGuests and excludeUsers parameters to the SOAP interfaces.

47101 Misleading information on truncated HTML messages

If an HTML Email message exceeds limits for processing, a truncated representation is provided to the user. We added some more details and a less confusing description about why this is the case and how a user can handle the situation.

47083 Incorrect translation for mail filter rules

The Polish translation for mail filter rules had some flaws. Those were solved by updating the specific translation.

47025 Shared mail folders are not displayed

When applying very specific folder permissions, an issue was observed where folders were not shown via OX App Suite while being expected to show up. This was caused by an incomplete permission check and got solved by correcting this check.

46970 Linked appointment and task within an email cannot be displayed

If a user clicked on an invalid appointment/task link, he got the spinner. With this fix, the appointment is displayed or the link is displaying the folder from the link.

46968 Upsell-Trigger within “onboarding-wizard” not working

The upsell i-Frame for the onboarding wizard didn’t work. Added missing capability fiele to solve this.

46837 Incorrect translation for quota

The Polish translation for quota levels had some flaws. Those were solved by updating the specific translation.

46677 While subscribing to mail-folders not all “subscribable” folders get displayed

After an Appsuite refresh some “subscribable” folders disappeared. This has been fixed by dropping the “subfolders” attribute if all=false to avoid bad model updates.

46482 Unable to read mail in Outlook

Email messages with multiple different Content-Transfer-Encoding headers did cause errors with Outlook. Such malformed messages are now sanitized before delivering them to the client.

46443 Unable to view specific mails

When forwarding a specific mail structure multiple times, the corresponding sequence ID was miscalculated. As a result some mails could not be displayed anymore. This glitch has been solved by correcting the calculation for nested messages and attachments.

46346 Smtp account information not shown

In the account settings for mail the SMTP settings are displayed, but username and password were not shown. An enum issue was fixed to solve this.

46285 docx failed to load for editing, Binder not available for this docx, java.lang.NumberFormatException

Ignoring this attribute via XSLT transformation.

46189 Unable to see Halo or who reserved a resource within the Scheduling tool

There is no single general solution for all different use cases in this scenario. Solution: Introduced UI setting ‘io.ox/calendar//freeBusyStrict’ (default: true); when NOT in strict mode the detail view is available, details for appointments are not displayed.

46098 Logging of invalid cookies on autologin

When enabling the “auto login” functionality, error messages were logged regarding incorrect cookie information. Since users that have not been logged in before will accidentally trigger this message, it has been removed from the default loglevel.

45457 Incomplete documentation on “filestorage”

Existing documentation about the topic of filestores was partly missing and inconclusive. This has been solved by migrating to a new documentation system and workflow. Please use https://documentation.open-xchange.com/ as reference for technical documentation.

45101 pdf2svg using boundless memory

A new config item ‘com.openexchange.documentconverter.pdftoolMaxVMemMB’ has been added to the ‘documentconverter.properties’ configuration file. The implementation uses this value to limit the amount of memory for the PDF tool.

44943 Instant termination of DC backend processes when OSGi bundle is stopped

When stopping the DC server bundle, every single currently running job is interrupted and terminated. In addition, all DC job queues are cleared.

44275 Improved queue handling for DocumentConverter to avoid pending jobs

Some DocumentConverter jobs never got processed by the DocumentConverter backend and remained within the job queue forever due to a missing unlock of the job after the first conversion. This happened under certain conditions, like parallel conversions of the same job for the same source document. When pending or blocked jobs are within the DocumentConverter queue due to parallel processing of the same conversion, it is now ensured that those jobs get unlocked after the first conversion of this kind of job has happened, giving fast processing and removal of all pending jobs with the same characteristics.

43342 Resources are not handled with ActiveSync

We’ve added rudimentary support for resources when using the Exchange ActiveSync (EAS) protocol. The Email address of a resource will be delivered to the client to allow scheduling.

31404 Incomplete documentation on “quota”

Existing documentation about the topic of different quota levels and configuration was partly missing and inconclusive. This has been solved by migrating to a new documentation system and workflow. Please use https://documentation.open-xchange.com/ as reference for technical documentation.

23639 Messaging accounts not removed instantly

When removing oAuth credentials for a messaging account, e.g. Twitter, the related entry at the main menu did not get removed. This has been solved by refactoring the oAuth implementation.