Last Update: 2024-12-03
CVSS:8.2
User_id was used as contact_id. This has been fixed by using the correct contact_id.
The internal cache in the IMAP bundle, used to hold an in-memory structure of the IMAP server’s LIST/LSUB output, steadily fills up over several months as long as enough active sessions are present. In addition, unused/stale IMAP store containers managed in the IMAP connection cache accumulate due to the vast number of active sessions. This has been solved by letting cached entries expire (and removing them from the cache) after a reasonable amount of idle time, and by dropping unused/stale IMAP store containers managed in the IMAP connection cache.
CVSS:3.1
CVSS:3.1
CVSS:3.1
CVSS:3.1
CVSS:3.1
CVSS:3.1
CVSS:3.1
CVSS:3.1
CVSS:3.1
This has been solved by preventing remotely received events from being aggregated into another local event, and thus being re-distributed remotely again, through immediate processing of remotely received events (with a separate thread).
CVSS:3.1
CVSS: 2.2
CVSS: 2.2
CVSS: 5.0
CVSS: 5.0
Was caused by an issue in the javax.mail implementation. This has been solved by applying the fix from https://github.com/eclipse-ee4j/mail/issues/323
Properties that are actually undefined are cached at the “configuration” provider of the config cascade once they’ve been queried for the first time. This happens implicitly when the final scope is determined for a property that was picked up at another level of the config cascade. In case such properties are prefixed with “com.openexchange.capability.”, they’re also considered and evaluated to “false” when constructing the capability set for any other user, potentially overriding module permissions if the permission identifier has been used as capability property name, which is discouraged. This has been fixed by ignoring undefined capability properties when building the capability set; debug logging has been added to reveal problematic configurations.
Was caused by a deferred object that was not resolved correctly in some cases. This has been solved by always resolving the object correctly.
CVSS: 5.0
CVSS: 5.0
CVSS: 7.7
CVSS: 5.0
CVSS: 5.0
CVSS: 5.0
CVSS: 6.5
The existing iOS Push certificate expires on Dec 5th. This patch renews the certificate.
Invoke javax.servlet.http.HttpServletRequest.getSession(boolean) in SAML and OIDC implementations to maintain the route to the right Middleware node, which spawned the Open-Xchange session.
DOMPurify removed src=“”. This has been fixed by using a data URI instead.
Memory gets flooded with many regular untagged IMAP responses, which are actually of no use. This has been solved by adding a mechanism to drop regular untagged IMAP responses on command execution to avoid flooding memory with unused IMAP responses.
This was caused by DOMPurify removing src=“blob:…”. This has been solved by using a data URI instead.
This has been fixed by adding some overflow styles inside the CSS file.
This was caused by missing CSS. This has been fixed by adding the missing CSS ellipsis.
Table layout does not work correctly in IE11; switch to block when IE11 is detected. This has been fixed by adjusting the class=body section in the mail detail view for IE11.
CVSS: 3.1
CVSS: 2.2
CVSS: 2.2
Was caused by wrong detection of whether a move or a rename needs to be performed. Fixed the check whether a move or a rename needs to be performed to solve this issue.
Same request parameters lead to same responses from the MW #getDocument Ajax handler. In case the request parameters don’t change after a revisionless save, the response will be the unchanged one. This has been fixed by providing the ‘revtag’ parameter when creating the attachment.
Adjusted appearance as described in ““Google” Text” in the branding guideline.
If the organiser is not an attendee (Outlook), the locale for the notification recipient was not set. This has been fixed by adding the acting user’s locale in this case.
Mark guidedtours.properties as configfile now.
Detect confirmation change prior applying incoming patches.
If the organiser is not an attendee (Outlook), the locale for the notification recipient was not set. Adding the acting user’s locale in this case now.
Trying to delete the location/directory from the source file storage failed. Due to that, context information has not been properly updated. Solved by fail-safe deletion of the source location in file storage. Note: The filestore identifier of affected contexts needs to be manually adjusted in the database.
CVSS: 3.1
Missing event listener for series delete. This has been solved by adding the missing event listener.
This has been solved by introducing locale/format to allow country-specific address formatting.
A superfluous check led to the “unregisterdatabase” utility reporting that also read-only schemas are possibly “in use”. This has been solved by performing the “in use” check during “unregisterdatabase” for the master database only.
Missing max width for recipients element. This has been fixed by adding ‘max-width’ and ‘ellipsis’ for formerly overflowing recipient nodes.
Edge was recognized as IE with a higher version. This has been fixed by improving the browser check.
It was not possible to map feedback app names to custom names. This has been solved by adding a new extension point to process feedback data.
Corrupted mail with invalid multipart delimiters and invalid charset name quoting leads to failure when parsing/displaying the affected mail. Solution: Deal with possibly quoted charset names on charset look-up. This fixes the exception when looking up a charset by charset name, but does not display reasonable content since the multipart delimiters are corrupt in the mail’s source. The user sees: This mail has no content.
CVSS: 5.4
CVSS: 5.3
Growing inconsistencies in the general cache caused a massive amount of log messages, keeping CPUs constantly busy. Improved general caching to use a single map instead of trying to manage two resources (map & queue) for implementing LRU behavior.
Signatures with whitespaces were also filtered. This has been solved by adjusting the filter for signatures.
The callback function was expecting a string. This has been solved by making it work with strings and error objects.
The Feedback button was located in io-ox-core. This has been fixed by moving the Feedback button to io-ox-screens.
There is an issue in the hunspell library, which cannot cope with composed UTF-16 characters. As we use the library in-process, the SIGSEGV causes a complete crash of the process. This has been fixed by filtering out all composed UTF-16 characters to prevent possible crashes in the hunspell library.
Invoke a “post deletion” call-back to the reseller plug-in so that reseller information is cleared when a context has been successfully removed.
CVSS: 3.3
When a new change exception event is indicated for a ‘declined’ event, its transparency was not checked against an original event as there is none. This has been fixed by checking transparency for newly indicated change exceptions against the original series master event.
Unnecessary/excessive locking in both session management and general cache leads to many threads trying to acquire the same locks. Improved session management and general cache implementation to use higher level concurrency classes and to get rid of unnecessary/excessive locking.
Some misinterpretation of CSS by IE 11 caused this issue. This has been solved by adding a CSS fix only for IE11 to handle this issue.
This is just an improvement for signatures: Signatures with empty content (only whitespace) will not be added anymore.
Spam/ham information was advertised in mail account data even though no spam handler was available or the concrete spam handler tells not to create such folders. This has been fixed by suppressing spam/ham information in mail account data if spam is disabled or no such folders are supposed to be created according to the spam handler specification.
Late fetch of emoji library and replacement of emojis required dom-replacement after the deep-link has been registered which will remove any registered data. Fixed by loading emojis early to prevent asynchronous replacement of emojis.
Unnecessary/excessive locking in both session management and general cache leads to many threads trying to acquire the same locks. Improved session management and general cache implementation to use higher level concurrency classes and to get rid of unnecessary/excessive locking.
The causing exception was hidden, which has been changed to find the root cause of this bug.
The Moment and moment-interval framework used inconsistent time formats in Japanese. Updated locales in the moment-interval plugin to be consistent.
The unified mail storage returned normal mail ids instead of unified ones for copy/move commands. Solution: Return proper unified mail ids.
Links opened by blankshield are blocked due to security reasons. Solution: Open links with rel=“noopener” directly in Chrome 72 and above. Note that this is just an intermediate fix and will be replaced as soon as the issue is fixed in blankshield.
Print used its own address format, with which it was not possible to internationalize the address. This has been fixed by using the internationalization approach which is already used to display the address in the contacts detail pane.
Due to a change from the latest 7.8.4 patch (#5074), it was not possible to create an appointment with Thunderbird. This has been solved by reverting the fix to have a working Thunderbird integration again. A new fix for the other bug (#62106, not possible to import big iCal files) will be provided later with another patch.
CVSS: 4.1
CVSS: 4.2
Pasting a value into an input field triggered no validation and may result in a disabled save button.
Two wrong translations were adjusted to fix this.
Parsed date wrong for IMAP results. Now just one date is used for results. This is just a partial fix. A full solution would be to request a longer timeframe and to do the slicing manually. But this rather requires a larger change to the search module and cannot be handled inside a patch.
Out Of Memory when importing large iCal files. This has been solved by reducing the used heap space. Detailed information about the import limit “com.openexchange.import.ical.limit” is available here: https://documentation.open-xchange.com/components/middleware/config/7.10.1/index.html#mode=features&feature=Import/Export
Some URLs were not clickable with the latest version. This has been solved by adjusting whitelist delivery from the backend so that the setting arrives at the client.
Adjusted reload/relogin hint and added translations.
When a second modal dialog is opened, the focusin listener of the second dialog is registered before the listener of the previous dialog is removed. Since the keepFocus function is bound to the prototype of the dialog, the unregistration removes the listeners for all instances. Therefore, the keepFocus function is not correctly registered and will not keep the dropdown open when the dialog loses focus. This leads to the problem that no click events are triggered on the elements of the dropdown and therefore no model updates are triggered. This has been solved by adjusting the focusin events so that they are also correctly registered for the second (or third or fourth) modal dialog: keepFocus is bound to the current this value, which makes it unique.
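A minimal reproduction of the listener bug described in this entry, as an added example rather than App Suite code. The `EventHub` class is a stand-in for jQuery-style `on`/`off` on a shared node (where `off` removes every binding of the given function), and the two dialog classes and `listenersLeftAfterHandover` are hypothetical names.

```javascript
// Stand-in for jQuery-style on/off on a shared node (assumption for this
// example): off(type, fn) removes EVERY handler registered with that function.
class EventHub {
  constructor() {
    this.handlers = [];
  }
  on(type, fn) {
    this.handlers.push({ type, fn });
  }
  off(type, fn) {
    this.handlers = this.handlers.filter((h) => !(h.type === type && h.fn === fn));
  }
  count(type) {
    return this.handlers.filter((h) => h.type === type).length;
  }
}

// Buggy variant: keepFocus lives on the prototype, so every instance
// registers the very same function object.
class SharedHandlerDialog {
  constructor(hub) {
    this.hub = hub;
  }
  keepFocus() {
    // would pull focus back into this dialog
  }
  open() {
    this.hub.on('focusin', this.keepFocus);
  }
  close() {
    this.hub.off('focusin', this.keepFocus);
  }
}

// Fixed variant: each instance binds its own copy of keepFocus, so the
// function registered by one dialog is unique to that dialog.
class BoundHandlerDialog extends SharedHandlerDialog {
  constructor(hub) {
    super(hub);
    this.keepFocus = this.keepFocus.bind(this);
  }
}

// Sequence from the entry: the second dialog registers its listener before
// the first dialog's listener is removed. Returns how many focusin listeners
// are still registered while the second dialog is open.
function listenersLeftAfterHandover(DialogClass) {
  const hub = new EventHub();
  const first = new DialogClass(hub);
  const second = new DialogClass(hub);
  first.open();
  second.open();
  first.close();
  return hub.count('focusin');
}
```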
It was not possible to send an email to an appointment participant if he had only a secondary email address entered inside the address book. This has been fixed by using provided data instead of fetching everything.
The regular expression used while performing html-to-text conversion may keep a thread running excessively long. This has been solved by applying the configurable HTML parser timeout also to html-to-text conversion. If the timeout kicks in, a fall-back html-to-text conversion is performed. See setting “com.openexchange.html.parse.timeout” (defaults to 10 seconds).
An auto-forward rule with { id: ‘keep’ } was not displayed correctly. This has been fixed by adjusting so that both versions of the keep behavior ({ id: ‘keep’ } and copy: true) can be written and displayed correctly according to what is available on the system.
location.reload aborts redirection. This has been solved by forcing a reload only when the current host and pathname match the target URL.
This was caused by a package update inside the “com.openexchange.server” bundle. This has been solved by adding the missing bundle to document-converter’s launcher file, which is considered when building the document-converter service.
This driverestricted patch includes a new server key to enable FCM push for Drive Android and a new iOS Push certificate.
CVSS: 5.4
CVSS: 5.3
CVSS: 4.8
Wrong PRIMARY KEY specified for the “filestore2user” table, which allows duplicate entries per user. This has been solved by avoiding duplicate entries in the “filestore2user” table when moving a user’s file storage.
CSS was broken. This has been solved by adjusting CSS to display the address in multiple lines.
Missing possibility to check if a context exists in a certain server. This has been solved by adding the possibility to check a context’s existence in the scope of the registered server in which the called provisioning node is running. Thus the client is able to check beforehand in which setup a context exists.
The code minifier broke the sanitizer plugin. This has been fixed by upgrading the code minifier to a newer version.
It was not possible to display messages fetched from IMAP having corrupt BODYSTRUCTURE information. More robust handling of IMAP messages having corrupt BODYSTRUCTURE information solves this issue.
Orderly suppressing stack trace for OXExceptions with a category listed by “com.openexchange.log.suppressedCategories” property to solve this issue.
Changed interpretation of the default value for the “com.openexchange.smtp.smtpLocalhost” property. This has been solved by restoring proper interpretation of the default value for the “com.openexchange.smtp.smtpLocalhost” property.
Naming changed from “drive_folder_mode” to “drive_user_folder_mode”. Solution: Accept & output the alternative “drive_folder_mode” element for passing “drive_user_folder_mode”.
The feature has been designed to only serve one migrationRedirect URL. This has been solved by adding the possibility to configure the migrationRedirectURL on a per-host basis via the as-config.yml.
The LOCATED_IN_ANOTHER_SERVER exception was not properly handled in the ShareServlet. This has been fixed by handling the exception properly, i.e. redirecting the client to the appropriate node. Introduced a new migrationRedirectURL property for the ShareServlet to use in order to send a redirect to the correct node.
No differentiation between keyboard “clicks” and touch/mouse “clicks”. Support autoselect only for keyboard navigation to solve this.
Increase robustness for mail by using loader information directly instead of a derived property value. Now the folder is always displayed in a search result.
Changed Error message to “This appointment already exists in your calendar.” and added translations.
A second body node in the DOM causes problems when used without an iframe. App Suite 7.8.4 has extended backend sanitizing, where body nodes are replaced with divs. With this, another body node to preserve inline styles is not needed.
Simplified the message. Message is not translated in every language yet.
A race condition caused the ul element reference to be missing. This has been fixed by using a safer way to store the ul element reference.
Sortname was the same for multiple contacts, so there was no clear sorting order. This has been fixed by adding the first valid mail address as second sorting criterion if sortnames are the same.
Wrong vCard file name representations are compared. This has been solved by checking proper vCard file name representations.
No filtering and yells for those emails. This has been solved by adding yells and filtering.
Missing data about mail address field. The field value returned by the address book popup is used to initialize the participant model.
This has been solved by increasing MaxLength for password.
The sanitizer removed attributes needed for mail styling. This has been solved by improving the sanitizer so styles are preserved.
Content types with upper case letters do not pass the attachment check for inline images. Made the content type check case-insensitive for inline images to solve this issue.
The date is stored in UTC but was converted to a localized date by momentjs, which could lead to a wrong date in some cases. This has been fixed by converting the rule to a date in UTC time to prevent timezone offsets from displaying a different date.
Selected mail not scrolled into view. Now scroll the selected mail into view to have this mail displayed.
When an appsuite user has a POP3 secondary account and the “com.openexchange.mail.hidePOP3StorageFolders” setting is configured to true this setting was not respected and POP3 folders were returned as private folders of the primary account.
Migrated from the legacy GCM to the new FCM (Firebase Cloud Messaging) when sending push notifications to the OX Drive clients on Android.
Proper cleanup in case of runtime exceptions while writing to filestore.
High CPU load and possible OOM due to overflowing of cache events. Mitigate CPU impact caused by cache events with a large list of keys to invalidate.
App Suite UI passed wrong information to Open-Xchange Server in case the personal part of the “From” address contains brackets, as a workaround for another old issue. This has been solved by removing the workaround.
Trying to issue an ‘EXAMINE’ command against a non-existent folder yields a ‘javax.mail.FolderNotFoundException’. This has been fixed by treating a possible ‘javax.mail.FolderNotFoundException’ as folder cannot be opened.
When creating the auto-forward rule it was not checked if the used sieve action “copy” exists. Now, if the sieve action “copy” is not available, the combination “redirect” / “keep” is retained to solve this issue.
The lsub entry couldn’t be resolved because of a naming mismatch: “Inbox” vs “INBOX”. This has been fixed by storing lsub entries also under the original fullname, so no error is displayed while moving mails from external accounts.
The hostname was used to create the octets. If the hostname is not an IP address the conversion fails. This has been solved by using the host address instead of the hostname to calculate octets.
Trying to issue an ‘EXAMINE’ command against a non-existent folder yields a ‘javax.mail.FolderNotFoundException’. This has been fixed by treating a possible ‘javax.mail.FolderNotFoundException’ as folder cannot be opened.
The “vcard” parameter was parsed and written differently. Solution: Lenient evaluation of the “vcard” parameter.
Failed to read value for config-tree path warnings when opening share links. Don’t apply share compose settings if not available to solve this issue.
Mail compose did not unregister its logout extension point if startup fails. This causes the logout to abort as the extension is still there for a non-existing mail compose instance. This has been fixed by removing the logout extension if app startup fails.
CVSS: 3.5
CVSS: 5.4
CVSS: 4.3
CVSS: 3.1
The background color of .mail-detail .detail-view-row .actions>li a:focus was hardcoded. This has been solved by reworking @brand-primary for this part.
The hostname was used to create the octets. If the hostname is not an IP address the conversion failed. This has been solved by using the host address instead of the hostname to calculate octets.
A function was not executed in Edge and IE. jQuery has problems in Edge if the HTML is not trimmed. This has been fixed by adding different event handling for Edge and IE and trimming the HTML before adding it to the print page.
Broken CSS on login page. Fixed a simple CSS typo in the login page CSS to solve this issue.
We reduced the scope and therefore the effect on database locks when loading database assignments from configdb exclusively. This is a partial solution for issues reported at Bug #56419.
Loading an IMAP part by reference failed; the IMAP server signals zero bytes when using the relative section identifier “TEXT”. This has been solved by retrying fetching the IMAP part in case no specific section identifier was used. Using a specific section identifier works without problems.
Multiple IMAP-IDLE listeners were spawned for a user in a cluster for unknown reason. This has been solved by changing the handling of IMAP-IDLE listeners: extended logging to check why a new IMAP-IDLE listener was spawned, more aggressive refreshing of the acquired cluster lock, avoiding (remotely) checking existence of sessions for existing cluster lock entries, and immediate tear-down of an IMAP-IDLE listener once it times out.
When using reset on a Backbone collection with plain JS objects, the reset function removes objects which appear to have the same identifier, so only one attachment was displayed. This is prevented by creating models first and then using reset.
This was not supported in the past. This is activated again because we now have support for this.
Full-width characters in the personal part were dropped. This has been fixed by maintaining full-width characters in the personal part.
Order of recipients was not preserved. Now preserve the order of recipients to solve this issue.
Problematic handling when the collection cache was used. Events were triggered after the list view was drawn. This has been solved by disabling caching of search results also for modules using the collection loader.
jsessionid=123… After Twitter’s announcement about the changes regarding the callback URLs, and that every application needs to white-list all callback URLs or otherwise clients will be denied access to that application, all callback URLs that featured the previously mentioned route will be considered invalid, since the path segment is considered by Twitter as part of the actual callback URL. This has been fixed by writing the ‘jsessionid’ as a URL parameter instead of a path segment for the Twitter OAuth provider. The callback URLs at https://apps.twitter.com/ should have the following format: https://mydomain.com/ajax/defer
Confirmation button popups were broken in portrait format. This has been fixed by adding smartphone styles.
The old style autoforward rules are not interpreted correctly by the v2 mail-filter HTTP API, i.e. if an autoforward rule was created with a previous version of the middleware, then the ‘keep’ action command will be present in the sieve script. The JSON parser in this case does not recognise that and assumes that ‘keep’ is yet another action command that needs parsing. This has been solved by adjusting the response after the filter is read. Therefore, ensure that old style autoforward rules are correctly parsed by the mail filter JSONParser and delivered via the mail-filter v2 HTTP API, that is, merge the action commands ‘redirect’ and ‘keep’ and, if the latter is set, apply the ‘copy’ flag to the ‘redirect’ action command on the JSON response. No sieve rules are adjusted.
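The merge described in this entry, together with the “redirect” / “keep” fallback the auto-forward entries on this page mention, sketched as an added example (not Open-Xchange's own code). The array-of-action-commands shape, the `to` field, the sample address and both function names are assumptions; only the ids ‘redirect’ and ‘keep’ and the ‘copy’ flag come from the page.

```javascript
// Constructed sample: action commands as read from an old-style autoforward
// sieve rule, i.e. a 'redirect' followed by a separate 'keep'.
const oldStyleRule = [
  { id: 'redirect', to: 'forward@example.com' },
  { id: 'keep' }
];

// Read direction: fold a stand-alone 'keep' into the 'redirect' command as
// copy: true. Only the returned JSON changes; the input (standing in for the
// stored sieve rule) is not modified.
function mergeAutoForwardActions(actioncmds) {
  const hasRedirect = actioncmds.some((cmd) => cmd.id === 'redirect');
  const hasKeep = actioncmds.some((cmd) => cmd.id === 'keep');

  // Not an autoforward rule, or nothing to merge: return an unmodified copy.
  if (!hasRedirect || !hasKeep) {
    return actioncmds.map((cmd) => ({ ...cmd }));
  }

  return actioncmds
    .filter((cmd) => cmd.id !== 'keep')
    .map((cmd) => (cmd.id === 'redirect' ? { ...cmd, copy: true } : { ...cmd }));
}

// Write direction: use the 'copy' flag when the sieve action "copy" is
// available, otherwise retain the 'redirect' / 'keep' combination.
function buildAutoForwardActions(to, keepCopy, copyAvailable) {
  if (!keepCopy) {
    return [{ id: 'redirect', to }];
  }
  if (copyAvailable) {
    return [{ id: 'redirect', to, copy: true }];
  }
  return [{ id: 'redirect', to }, { id: 'keep' }];
}
```

Passing the fallback output of `buildAutoForwardActions` through `mergeAutoForwardActions` yields the same single `redirect` command with `copy: true`, so a client sees one representation regardless of how the rule was written.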
The cause of this issue was that the origin folder was used for capability checks instead of the destination folder. This has been solved by using the destination folder in case of a move instead.
The wrong name has been stored as the fullname (e.g. ‘Spam123’ instead of ‘subfolder.Spam123’) and this folder was created on the root level. This has been solved by using the proper fullname instead of the short name.
Only direct subfolders were unsubscribed. Now properly unsubscribe all subfolders to solve this issue.
This has been solved by adjusting the restore popup.
Long header lines contained in a MIME message were not folded. Now rigorously fold header lines of a passed mail which is supposed to be transported.
Avoid excessive locking in cache implementation to weaken the impact of the original problem.
Adding storage accounts always had been disabled for smartphones. Since the option to add new accounts has been removed from the settings area, this should be enabled. A few adjustments were made for mobile style. Implementation is now equal to address book or calendar app.
The .always callback did not wait for an inner deferred to finish, which caused the login:success event to be triggered too early, just before the user language was set correctly. The UI then falls back to en_US in each case, but only for initial login. This has been solved by adjusting the token login handler and replacing .always with .then in the token login handler success function.
CVSS: 5.4
CVSS: 6.5
CVSS: 4.3
CVSS: 5.4
CVSS: 4.3
CVSS: 4.3
CVSS: 4.3
CVSS: 3.7
CVSS: 3.7
A function for checking inline images did not expect non-HTML content and led to this non-working Copy&Paste. This has been solved by adjusting the check for inline images.
Changed behavior of com.openexchange.server.knownProxies: com.openexchange.server.knownProxies now allows subnets as known proxies. Added SCR-49.
Was not mapped by regex. This has been solved by adding both cases to this regex.
Usercopy failed with duplicate key. Now ‘target_id’ for new reminder referenced the old object ID instead of the object ID for moved appointments/tasks.
Missing tabindex messed up focus handling. This has been fixed by adding tabindex -1 to labels for IE11.
There was no styling for the print rendering. This has been solved by adding a print rendering view.
Adjusted Translation to fix this issue.
Erroneous paths were provided to the ‘rsync’ utility, while only the absolute path is required for such an operation. This has been solved by using the correct path for the copy operation via ‘rsync’; the protocol type ‘file’ is always implied.
A static preconfigured workweek was used for recurring appointments. This has been fixed by using the configured workweek instead of the default workweek.
Added missing translation.
Due to active load balancing between Middleware and Documentconverter server nodes, the PDF results for creating each ManagedFile were taken from different Documentconverter server nodes. In some document cases, this might give slightly different results due to contained date or other fields, evaluated and written at conversion time on each Documentconverter node. This has been solved by ensuring that range requests for one document always create the same hash id, even in case the file version is missing; adding appropriate synchronization code on a file id basis results in generating just one ManagedFile on the Middleware side within the Ajax request handler. The PDF result file is created from one DC server node only for the sequence of range requests for one document, even in case the file version is missing.
TimeInput toggled after draw. This has been fixed by calling toogleTimeInput as soon as possible.
Small improvements to ease debugging with not working Kerberos authentication as administrators are not able to identify the users with problems.
Missing config option to control whether shared INBOX should be visible as “shared/user” or “shared/user/INBOX”. This has been solved by introducing the config option “com.openexchange.imap.includeSharedInboxExplicitly” to control whether shared INBOX should be visible as “shared/user” or “shared/user/INBOX”. Default is “false”. The related software change request is SCR-183.
The parser was not able to properly parse the share URLs. This has been fixed by properly parsing share URLs.
Added missing translation.
‘handle-ham’ is called when moving messages from the Spam folder to the Trash folder. Do not invoke ‘handle-ham’ when moving messages from the Spam folder to the Trash folder to solve this issue.
A recently introduced typo at a configuration parameter was solved that led to issues connecting to S3 storage backends. To avoid configuration changes and unexpected issues, please deploy this Patch Release if S3 storage backends are used. This addresses SDB article #394.
In case hyperlinks in mail contain percentage signs for URI parameters, those could lead to incorrect locations since we were encoding them twice. This has been solved by just encoding quotes in links.
When sorting mails by size and toggling conversation view on and off, an incorrect file size has been displayed. This has been solved by resetting old collections on toggle.
Based on suggestions we renamed the property “town” to “city” on the web frontend.
When using OX App Suite on a smartphone browser, parts of the tour were not correctly branded. We made sure that the productName properties are being used correctly for mobile assets as well.
When using specific SAML based authentication methods, the default login page of OX App Suite has been shown for a split second. We’re now skipping the default login process when using SAML and redirect even before the login screen is rendered.
When using a certain MAL implementation, workarounds had to be used, which can lead to an error when trying to forward multiple mails. We’re now avoiding the workaround in case multiple mails are being selected.
Appointments without a custom color were not colored according to their calendar folder’s color, if it has been set. This has been solved by adding the color label of the parent folder to all appointments that don’t specify their own color while printing.
When using Logstash as log output, long stacktraces could be delivered as JSON file with linebreaks, which messes up the Logstash encoder. We identified the culprit at a JSON generator of a third-party library, which splits JSON after processing a certain amount of bytes. We replaced usage of this library by manual JSON object compilation.
When trying to remove certain HTML signatures from mail compose, a cleanup method to sanitize HTML was a bit too strict and embraced HTML5 standards. We’re now examining API responses for signatures in more detail with less strict cleanup.
When using search on mobile browsers, the folder selector did show an incorrect translation. This has been corrected with proper translation.
Changed timing of an extension point broke some customizations. This has been solved by restoring the old timing and introducing a new extension point for the use-case introduced for customizing the login process.
CVSSv3: 3.6
CVSSv3: 4.3
CVSSv3: 5.4
CVSSv3: 5.4
CVSSv3: 5.4
CVSSv3: 5.4
CVSSv3: 4.3
An update of the tinyMCE plugin changed the API: the custom function to insert emoji into the tinyMCE editor is not part of the plugin any longer. This has been solved by adding a default implementation for the custom insert method to restore the old behaviour.
This has been solved by adding missing property documentation.
The plaintext was again sanitized superfluously. Just sanitize email addresses once to fix this.
“Keep a copy of the message” led to a sieve rule with the command “keep”. This has been fixed by adding “copy”:true to the redirect action “Keep a copy of the message”.
View and Filter were not working for external file storages. This has been fixed by removing the filter for external file storages because external file storages cannot and do not provide the full “infostore” feature set.
Users were redirected to the OX login screen instead of a custom login page. This has been changed and the users are now redirected to the customized login screen.
Middleware’s Sproxyd connector refused to store an empty file to the Sproxyd end-point and failed hard when trying to delete a non-existing file. This has been solved by allowing an empty file to be stored to the Sproxyd end-point and by not failing when trying to delete a non-existing file from the Sproxyd end-point.
The error occurred too early to load even the translated message. Static error messages for different languages were added to index.html to solve this issue.
The button was shown although no service was available. This has been fixed by adding a check to show subscribe buttons only if there is a service available.
We changed the login process to be completely customizable using ui plugins. This allows for fine-grained control to meet all possible demands.
An encrypted file in Drive with uppercase file type name couldn’t be previewed.Now ignore case of file extension for encrypted files to solve this issue.
Was caused by height calculation from invisible elements.This has been fixed by only calculating height on visible elements.
Threads are kept too long in subsequent connect attempts against a IMAP host in case of a fail-over scenario.Added option com.openexchange.imap.useMultipleAddressesMaxRetries
(Default: 3
) to specify max. number of retry attempts.
Categories were not parsed if the corresponding property was absent in incoming iCal files.This has been fixed by always parsing and applying categories from iCal.
Wrong/Fall-back MIME type advertised for a signature’s embedded image.This has been solved by using metadata-extractor library to detect image’s MIME type if absent and return that for response’s Content-Type header.
After an ‘update’-requerst only a subset of the account data is used locally.Now simply process the data returned by the ‘update’-request like it is made for ‘all’-requests.
Possible IMAP responses during failed authentication were not considered. Possible IMAP response codes during a failed authentication attempt are now handled to better reflect to the user what went wrong. Introduced a retry mechanism in case the special “UNAVAILABLE” response code is advertised by the IMAP server. Enhanced logging in case an external account gets disabled. Changed logging for failed authentication for the following IMAP response codes:
AUTHENTICATIONFAILED: MSG-1000 “There was an issue in authenticating your E-Mail password…”
AUTHORIZATIONFAILED: MSG-1036 “Mail server host denies access for login login.”
UNAVAILABLE: MSG-1038 “A temporary failure occurred on mail server host during login for login. Please try again later.” (But only after 5 failed attempts!)
EXPIRED: MSG-1039 “Access to mail server host is no longer permitted for login login using his password.”
PRIVACYREQUIRED: MSG-1040 “Access to mail server host is not permitted for login login due to a lack of privacy.”
Action was not prepared for job queue. This has been solved by introducing job queue for files?action=move.
No error handling for folders. After the ‘ignore’ button was pressed, an attempt was made to move an ‘undefined’ file. That caused a typeError in the frontend and also the above provided server error due to an invalid request. This has been solved by implementing error handling also for folders and files inside folders.
If the decryption was successful, but Guard simply doesn’t understand the signature algorithm, the signature was ignored. This has been fixed by allowing decryption with unknown signature type.
Prematurely failed to acquire a call-back URL in case the local token map is empty. Do not prematurely fail to acquire a call-back URL in case the local token map is empty to solve this issue.
Invoking cleanup() on a ContentAwareComposedMailMessage instance throws an UnsupportedOperationException. This has been solved by avoiding invoking clean-up for ContentAwareComposedMailMessage instances.
Depth was not incremented when a style tag in the HTML body was added. Increment depth when adding CSS on a style tag to solve this issue.
Strict JavaScript engines (Edge) failed when assigning values to read-only variables in strict mode. This has been fixed by using the setter function with a new object instead of assigning directly to the object of the getter.
The combination of width:auto and max-width:100% caused elements to enlarge when set to 100% width. This has been solved by removing the styles.
Using tables in month view led to missing days in the view. Implemented a cleaner version to always have all days displayed.
The MAXREDIRECTS limit that the Sieve server provided was used on the middleware to check the total redirect commands in the entire user’s script. The middleware now checks the total redirect commands in a single rule to solve this issue.
New/missing line breaks after sanitizing. Don’t use the new print for signatures for OX6 to avoid unnecessary line breaks.
A missing “participants” array in the updated appointment data was misinterpreted so that participants got removed. Take over original participant data in case they’re not explicitly set by the client.
Response format was strangely encoded HTML. This has been solved by forcing the response format to be correct HTML with JSON data.
A wrong order was implemented. This has been fixed by changing the fixed order of folders.
Guest quota was not working as expected. This has been solved by removing the frontend quota check.
e.g. “Doe, Jane (JD)” doe.jane@domain.de.
Missing handling to store grid options. This has been fixed by adding handling for all options (sort, order, done).
Missing blur handler. This has been solved by introducing a blur handler on the typeahead field.
Wrong mail part id for the text part. This has been solved by adjusting the part in case “nature” is set to “virtual”.
EML import was available for the unified inbox but not working. Importing for the unified mail folder is now disabled.
Week collection of the last week in a month was overwritten, instead of reused, when new weeks were required. Reuse already existing week collections to solve this issue.
Look-up whether destination user should use Unified Quota although not yet completely available. Now deny copying a user using Unified Quota and avoid checking for it during user-copy operation.
Heart-beat kicks in too late. This has been solved by letting the heart-beat kick in early enough.
Default account “displayname” is used in the from dropdown but initially set in a jslob setting once you’ve started to add a custom displayname. This has been fixed by storing the current account “displayname” right from the start and keeping it updated every time an instance of mail compose is created.
Empty lines are discarded when parsing multipart content. Keep possible preceding new-lines at the start of a multipart content to not destroy the S/MIME signature.
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
CVSS: 7.7 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
CVSS: 6.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L)
CVSS: 6.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L)
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
CVSS: 6.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L)
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
When using the usercopy functionality for users which have individual filestores, unexpected errors were thrown. We resolved the situation in a way that errors during user copying are caught and handled correctly. We still deny copying users with individual filestores.
On specific custom mail abstraction implementations, replying to HTML E-Mails led to creation of plain-text E-Mails. This is related to the custom implementation and does not affect other operators. We added a workaround which needs to be validated at the target environment.
rampup calls configurable for debugging
In certain environments the API rampup delivered inconsistent response times. We added debug logging if preconditions for this API exceed a specific threshold and added functionality to allow disabling those preconditions. Note that this serves solely to support debugging of actual issues and should not be used by default. See SCR-63 for more information.
Japanese sort order for contact lists at mail compose and the Contacts app was inconsistent. We updated the sort mechanism at those places to deliver consistent results.
Fixed parameter indices to make the report work again.
Updated draft handling so that no new draft is generated and no error is displayed.
With the introduction of the simplified mail filter tests and actions in the HTTP API v2, there was no check done in the config calls to determine whether a simplified command is using any unannounced/unsupported sieve capabilities, which led to those simplified commands being returned, so the UI assumed that the particular simplified action command was available. Ensure that the required capabilities of the simplified action commands are also checked for possible required sieve capabilities to only show supported sieve rules.
Loading the source of a vCard failed. This has been fixed by adjusting the request.
Missing cancel handling on mobile phones. Canceling is now handled on mobile phones.
Linking an image in a signature was not possible. This has been solved by updating TinyMCE.
Vertically merged tables are only shown in OX Text but are not visible in Word (except the top cell). Vertically merged cells are now hidden so that the user cannot modify their content and then get the impression of data loss after opening the document in Word.
JVM route information not added to redirecting call-back URL. Ensure JVM route is added to redirecting call-back URL to solve this issue.
The related request used wrong column numbers. This has been solved by adjusting those column numbers.
Files API handles .csv files differently depending on whether we check for the file extension or the MIME type. This has been fixed by checking directly for the view model type instead of using the MIME type based files API methods.
Checking if a context to restore might be the last one held in the associated DB schema does not deal with the possibility that the context no longer exists. In that case that test should simply pass. This has been solved by checking context existence prior to checking if it might be the last one held in the associated DB schema on context restoration.
Lenticular brackets were removed from the list of valid characters, which broke certain attachment names as those characters appear to be common in Japanese. We’re now maintaining those characters when providing attachment information.
RFC2231 encoded parameters were incorrectly decoded when handling attachments. This broke certain attachment names as such encodings appear to be common in Japanese. We’ve corrected decoding and now provide correct attachment information.
The newline character was removed from the LogstashEncoder and moved to the LogstashSocketAppender. This has been fixed by removing the newline character from the LogstashSocketAppender. Re-introduced the newline character to the LogstashEncoder.
Race condition when uploading the sample file into Drive. Make sure the sample file is uploaded before starting the tour to solve this issue.
Cached content was used to decide which alias to add and which to remove, but that cached content might not be up-to-date. This has been solved by setting a user’s aliases at once.
Internet Explorer has problems with absolutely positioned elements in table cells. This has been solved by calculating the height in Internet Explorer 11.
The RFC for the corresponding VTODO element only specifies four statuses. The OX status for waiting is not covered by the specification and was mapped to the status cancelled after import. To guarantee the correct status import of VTODO elements, the status parameter is extended with a new parameter called X-OX-STATUS with the value WAITING, which is parsed when importing to represent the “Waiting” status of the task.
Registration and de-registration messages of push clients have been logged at INFO level before, which could create large amounts of log data. As this information is supposed to be used for debugging purposes, we’re now logging it at log-level DEBUG. This solution has to be validated in a production environment.
Many code lines just work with “spam”, not with “confirmed_spam”. Always checking for “confirmed_spam” as well to solve this issue.
Specific HTML mails were handled incorrectly due to a recent sanitizing change for HTML style expressions. In cases where such styles got applied to hyperlinks, the link would potentially not work. We adjusted HTML parsing to avoid this.
After hiding and showing your name, it was still hidden. This has been fixed by storing the current account “displayname” right from the start and keeping it updated every time an instance of mail compose is created.
Right click outside the context menu doesn’t close it. This has been fixed by removing the selector from the blacklist and listening for the contextmenu event to close.
The validation for the “size” condition was incorrect if an action for mailfilter was added. The validation for the “size” condition has been corrected to be consistent.
In case the same mail address is used for multiple contacts, only one contact would be available when using address auto-complete for mail and other scenarios. To avoid this glitch we updated the filter to consider contacts to be unique in case their addresses are equal but names differ.
Microsoft Office attempts to render documents within the browser instead of downloading them, however not considering cookies required to fetch the requested information. As a result user experience suffers when trying to view or edit MS Office documents stored within OX App Suite. For this and other reasons we decided to remove the “Open in browser” option when using IE-based browsers. We suggest to use OX Documents for in-browser editing work-flows.
Existing Apple Push Notification Service (APNS) certificates will expire on 2017-12-07, please update to make sure client devices continue to receive push notifications when using OX Drive.
5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
3.1 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)
3.1 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N)
5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
When storing the report before sending it, a useless comma was added. This has been solved by constructing correct JSON when loading macdetails from local storage.
Wrong check whether the used connection pool is currently unused/empty caused premature stopping of the idle-connection-closer. Properly check whether the used connection pool is currently unused/empty to solve this issue.
List request breaks on altnamespace with many folders. This has been fixed by removing the ‘default0’ list request out of ‘virtual/standard’.
Wrong owner identifier passed to quota-aware file storage instance. This has been fixed by compiling proper owner info when resolving a file storage.
Remote IP address of connected end-point was not available. Now also output the remote IP address of the connected end-point to solve this.
Garbled mail messes up IMAP server’s BODYSTRUCTURE information. This has been solved by reparsing the mail manually in case the IMAP server’s BODYSTRUCTURE information is messed up.
“ISO-8859-1” charset is assumed for every string value in MAPI properties of a TNEF-encoded attachment. This has been solved by detecting the proper charset (e.g. by code page attribute) and using that to get the string value.
JVM route information was not added to redirecting call-back URL. Now ensure JVM route is added to redirecting call-back URL.
The setDocumentAttribute operation was generated twice: in renameHandler and during reloading the document. The document is now marked as unmodified before reloading it to solve this issue.
Some characters haven’t been sanitized. More sanitizing for feedback exports solves this.
Changed default status from accepted to unconfirmed due to some issues with iTIP attachments. This has been fixed by using status accepted as default for public appointments.
Garbled HTML content with conditional revealed comments confuses the Jericho HTML parser. Get rid of HTML comments prior to processing to display such mails.
Excessive “SELECT cid FROM context_server2db_pool WHERE server_id=xxx AND write_db_pool_id=xxx AND db_schema=xxx” queries. This has been solved by optimizing the collecting of data for drive metric calculation and improving some locations which invoked ‘getContextsInSameSchema()’.
“collect_addresses” field extracted out of the wrong JSON object. This has been solved by extracting the “collect_addresses” field out of the proper JSON object.
Modification of source code from middleware before evaluation. This has been solved by no longer modifying source code on the client side.
This has been fixed by adding a missing folder refresh.
Possible HTTP proxy timeout during long-running operations. Introduced the possibility to let a client submit a certain operation to a job queue, which can be frequently polled to check the operation’s status.
Removing oneself as a participant caused permission loss, which was treated as an error. Don’t treat permission loss as an error anymore, as this is now expected in this case.
Accept new ‘forceImages’ parameter for ‘mail?action=get&view=document’ action. Also show extended action label only when external images are filtered out.
Missing failure handling of tinymce. Remove the image manually. This has been solved by removing the image preview if the upload of the image fails due to whatever reason (for example, when the image size is too big).
Possible ‘java.lang.StringIndexOutOfBoundsException’ while parsing an address list. Fixed by properly resetting the cached string length after the string was modified.
The counter was not counting the parameters correctly when compiling the SQL statement. This has been solved by using the correct counter for cid when disabling schema.
No signature was displayed because the mapping for signatures was broken. This has been solved by removing an accidentally kept reference that messed up the mapping.
It was possible to see the Guest user’s E-Mail address in a URL parameter. This has been fixed by replacing the E-Mail address with a ‘user-id@context-id’ tuple and adjusting the resolve logic accordingly.
Inefficient check for duplicate/equally named folders and inefficient folder retrieval as well. This has been fixed by improving performance when updating a folder and fetching the folder list afterwards.
Single signature was not fully implemented for mobile. This has been solved by adjusting the getDefaultSignature method.
Text mails got a ‘cleanup’ when displayed in AppSuite. This has been solved by tweaking the replacement of redundant line breaks to preserve two empty lines.
Fixed typo in login call parameters to solve this issue.
Edit was called without considering mail attributes. Action is now invoked to prevent this issue.
Links accidentally considered as harmful. Managed a dedicated list of identifiers for possible global event handlers to get all those links working again.
Was resolved by adjusting Dutch Backed translation.
Folder selection had virtual/all folder hard coded. This has been fixed by using configured values to determine virtual/all folder.
The yielded ‘javax.mail.internet.AddressException’ in case of a parsing error may return ‘null’ when invoking its ‘getRef()’ method. This has been fixed by properly passing the parsed address string to the fall-back address instance in case of a parsing error.
General problem that might occur if an action gets chained. Once an undefined list element was present the check always returned true now (“draw it”).
Basic-auth information only provided in “Authorization” header for HTTP protocol, but not for HTTPS. This has been solved by always providing basic-auth information in the “Authorization” header regardless of the used protocol and refactoring to use the newer HttpClient library.
The ‘starts with’ and ‘ends with’ simplified rules got mixed up. Properly parse starts- and ends with match types to solve this issue.
Saving the jslob also stored fixed settings that are applied for smartphones only. This has been fixed by not saving ‘layout’, ‘showContactPictures’ and ‘showCheckboxes’ for mobile devices.
The header of the respective file was adjusted to get the right translation.
Sort order was adjusted. Note: Selecting a specific sort field (other than “date”) when mails are grouped by conversations might still yield “strange” results since a conversation’s mails are statically sorted by “date” and only the top mail of each conversation is considered for sorting the conversation groups. Having a flagged mail in the midst of a conversation does not sort that mail to the top since only the conversation’s newest mail is considered.
Added missing translation.
Fixed translation for “Maximum configured sized”.
We had no consistent check if threadSupport was enabled. In case ‘threadSupport’ is disabled, a potentially active folder viewoption ‘thread’ is also ignored to solve this issue.
CVSS: 3.1 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N)
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
CVSS: 6.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L)
CVSS: 3.7 (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N)
Sometimes it was not possible to upload pictures into the dedicated signature storage. Fixed a race condition to solve this issue.
Missing handling for pending images. This has been fixed by introducing cascade.
Support for ‘imapflags’ was removed for the new v2 API in 7.8.4. This has been fixed by re-adding the support for the ‘imapflags’ capability.
Wrong sort order returned for “flagged” sort field (660). This has been solved by returning the proper sort order for “flagged” sort field (660).
This was caused by a missing check for contacts without a mail address. Those contacts are now filtered.
This was solved by dropping support for the browser’s built-in printing and giving users a hint to use AppSuite’s print instead.
It was just sorted by the first character. This has been fixed by adding recursion when letters are equal.
Missing string in i18n. Added the missing string to i18n. This is only the new string; the string itself is still not translated. The translation will be available with the next public patch.
Possible control and/or white-space characters returned to clients. This has been fixed by dropping control and/or white-space characters from E-Mail addresses.
Certain rules created with -not- conditions, including -not exists-, could not be parsed correctly. This has been solved by adjusting the parsing and adding backend support for this behaviour.
Superfluous error logging for the common case when the client/end-user abruptly aborts the HTTP connection. This has been fixed by adjusting logging for the common case when the client/end-user abruptly aborts the HTTP connection.
Fullwidth digits were replaced in file names. This has been solved by allowing fullwidth digits in file names.
Possible empty line after multipart preamble was not maintained. Force a blank line before the start boundary when writing out multipart content to solve this issue.
Names were written to the user attributes table with possible leading and/or trailing whitespace. This has been fixed by checking for duplicate user attributes after any leading and trailing whitespace was removed.
MS Internet Explorer 11 has problems with auto height when the bottom CSS attribute is set to 100%. This has been solved by setting bottom to auto if the browser is IE 11.
LF character was used as line terminator in exported CSV files. Outlook was not able to handle those files. This has been solved by using the CRLF sequence as line terminator in exported CSV files.
Added missing Hazelcast invalidation packages and accompanying bundles for v7.8.3 and v7.8.4 to solve this issue.
File name check was case-sensitive. File names are now checked ignoring case to have a standardized procedure.
Styles were applied manually and got cleared after deleting the last letter in mail compose. This has been fixed by using the tinymce option ‘forced_root_block_attrs’ and applying a custom style and identifier class.
Middleware ignored MAXREDIRECTS. The middleware now limits redirect commands, and “redirect” actions are limited according to the MAXREDIRECTS setting.
Check was case-sensitive. This has been fixed by comparing case-insensitively and fixing the sync-async problem for the fallback.
Was caused by a problem with deleted files of running OX Documents when logging out. This has been solved by rejecting the promise in this error case in the quit handler.
The mail sent by Thunderbird does not contain the ASCII representation of the mail address. Instead it contains the unexpected IDN representation. This was fixed in javax.mail as it deals with unexpected mail content. Try to parse with the default Java charset. If ASCII is provided (as expected) nothing will change.
After upgrading a standalone document converter node, the open-xchange-documentconverter-server daemon doesn’t start anymore. This has been fixed by adding new bundles to the launcher.
Excessive querying of all context identifiers, likely caused by unnecessary “per node” initialization of the default attachment storage cleaner. Solution: Efficient retrieval of distinct context identifiers per schema and refactored default attachment storage cleaner to be managed as a cluster task (runs only once, no more per node).
Creation of trash and public folders on demand was removed. This has been solved by re-enabling the creation of trash and public folders on demand.
Copy button was disabled for Safari because of API limitations. This has been solved by enabling the button for Safari again, since Safari meanwhile supports the required API.
Some Japanese characters are not displayed correctly (garbled) in emails. This has been fixed by using the “x-windows-iso2022jp” charset in case Java’s “iso-2022-jp” charset yields unmapped characters.
Even though the mailfilter.v2 API is the one being used, capability checks were done against the legacy mailfilter API. This has been solved by setting the capability check to mailfilter v2.
This has been solved by adding txt to the regex of supported file extensions for preview.
com.openexchange.mail.filter.preferGSSAPI=true
When updating from 7.8.3, consider the case where users preferred GSSAPI as SASL mech and set the new c.o.mail.filter.preferredSaslMech accordingly to solve this issue.
If a file upload was running and a second file upload was started, the upload time was not recalculated. Fixed time estimation as the increased collection size was not taken into account during calculation.
The root folder is “9” for Drive, but for external storages it is “1”. When the root is reached, the overview is shown. The check if the root is reached only considered “9” and therefore did not work when using external storage accounts. This has been fixed by checking also for folder id “1” for external storages.
Removed unused libraries from com.openexchange.preview bundle.
com.openexchange.mail.filter.json.v2
Command registries are not properly registered as services. Properly register command registries for the new v2 API to solve this.
Missing handling for .psd and .tiff in mail preview. This has been solved by adding PSD and TIFF support to the preview list.
In case the com.openexchange.java-commons.logback-extensions bundle has not been started, an attempt to register its MBean failed. Await availability of the Logstash Socket Appender instance prior to attempting to register its MBean to solve this issue.
Wrong folders detection on MS Windows. Improved detection to solve this issue.
Missing implementation for mobile view. This has been solved by adding the missing implementation.
Was caused by a missing extension. Added missing extension to solve this problem.
UI changed response so it looked like the currently logged in user confirmed the appointment. This has been fixed by using the actual user that confirmed instead of the currently logged in user.
This was caused by a wrong client side order of the folder. This has been fixed by changing client side order to: inbox, drafts, sent, spam, trash, archive.
The text “Empty” is shown initially when selecting an empty mail folder but not when the user tapped on other folders and then returned. The second visit calls busy twice, which breaks the “visible-invisible-chain”. This has been fixed by using a robust implementation that utilizes busy and idle.
Possible quotes (“) in the local part of an E-Mail address were handled as special characters. Quotes in the local part of an E-Mail address are now handled properly to solve this issue.
The filename reservation logic recorded possibly conflicting filenames in a map using case-sensitive keys. This has been solved by tracking possibly conflicting filenames ignoring case.
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
CVSS: 3.6 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
Smart dropdown uses “auto” as height parameter, but numeric calculations with strings are impossible. Error in calculation where “auto” was assumed to be a number.
Mixed encoded values are not properly combined. Properly combine mixed encoded values to solve this issue.
Mail uses absolute positioning. Email exceeded internal limit (32KB) for specific post-processing. Raise size limit for that particular post-processing to 128KB for Chrome, 64KB for other browsers to display those emails.
Duplicate entries were written to the del_task folder table. This has been fixed by only writing the most current ones.
This has been solved by avoiding too many request to all possible DB-Schemas and improving start-up of middleware nodes for setups holding millions of contexts.
With this fix the Japanese date format was changed to the shorter hh:mm version.
Inexact SQL expression to remove duplicate entries from user_attribute table. This has been fixed by deleting duplicate entries by their UUID association.
Added dynamic date format for user locale to solve this issue.
Consider proper image dimension when performing auto-rotate of JPEG images to solve this issue.
Client/end-user abruptly aborts the HTTP connection while writing out the content of a ZIP archive. This has been solved by adjusting logging for common case when client/end-user abruptly aborts the HTTP connection.
Previous month scroll position was unreachable due to endless scrolling. This has been fixed by drawing an additional month if trying to scroll to the first drawn month.
“user” folder remained in child listing of root folder. Properly drop single namespace folders from LSUB collection to solve this issue.
In some cases like PDF source content or previously rendered files, a ManagedFile was returned although the request contained an async flag. This has been solved by ignoring ManagedFiles altogether whenever the async flag is set in the request and returning a JSON object with element {“async”:true} in such cases.
When requesting quota information for non-existing file storage accounts a runtime exception was thrown instead of properly handling the case. This has now been corrected.
When sending user feedback as CSV file via mail, empty SMTP authentication configuration settings would prevent sending the mail. We added a potential solution for this, however did not have the necessary information to reproduce the original problem. Therefore this fix has to be validated by the requesting customer.
The dialog to rename a folder in App Suite would not close under very special conditions. This has been researched and a potential workaround got applied. The effectiveness of this solution needs to be validated for the environment in question.
When copying raw image content from apps like MS Paint to mail compose, rather than just adding that image via drag&drop or the provided composer options, its content did not get pasted when using IE11. This has been corrected for this particular case, however note that copy&paste is implemented very inconsistently across browsers and operating systems, other cases will potentially not work as expected since the browser does not provide necessary information to web applications.
When composing multiple mails at the same time, the date/time information when the mail has been saved as draft was added to all open composer windows and did overwrite the actual date. This has been solved so that each composer window shows the correct saving date.
Certain E-Mails did contain combinations of text that led to incorrect hyperlink detection. This got solved by parsing links at plain-text mails less greedy.
To allow debugging potential network and remote service issues more efficiently, we added support to log connection status and usage metrics for each socket that gets opened to an external system (e.g. Database, IMAP). See Change SCR-24 for more information.
A particular help page for external accounts was incorrectly linked, this has been corrected.
Collecting contact information while reading mail was not working when combining specific mail handling (seen/unseen) in combination with contact collection. This has been solved.
Encrypted mails could not be printed after decrypting. This has been fixed.
A new frontend-side configuration option has been added to disable the “add attachment” area when creating or editing PIM objects. Note that this is purely cosmetic and does not affect other clients than OX App Suite. See Change #4301 for more information.
Tried to create previews for documents for local files. This has been solved by not trying to create previews for documents for local files.
No warning given in case number of imported items were truncated. This has been fixed by adding warning if number of imported objects were truncated.
Any mail attachment appended to the new message has been checked against upload quota limitation. Only consider uploaded file (mail attachments) when checking upload quota limitation to solve this issue.
CVSS: 3.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)
CVSS: 3.3 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
Confusing displayed error message. Solution: Rephrased error messages dealing about connectivity issues to mail server to have a more user-friendly information. Moreover added the “Please try again later.” suffix to hint to a possibly temporary nature of the issue.
No previous selection when there actually was an item selected. This has been solved by using the correct selection.
There might be situations where the metadata for stored infostore documents does not indicate the referenced files MD5 checksum. This may be the case for files that were stored more than 4 years ago, or for files that have been uploaded in chunks, e.g. during a migration. When synchronizing via OX Drive, the missing checksums for those files are calculated on demand, which requires the files to be retrieved from the underlying storage. When having many or very large files where the checksum needs to be calculated for, this may lead to an increased read load which may impact other processes and systems in the installation. This has been fixed by providing functionality to calculate missing file checksums on demand.
Too much memory and CPU usage by canvas resize. Integrate canvas resize into our lazyload mechanism so not every picture is processed simultaneously to solve this issue.
Building the forwarded mail calling setHeader erased the header information about file name. This has been solved by calling setHeader first and setting the file name header afterwards.
A SMTP server which responds with non standards-compliant multi-line greeting on socket connect messed up parsing of server’s capabilities. This has been solved by dealing with multi-line greetings from SMTP server.
No error message on require timeout. This has been fixed by adding timeout message and reload option with longer timeout (30 seconds).
The folder title did not get re-rendered after a title change. Now the folder title also gets re-rendered after a title change.
Adjusted the translation to solve this.
Adjusted the translation to solve this.
Adjusted the translation to solve this.
Adjusted one translation and added a new translation to the Address Picker.
Adjusted the translation to solve this.
Leftover namespace folder remains in LIST/LSUB collection. This has been fixed by adding a special check that cares about dropping leftover namespace folders.
When running OX App Suite 7.8.3 and 7.8.4 against a shared mail environment, SIEVE filter rules could unintentionally affect each other, for example auto-forward and vacation notice. This got fixed by retaining commented script content which is unknown to the 7.8.4 implementation.
Certain value pairs were not correctly distributed by the config cascade mechanism, especially those related to services that use oAuth for authentication. We solved this by making those properties config-cascade aware.
When moving/copying a folder from an external storage service to a folder of the primary OX Drive storage service, a permission related error was thrown. This got solved by properly setting administrator privileges to the creator of an OX Drive folder while copying/moving in folders from external services.
When attempting to share a file which is locked, the sharing dialog did not close when canceling the operation. This got solved by handling potential errors related to locks when trying to share a file.
In certain cases the frontend language did fall back to German instead of English. This got fixed by setting an explicit fallback to en_US if the browser provides an unsupported language and no previously set OX language cookie.
OX App Suite UI did display incorrect recommendations for mobile browsers when using such as a desktop browser. This has been solved and we’re now showing recommendations for mobile browsers only when using a mobile device.
When defining start/end dates at the calendar on mobile browsers, the supplied data did not get taken over to the appointment. This was caused by incompatibility of a date/time format library with specific languages and has been fixed by making sure the same date/time format is used at all related components.
In case a database connection reported a communication failure or timeout, the specific database schema was not part of the exception. This has now been added to allow simple debugging of affected database clusters.
In cases where the original recipients (To, Cc) of a mail got removed during compose and re-added later, the resulting mail was sent without recipient information. This got fixed by properly handling events related to tokens that display participants.
Changes to documentconverter led to higher than usual base CPU load. This impact got reduced by lowering a queue polling time to a value which offers a good compromise between queue responsiveness and “idle” CPU load.
In case an IMAP backend did close a connection due to technical issues or timeouts, the resulting stack-trace at OX App Suite middleware was rather generic. This has been improved in a way that we now show the related IMAP command to allow better debugging. This issue has to be validated in production environments that show such unexpected behavior.
When using “quick reply” to answer a mail, this option will disappear. We changed the behavior in a way that the option stays available after using it.
When using OX App Suite UI with Safari on iOS, the action to add a local attachment resulted in immediate launch of the camera App. We now trigger a selection menu which offers to either use the camera or access existing photos on the device.
When setting a vacation notice, it was not possible to define an alias address for the notice instead of the primary address. This got fixed by more consistent checks for mail aliases.
When using Japanese language settings and subsequently “yomi” contact fields, those contacts were sorted incorrectly as “other”, which got solved.
When printing specific mails that define CSS, the created print version did not show substantial content. This got fixed by dropping certain CSS elements from our whitelist that could lead to broken layouts. See Change #4204.
For PIM objects with attachments we did show the hyperlinks pointing to OX Drive instead of the corresponding App. To avoid confusion we did visually remove those links as they provide almost no functionality.
When sending a mail to all appointment participants the resulting mail compose did contain duplicates of the expected recipients. This got solved by detecting and removing the currently logged in user from that list.
Certain file formats (tiff, psd, pbm) were shown as thumbnail preview while not being supported in image preview. To ensure consistency we added support for tiff and psd files to image preview.
When using OX App Suite UI on a mobile browser, updates to an E-Mail address’s “personal part” at mail compose were not reflected to the selected mail address. This got solved by updating the corresponding element after the change has happened.
When updating an OAuth account (applying a new name), the enabled scopes were accidentally reset. This has been solved by not touching OAuth account’s enabled scopes when updating its name.
Certain POP3 servers do not obey the rule to advertise UIDLs with at most 70 characters. This has been fixed by extending the “uidl” column in “pop3_storage_ids” and “pop3_storage_deleted” tables from 70 to 128 characters as some POP3 servers advertise bigger UIDL values. An Updatetask will be triggered with this fix.
A contact’s (yomi-) firstname was not taken into account during sort name generation in case no (yomi-) lastname was set. This has been solved by using the combination of (yomi-) last- and firstname per default as sort name.
Missing feature for other languages. Added new setting and feature to make yomi fields available with other languages.
Only hiragana in sorting table. Extended the table with katakana to solve the first part. When yomi was given with half-width katakana it is still not sorted correctly, this will be fixed with an upcoming patch.
The list of confirmations was not part of the USM sync-state. USM now syncs the list of confirmations from the backend to solve this issue.
Used dummy folder_id ‘label’. This has been fixed by using ‘virtual/label’ now to avoid that an invalid ID is used in server requests.
CVSS: 3.1 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)
CVSS: 3.1 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)
CVSS: 3.1 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N)
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
CVSS: 3.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)
CVSS: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Replacing single quotes in fast load string of OX Text. CVE-2017-6913.
Adjusting error messages to avoid exposing folder names when triggering errors based on folder IDs. CVE-2016-10078.
Fixed folder/object permission plausibility checks when using certain API calls to move data internally. CVE-2017-6912, credits to Iordache Cosmin.
Improved detection for corrupt HTML with regards to HTML comments. CVE-2017-5864, credits to Zoczus.
Allow only valid CSS elements at HTML mail and removing external references. CVE-2017-5864, credits to Secator.
Disallow to manually specify a file’s MIME type when uploading such content. CVE-2017-5864, credits to Secator.
We’re handling timezone information more carefully now since it’s potentially user-provided data. CVE-2017-5864, credits to R00trus.
Hard error in case HTML cannot be parsed to its individual segments/tags. Content which cannot be parsed and sanitized will no longer be delivered to the client. This might affect broken/malformed legitimate mails but also attempts to bypass HTML filters. CVE-2017-5864, credits to ZeeShan.
Hard error in case HTML cannot be parsed to its individual segments/tags. Content which cannot be parsed and sanitized will no longer be delivered to the client. This might affect broken/malformed legitimate mails but also attempts to bypass HTML filters. CVE-2017-5864, credits to Zoczus.
Disallow ‘list-style-image’ style element which can be used to include external content and track users. CVE-2017-5210, credits to Iordache Cosmin.
Check if snippet/signature is either shared or owned by the user that attempts to delete/modify it. Deny operation if condition is not satisfied and return with an error. CVE-2017-5863, credits to Iordache Cosmin.
Sanitized error message by dropping folder name from user-visible error message and replaced name by numeric identifier for the technical log message. CVE-2016-10078, credits to Iordache Cosmin.
RSS “text/xhtml” content is now being pre-processed by sanitizer. CVE-2017-5864, credits to Iordache Cosmin.
Added an additional layer for reminders between JSON and SQL which performs permission checks. CVE-2017-5863, credits to Iordache Cosmin.
We’re now handling global event handlers (onerror, onabort, etc.) as unsafe and remove them during sanitizing. CVE-2016-10077, credits to Zoczus.
Added area elements to “noopener” mechanism. CVE-2017-5211, credits to Zoczus.
Removed user input at the response of the Accounts API which could be used for content spoofing. CVE-2017-5211, credits to Ahmed Abdalla.
We added client-side sanitizers at the mail signature editor to avoid self-XSS in addition to server-side filters that remove malicious code at persistent data. CVE-2017-5213.
We removed “form” and “input” elements from the HTML sanitizing white-list. Note that this will remove such kind of content in legitimate mails. CVE-2017-5210, credits to Zoczus.
We now prevent form submit, open a new window manually, nulling window.opener, redirect the form to the new window and then manually submit the form. In addition we removed “form” and “input” elements from the HTML sanitizing white-list. Note that this will remove such kind of content in legitimate mails. CVE-2017-5211, credits to Zoczus.
Perform sanitizing on SVG files to remove meta tags that can be used to set/overwrite cookies. CVE-2017-5213, credits to Abiral Shrestha.
Check if underlying task is accessible in the parent folder when accessing attachments. CVE-2017-5212, credits to Iordache Cosmin.
We’re now considering Javascript content from personal “snippets” as potentially harmful and reject “inline” use. CVE-2017-5213, credits to Secator.
Proper handling of combined characters during HTML sanitizing. CVE-2016-10077, credits to Zoczus.
Removed the task folder name at error responses when calling a folder by its ID. CVE-2016-10078, credits to Iordache Cosmin.
Proper handling of combined characters during HTML sanitizing. CVE-2016-10077, credits to Zoczus.
Removed user input at the response of the Apps API which could be used for content spoofing. CVE-2017-5211, credits to Ahmed Abdalla.
Adding user-based permission checks in addition to UUIDs to avoid access to foreign images at OX Documents. CVE-2016-10078, credits to Secator.
Added greedy/repetitive detection of possibly malformed HTML-tags to avoid follow-up issues with HTML sanitizing. CVE-2016-10077, credits to ZeeShan.
The “name” and “filename” attributes of Content-Type were incorrectly parsed, which led to broken attachment file names when using certain encodings. This got solved.
When moving a mail to the “Trash” folder, in some cases the unread counter was incorrectly updated. This has been solved by making such “move” operations more robust for the counter.
Mails with broken Content-Type headers at their MIME part could not always be rendered. We added some workarounds in order to attempt parsing and displaying such mails.
Some CSV data did trigger errors during import, caused by incorrect mappings for “Marital status” and “Employee ID” and the attempt to import read-only values like “Object ID”. This got solved by adjusting the mapping and skip list.
The “logincounter” CLT did use excessive and unoptimized queries when generating statistics. In combination with millions of data sets this could lead to database timeouts and subsequently unusable output. We enhanced that function to use chunk-wise querying and processing of such kind of data.
Latest code changes make IE9 unusable. Now sending MSIE 9 users to the unsupported HTML file.
Parts of the folder representation is cached and in cases where the users password got changed without terminating its session this cache was outdated and led to problems with standard folders like “Sent”. This got solved by looking up those folders via mail accounts API rather than using a cache.
In special cases where the corresponding IMAP folder of a POP3 account got manually deleted, there were issues removing the associated POP3 account. Other issues were related to the attempt of deleting the same account multiple times. Those got fixed.
In case of more than 50 recipients for a mail, the mail compose dialog became a bit unresponsive. This was caused by unnecessary requests to contact images and got solved by allowing to asynchronously load such images as well as reducing the amount of requests.
Configuration description about oAuth and related scopes got added at https://documentation.open-xchange.com.
In some cases the assignment of a Google oAuth account did break, usually when adding multiple accounts. In such cases the reference was made to the default Google account rather than the account associated to a subscription. This got fixed and the correct account is referenced now.
Missing check if task folder is private. Added missing check to solve this issue.
This was due to missing recovery for an unsupported character-encoding. This has been solved by handling possible unsupported character-encoding.
If a scope for an oAuth account got defined (e.g. to access an external calendar) and the corresponding OX account got downgraded to lose access to calendar, accessing the oAuth account was not possible anymore. This got improved by handling unexpected absence of scope and corresponding Apps.
The actual OAuth account associated with a subscription has not been considered, but always the default Google OAuth account was referenced. Solution: Consider the actual OAuth account that is associated with a subscription. Info: Popup Blocker may not be active.
Subsequent base64-encoded strings are not combinable if individual values end with padding ‘=’ character. This has been fixed by not combining padded base64-encoded values, but decoding them separately.
Weird start tag segments in real-world HTML mess up the HTML parser, which refuses to process the content any further. Solution: Better deal with malformed start tags in real-world HTML content.
When sharing a link on smartphone devices, the dialog was displayed in a way that the input field for recipients of the link was not shown. This has been solved by allowing to scroll that section into the viewport on small screens.
In emails with attachments which have different cid and id it was not possible to show all attachments. Make sure attachments do not have a cid attribute when added to a collection to solve this issue.
In special cases, a list of deleted change exceptions for recurring appointments was provided by Outlook to USM, which led to an exception and subsequently incomplete sync. This got fixed by considering this case.
Thunderbird’s ISPDB for auto-configuration changed. Changed default value for property “com.openexchange.mail.autoconfig.ispdb” in file ‘autoconfig.properties’ from “https://live.mozillamessaging.com/autoconfig/v1.1/” to “https://autoconfig.thunderbird.net/v1.1/”.
Even though a user did not have the “document_preview” capability assigned, calls to the Documentconverter API were made. This got solved by considering the user’s capability before executing such requests, for example when generating thumbnail previews for mail attachments.
Case-sensitive look-up for an OAuth API: “Twitter” is not equal to “twitter”. Perform ignore-case look-up by OAuth API identifier to solve this issue.
Wrong detection if a mail account action was targeted for primary mail account. Reliably check specified account identifier to determine primary account to solve this problem.
In case IMAP ACLs just for “see folder” are granted, the “this folder is shared” indicator was displayed. While technically correct this is misleading to users since no content is actually shared. The handling has been changed to avoid displaying the indicator for this kind of ACL.
When removing all mails within the Trash folder manually (select all, delete) instead of using the explicit function, the folder list was not reloaded. This got fixed by triggering a reload in such cases.
Too many operations in the DOM tree when having many appointments. This has been fixed by disabling some functionality for a large number of appointments.
Missing event in Keychain API led to this issue. This has been fixed by adding an additional event, so portal plugins update correctly.
Some mails were not displayed because the style tag does not get closed while sanitizing mail’s HTML content. This has been fixed by orderly closing the style tag while sanitizing HTML content.
Configured image limitations were not tested when checking for validity of an uploaded image. This has been solved by testing for image limitations when checking for validity of an uploaded image.
When changing or editing a recurring appointment, different dialogs with different naming were displayed. This got unified and changed to shorter naming in favor of small screen devices.
Hidden files were not displayed because filter extensions for files were never called. Invoked filter extension point to post process file list to solve this issue.
Required SessionD service was not orderly tracked. This has been solved by properly tracking needed SessionD service.
The tracked instance of AuditLogService was not orderly put into utilized service registry. This has been fixed by properly putting tracked service into service registry.
Even though ObfuscatorService is implemented as a singleton, it got registered multiple times which led to error messages. Those did not affect functionality but led to higher log traffic than necessary. The problem got fixed by making sure ObfuscatorService gets registered just once.
In certain cases a users capabilities to use USM and related sync implementations got incorrectly detected. We solved that by sticking to the advertised module access permissions instead of dynamically resolving it.
init script problems according to title / shutdown of ReaderEngine instances not reliable during DC server bundle shutdown, fixed init scripts, cleanup after migration for 7.8.2 / catching spurious exception during RE instance kill in Java bundle shut.
In cases where a regular HTTP/HTTPS resource contains the substring “mailto” like “www.mailtool.invalid”, that link was incorrectly detected as mailto: handler and mail compose got opened rather than the URL. This got solved by just looking for mailto: at the beginning of a URL.
JS error in yell function and only an empty settings page were displayed. Made yell function more robust, so Settings do not break anymore.
In case an E-Mail subject spans multiple lines where each consists of UTF-8 mail-safe base64 encoded characters, decoding partly failed and Unicode characters were displayed in a scrambled way. This has been solved by properly handling such split subjects and encoding each part independently.
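The padding problem behind this entry and the earlier entry on combining padded base64 values, shown as an added example that is not Open-Xchange code. The function names and sample subjects are constructed for illustration, and joining the decoded bytes before charset decoding is an assumption that goes slightly beyond what the notes state.

```javascript
// Added example (not Open-Xchange code): decoding a folded Subject header made
// of several RFC 2047 "B" encoded-words, each carrying its own '=' padding.

// One encoded-word: =?charset?B?payload?=
const ENCODED_WORD = /=\?([^?\s]+)\?[bB]\?([A-Za-z0-9+\/]*={0,2})\?=/g;
// Canonical base64: padding may only appear at the very end of the string.
const CANONICAL_B64 =
  /^(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=)?$/;

// Joining two padded payloads puts '=' in the middle, which is not valid
// base64; decoders then stop early or fail, so payloads are never glued.
function isCanonicalBase64(s) {
  return CANONICAL_B64.test(s);
}

function decodeSubject(raw) {
  // Unfold the header: a line break followed by whitespace is a continuation.
  const unfolded = raw.replace(/\r?\n(?=[ \t])/g, '');
  let out = '';
  let last = 0;
  let run = null; // bytes of adjacent encoded-words sharing one charset

  const flush = () => {
    if (!run) return;
    // Charset-decode once per run, so a character whose bytes were split
    // across two encoded-words is still reassembled (assumption, see lead-in).
    out += new TextDecoder(run.charset).decode(Buffer.concat(run.chunks));
    run = null;
  };

  for (const m of unfolded.matchAll(ENCODED_WORD)) {
    const [word, charset, payload] = m;
    const gap = unfolded.slice(last, m.index);
    last = m.index + word.length;
    const canonical = isCanonicalBase64(payload);

    // Whitespace between two adjacent encoded-words is dropped (RFC 2047);
    // anything else is literal text and ends the current run.
    if (!(run && canonical && gap.trim() === '')) {
      flush();
      out += gap;
    }
    if (!canonical) {
      out += word; // leave malformed words untouched instead of guessing
      continue;
    }
    const label = charset.toLowerCase();
    if (run && run.charset !== label) flush();
    if (!run) run = { charset: label, chunks: [] };
    // Each padded payload is base64-decoded on its own.
    run.chunks.push(Buffer.from(payload, 'base64'));
  }
  flush();
  return out + unfolded.slice(last);
}

// Builds a constructed sample: UTF-8 text cut every `bytesPerWord` bytes,
// each piece base64-encoded with padding and folded onto its own line.
function buildFoldedSubject(text, bytesPerWord) {
  const bytes = Buffer.from(text, 'utf8');
  const words = [];
  for (let i = 0; i < bytes.length; i += bytesPerWord) {
    const piece = bytes.subarray(i, i + bytesPerWord).toString('base64');
    words.push(`=?UTF-8?B?${piece}?=`);
  }
  return words.join('\r\n ');
}

// Constructed sample: two padded words on two physical header lines.
const sample = '=?UTF-8?B?SGVsbG8=?=\r\n =?UTF-8?B?V29ybGQ=?=';
console.log(decodeSubject(sample));
```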
Several log messages referred to a situation where access to an IMAP folder is attempted which got closed already. We added optimizations to lower the probability of such cases and handle them correctly instead of throwing an error.
In case two threads update a users “last login” information, a log message of level “ERROR” was logged. Since this is rather a temporary issue and can’t be solved in retrospect we lowered its log level. Further optimizations made it less likely that this kind of issue would happen at all.
A typo at the /opt/open-xchange/sbin/open-xchange script led to a situation where custom configured “nofiles” limits were not correctly applied to the process. This has been solved by correcting the property’s name and adding a log message to open-xchange-console.log in case the process fails to set this limit.
Changed required packages from open-xchange-documentconverter to open-xchange-documentconverter-server in spec file
When using mail categories with a desktop browser and moving mails to specific categories, those mails would not be displayed at Inbox anymore when using the same account using a mobile browser. We solved this by avoiding categorization Inbox if the corresponding feature set is not available on the currently used platforms.
In case of specific IMAP errors related to EXPUNGE commands, a detailed error message was returned to the user, which could contain a user-name for IMAP master authentication. This was solved by removing detailed error message contents for that IMAP command.
Due to external account refactoring in 7.8.3, the “default0” prefix for “standard” IMAP folders was shown at the frontend. This got fixed by stripping that prefix in places where users would expect just the folder name.
Firefox does not trigger dragleave or mouseout correctly. This has been fixed by using mouseenter to remove the dropzone when the mouse enters the window without dragged files.
If a user was changing its mail account displayname while the middleware uses a “global” mailServerSource setting, incorrect host names were applied. As a result the displayname could not be changed. We solved this by applying the appropriate host name to avoid erroneous responses during the operation.
If a HTML mail exceeds pre-defined limits, a rather harsh message is displayed at the frontend. This got polished in order to show a user friendly representation.
Single mails are printed correctly when using native browser printing (CTRL+p) but mail threads were not printed. This got fixed by handling mail threads in a more compatible way and allowing native functions to get their relevant content.
When changing the account name syntax of an external mail account, this change is not reflected to mail lists when reading mail sent and received by the same user. This got fixed by honoring a naming scheme which uses commas to separate last and firstname.
Once the PeriodicCleaner task for shares was executed, potential SQL errors could not be traced since the related schema name was unknown. To allow further debugging we added com.openexchange.database.schema as parameter for this cleanup run. It will highlight which database schema triggered timeouts or other errors.
Caused by the changes for favorite folders, where favorite folders for every module were added to the collection pool. The favorite folder for drive has the parent with id “9”. When the UI is refreshed, all parents of all folders are listed. That causes every refresh to request the folder with id “9”. This has been fixed by only adding favorite folders for modules with granted permission.
In case a user’s signature contains a faulty “createdby” header on file-level, subsequent changes to that signature were rejected based on a permission evaluation. In order to accept inconsistent data within the system, the permission check has been removed.
When sharing calendar folders and accessing them via CalDAV, appointments marked as “private” were not correctly synced. The same use-case works fine when using the HTTP API. This got fixed for CalDAV by considering this kind of appointment when creating responses.
Now clear and close dropdown on cancel to solve this issue.
When using the hyperlink for an external storage account at the Settings-Accounts page, no or the wrong App is launched. This has been corrected and a fallback to Drive was added.
To allow better debugging and monitoring of interaction between OX App Suite and IMAP backends, a new parameter was added to parse the IMAP backends “greeting” and provide it as part of the OX App Suite log. This behavior is configurable and described within release notes. When rolling out this Patch Release.
When syncing Outlook using USM, certain amounts and combinations of contacts and distribution lists could lead to a situation where only a subset of contacts but not all distribution lists got synced. This has been solved by sorting the type of object (contact, distribution list) prior to performing the sync operation. This way the kind of objects retrieved at the client side stays consistent in case the total amount of objects exceeds the chunk size for one sync operation.
When using OX App Suite UI on a smartphone, the “Attachments” link within mail compose has been shown with incorrect font and color. This got fixed by applying proper mobile styles to this link.
During conflict detection, the floating time-span of full-day appointments was calculated using the server’s timezone (usually UTC) while other appointments used the timezone configured by the user. In cases where a large offset to UTC is present, there has been a 50/50 chance that appointments would conflict with full-day appointments at the previous or next day. We’re now calculating both values using the user’s specific timezone for conflict handling. This should bring down the probability of incorrect conflicts considerably.
Did some improvements to avoid a crashing OX. Utilize a user-scoped lock mechanism to avoid having a global lock that might affect unrelated threads unnecessarily. Avoid duplicate remote session look-up.
An earlier bugfix introduced a significant change to HTTP API behavior, any change to the MIME-Type parameter has been rejected as a result. While OX clients were unaffected, this led to an incompatibility with third-party clients when using the “infostore” API for uploading and modifying files. We reduced the scope of the change to block MIME-Types that start with “multipart” instead, this should not affect the vast majority of use-cases for this API.
Too greedy check for possibly malicious content led to this issue. This has been solved by allowing properly parsed start tag.
In cases where the contact associated to the user account was created by the “oxadmin” account rather than the user itself, the user was unable to change its own contact data. Such situations may arise in specific provisioning implementations. Changing the contacts data is now possible again by correcting the mechanism to look up the oxadmin account as potential creator for the own contact.
When composing a mail to a list of several hundreds of recipients, browser warnings about unresponsive scripts occurred when trying to parse and tokenize the recipient list. The handling has been improved by 2-3x to allow a larger number of recipients.
Caused by missing capability check for disabling and hiding. This has been fixed by adding the missing check.
Document tours are contained in documents-ui package, existence of standard tours package was not checked there. This has been solved by adding check for existence of standard tours package, do not show tours automatically if missing, hide settings menu entry.
When configuring a negative timezone offset (e.g. UTC-5), desktop notifications would not be shown since the timestamp of newly received mails was checked against UTC rather than the users timezone.
In case mailbox login names allow multi-byte Unicode characters, the login process would fail when using OX App Suite. This has been solved by applying the correct charset when performing the login procedure for mailboxes.
Indexing mismatch between the DOM nodes representing the file items and the model entries holding the file data. This has been solved by fixing the sort method.
App Suite UI just redid the same operation. Solution: App Suite UI checks which files caused conflicts and only tries to redo those.
Multiple response was not fully processed. This has been fixed by processing full array.
During the createuser command an alias for the primary mail account is already added. This alias is equal to the upper case notation used in the create command. The change command now tries to add the same alias but with only lower case letters. This isn’t recognized and therefore the middleware tries to insert this alias to the db again which results in the duplicate entry error. Solution: Do a case independent check when comparing the old with the new aliases.
There was no name check performed for the move operations. This has been fixed by adding the name check to the move operation.
Inappropriate invocation of ‘MailConfig.doCustomParsing()’ lets Zimbra MAL connector fail to perform its own parsing of access information. Solution: Do call ‘MailConfig.doCustomParsing()’ regardless of passed parameters.
When using Thunderbird/Lightning and CalDAV of OX App Suite, full-day appointments could not be converted back to normal appointments using the CalDAV client. The reason for this was a client-specific CalDAV header used to indicate full-day appointments which caused issues with Lightning. We removed this header if the associated user-agent does not expect it.
In case a backend error did occur, like downtime of the mail storage, there could be situations where Outlook clients using USM get into a sending loop, resulting in duplicated E-Mail. These kinds of errors are now handled by the USM API in accordance with the OX App Suite middleware error code.
The guided tour for OX Text does not display info about mail if mail is not available.
Delete attempt does not check whether the file is non-existing. This has been fixed by properly checking whether an attempt is made to delete a non-existing file; logging has been changed appropriately.
IE has problems with flexbox styles. This has been fixed by changing styles to fix the problem.
When using the “onboarding wizard” while having a custom login implementation running, some configuration templates could not be properly created since access to the correct credentials (e.g. mail address, login name) is not possible. This has been solved by offering the ability to integrate custom login sources.
There has been a dependency between the calendar and tasks App with regards to handling iCal files, which led to a situation that appointments could not be imported if tasks are disabled. This dependency has been relaxed to allow cases where either App is disabled.
An earlier fix changed the response content when requesting a frontend-related file. Instead of a function and an error message, just an error message was returned. As a result the web frontend could get stuck in case a file was not found. This has been solved by providing a response similar to the earlier one, just with obfuscated payload.
The client request didn’t get a response. With these changes the Viewer displays an error message if the file is too big to be loaded.
In cases where a user’s configuration was damaged and the default App “none” has been selected, subsequent logins led to error messages. We’re now falling back to the global default App if the provided App cannot be found.
showruntimestats -a errors: No such cache: OXIMAPConCache. OXIMAPConCache is an obsolete JCS cache. The StatisticTools was querying the JCSCacheInformation for that particular non-existing cache. The same applies for MailConnectionCache and SessionCache. This has been solved by removing the obsolete calls and correcting the error message.
Missing error handling for overquota in multiple file upload. This has been solved by checking for error FLS-0024 and stopping the queue if this error appears. Rate limit errors are checked as well. If one of those errors appears, the upload queue stops and removes all files from the queue.
When uploading files as Mail attachment or Drive object, the corresponding progress bar offered a “Cancel” button that was not translated.
In case certain operating systems got configured incorrectly, specifically RHEL6 and SLES11, usage of the open-xchange-passwordchange-script plugin could lead to incorrectly encoded passwords passed over to a script. This has been solved by adding an optional parameter as described by Change #4022 to allow base64 encoded transfer. Additionally, unexpected encoding configurations will get logged to open-xchange-console.log to alert operators about potential follow-up issues.
Deactivated Notification pool combined with multiple uploads of attachments results in a single notification mail for each attachment. Solution: Keep track of a batch of attachment uploads during the whole stack.
Non-existing mbean raised an error. This has been fixed by removing mbean.
Last error value was not a simple signed integer. The fix checks for “N/A” and returns 0 instead of “N/A”; it only fixes the problem for ox_grizzly_TCPNIOTransport.
This has been solved by adding special handling in find App.
A possible scheme/port information in “com.openexchange.mail.mailServer” or “com.openexchange.mail.transportServer” property was not properly handled. This has been solved by using a structured object for the global mail/transport server configuration setting to also apply protocol, port, etc. (if specified).
Settings is not a favorite App and is therefore ignored as autolaunch. This has been solved by adding a special case for settings. Settings will not appear in the dropdown but can be set by the provider as default autoStart App.
Some file storage implementations are not returning a file count. With this fix the file count is not displayed if the external storage returns no value for file count.
Introduced new value for ox.serverConfig.persistence: “always”. Only works with adjustment in custom bundles.
Settings pane for message sound was displayed when no websocket support was available. This has been solved by adding missing capability check.
OXGuard extends “send as mail” ext.point, but the capabilities are NOT extended – now with manual check for capabilities.
The implementation now checks the default template folder and uses the user’s default folder as a fallback.
When using conversation (thread) view, the context menu was not added for each individual mail but for the whole thread and the first mail. This made it hard to handle individual mails and has been solved.
When defining a start or due date for tasks while using a negative UTC offset, the selected date would be reported incorrectly. This has been solved by adjusting the full-day handling for tasks to the calendar implementation which uses UTC.
The “My accounts” page at “Settings” did contain untranslated strings for external account names; this has been solved by making use of existing translation strings.
Timestamps for 1.1.1970 were interpreted as timestamp 0. The calculation for birth dates has been adjusted to solve this issue.
In case of a context that never existed on the system, a lookup for all contexts in the same schema led to endless attempts to get those contexts. This has been fixed by adding the initial context to the context list if the database returns no values for the given context id. Potential errors are added to the output report.
When adding own contact information to a Mail as vCard, that virtual attachment could not be removed afterwards. This was caused by an API change which is now reflected in mail compose.
Missing checks if parent folders get renamed or removed. This has been solved by looking for rename or removal of parent folders. On rename: anticipate changed path and keep folder. On remove: immediately remove affected favorites. This doesn’t work if triggered by another client.
“Addmapping” value was not split by comma when supplying multiple login mappings via csv file at create context. Now split multiple login mappings by comma during context creation from CSV file to solve this issue.
The ical analysis of an external invitation delivers a JSON object “users” without sub fields, especially without confirmation. This was unexpected by USM and produced an error, which led to a general sync error with OLOX. Now the missing confirmation is accepted and initialized by USM with 0.
Unnecessary global lock that leads to stacking up threads. This has been solved by removing unnecessary global lock from ‘com.openexchange.jslob.storage.db.DBJSlobStorage’ class for improved throughput.
Error handling is now done inside the apps. If errors with external storages (or other folder errors) appear and that folder is currently selected, the App will change to the default folder and reload the parent folder.
It was possible to share folders of an external storage account as link to other internal users. Since those accounts are per-account, that link would not work though. Therefore we removed the option to send a link to such folders to other internal users.
The ‘locks’ capability was not correct for some external storages. Changed behavior: The file lock feature is disabled for every external storage. Lock does only work in the internal ox fileStore now.
Possible database deadlock on concurrent delete attempts for users in the same context. Solution: Acquire a lock on user deletion to enforce queuing of concurrent delete calls.
Malformed conditional comment (CC) causes overly greedy detection of such a CC pattern in HTML content during sanitizing. This has been fixed by dealing with malformed conditional comments.
Really weird HTML content inside a mail, containing over 700 nested body start tag segments, makes the routine that tries to replace body tags with div tags for embedded display inside App Suite UI run mad. This has been fixed by avoiding excessive replacements of body tags inside such really weird HTML content.
In case an external mail account cannot be used (e.g. because the password changed), there has not been a notification to the user in order to resolve the situation. This has been changed to provide warning messages when trying to access an unavailable account.
When sharing an object with expiry date, that expiry date was set to “one month” when editing the share afterwards. We solved that by no longer applying the default value when editing a share.
MailConfig values were overwritten with wrong values. This has been fixed by preventing overwriting in specific situations.
Incrementing use-count for a lot of contacts associated with a certain E-Mail address causes too many INSERT statements to be issued, which flood the MySQL service. This has been solved by accumulating use-count incrementation through a batch statement and limiting the number of updated contacts that are associated with the same address. That limit is configurable through property “com.openexchange.contactcollector.searchLimit” and defaults to “5”.
Groups were not drawn due to a limit. Now applying limit by result type so groups are drawn.
Due to the deactivation of the “address” mailfilter the default values were not available. This has been fixed by introducing a fall-back to the former “header” filter if “address” is not available.
Use the actual hover fade value as defined in current UI theme.
Initial assumption to re-use OAuth credentials was wrong. Now OAuth credentials are not re-used when adding mail accounts.
Services class was not initialized. This has been solved by properly initializing the Services class.
Birthday calculation was slightly different in both views and apart from that even not correct for all cases. This has been solved by using the same code for both views and also using a correct approach.
Collection and token field state gets messed up because the model’s ‘token’ attribute gets updated within the ‘tokenfield:createtoken’ handler. This has been fixed by redrawing Tokens only when the display name has changed.
In case syntax errors are present in YAML-style configuration files, the middleware did start up partly but apparently was not logging this situation clearly enough for some operators. We improved error messages that are thrown once this happens to make it more clear.
linked caps and implemented “hide disabled elements” feature
If multiple E-Mail addresses are stored for a contact but not “E-Mail 1” and neither Company nor Position are available a blank second line at the contacts list was displayed. This has been adjusted to fall back to “E-Mail 2” and “E-Mail 3” in case “E-Mail 1” is unavailable.
No custom label colors applied to template. This has been solved by passing colorLabel identifier to html output.
When using default plain-text signatures and navigating with the TAB key, the cursor would be set at the end of the signature. This has been solved in a way that the cursor will be set to the beginning of the message.
When uploading several files whose combined size exceeds the maximum upload size, the related error message was related to the last file which got added. However, in such cases the error is related to the combined file size, therefore the wording has been adjusted.
This was caused by a missing hint that a file associated with a snippet/signature is (temporarily) not available. Restored logging in case the file associated with a snippet/signature is (temporarily) not available: “Missing file for snippet 1 for user X in context ctx_ID. Maybe file storage is (temporary) not available.”
Added new message for “select all” in tabbed inbox, some translation will be provided with the next patch.
Media queries were not flexible enough. This has been solved by using flex layout to use available space better (private and due time appear in this row too if set).
The folder ID changes, therefore the folder was lost on page reload. This has been fixed by listening to ID changes and updating and storing favorites.
In case connection to a Logstash server gets interrupted, log messages will be lost. We introduced a buffer for such messages that gets filled in case the connection is temporarily unavailable.
Recognizing HTML input was not working correctly in all cases. Now wrapping content with <div>…</div> in those cases to solve this issue.
No handling for Drag & Drop in mail-categories. Added the missing handling: first the mail is imported to the inbox and then moved to the category.
The app did not contain any information about contextual help. This has been solved by showing context sensitive help in settings. External apps can also register their help pages on the extension point ‘io.ox/settings/help/mapping’ in the function list.
When sorting mail attachments by Size or Date, the corresponding column header was not shown; this is now the case.
Was caused by missing capability check for version comments. This has been fixed by adding capability check for version comments.
Missing translations were added.
After deleting a folder in an external storage account the view was not updated. With this fix the view is updated after deleting a folder.
Dropbox identifies the folder through the path. New Files create all folders in their path by default. This is a special Dropbox behavior. This has been solved by checking for folder existence before storing a file and return default “folder does not exist exception”.
This has been fixed by using standard listener.
Max-width was applied to the whole container. This has been solved by applying max-width to the description only.
Guest user deletion triggers push listener removal for guests even if they might not have any push listener registered. Solution: Consider webmail permission before removing push listeners within the user deletion process.
Specific clients rely on a certain order of the EAS protocol elements. AllDayEvent shall be sent after StartTime, EndTime. Microsoft Exchange Server for example does this. AllDayEvent is now sent after StartTime, EndTime.
Now show display name if DISPLAYFROM is set.
The Appointment object at the deleteDateFromNotoficationQueue event was missing some typically unused data in cases where a participant deletes the appointment after accepting it. To allow compatibility with certain calendaring implementations, we now add a full Appointment object to the queue in such cases.
The message for “Mail folder could not be found on mail server” was known, actually by design, but not expected to happen that often. The fix just excludes the inbox from the obfuscation, to reduce the amount of error messages.
Setting field delimiter and text separators in RE SC code instead of via UNO on DC server side.
Copy command was able to run into over-quota. This has been fixed by using move operation for clear folder command in case move operation is supported by IMAP server.
Adjusted login- and error-handling to solve this issue. Special error code “MSG-0113” in case creation of default/standard folders fails with an “over quota” error was added. This error will be displayed after login to the end-user.
When setting an interval for calendar time scales, that interval was applied for time pickers and drag-lasso. Now this interval is also used for the calendar view’s time scale.
Capabilities of mail folders were incorrectly checked in case the mail system did not support permissions. As a result the context menu contained permission-related actions which were not working as expected. We added an explicit check for environments where permission handling of own mailbox folders is disabled.
In cases where multiple users are provisioned to the same context with the Global Address Book disabled, automatic contact collection of addresses that are present at the Global Address Book has not been performed. We changed the behavior to consider cases where the Global Address Book exists but cannot be accessed.