This update for roundcubemail fixes the following issues:

Update to 1.6.7

This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides a fix to a recently reported XSS vulnerabilities:

  * Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes.
    Reported by Valentin T. and Lutz Wolf of CrowdStrike.
  * Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences.
    Reported by Huy Nguyễn Phạm Nhật.
  * Fix command injection via crafted im_convert_path/im_identify_path on Windows.
    Reported by Huy Nguyễn Phạm Nhật.

  CHANGELOG

  * Makefile: Use phpDocumentor v3.4 for the Framework docs (#9313)
  * Fix bug where HTML entities in URLs were not decoded on HTML to plain text conversion (#9312)
  * Fix bug in collapsing/expanding folders with some special characters in names (#9324)
  * Fix PHP8 warnings (#9363, #9365, #9429)
  * Fix missing field labels in CSV import, for some locales (#9393)
  * Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes
  * Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences
  * Fix command injection via crafted im_convert_path/im_identify_path on Windows

Update to 1.6.6:

  * Fix regression in handling LDAP search_fields configuration parameter (#9210)
  * Enigma: Fix finding of a private key when decrypting a message using GnuPG v2.3
  * Fix page jump menu flickering on click (#9196)
  * Update to TinyMCE 5.10.9 security release (#9228)
  * Fix PHP8 warnings (#9235, #9238, #9242, #9306)
  * Fix saving other encryption settings besides enigma's (#9240)
  * Fix unneeded php command use in installto.sh and deluser.sh scripts (#9237)
  * Fix TinyMCE localization installation (#9266)
  * Fix bug where trailing non-ascii characters in email addresses 
    could have been removed in recipient input (#9257)
  * Fix IMAP GETMETADATA command with options - RFC5464

Update to 1.6.5 (boo#1216895):

  * Fix cross-site scripting (XSS) vulnerability in setting 
    Content-Type/Content-Disposition for attachment 
    preview/download  CVE-2023-47272

  Other changes:

  * Fix PHP8 fatal error when parsing a malformed BODYSTRUCTURE (#9171)
  * Fix duplicated Inbox folder on IMAP servers that do not use Inbox 
    folder with all capital letters (#9166)
  * Fix PHP warnings (#9174)
  * Fix UI issue when dealing with an invalid managesieve_default_headers 
    value (#9175)
  * Fix bug where images attached to application/smil messages 
    weren't displayed (#8870)
  * Fix PHP string replacement error in utils/error.php (#9185)
  * Fix regression where smtp_user did not allow pre/post strings 
    before/after %u placeholder (#9162)