£Á°èZ¨Ä…–K§‚«“ô4“ÒÙ´dîfUÙÃÅ WKbyʦ•êŽ…È®FÒ¿ÊÎóCozá¬S@6{Í:›œêZÌ:Š•_%:¢¾¾~;‘Ã~芩ÊǍí`ÔÑ©ú뙵'5I¿fš×WO%ø9¾«¾DK|€ùÍD”Ýs]nHÕ¶êםӼ㞪éUWŸÈË%DÒÕ¬ï‘]/Åcx ‰ï2ß]ä6G[]S£Ôϯrs{úëóµmÒï#UQxo·õÞCe]"±/aÙ&Eã4ú9Jé_ÞåëdãöKë)AÞ ¯¹ægƒÛowЍø^d™ý½ßB7áyMä9ÜÖUã !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ## Release 1.6.16 - Fix potential too long value in IMAP ID command (#10136) - Security: Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog - Security: Fix CSS injection bypass in HTML sanitizer via SVG `` - Security: Fix pre-auth SQL injection in `virtuser_query` plugin via preg_replace backslash escape bypass - Security: Fix SSRF bypass via specific local address URLs - Security: Fix bypass of remote image blocking via CSS var() - Security: Fix local/private URL fetch bypass when remote resources were not allowed - Security: Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass - Security: Fix code injection vulnerability - remove support for code evaluation in LDAP `autovalues` option ## Release 1.6.15 - Fix regression where mail search would fail on non-ascii search criteria (#10121) - Fix regression where some data url images could get ignored/lost (#10128) - Fix SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke ## Release 1.6.14 - Fix Postgres connection using IPv6 address (#10104) - Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler - Security: Fix bug where a password could get changed without providing the old password - Security: Fix IMAP Injection + CSRF bypass in mail search - Security: Fix remote image blocking bypass via various SVG animate attributes - Security: Fix remote image blocking bypass via a crafted body background attribute - Security: Fix fixed position mitigation bypass via use of !important - Security: Fix XSS issue in a HTML attachment preview - Security: Fix SSRF + Information Disclosure via stylesheet links to a local network hosts ## Release 1.6.13 - Managesieve: Fix handling of string-list format values for date tests in Out of Office (#10075) - Fix remote image blocking bypass via SVG content reported by nullcathedral - Fix CSS injection vulnerability reported by CERT Polska