Change log for roundcube package in Debian
Published in sid-release |
roundcube (1.6.7+dfsg-1) unstable; urgency=high

  * New upstream bugfix and security release (closes: #1071474):
    + Fix command injection via crafted im_convert_path/im_identify_path on Windows.
    + Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences.
    + Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes.
    + Fix PHP8 warnings.
  * Update Standards-Version to 4.7.0 (no changes necessary).
  * Refresh d/patches.

 -- Guilhem Moulin <email address hidden>  Sun, 19 May 2024 23:20:59 +0200
Available diffs
- diff from 1.6.6+dfsg-2 to 1.6.7+dfsg-1 (8.0 KiB)
Superseded in sid-release |
roundcube (1.6.6+dfsg-2) unstable; urgency=medium

  * d/control: Drop ‘libmagic1’ from roundcube-core's Depends. (Closes: #1066853)

 -- Guilhem Moulin <email address hidden>  Thu, 14 Mar 2024 19:28:50 +0100
Available diffs
- diff from 1.6.6+dfsg-1 to 1.6.6+dfsg-2 (617 bytes)
- diff from 1.6.6+dfsg-1build1 (in Ubuntu) to 1.6.6+dfsg-2 (668 bytes)
Published in bullseye-release |
roundcube (1.4.15+dfsg.1-1~deb11u2) bullseye-security; urgency=high

  * Fix CVE-2023-47272: Cross-site scripting (XSS) vulnerability in setting Content-Type/Content-Disposition for attachment preview/download. (Closes: #1055421)

 -- Guilhem Moulin <email address hidden>  Tue, 28 Nov 2023 15:49:21 +0100
Published in bookworm-release |
roundcube (1.6.5+dfsg-1~deb12u1) bookworm-security; urgency=high

  * New upstream security and bugfix release:
    + Fix CVE-2023-47272: Cross-site scripting (XSS) vulnerability in setting Content-Type/Content-Disposition for attachment preview/download. (Closes: #1055421)
    + Fix PHP8 fatal error when parsing a malformed BODYSTRUCTURE.
    + Fix UI issue when dealing with an invalid managesieve_default_headers value.
    + Fix bug where images attached to application/smil messages weren't displayed.
    + Fix PHP8 warnings.
    + Fix regression where ‘smtp_user’ did not allow pre/post strings before/after ‘%u’ placeholder.
  * Refresh d/patches.

 -- Guilhem Moulin <email address hidden>  Tue, 28 Nov 2023 16:10:54 +0100
Superseded in sid-release |
roundcube (1.6.6+dfsg-1) unstable; urgency=medium

  * New upstream bugfix release:
    + Fix regression in handling LDAP search_fields configuration parameter.
    + Fix PHP8 warnings.
    + Fix rcube::decrypt().
    + Enigma: Fix finding of a private key when decrypting a message using GnuPG v2.3.
    + Fix page jump menu flickering on click.
    + Fix Sieve scripts comment parse with CRLF.
    + Fix bug where trailing non-ascii characters in email addresses could have been removed in recipient input.
    + Fix IMAP GETMETADATA command with options [RFC5464].
    + Support (DEPTH 0) in GETMETADATA command.
    + Clear IMAP capabilities on connection close.
  * Add ‘logs/errors.log’ to d/clean. (Closes: #1046449)
  * Move version mangling from build to install targets.
  * d/roundcube-core.*.timer: Set Persistent=false. (Closes: #1057061)
  * d/roundcube-core.roundcube-cleandb.timer: Adjust OnCalendar= to match cronjob specification.
  * Refresh d/patches.
  * d/control: Add php-guzzlehttp-guzzle to Build-Depends (unless under ‘nocheck’ profile) as Actions_Utils_Modcss::test_run() requires it.
  * Backport upstream change from master branch to fix Actions_Utils_Modcss::test_run().
  * d/p/mark-flaky-tests-as-such.patch: Unmark test_encrypt_and_decrypt() as flaky.
  * d/origtargz-diff.sh: Drop query string in destination filename.

 -- Guilhem Moulin <email address hidden>  Mon, 22 Jan 2024 15:16:43 +0100
Available diffs
- diff from 1.6.5+dfsg-1 to 1.6.6+dfsg-1 (1.5 MiB)
Superseded in bookworm-release |
roundcube (1.6.4+dfsg-1~deb12u1) bookworm-security; urgency=high

  * New upstream security and bugfix release:
    + Fix CVE-2023-5631: Cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages. (Closes: #1054079)
    + Managesieve plugin: Fix javascript error when relational or spamtest extension is not enabled.
    + Fix PHP8 warnings.
  * Replace upstream release “version” 1.6-git with the actual tagged version.
  * Add DEP-8 test to check RCMAIL_VERSION against d/changelog.
  * Salsa CI: Disable lintian and reprotest jobs.
  * Refresh patches.

 -- Guilhem Moulin <email address hidden>  Thu, 19 Oct 2023 00:20:52 +0200
Superseded in sid-release |
roundcube (1.6.5+dfsg-1) unstable; urgency=high

  * New upstream security and bugfix release:
    + Fix cross-site scripting (XSS) vulnerability in setting Content-Type/Content-Disposition for attachment preview/download. (Closes: #1055421)
    + Fix PHP8 fatal error when parsing a malformed BODYSTRUCTURE.
    + Fix UI issue when dealing with an invalid managesieve_default_headers value.
    + Fix bug where images attached to application/smil messages weren't displayed.
    + Fix PHP8 warnings.
    + Fix regression where ‘smtp_user’ did not allow pre/post strings before/after ‘%u’ placeholder.
  * d/control: Drop 10 year old Breaks+Replaces constraints.
  * d/rules: Update to reflect upstream Makefile.
  * roundcube-plugins: Remove obsolete maintscript.
  * roundcube-core: Suggests some potentially useful roundcube-plugin-*.
  * Refresh d/patches.

 -- Guilhem Moulin <email address hidden>  Sun, 05 Nov 2023 18:15:48 +0100
Available diffs
- diff from 1.6.4+dfsg-1 to 1.6.5+dfsg-1 (7.4 KiB)
Superseded in sid-release |
roundcube (1.6.4+dfsg-1) unstable; urgency=high

  * New upstream security and bugfix release:
    + Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages. (Closes: #1054079)
    + Managesieve plugin: Fix javascript error when relational or spamtest extension is not enabled.
    + Fix PHP8 warnings.
  * Add DEP-8 test to check RCMAIL_VERSION against d/changelog.
  * roundcube-core.postinst: Don't choke on non-existing symlink targets. (Closes: #1053709)

 -- Guilhem Moulin <email address hidden>  Mon, 16 Oct 2023 20:02:40 +0200
Available diffs
- diff from 1.6.2+dfsg-1 to 1.6.4+dfsg-1 (50.3 KiB)
Superseded in sid-release |
roundcube (1.6.3+dfsg-2) unstable; urgency=low

  * Replace upstream release “version” 1.6-git with the actual tagged version (currently 1.6.3).

 -- Guilhem Moulin <email address hidden>  Sat, 07 Oct 2023 16:20:03 +0200
Superseded in bullseye-release |
roundcube (1.4.14+dfsg.1-1~deb11u1) bullseye; urgency=high

  * New security/bugfix upstream release:
    + Fix CVE-2023-43770: cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages. (Closes: #1052059)
    + Enigma: Fix initial synchronization of private keys.
  * d/u/signing-key.asc: Add Alec's key BEE674A019359DC1.
  * Refresh d/patches.

 -- Guilhem Moulin <email address hidden>  Mon, 25 Sep 2023 11:32:59 +0200
Superseded in bookworm-release |
roundcube (1.6.3+dfsg-1~deb12u1) bookworm; urgency=medium

  * Rebuild for bookworm.
  * Salsa CI: Set RELEASE=bookworm.
  * d/gbp.conf: Set --debian-branch=debian/bookworm.

 -- Guilhem Moulin <email address hidden>  Mon, 25 Sep 2023 14:22:10 +0200
Superseded in sid-release |
roundcube (1.6.3+dfsg-1) unstable; urgency=medium

  * New upstream security and bugfix release:
    + Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages. (Closes: #1052059)
    + Fix regression that broke use_secure_urls feature hence OAuth2 authentication. (Closes: #1050317)
    + Fix regression where LDAP addressbook 'filter' option was ignored.
    + Fix regression in decoding mail parts FETCHed from IMAP.
    + Fix PHP8 warnings.
  * roundcube-core.cron: Trigger gc twice every hour. (Closes: #1043395)
  * Fix GuzzleHttp autoload location. (Closes: #1040705)
  * d/p/fix-autoload-location.patch: Set ‘Forwarded: not-needed’ DEP-3 header.
  * Refresh d/patches.

 -- Guilhem Moulin <email address hidden>  Mon, 18 Sep 2023 14:18:17 +0200
Superseded in sid-release |
roundcube (1.6.2+dfsg-1) unstable; urgency=medium

  [ Amin Bandali ]
  * Test suite: Adjust short date test to make it work with all ICUs. (Closes: #1030161)

  [ Remus-Gabriel Chelu ]
  * Add Romanian debconf templates translation. (Closes: #1033468)

  [ Guilhem Moulin ]
  * New upstream bugfix release.
  * d/gbp.conf, d/README.source: Remove obsolete comment.
  * d/sql/mysql/1.3.0-1: Move inline comment.
  * d/p/fix-short-date-test-icu72.patch: Remove patch applied upstream.
  * Refresh patches.

 -- Guilhem Moulin <email address hidden>  Sun, 02 Jul 2023 11:54:33 +0200
roundcube (1.6.1+dfsg-1) unstable; urgency=medium

  * New upstream bugfix release.
  * Update d/sql for 1.6.1+dfsg-1.
  * Fix d/README.source order.
  * Refresh d/patches.
  * d/roundcube-core.postinst: Add $config['imap_host'] to $CONFFILE.ucftmp if needs be. This fixes d/t/config-ownership-perms.
  * d/t/config-ownership-perms: Use HOST:PORT in roundcube/hosts string.

 -- Guilhem Moulin <email address hidden>  Tue, 24 Jan 2023 01:42:19 +0100
Available diffs
- diff from 1.6.0+dfsg-2 to 1.6.1+dfsg-1 (34.6 KiB)
Superseded in sid-release |
roundcube (1.6.0+dfsg-2) unstable; urgency=medium

  * Salsa CI: Restore piuparts job.
  * Salsa CI: Install suitable RDBMS before running piuparts.
  * Salsa CI: Include recipes/debian.yml.
  * d/control: Build-Depends: Drop versioned constraint on uglifyjs.
  * Update standards version to 4.6.2, no changes needed.
  * Fix FTBFS (closes: #1026528).
  * d/s/lintian-overrides: Remove mismatched overrides.

 -- Guilhem Moulin <email address hidden>  Tue, 20 Dec 2022 20:36:47 +0100
Available diffs
- diff from 1.6.0+dfsg-1.1 to 1.6.0+dfsg-2 (2.3 KiB)
Superseded in sid-release |
roundcube (1.6.0+dfsg-1.1) unstable; urgency=medium

  * Non-maintainer upload.
  * No source change upload to rebuild with debhelper 13.10.

 -- Michael Biebl <email address hidden>  Sat, 15 Oct 2022 12:43:57 +0200
Available diffs
- diff from 1.6.0+dfsg-1 to 1.6.0+dfsg-1.1 (341 bytes)
Superseded in sid-release |
roundcube (1.6.0+dfsg-1) unstable; urgency=low

  * New upstream release.
  * d/p/fix-install-path.patch: Also adjust installer/index.php.
  * d/t/control: Factor stanzas with same dependencies and restrictions.
  * /etc/roundcube/*.php: Don't include files only once.
  * DEP-8: Run upstream installer checks in a dedicated autopkgtest.
  * d/t/cleanup: Sort sessions by changed date on error.
  * d/t/installer-checks: And also run 3rd step of installation checks.
  * DEP-8: Add ‘Restrictions: breaks-testbed’ when suitable.
  * DEP-8: Name inline tests.
  * debian/control: Replace 'Depends: libapache2-mod-php | php' with 'Depends: php'.
  * Add d/README.source to document the package workflow.

 -- Guilhem Moulin <email address hidden>  Fri, 29 Jul 2022 11:47:02 +0200
Available diffs
- diff from 1.6~rc+dfsg-2 to 1.6.0+dfsg-1 (46.4 KiB)
Deleted in experimental-release (Reason: None provided.) |
roundcube (1.6~rc+dfsg-2) experimental; urgency=medium

  * Adjust d/origtargz-diff.sh for 1.6~rc+dfsg.
  * Refresh lintian overrides to accommodate lintian v2.115.
  * Bump Standards-Version to 4.6.1 (no changes needed).
  * Promote GuzzleHttp\Client back to "require" from "suggest".
  * Revert "Don't install the installer into /usr/share/roundcube."
  * Run upstream installer checks for apache2 and lighttpd DEP-8 tests.
  * Add roundcube-cleandb.{service,timer} which replaces the cronjob on systems where PID1 is systemd.
  * Add roundcube-gc.{service,timer} to purge expired sessions, caches and tempfiles in the background in a scheduled fashion.
  * Don't force set session.gc_probability=1 since we don't have to rely on probabilistic synchronous garbage collection anymore.
  * Remove obsolete /etc/default/roundcube and /etc/cron.daily/roundcube-core files since removing temporary files is part of the normal garbage collection routine.
  * DEP-8: Create tempfiles in $AUTOPKGTEST_TMP not /tmp.
  * DEP-8: Test roundcube-{cleandb,gc}.service (cleanup and garbage collection routines).

 -- Guilhem Moulin <email address hidden>  Wed, 29 Jun 2022 20:23:02 +0200
Available diffs
- diff from 1.5.0+dfsg.1-2 to 1.6~rc+dfsg-2 (669.0 KiB)
- diff from 1.5.1+dfsg-1 to 1.6~rc+dfsg-2 (576.9 KiB)
Superseded in experimental-release |
roundcube (1.6~rc+dfsg-1) experimental; urgency=medium

  * New upstream release candidate 1.6.
  * d/u/signing-key.asc: Add Alec's key BEE674A019359DC1.
  * Refresh d/patches.

 -- Guilhem Moulin <email address hidden>  Sun, 12 Jun 2022 16:46:12 +0200
Superseded in experimental-release |
roundcube (1.6~beta+dfsg-2) experimental; urgency=medium

  * d/roundcube-core.NEWS: Mention roundcube-skin-* packages by name now that they cleared the NEW queue.
  * d/control: roundcube-core: Add 'Recommends: roundcube-skin-classic, roundcube-skin-larry'.
  * Update d/copyright.
  * d/watch: Add uversionmangle for /-(alpha|beta|rc)\d*$/.
  * d/watch: Improve dversionmangle.
  * d/sql/*.sql: Escape identifiers to fix compatibility with MySQL 8 (LP: #1970428).
  * New script d/sqlupdate replacing d/addsqlupdate.sh.
  * Update d/sql for 1.6~beta+dfsg-1 (remove 2020122900 which is in d/sql/*/1.5.0+dfsg.1-1 already).
  * Run wrap-and-sort(1).
  * Remove d/t/fix-format_date-x.patch and generate an en_US.utf8 locale for the upstream test suite instead. This adds Build-Depends: locales.

 -- Guilhem Moulin <email address hidden>  Wed, 11 May 2022 20:22:23 +0200
Published in buster-release |
roundcube (1.3.17+dfsg.1-1~deb10u2) buster-security; urgency=high

  * Backport fix for CVE-2021-46144: Fix cross-site scripting (XSS) via HTML messages with malicious CSS content. (Closes: #1003027)

 -- Guilhem Moulin <email address hidden>  Thu, 06 Jan 2022 09:04:44 +0100
Superseded in bullseye-release |
roundcube (1.4.13+dfsg.1-1~deb11u1) bullseye-security; urgency=high

  * New security upstream release, with fix for CVE-2021-46144: XSS vulnerability via HTML messages with malicious CSS content (closes: #1003027).
  * Prepend '<!-- html ignored -->' to the test vector of the above.
  * Refresh d/patches.

 -- Guilhem Moulin <email address hidden>  Thu, 06 Jan 2022 08:51:41 +0100
Superseded in experimental-release |
roundcube (1.6~beta+dfsg-1) experimental; urgency=medium

  * New beta upstream release. Highlights for major version 1.6 include:
    - Full PHP 8.1 support (closes: #1000642)
    - Unified and simplified services connection options:
      . renamed `default_host` resp. `smtp_server` to `imap_host` resp. `smtp_host`
      . removed `default_port`, `smtp_port`, `managesieve_port` and `managesieve_usetls` options
    - The classic and larry skins are no longer included in the upstream repository hence are excluded from this source package; we will ship in separate packages.
  * Add d/roundcube-core.NEWS to highlight the above.
  * Update default value for roundcube/hosts template to "localhost:143" to match the upstream default.
  * Update d/copyright.
  * Update d/sql.
  * Refresh d/patches. Remove the following patches (now obsolete or applied upstream):
    - fix-FTBFS-with-phpunit-8.patch
    - fix-file-list-in-phpunit-configuration.patch
    - fix-FTBFS-with-phpunit-9.patch
  * Add patch to fix `$rcmail->format_date(.., 'x')` calls.
  * Remove mismatched Lintian override.
  * Add 'Restrictions: rw-build-tree' to the phpunit DEP-8 test as it writes into tests/.phpunit.result.cache.
  * Add aspell-en and php-pspell to Build-Depends (unless under 'nocheck' build profile) and DEP-8 test to test Framework_SpellcheckerPspell.
  * Add hunspell-en-us and php-enchant to Build-Depends (unless under 'nocheck' build profile) and DEP-8 test to test Framework_SpellcheckerEnchant.
  * Add php-roundcube-rtf-html-php to Build-Depends (unless under 'nocheck' build profile) and DEP-8 test to test Framework_TnefDecoder.
  * Add php-bacon-qr-code to Build-Depends (unless under 'nocheck' build profile) and DEP-8 test to test Actions_Contacts_Qrcode.
  * d/rules, d/t/control: Mark flaky tests as such and run phpunit with `--exclude-group=flaky --fail-on-skipped` in build-time and DEP-8 tests.
  * CI: Disable piuparts which is bound to fail due to the schema upgrade.
  * d/rules: Replace '$(dir $@)' with '$(@D)'.

 -- Guilhem Moulin <email address hidden>  Mon, 14 Mar 2022 00:16:05 +0100
Superseded in bullseye-release |
roundcube (1.4.12+dfsg.1-1~deb11u1) bullseye-security; urgency=high

  * New bugfix/security upstream release (closes: #1000156), with fixes for:
    + CVE-2021-44025: XSS issue in handling attachment filename extension in mimetype mismatch warning; and
    + CVE-2021-44026: possible SQL injection via some session variables.
  * d/gbp.conf: Rename upstream branch to upstream/release-1.4.
  * d/salsa-ci.yml: Set RELEASE=bullseye.
  * Refresh d/patches.

 -- Guilhem Moulin <email address hidden>  Thu, 18 Nov 2021 20:07:03 +0100
Superseded in sid-release |
roundcube (1.5.1+dfsg-1) unstable; urgency=medium

  * New upstream bugfix release.
  * Change repacking suffix to +dfsg from +dfsg.1.

 -- Guilhem Moulin <email address hidden>  Sat, 04 Dec 2021 15:07:42 +0100
Available diffs
- diff from 1.5.0+dfsg.1-2 to 1.5.1+dfsg-1 (100.3 KiB)
Superseded in sid-release |
roundcube (1.5.0+dfsg.1-2) unstable; urgency=medium

  * CI: Restore piuparts job.
  * DEP-8: config-ownership-perms: Add Restrictions: allow-stderr.

 -- Guilhem Moulin <email address hidden>  Sat, 23 Oct 2021 20:00:35 +0200
Available diffs
- diff from 1.4.11+dfsg.1-4 to 1.5.0+dfsg.1-2 (5.5 MiB)
- diff from 1.5.0+dfsg.1-1 to 1.5.0+dfsg.1-2 (943 bytes)
Superseded in sid-release |
roundcube (1.5.0+dfsg.1-1) unstable; urgency=low

  * New upstream release. Highlights for major version 1.5 include:
    - full PHP 8.0 support (closes: #977687)
    - dark mode for Elastic skin
    - collected recipients and trusted senders
    - moving recipients between inputs with drag & drop
    - full unicode support with MySQL database
    - support of IMAP LITERAL [RFC7888]
    - support of [RFC2231] encoded names
    - cache refactoring
  * Ship upstream's bin/updatedb.sh to roundcube-core.
  * d/t/dbconfig-no-thanks: Also run bin/updatedb.sh.
  * d/t/dbconfig-no-thanks: Check DB ownership and permissions.
  * Exclude spellchecker from build-time and DEP8 tests, as dictionary mismatch makes it too brittle.
  * d/pkg-php-tools-overrides: Remove useless roundcube/net_sieve builtin.

 -- Guilhem Moulin <email address hidden>  Sat, 23 Oct 2021 09:47:50 +0200
Deleted in experimental-release (Reason: None provided.) |
roundcube (1.5~rc+dfsg.1-3) experimental; urgency=medium

  * DEP-8: Add test for dbconfig-no-thanks (set custom $config['db_dsnw']).
  * Create symlink var/lib/roundcube/SQL pointing to usr/share/roundcube/SQL. This is required for dbconfig-no-thanks deployments (closes: #996613).
  * Refresh lintian overrides to accommodate lintian v2.109.
  * Retroactively update d/roundcube-core.NEWS to advertise the 1.4 smtp_* default settings (closes: #994446).

 -- Guilhem Moulin <email address hidden>  Sat, 16 Oct 2021 23:20:50 +0200
Superseded in experimental-release |
roundcube (1.5~rc+dfsg.1-2) experimental; urgency=medium

  * Replace `which` with `command -v` in maint scripts.
  * Refresh lintian overrides to accommodate lintian v2.107.
  * Bump Standards-Version to 4.6.0 (no changes needed).
  * Remove 4 obsolete maintscript entries in 2 files.
  * Set upstream metadata fields: Security-Contact.

 -- Guilhem Moulin <email address hidden>  Fri, 08 Oct 2021 20:53:01 +0200
Superseded in experimental-release |
roundcube (1.5~rc+dfsg.1-1) experimental; urgency=medium

  * New upstream release candidate 1.5 (closes: #949629).
  * d/rules: Exclude tinymce/js/tinymce/tinymce.d.ts in accordance with jsdeps.json.

 -- Guilhem Moulin <email address hidden>  Tue, 06 Jul 2021 12:00:42 +0200
Superseded in experimental-release |
roundcube (1.5~beta+dfsg.1-4) experimental; urgency=medium

  * d/roundcube-core.cron.daily, d/addsqlupdate.sh: `set -ue` and improve quoting.
  * d/*: Fix space damage.
  * bin/update.sh: hardcode define('INSTALL_PATH', '/var/lib/roundcube/'); (closes: #989140).
  * d/roundcube-core.postinst: Set DEBIAN_PKG=[0|1] for symmetry.
  * d/p/debianize-config.patch: Comment out sample plugins, see #884992.

 -- Guilhem Moulin <email address hidden>  Sat, 29 May 2021 15:03:39 +0200
roundcube (1.4.11+dfsg.1-4) unstable; urgency=medium

  * d/roundcube-core.postinst: Remove the roundcube lighttpd module after it has been disabled, not before (closes: #988282).
  * d/roundcube-core.postinst: lighttpd: Don't enable fastcgi-php if there is already an enabled fastcgi .php handler (closes: #988236).
  * d/uupdate: Fix comment.

 -- Guilhem Moulin <email address hidden>  Mon, 17 May 2021 20:45:48 +0200
Superseded in experimental-release |
roundcube (1.5~beta+dfsg.1-3) experimental; urgency=medium

  * d/*.post*, d/*.config: Improve style consistency.
  * d/*.post*: pathfind(): Keep IFS null (instead of setting it to the empty string) if it was null before.
  * d/roundcube-core.postinst: Set ln(1)'s '-T' flag to protect against undesired semantics should the target be an existing directory.
  * d/roundcube-core.postinst, d/roundcube-core.config: Replace useless calls to sed.
  * d/*.pre*, d/*.post*, d/*.config: Fix space damage.
  * d/roundcube-core.postinst: Make configuration sample parsing and reading roundcube/hosts more robust.
  * d/roundcube-core.postinst: 3DES key generation: Use a random 18-bytes long string base64 encoded (the key needs to be 24 bytes long).
  * d/roundcube-core.postinst: lighttpd: Prefer the more efficient fastcgi-php-fpm over fastcgi-php on lighttpd 1.4.55-2 and later.
  * d/copyright: Add self.
  * DEP-8: Add basic Apache2 and lighttpd tests.
  * DEP-8: Add configuration file and log/temp directory ownership and mode checks.
  * DEP-8: Add a hardened deployment, with a dedicated PHP-FPM pool and dedicated user/group (so the HTTPd can't read sensitive roundcube data).
  * d/roundcube-core.post*: Reload webserver with deb-systemd-invoke(1) when possible.
  * d/roundcube-core.postinst: Avoid running bin/update.sh with root privileges, depending on /etc/roundcube/config.inc.php's ownership and mode: if the file is world-readable then issue a warning and run as www-data; otherwise, if the file is not root-owned then run as its owner; otherwise, if the file is group readable and is not group owned by root, and the group is used as a primary group for a single user, then use that user. Should all that fail root privileges are preserved and a warning is issued.
  * d/roundcube-core.postinst: Issue a warning if a .dpkg-new leak is detected.

 -- Guilhem Moulin <email address hidden>  Mon, 17 May 2021 21:00:08 +0200
Superseded in experimental-release |
roundcube (1.5~beta+dfsg.1-2) experimental; urgency=medium

  * Add hunspell-en-us to Build-Depends and DEP-8 tests dependencies as spellcheck tests rely on that dictionary.

 -- Guilhem Moulin <email address hidden>  Mon, 08 Mar 2021 19:14:45 +0100
Superseded in experimental-release |
roundcube (1.5~beta+dfsg.1-1) experimental; urgency=medium

  * New upstream beta release.
  * Change default spellchecker engine from pspell to enchant as the latter is better supported and more flexible.
  * d/copyright: Update Files-Excluded stanza for tinymce component.
  * d/uupdate: Fix tinymce-langs URL.
  * d/control: Bump dependencies to match jsdeps.json and composer.json-dist.
  * d/control: Update build dependencies for the improved test suite.
  * Update d/copyright.
  * Fix DEP-8 tests: The test suite now requires reading the configuration file, so we need to run it as www-data. We test with SQLite3 backend, and also the default backend (MySQL) on testbeds providing container-level isolation.
  * d/rules: Treat plugins/*/readme* (not only plugins/*/README*) as documentation.
  * CI: Disable piuparts which is bound to fail due to the schema upgrade.

 -- Guilhem Moulin <email address hidden>  Mon, 08 Mar 2021 00:42:28 +0100
Superseded in sid-release |
roundcube (1.4.11+dfsg.1-3) unstable; urgency=medium

  * Remove versioned dependency (php* <<8.0) as it prevents users from upgrading php-common (e.g. via 3rd-party repositories). Instead we give a hint which phpX.Y-* packages need to be manually installed. Thanks to the Debian PHP PEAR Maintainers for their input!

 -- Guilhem Moulin <email address hidden>  Fri, 26 Feb 2021 23:44:31 +0100
Superseded in sid-release |
roundcube (1.4.11+dfsg.1-2) unstable; urgency=medium

  * d/rules: Reorder targets based on the dh sequencer execution order.
  * d/roundcube-core.README.Debian: Add instructions for running Roundcube code as a user:group other than the default www-data:www-data.

 -- Guilhem Moulin <email address hidden>  Thu, 11 Feb 2021 21:49:03 +0100
Available diffs
- diff from 1.4.10+dfsg.1-1 to 1.4.11+dfsg.1-2 (128.6 KiB)
- diff from 1.4.11+dfsg.1-1 to 1.4.11+dfsg.1-2 (2.9 KiB)
Superseded in sid-release |
roundcube (1.4.11+dfsg.1-1) unstable; urgency=high

  * New upstream bugfix/security release.
  * d/rules: Remove duplicate dh_link call.
  * d/rules: Fix sourcemap URLs in minified CSS.

 -- Guilhem Moulin <email address hidden>  Mon, 08 Feb 2021 23:32:06 +0100
Superseded in sid-release |
roundcube (1.4.10+dfsg.2-2) unstable; urgency=medium

  [ Sandro Knauß ]
  * Remove retry-to-reach-imap-server.patch (Closes: #960302) It triggered too many issues for other users.

  [ Guilhem Moulin ]
  * Update d/missing-sources/README.
  * Remove useless duplicate d/install-jsdeps.sh.
  * d/rules: Use execute_after_dh_* from Debhelper compatibility level 13 when relevant.
  * d/control: Require php* <8.0 in dependencies.

 -- Guilhem Moulin <email address hidden>  Mon, 08 Feb 2021 00:22:01 +0100
Superseded in buster-release |
roundcube (1.3.16+dfsg.1-1~deb10u1) buster-security; urgency=high

  * New upstream bugfix release, with security fix for CVE-2020-35730: Cross-site scripting (XSS) vulnerability via HTML or Plain text messages with malicious content svg/namespace. (Closes: #978491)
  * Revert upstream commit 435cfa116 to avoid irrelevant jstz update.

 -- Guilhem Moulin <email address hidden>  Mon, 28 Dec 2020 02:49:49 +0100
Superseded in sid-release |
roundcube (1.4.10+dfsg.2-1) unstable; urgency=low

  * Retroactively update roundcube-plugins.NEWS as enigma is currently usable in Bullseye and sid.
  * d/rules: Complete refactoring.
  * Ship skin README files to /usr/share/doc/PACKAGE/skins.
  * Run bin/updatecss.sh at build time to (re-)stamp background images.
  * Exclude irrelevant scripts from binary packages: cssshrink.sh, initdb.sh, install-jsdeps.sh, installto.sh, jsshrink.sh, makedoc.sh, updatecss.sh, and updatedb.sh.
  * Don't install .htaccess into /usr/share/roundcube. The root directory for the HTTPd is /var/lib/roundcube and we already ship the htaccess there.
  * Don't install the installer into /usr/share/roundcube.
  * Lintian overrides: Remove package annotations.
  * Remove upstream installation instructions from /usr/share/doc/roundcube-core
  * Lintian: Override false positive package-contains-documentation-outside-usr-share-doc and package-contains-empty-directory.
  * Install managesieve helpdocs to /usr/share/doc/roundcube-plugins.
  * Install password helpers into /usr/share/roundcube/plugins/password/helpers not into /usr/share/doc/roundcube-core/examples.
  * plugins/password/helpers/chpass-wrapper.py: use python3 as interpreter and add to roundcube-plugins' Suggests.
  * d/watch: Monitor git tags rather than release tarballs.
  * d/gbp.conf: Add upstream VCS tag as additional parent to upstream/$VERSION.
  * d/gbp.conf: Rename upstream branch to upstream/release-1.4.
  * Recommend using new directory /var/lib/roundcube/public_html as document root.
  * Update d/*.README.Debian with current instructions.
  * Run the upstream test suite (excluding Selenium-based web tests) at build time (unless under 'nocheck' build profile). This adds phpunit, php-masterminds-html5 and php-intl to Build-Depends.
  * Add DEP-8 tests. For now this only consists of the upstream test suite (excluding Selenium-based web tests).
  * Replace Build-Depends: closure-compiler, yui-compressor with cleancss, uglifyjs (>=3), used respectively for CSS and Javascript minification. Build also source maps alongside the minified code. (Closes: #978073)
  * Elastic skin: Ship non-minified CSS and sourcemap alongside Less source files. (Closes: #978070)
  * New Build-Depends: pigz. Ship gzipped (minified) JS and CSS files alongside the non-compressed versions. Compatible HTTPds can send these files as is in order to avoid on-the-fly compression overhead. (Closes: #978075)

 -- Guilhem Moulin <email address hidden>  Fri, 15 Jan 2021 23:55:02 +0100
Available diffs
- diff from 1.4.10+dfsg.1-1 to 1.4.10+dfsg.2-1 (114.4 KiB)
Superseded in sid-release |
roundcube (1.4.10+dfsg.1-1) unstable; urgency=high

  * New upstream bugfix release, including security fix for: CVE-2020-35730: Cross-site scripting (XSS) vulnerability via HTML or Plain text messages with malicious content svg/namespace. (Closes: #978491)
  * d/rules: Make sure to fail the build when an error is raised in a for loop. (Closes: #978069)
  * d/rules: Refactor and move CSS/JS generation and minification from override_dh_auto_install to override_dh_auto_build. Thanks to Jonas Smedegaard for pointing this out.
  * Bump Standards-Version to 4.5.1 (no changes needed).
  * Upgrade watch file to version 4.
  * Rename Debian branch to debian/latest for DEP-14 compliance.
  * d/gbp.conf: Remove custom setting compression=xz.

 -- Guilhem Moulin <email address hidden>  Mon, 28 Dec 2020 01:33:45 +0100
Superseded in sid-release |
roundcube (1.4.9+dfsg.1-1) unstable; urgency=medium

  * New upstream bugfix release.

 -- Guilhem Moulin <email address hidden>  Thu, 01 Oct 2020 17:43:08 +0200
Superseded in buster-release |
roundcube (1.3.15+dfsg.1-1~deb10u1) buster-security; urgency=high

  * New upstream release, with security fix for CVE-2020-16145: Cross-site scripting (XSS) vulnerability via HTML messages with malicious svg or math content. (Closes: #968216)

 -- Guilhem Moulin <email address hidden>  Tue, 11 Aug 2020 17:44:16 +0200
Superseded in sid-release |
roundcube (1.4.8+dfsg.1-1) unstable; urgency=high

  * New upstream bugfix release, including security fix for CVE-2020-16145: Cross-site scripting (XSS) vulnerability via HTML messages with malicious svg or math content. (Closes: #968216)

 -- Guilhem Moulin <email address hidden>  Tue, 11 Aug 2020 16:45:02 +0200
Superseded in buster-release |
roundcube (1.3.14+dfsg.1-1~deb10u1) buster-security; urgency=high

  * New upstream release, with security fix for CVE-2020-15562: Cross-Site Scripting (XSS) vulnerability via HTML messages with malicious svg/namespace (Closes: #964355)

 -- Guilhem Moulin <email address hidden>  Mon, 06 Jul 2020 16:30:57 +0200
Superseded in sid-release |
roundcube (1.4.7+dfsg.2-1) unstable; urgency=low

  * d/rules: Exclude TinyMCE language Javascript packs from minification as Roundcube and TinyMCE load $code.js files not $code.min.js.
  * d/patches: Rename Use-system-JQueryUI.patch to use-system-JQueryUI.patch.
  * Bundle TinyMCE as secondary orig tarballs (downloaded automatically using custom uscan(1) script) rather than in d/missing-sources. The TinyMCE zip archive we used to ship in d/missing-sources violates DFSG (since 1.3.0+dfsg.1-1), because upstream's jsdeps.json links to the so-called "production package" which doesn't include preferred sources of modification. This remained unnoticed because lintian doesn't inspect the content of archives in d/missing-sources. Unfortunately Roundcube is still too dependent on the TinyMCE version for us to switch to the packaged version (see #784351), so we use secondary tarballs (repacked to exclude generated files such as minified JS and CSS files) for now.
  * d/control: Bump minimum node-less version to 3.0.0 as for later versions evaluation of JavaScript inline is disabled by default unless the new --js flag is set.
  * d/patches: Add Forwarded: DEP-3 headers.

 -- Guilhem Moulin <email address hidden>  Fri, 24 Jul 2020 02:44:11 +0200
Published in stretch-release |
roundcube (1.2.3+dfsg.1-4+deb9u6) stretch; urgency=high

  * Backport security fix for CVE-2020-15562: Cross-Site Scripting (XSS) vulnerability via HTML messages with malicious svg/namespace (Closes: #964355)

 -- Guilhem Moulin <email address hidden>  Mon, 06 Jul 2020 16:14:59 +0200
Superseded in sid-release |
roundcube (1.4.7+dfsg.1-1) unstable; urgency=high

  * New upstream bugfix release, including security fixes for: Cross-Site Scripting (XSS) vulnerability via HTML messages with malicious svg/namespace (closes: #964355)

 -- Guilhem Moulin <email address hidden>  Sun, 05 Jul 2020 23:57:50 +0200
Superseded in sid-release |
roundcube (1.4.6+dfsg.1-3) unstable; urgency=low * d/upstream/metadata: Add upstream's screenshot URL. * d/po/de.po: Convert from ISO-8859-15 to UTF-8. * Remove bundled OpenPGP.js as the bundled source is not the preferred form of modification hence violates DFSG. This breaks key generation in the enigma plugin (server-side OpenPGP support), but other key operations (incl. import of private keys) still work. That being said enigma is already broken in Buster (and Bullseye too right now) due to the missing dependency 'php-crypt-gpg'. Admins wanting enigma already need to manually install the dependency; they'll now need to also copy https://raw.githubusercontent.com/openpgpjs/openpgpjs/v4.4.6/dist/openpgp.min.js (or a later version) to /usr/share/roundcube/plugins/enigma/openpgp.min.js for key generation to keep working. -- Guilhem Moulin <email address hidden> Sat, 04 Jul 2020 01:07:51 +0200
Available diffs
- diff from 1.4.6+dfsg.1-2 to 1.4.6+dfsg.1-3 (492.8 KiB)
Superseded in sid-release |
roundcube (1.4.6+dfsg.1-2) unstable; urgency=medium * d/rules: Fix FTBFS on systems where lessc(1) 1.6.3 uses node 12.18.0. * d/roundcube-core.preinst: Remove script as the dbconfig logic is a no-op. -- Guilhem Moulin <email address hidden> Thu, 18 Jun 2020 14:01:20 +0200
Superseded in sid-release |
roundcube (1.4.6+dfsg.1-1) unstable; urgency=low * New upstream bugfix release. * d/copyright: Add generated CSS (minified or compiled from LESS sources) to Files-Excluded:. We don't want these in our (repacked) orig tarball nor in our git tree. d/origtargz-diff.sh can be used to verify that all upstream-generated CSS/JS files are re-generated at build time and that none is missing from our .debs. -- Guilhem Moulin <email address hidden> Sun, 07 Jun 2020 16:43:45 +0200
Available diffs
- diff from 1.4.5+dfsg.1-2 to 1.4.6+dfsg.1-1 (100.4 KiB)
Superseded in sid-release |
roundcube (1.4.5+dfsg.1-2) unstable; urgency=low * d/copyright: Upgrade URLs to secure HTTP. * d/copyright: Simplify Files-Excluded: pattern for generated JS files. Add new helper script d/origtargz-diff.sh to make sure we ship all files: generated files from the upstream tarball (before repacking) are excluded from the repacked .orig tarball, so we need to generate them back at build time and install them somewhere. * d/rules: Replace `find -print0 | xargs -r0` calls and loops with `find -exec`. * d/rules: Minify CSS files ourselves (like for .js files we minify all files, even the ones for which there is no .min.css in the upstream tree). * d/rules: Add yui-compressor to Build-Depends: for CSS minification. * d/patches/debianize-config.patch: typofix (closes: #931909). * d/rules: Also (re-)minify CSS/JS in roundcube-plugins, not only in roundcube-core. The upstream tarball contains multiple plugins/*/*.min.js files before repacking, and while Roundcube seems to manage without, there are no reasons not to re-minify these in addition to the files in -core. * d/roundcube-core.preinst: Drop logic to remove old symlinks with file targets (.js, .txt etc.) as dpkg is able to handle these on its own. * d/roundcube-core.{pre,post}inst: Drop logic to handle upgrade path from ancient versions (<oldstable). We don't support these upgrade paths and it clutters the maintainer scripts. * d/roundcube-core.maintscript: Ensure smooth directory-to-symlink conversion. This is required for upgrades from <1.4~. * d/roundcube-core.dirs: Remove var/lib/roundcube/config as dh_link will create a symlink to etc/roundcube with that name. -- Guilhem Moulin <email address hidden> Sat, 06 Jun 2020 16:44:07 +0200
Superseded in sid-release |
roundcube (1.4.5+dfsg.1-1) unstable; urgency=high * New upstream bugfix release, including security fixes for: - Cross-Site Scripting (XSS) vulnerability via malicious XML messages (closes: #962123) - Cross-Site Scripting (XSS) vulnerability in template object 'username' (closes: #962124) * d/roundcube-core.postinst: Also call ucfr(1) on existing config.inc.php and always pass --debconf-ok to ucf(1). * Bump debhelper compatibility level to 13. * Add upstream meta-information to debian/upstream/metadata. -- Guilhem Moulin <email address hidden> Wed, 03 Jun 2020 15:09:31 +0200
Available diffs
- diff from 1.4.4+dfsg.1-1 to 1.4.5+dfsg.1-1 (92.6 KiB)
Superseded in sid-release |
roundcube (1.4.4+dfsg.1-1) unstable; urgency=high * New upstream release, including security fixes for: - Cross-Site Scripting (XSS) vulnerability via malicious HTML messages (Closes: #959140) - CSRF attack can cause an authenticated user to be logged out (Closes: #959142) * Include krb_authentication plugin to the roundcube-plugins binary package. Upstream ships this (core) plugin since 1.2-beta but somehow it never made it to the Debian package. Thanks to Mike Gabriel for the poke. (Closes: #958642) * d/control: Update Maintainer: field to use @alioth-lists.debian.net not deprecated @lists.alioth.debian.org. -- Guilhem Moulin <email address hidden> Wed, 29 Apr 2020 22:10:57 +0200
Available diffs
- diff from 1.4.3+dfsg.1-1 to 1.4.4+dfsg.1-1 (92.5 KiB)
Superseded in sid-release |
roundcube (1.4.3+dfsg.1-1) unstable; urgency=medium * New upstream release. * d/roundcube-core.post*: + Replace tabs with spaces. + Pass flag '-f' to rm(1). * d/roundcube-core.postinst: + Create temporary config file with restricted permissions. Previously the file was created with mode 0644 (minus umask), possibly leaking secrets to a local attacker during a short time window. (The file was, and still is, removed later during the postinst stage.) + If the config file /etc/roundcube/config.inc.php already exists, don't override its ownership or mode. Otherwise (atomically) create it with owner root:www-data and mode 0640, like before. (Closes: #951194) + Honor dpkg-statoverride(1) rules on /var/lib/roundcube/temp and /var/log/roundcube: don't chown/chmod these directories if the local admin has defined overrides. * d/roundcube-core.postrm: + Also remove '.ucf-{new,old,dist}'-suffixed configuration files on purge, as suggested by ucf(1). + Only recursively remove /var/lib/roundcube/temp on purge, not its parent /var/lib/roundcube. Roundcube needs only write access to the temp dir. * d/patches/update_script.patch: Restore patch removed in 1.4.1+dfsg.1-1 to fix the ucf logic. * d/patches/dbconfig-common_support.patch: Use C++ style comment for consistency. -- Guilhem Moulin <email address hidden> Mon, 24 Feb 2020 06:39:10 +0100
Available diffs
- diff from 1.4.2+dfsg.1-2 to 1.4.3+dfsg.1-1 (200.2 KiB)
Superseded in buster-release |
roundcube (1.3.10+dfsg.1-1~deb10u1) buster; urgency=medium * d/control: revert bump of Standards-Version, as we want to release to stable. * d/upstream/signing-key.asc: revert Minimize OpenPGP certificate. * Add patch to Fix "Retry to connect to IMAP server" (Closes: #947320) -- Sandro Knauß <email address hidden> Tue, 24 Dec 2019 20:45:55 +0100
Superseded in sid-release |
roundcube (1.4.2+dfsg.1-2) unstable; urgency=medium * d/control: + Specify minimum versions for libjs-* dependencies. + Bump Standards-Version to 4.5.0 (no changes needed). * d/roundcube-core.links: link to /usr/share/javascript/$FOO, instead of its unreliable target name. (Closes: #948011) * d/roundcube-core.logrotate: + Add glob pattern for /var/log/roundcube/*.log, as ".log" is the default extension used for log filenames since 1.4-beta. (Closes: #948034) + Rotate daily and reduce the retention period to 14 days to match the new apache2 and nginx defaults. * d/rules: Rebuild skins/elastic/styles/{styles,print,embed}.css from the .less sources instead of shipping the upstream versions. This requires lessc(1) from node-less in the build environment. -- Guilhem Moulin <email address hidden> Wed, 29 Jan 2020 11:21:01 +0100
Superseded in sid-release |
roundcube (1.4.2+dfsg.1-1) unstable; urgency=low * New upstream release. * d/control: roundcube-plugins now suggests php-cli as enigma's import_keys.sh requires it. -- Guilhem Moulin <email address hidden> Wed, 01 Jan 2020 23:09:32 +0100
Available diffs
- diff from 1.4.1+dfsg.1-2 to 1.4.2+dfsg.1-1 (161.0 KiB)
Superseded in sid-release |
roundcube (1.4.1+dfsg.1-2) unstable; urgency=low [ Sandro Knauß ] * Add patch to Fix "Retry to connect to IMAP server" (Closes: #947320) -- Guilhem Moulin <email address hidden> Fri, 27 Dec 2019 11:14:20 +0100
Deleted in experimental-release (Reason: None provided.) |
roundcube (1.4.1+dfsg.1-1) experimental; urgency=low * New upstream release. + New Depends (and Build-Depends) 'php-mbstring', required by a call to mb_internal_encoding() in program/lib/Roundcube/bootstrap.php. * Rebase debian/install-jsdeps.sh from bin/install-jsdeps.sh. * Use system JS dependencies when possible: JQuery from libjs-jquery, jstz from libjs-jstimezonedetect, codemirror from libjs-codemirror, bootstrap from libjs-bootstrap4, jquery-minicolors from libjs-jquery-minicolors, libjs-jquery-minicolors, JQuery UI from libjs-jquery-ui. * New Build-Depends: closure-compiler, used for JS minification instead of yui-compressor. closure-compiler is what upstream uses, and yui-compressor is unable to compress 1.4's program/js/app.js and skins/elastic/ui.js. * Move plugin README.md files to /usr/share/doc/roundcube/plugins/$PLUGIN * Ensure INSTALL_PATH is always set to /var/lib/roundcube in the upstream tools. * d/roundcube-core.postinst: The honored environment variable for confdir is RCUBE_CONFIG_PATH, not RCMAIL_CONFIG_DIR. * d/control: Bump Standards-Version to 4.4.1 (no changes needed). * Refresh tinymce language pack from upstream. * d/control, d/compat: Set debhelper-compat version in Build-Depends. * d/control: Set 'Rules-Requires-Root: no'. -- Guilhem Moulin <email address hidden> Wed, 18 Dec 2019 19:17:13 +0100
Superseded in sid-release |
roundcube (1.3.10+dfsg.1-1) unstable; urgency=medium * New upstream release: (Closes: #927713) - Fixes CVE-2019-10740 [ Guilhem Moulin ] * Backport fix for CVE-2018-1000071: Insecure Permissions vulnerability in enigma plugin that can result in exfiltration of gpg private key. https://github.com/roundcube/roundcubemail/issues/6173 (Closes: #897014) * New upstream release (1.3.9). (Closes: #898068) * d/roundcube-core.config: Honor debconf setting roundcube/language, by skipping the relevant part at pre-configure stage. (Closes: #923142) * d/roundcube-core.postinst: Create temporary configuration file atomically. * d/upstream/signing-key.asc: Minimize OpenPGP certificate. * Add new plugins to roundcube-plugins: 'attachment_reminder' (closes: #918126), 'example_addressbook', 'identicon', 'identity_select' and 'redundant_attachments'. * d/control: Bump Standards-Version to 4.3.0 (no changes needed). -- Beowulf <email address hidden> Wed, 18 Dec 2019 00:26:48 +0100
Available diffs
- diff from 1.3.8+dfsg.1-2 to 1.3.10+dfsg.1-1 (30.2 KiB)
Superseded in experimental-release |
roundcube (1.4~rc1+dfsg.2-1) experimental; urgency=medium * New upstream release. + New Depends (and Build-Depends) 'php-mbstring', required by a call to mb_internal_encoding() in program/lib/Roundcube/bootstrap.php. * Rebase debian/install-jsdeps.sh from bin/install-jsdeps.sh. * Use system JS dependencies when possible: JQuery from libjs-jquery, jstz from libjs-jstimezonedetect, codemirror from libjs-codemirror, bootstrap from libjs-bootstrap4, jquery-minicolors from libjs-jquery-minicolors, libjs-jquery-minicolors, JQuery UI from libjs-jquery-ui. * New Build-Depends: closure-compiler, used for JS minification instead of yui-compressor. closure-compiler is what upstream uses, and yui-compressor is unable to compress 1.4-rc1's program/js/app.js and skins/elastic/ui.js. * Move plugin README.md files to /usr/share/doc/roundcube/plugins/$PLUGIN * Ensure INSTALL_PATH is always set to /var/lib/roundcube in the upstream tools. * d/roundcube-core.postinst: The honored environment variable for confdir is RCUBE_CONFIG_PATH, not RCMAIL_CONFIG_DIR. -- Guilhem Moulin <email address hidden> Tue, 11 Jun 2019 02:07:49 +0200
Superseded in stretch-release |
roundcube (1.2.3+dfsg.1-4+deb9u3) stretch-security; urgency=high * Backport fix for CVE-2018-19206: XSS vulnerability via crafted use of <svg><style>, as demonstrated by an onload attribute in a BODY element, within an HTML attachment. https://github.com/roundcube/roundcubemail/issues/6410 -- Guilhem Moulin <email address hidden> Sat, 24 Nov 2018 04:36:11 +0100
roundcube (1.3.8+dfsg.1-2) unstable; urgency=medium * debian/roundcube-plugins.maintscript: + Remove old maintscript, which doesn't apply since oldstable. + Convert /usr/share/doc/roundcube-plugins from symlink to directory (needed since plugin README files are now in that directory). -- Guilhem Moulin <email address hidden> Mon, 05 Nov 2018 04:38:45 +0100
Available diffs
- diff from 1.3.6+dfsg.1-1 to 1.3.8+dfsg.1-2 (18.7 KiB)
Superseded in sid-release |
roundcube (1.3.8+dfsg.1-1) unstable; urgency=medium * New upstream release. * debian/control: Migrate Vcs-Browser and Vcs-Git from Alioth to Salsa. * debian/roundcube-core.postinst: in lighttpd_install(), treat `lighty-enable-mod`'s exit status 2 (denoting a minor flaw e.g., a module was not enabled because it was already loaded before) as success. (Closes: #898040.) * Move plugin README files to /usr/share/doc/roundcube/plugins/$PLUGIN * debian/control: Bump Standards-Version to 4.2.1 (no changes needed). -- Guilhem Moulin <email address hidden> Sat, 03 Nov 2018 05:53:08 +0100
Superseded in stretch-release |
roundcube (1.2.3+dfsg.1-4+deb9u2) stretch-security; urgency=high * Backport fix for CVE-2018-9846: When the archive plugin is enabled and configured, it's possible to exploit the unsanitized, user-controlled "_uid" parameter to perform an MX (IMAP) injection attack. https://github.com/roundcube/roundcubemail/issues/6238 (Closes: #895184). * Backport fix for CVE-2018-1000071: Insecure Permissions vulnerability in enigma plugin that can result in exfiltration of gpg private key. https://github.com/roundcube/roundcubemail/issues/6173 -- Guilhem Moulin <email address hidden> Sat, 21 Apr 2018 01:51:56 +0200
roundcube (1.3.6+dfsg.1-1) unstable; urgency=medium * New upstream release. (Closes: #883620). + Includes fix for CVE-2018-9846: When the archive plugin is enabled and configured, it's possible to exploit the unsanitized, user-controlled "_uid" parameter to perform an MX (IMAP) injection attack. (Closes: #895184). + Upgrade OpenPGP.js from 1.6.2 to 2.6.2. * debian/control: + Bump Standards-Version to 4.1.4 (no changes needed). + Remove dependency on 'php-mcrypt' package, which is no longer needed since Roundcube 1.2. (Closes: #895100). * debian/patches/*.patch: Remove files not mentioned in series: + correct-magic-path.patch + disable-dns-prefetch.patch + dont-limit-email-local-part.patch + fix-599586.patch + install-jsdeps.sh + received-headers-sa.patch + too-old-mdb2.patch + use-debian-jquery-ui.patch + uuencoded-attachments.patch * debian/roundcube-core.postinst: Use non-recursive calls to chown(1) and chmod(1). -- Guilhem Moulin <email address hidden> Sat, 14 Apr 2018 20:52:38 +0200
Available diffs
- diff from 1.3.3+dfsg.1-2 to 1.3.6+dfsg.1-1 (778.0 KiB)
Superseded in stretch-release |
roundcube (1.2.3+dfsg.1-4+deb9u1) stretch-security; urgency=high * Backport fix for CVE-2017-16651: File disclosure vulnerability caused by insufficient input validation in conjunction with file-based attachment plugins, which are used by default. https://github.com/roundcube/roundcubemail/issues/6026 -- Guilhem Moulin <email address hidden> Thu, 09 Nov 2017 06:45:05 +0100
roundcube (1.3.3+dfsg.1-2) unstable; urgency=medium * Upgrade internal TinyMCE to 4.5.8 to match upstream's JS dependencies. (Closes: #881902.) * roundcube-core: Remove symlinks /etc/apache2/conf-available/roundcube.conf and /etc/lighttpd/conf-available/50-roundcube.conf when the HTTPd is uninstalled before roundcube-core. (Closes: #857838.) -- Guilhem Moulin <email address hidden> Mon, 20 Nov 2017 03:45:14 +0100
roundcube (1.3.3+dfsg.1-1) unstable; urgency=high * New upstream release. It primarily fixes a recently discovered file disclosure vulnerability caused by insufficient input validation in conjunction with file-based attachment plugins, which are used by default. More details will be published under CVE-2017-16651. * debian/rules: + Make the build reproducible. Thanks to Chris Lamb for the report and patch. (Closes: #880827.) + Run `chmod 0755 plugins/password/helpers/*.p[ly]` + Fix precedence in find(1) call in override_dh_install. Thanks to Chris Lamb for the report and patch. (Closes: #876722.) * debian/control: + Replace "Priority: extra" (deprecated since Debian Policy 4.0.1) with "Priority: optional". + Bump Standards-Version to 4.1.0 (no changes needed). + Promote php-mysql to first alternative in roundcube-mysql's dependencies: it currently depends on php7.0-mysql, which in turns provides virtual package php-mysqlnd. * Patch /etc/roundcube/htaccess to use mod_php7.c in the <IfModule> directive. Thanks to Peter Nowee for the report and patch. (Closes: #880194.) * debian/roundcube-core.preinst: Add "#DEBHELPER#" placeholder. * debian/roundcube-core.links: Remove robots.txt, which is no longer shipped by the package since 1.3.0+dfsg.1-1. (Closes: #877275.) -- Guilhem Moulin <email address hidden> Thu, 09 Nov 2017 05:32:13 +0100
Available diffs
- diff from 1.3.1+dfsg.1-1 to 1.3.3+dfsg.1-1 (97.6 KiB)
roundcube (1.3.1+dfsg.1-1) unstable; urgency=medium * New upstream release. * resort copyright file. * update upstream-Add-get-and-extract-arguments-and-CACHEDIR-env-varia.patch. * Bump Standards-Version to 4.1.0 (no changes needed). * use dbc_go the proper way and use "$@". -- Sandro Knauß <email address hidden> Sun, 10 Sep 2017 18:58:06 +0200
Available diffs
- diff from 1.3.0+dfsg.1-1 to 1.3.1+dfsg.1-1 (187.2 KiB)
roundcube (1.3.0+dfsg.1-1) unstable; urgency=medium * New upstream release. * Update patches: - remove patches that are not needed anymore - hunks - update_composer.patch to match new upstream release * robots.txt is not shipped anymore in the package * Get rid of unused overrides * Bump Standards-Version to 4.0.0 (no changes needed) * Bump compat level to 10 (no changes needed). * Update copyright file * Add SQL updates to Debian package * 3rdparty handling: - switch to install-jsdeps.sh - install unminified version when possible, too - modify jsdeps.json to be able to use sources - update all missing-sources * create-jquery-ui-custom.sh don't handle input arguments * Update source.lintian-overrides -- Sandro Knauß <email address hidden> Tue, 22 Aug 2017 19:55:39 +0200
roundcube (1.2.3+dfsg.1-4) unstable; urgency=high * Backport fix for CVE-2017-8114: Roundcube Webmail allows arbitrary password resets by authenticated users. This affects versions before 1.0.11, 1.1.x before 1.1.9, and 1.2.x before 1.2.5. The problem is caused by an improperly restricted exec call in the virtualmin and sasl drivers of the password plugin. (Closes: #861388). -- Guilhem Moulin <email address hidden> Mon, 01 May 2017 23:37:14 +0200
roundcube (1.2.3+dfsg.1-3) unstable; urgency=high * Backport fix for CVE-2015-5381: rcube_utils.php in Roundcube before 1.1.8 and 1.2.x before 1.2.4 is susceptible to a cross-site scripting vulnerability via a crafted Cascading Style Sheets (CSS) token sequence within an SVG element. (Closes: #857473). In 1.2.3+dfsg.1-2 the patch wasn't added to debian/patches/series. -- Guilhem Moulin <email address hidden> Tue, 14 Mar 2017 11:43:18 +0100
Available diffs
- diff from 1.2.3+dfsg.1-1 to 1.2.3+dfsg.1-3 (982 bytes)