Change log for roundcube package in Debian

Published in sid-release
roundcube (1.6.7+dfsg-1) unstable; urgency=high

  * New upstream bugfix and security release (closes: #1071474):
    + Fix command injection via crafted im_convert_path/im_identify_path
      on Windows.
    + Fix cross-site scripting (XSS) vulnerability in handling list columns
      from user preferences.
    + Fix cross-site scripting (XSS) vulnerability in handling SVG animate
      attributes.
    + Fix PHP8 warnings.
  * Update Standards-Version to 4.7.0 (no changes necessary).
  * Refresh d/patches.

 -- Guilhem Moulin <email address hidden>  Sun, 19 May 2024 23:20:59 +0200

Superseded in sid-release
roundcube (1.6.6+dfsg-2) unstable; urgency=medium

  * d/control: Drop ‘libmagic1’ from roundcube-core's Depends.
    (Closes: #1066853)

 -- Guilhem Moulin <email address hidden>  Thu, 14 Mar 2024 19:28:50 +0100
Published in bullseye-release
roundcube (1.4.15+dfsg.1-1~deb11u2) bullseye-security; urgency=high

  * Fix CVE-2023-47272: Cross-site scripting (XSS) vulnerability in setting
    Content-Type/Content-Disposition for attachment preview/download.
    (Closes: #1055421)

 -- Guilhem Moulin <email address hidden>  Tue, 28 Nov 2023 15:49:21 +0100
Published in bookworm-release
roundcube (1.6.5+dfsg-1~deb12u1) bookworm-security; urgency=high

  * New upstream security and bugfix release:
    + Fix CVE-2023-47272: Cross-site scripting (XSS) vulnerability in setting
      Content-Type/Content-Disposition for attachment preview/download.
      (Closes: #1055421)
    + Fix PHP8 fatal error when parsing a malformed BODYSTRUCTURE.
    + Fix UI issue when dealing with an invalid managesieve_default_headers
      value.
    + Fix bug where images attached to application/smil messages weren't
      displayed.
    + Fix PHP8 warnings.
    + Fix regression where ‘smtp_user’ did not allow pre/post strings
      before/after ‘%u’ placeholder.
  * Refresh d/patches.

 -- Guilhem Moulin <email address hidden>  Tue, 28 Nov 2023 16:10:54 +0100
Superseded in sid-release
roundcube (1.6.6+dfsg-1) unstable; urgency=medium

  * New upstream bugfix release:
    + Fix regression in handling LDAP search_fields configuration parameter.
    + Fix PHP8 warnings.
    + Fix rcube::decrypt().
    + Enigma: Fix finding of a private key when decrypting a message using
      GnuPG v2.3.
    + Fix page jump menu flickering on click.
    + Fix Sieve scripts comment parse with CRLF.
    + Fix bug where trailing non-ascii characters in email addresses could
      have been removed in recipient input.
    + Fix IMAP GETMETADATA command with options [RFC5464].
    + Support (DEPTH 0) in GETMETADATA command.
    + Clear IMAP capabilities on connection close.
  * Add ‘logs/errors.log’ to d/clean. (Closes: #1046449)
  * Move version mangling from build to install targets.
  * d/roundcube-core.*.timer: Set Persistent=false. (Closes: #1057061)
  * d/roundcube-core.roundcube-cleandb.timer: Adjust OnCalendar= to match
    cronjob specification.
  * Refresh d/patches.
  * d/control: Add php-guzzlehttp-guzzle to Build-Depends (unless under
    ‘nocheck’ profile) as Actions_Utils_Modcss::test_run() requires it.
  * Backport upstream change from master branch to fix Actions_Utils_Modcss::
    test_run().
  * d/p/mark-flaky-tests-as-such.patch: Unmark test_encrypt_and_decrypt() as
    flaky.
  * d/origtargz-diff.sh: Drop query string in destination filename.

 -- Guilhem Moulin <email address hidden>  Mon, 22 Jan 2024 15:16:43 +0100

Superseded in bookworm-release
roundcube (1.6.4+dfsg-1~deb12u1) bookworm-security; urgency=high

  * New upstream security and bugfix release:
    + Fix CVE-2023-5631: Cross-site scripting (XSS) vulnerability in handling
      of SVG in HTML messages. (Closes: #1054079)
    + Managesieve plugin: Fix javascript error when relational or spamtest
      extension is not enabled.
    + Fix PHP8 warnings.
  * Replace upstream release “version” 1.6-git with the actual tagged version.
  * Add DEP-8 test to check RCMAIL_VERSION against d/changelog.
  * Salsa CI: Disable lintian and reprotest jobs.
  * Refresh patches.

 -- Guilhem Moulin <email address hidden>  Thu, 19 Oct 2023 00:20:52 +0200
Superseded in sid-release
roundcube (1.6.5+dfsg-1) unstable; urgency=high

  * New upstream security and bugfix release:
    + Fix cross-site scripting (XSS) vulnerability in setting
      Content-Type/Content-Disposition for attachment preview/download.
      (Closes: #1055421)
    + Fix PHP8 fatal error when parsing a malformed BODYSTRUCTURE.
    + Fix UI issue when dealing with an invalid managesieve_default_headers
      value.
    + Fix bug where images attached to application/smil messages weren't
      displayed.
    + Fix PHP8 warnings.
    + Fix regression where ‘smtp_user’ did not allow pre/post strings
      before/after ‘%u’ placeholder.
  * d/control: Drop 10 year old Breaks+Replaces constraints.
  * d/rules: Update to reflect upstream Makefile.
  * roundcube-plugins: Remove obsolete maintscript.
  * roundcube-core: Suggests some potentially useful roundcube-plugin-*.
  * Refresh d/patches.

 -- Guilhem Moulin <email address hidden>  Sun, 05 Nov 2023 18:15:48 +0100

Superseded in sid-release
roundcube (1.6.4+dfsg-1) unstable; urgency=high

  * New upstream security and bugfix release:
    + Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML
      messages. (Closes: #1054079)
    + Managesieve plugin: Fix javascript error when relational or spamtest
      extension is not enabled.
    + Fix PHP8 warnings.
  * Add DEP-8 test to check RCMAIL_VERSION against d/changelog.
  * roundcube-core.postinst: Don't choke on non-existing symlink targets.
    (Closes: #1053709)

 -- Guilhem Moulin <email address hidden>  Mon, 16 Oct 2023 20:02:40 +0200

Superseded in sid-release
roundcube (1.6.3+dfsg-2) unstable; urgency=low

  * Replace upstream release “version” 1.6-git with the actual tagged version
    (currently 1.6.3).

 -- Guilhem Moulin <email address hidden>  Sat, 07 Oct 2023 16:20:03 +0200
Superseded in bullseye-release
roundcube (1.4.14+dfsg.1-1~deb11u1) bullseye; urgency=high

  * New security/bugfix upstream release:
    + Fix CVE-2023-43770: cross-site scripting (XSS) vulnerability in handling
      of linkrefs in plain text messages. (Closes: #1052059)
    + Enigma: Fix initial synchronization of private keys.
  * d/u/signing-key.asc: Add Alec's key BEE674A019359DC1.
  * Refresh d/patches.

 -- Guilhem Moulin <email address hidden>  Mon, 25 Sep 2023 11:32:59 +0200
Superseded in bookworm-release
roundcube (1.6.3+dfsg-1~deb12u1) bookworm; urgency=medium

  * Rebuild for bookworm.
  * Salsa CI: Set RELEASE=bookworm.
  * d/gbp.conf: Set --debian-branch=debian/bookworm.

 -- Guilhem Moulin <email address hidden>  Mon, 25 Sep 2023 14:22:10 +0200
Superseded in sid-release
roundcube (1.6.3+dfsg-1) unstable; urgency=medium

  * New upstream security and bugfix release:
    + Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in
      plain text messages. (Closes: #1052059)
    + Fix regression that broke use_secure_urls feature hence OAuth2
      authentication. (Closes: #1050317)
    + Fix regression where LDAP addressbook 'filter' option was ignored.
    + Fix regression in decoding mail parts FETCHed from IMAP.
    + Fix PHP8 warnings.
  * roundcube-core.cron: Trigger gc twice every hour. (Closes: #1043395)
  * Fix GuzzleHttp autoload location. (Closes: #1040705)
  * d/p/fix-autoload-location.patch: Set ‘Forwarded: not-needed’ DEP-3 header.
  * Refresh d/patches.

 -- Guilhem Moulin <email address hidden>  Mon, 18 Sep 2023 14:18:17 +0200
Superseded in sid-release
roundcube (1.6.2+dfsg-1) unstable; urgency=medium

  [ Amin Bandali ]
  * Test suite: Adjust short date test to make it work with all ICUs.
    (Closes: #1030161)

  [ Remus-Gabriel Chelu ]
  * Add Romanian debconf templates translation. (Closes: #1033468)

  [ Guilhem Moulin ]
  * New upstream bugfix release.
  * d/gbp.conf, d/README.source: Remove obsolete comment.
  * d/sql/mysql/1.3.0-1: Move inline comment.
  * d/p/fix-short-date-test-icu72.patch: Remove patch applied upstream.
  * Refresh patches.

 -- Guilhem Moulin <email address hidden>  Sun, 02 Jul 2023 11:54:33 +0200
Superseded in bookworm-release
Superseded in sid-release
roundcube (1.6.1+dfsg-1) unstable; urgency=medium

  * New upstream bugfix release.
  * Update d/sql for 1.6.1+dfsg-1.
  * Fix d/README.source order.
  * Refresh d/patches.
  * d/roundcube-core.postinst: Add $config['imap_host'] to $CONFFILE.ucftmp if
    needs be.  This fixes d/t/config-ownership-perms.
  * d/t/config-ownership-perms: Use HOST:PORT in roundcube/hosts string.

 -- Guilhem Moulin <email address hidden>  Tue, 24 Jan 2023 01:42:19 +0100

Superseded in sid-release
roundcube (1.6.0+dfsg-2) unstable; urgency=medium

  * Salsa CI: Restore piuparts job.
  * Salsa CI: Install suitable RDBMS before running piuparts.
  * Salsa CI: Include recipes/debian.yml.
  * d/control: Build-Depends: Drop versioned constraint on uglifyjs.
  * Update standards version to 4.6.2, no changes needed.
  * Fix FTBFS (closes: #1026528).
  * d/s/lintian-overrides: Remove mismatched overrides.

 -- Guilhem Moulin <email address hidden>  Tue, 20 Dec 2022 20:36:47 +0100

Superseded in sid-release
roundcube (1.6.0+dfsg-1.1) unstable; urgency=medium

  * Non-maintainer upload.
  * No source change upload to rebuild with debhelper 13.10.

 -- Michael Biebl <email address hidden>  Sat, 15 Oct 2022 12:43:57 +0200

Superseded in sid-release
roundcube (1.6.0+dfsg-1) unstable; urgency=low

  * New upstream release.
  * d/p/fix-install-path.patch: Also adjust installer/index.php.
  * d/t/control: Factor stanzas with same dependencies and restrictions.
  * /etc/roundcube/*.php: Don't include files only once.
  * DEP-8: Run upstream installer checks in a dedicated autopkgtest.
  * d/t/cleanup: Sort sessions by changed date on error.
  * d/t/installer-checks: And also run 3rd step of installation checks.
  * DEP-8: Add ‘Restrictions: breaks-testbed’ when suitable.
  * DEP-8: Name inline tests.
  * debian/control: Replace 'Depends: libapache2-mod-php | php' with 'Depends:
    php'.
  * Add d/README.source to document the package workflow.

 -- Guilhem Moulin <email address hidden>  Fri, 29 Jul 2022 11:47:02 +0200

Deleted in experimental-release (Reason: None provided.)
roundcube (1.6~rc+dfsg-2) experimental; urgency=medium

  * Adjust d/origtargz-diff.sh for 1.6~rc+dfsg.
  * Refresh lintian overrides to accommodate lintian v2.115.
  * Bump Standards-Version to 4.6.1 (no changes needed).
  * Promote GuzzleHttp\Client back to "require" from "suggest".
  * Revert "Don't install the installer into /usr/share/roundcube."
  * Run upstream installer checks for apache2 and lighttpd DEP-8 tests.
  * Add roundcube-cleandb.{service,timer} which replaces the cronjob on
    systems where PID1 is systemd.
  * Add roundcube-gc.{service,timer} to purge expired sessions, caches and
    tempfiles in the background in a scheduled fashion.
  * Don't force set session.gc_probability=1 since we don't have to rely on
    probabilistic synchronous garbage collection anymore.
  * Remove obsolete /etc/default/roundcube and /etc/cron.daily/roundcube-core
    files since removing temporary files is part of the normal garbage
    collection routine.
  * DEP-8: Create tempfiles in $AUTOPKGTEST_TMP not /tmp.
  * DEP-8: Test roundcube-{cleandb,gc}.service (cleanup and garbage collection
    routines).

 -- Guilhem Moulin <email address hidden>  Wed, 29 Jun 2022 20:23:02 +0200
Superseded in experimental-release
roundcube (1.6~rc+dfsg-1) experimental; urgency=medium

  * New upstream release candidate 1.6.
  * d/u/signing-key.asc: Add Alec's key BEE674A019359DC1.
  * Refresh d/patches.

 -- Guilhem Moulin <email address hidden>  Sun, 12 Jun 2022 16:46:12 +0200
Superseded in experimental-release
roundcube (1.6~beta+dfsg-2) experimental; urgency=medium

  * d/roundcube-core.NEWS: Mention roundcube-skin-* packages by name
    now that they cleared the NEW queue.
  * d/control: roundcube-core: Add 'Recommends: roundcube-skin-classic,
    roundcube-skin-larry'.
  * Update d/copyright.
  * d/watch: Add uversionmangle for /-(alpha|beta|rc)\d*$/.
  * d/watch: Improve dversionmangle.
  * d/sql/*.sql: Escape identifiers to fix compatibility with MySQL 8
    (LP: #1970428).
  * New script d/sqlupdate replacing d/addsqlupdate.sh.
  * Update d/sql for 1.6~beta+dfsg-1 (remove 2020122900 which is in
    d/sql/*/1.5.0+dfsg.1-1 already).
  * Run wrap-and-sort(1).
  * Remove d/t/fix-format_date-x.patch and generate an en_US.utf8 locale for
    the upstream test suite instead.  This adds Build-Depends: locales.

 -- Guilhem Moulin <email address hidden>  Wed, 11 May 2022 20:22:23 +0200
Published in buster-release
roundcube (1.3.17+dfsg.1-1~deb10u2) buster-security; urgency=high

  * Backport fix for CVE-2021-46144: Fix cross-site scripting (XSS) via HTML
    messages with malicious CSS content. (Closes: #1003027)

 -- Guilhem Moulin <email address hidden>  Thu, 06 Jan 2022 09:04:44 +0100
Superseded in bullseye-release
roundcube (1.4.13+dfsg.1-1~deb11u1) bullseye-security; urgency=high

  * New security upstream release, with fix for CVE-2021-46144: XSS
    vulnerability via HTML messages with malicious CSS content
    (closes: #1003027).
  * Prepend '<!-- html ignored -->' to the test vector of the above.
  * Refresh d/patches.

 -- Guilhem Moulin <email address hidden>  Thu, 06 Jan 2022 08:51:41 +0100
Superseded in experimental-release
roundcube (1.6~beta+dfsg-1) experimental; urgency=medium

  * New beta upstream release.  Highlights for major version 1.6 include:
    - Full PHP 8.1 support (closes: #1000642)
    - Unified and simplified services connection options:
      . renamed `default_host` resp. `smtp_server` to `imap_host` resp.
        `smtp_host`
      . removed `default_port`, `smtp_port`, `managesieve_port` and
        `managesieve_usetls` options
    - The classic and larry skins are no longer included in the upstream
      repository hence are excluded from this source package; we will ship in
      separate packages.
  * Add d/roundcube-core.NEWS to highlight the above.
  * Update default value for roundcube/hosts template to "localhost:143" to
    match the upstream default.
  * Update d/copyright.
  * Update d/sql.
  * Refresh d/patches.  Remove the following patches (now obsolete or applied
    upstream):
    - fix-FTBFS-with-phpunit-8.patch
    - fix-file-list-in-phpunit-configuration.patch
    - fix-FTBFS-with-phpunit-9.patch
  * Add patch to fix `$rcmail->format_date(.., 'x')` calls.
  * Remove mismatched Lintian override.
  * Add 'Restrictions: rw-build-tree' to the phpunit DEP-8 test as it writes
    into tests/.phpunit.result.cache.
  * Add aspell-en and php-pspell to Build-Depends (unless under 'nocheck'
    build profile) and DEP-8 test to test Framework_SpellcheckerPspell.
  * Add hunspell-en-us and php-enchant to Build-Depends (unless under
    'nocheck' build profile) and DEP-8 test to test
    Framework_SpellcheckerEnchant.
  * Add php-roundcube-rtf-html-php to Build-Depends (unless under 'nocheck'
    build profile) and DEP-8 test to test Framework_TnefDecoder.
  * Add php-bacon-qr-code to Build-Depends (unless under 'nocheck'
    build profile) and DEP-8 test to test Actions_Contacts_Qrcode.
  * d/rules, d/t/control: Mark flaky tests as such and run phpunit with
    `--exclude-group=flaky --fail-on-skipped` in build-time and DEP-8 tests.
  * CI: Disable piuparts which is bound to fail due to the schema upgrade.
  * d/rules: Replace '$(dir $@)' with '$(@D)'.

 -- Guilhem Moulin <email address hidden>  Mon, 14 Mar 2022 00:16:05 +0100
Superseded in bullseye-release
roundcube (1.4.12+dfsg.1-1~deb11u1) bullseye-security; urgency=high

  * New bugfix/security upstream release (closes: #1000156), with fixes for:
    + CVE-2021-44025: XSS issue in handling attachment filename extension in
      mimetype mismatch warning; and
    + CVE-2021-44026: possible SQL injection via some session variables.
  * d/gbp.conf: Rename upstream branch to upstream/release-1.4.
  * d/salsa-ci.yml: Set RELEASE=bullseye.
  * Refresh d/patches.

 -- Guilhem Moulin <email address hidden>  Thu, 18 Nov 2021 20:07:03 +0100
Superseded in sid-release
roundcube (1.5.1+dfsg-1) unstable; urgency=medium

  * New upstream bugfix release.
  * Change repacking suffix to +dfsg from +dfsg.1.

 -- Guilhem Moulin <email address hidden>  Sat, 04 Dec 2021 15:07:42 +0100

Superseded in sid-release
roundcube (1.5.0+dfsg.1-2) unstable; urgency=medium

  * CI: Restore piuparts job.
  * DEP-8: config-ownership-perms: Add Restrictions: allow-stderr.

 -- Guilhem Moulin <email address hidden>  Sat, 23 Oct 2021 20:00:35 +0200
Superseded in sid-release
roundcube (1.5.0+dfsg.1-1) unstable; urgency=low

  * New upstream release.  Highlights for major version 1.5 include:
    - full PHP 8.0 support (closes: #977687)
    - dark mode for Elastic skin
    - collected recipients and trusted senders
    - moving recipients between inputs with drag & drop
    - full unicode support with MySQL database
    - support of IMAP LITERAL [RFC7888]
    - support of [RFC2231] encoded names
    - cache refactoring
  * Ship upstream's bin/updatedb.sh to roundcube-core.
  * d/t/dbconfig-no-thanks: Also run bin/updatedb.sh.
  * d/t/dbconfig-no-thanks: Check DB ownership and permissions.
  * Exclude spellchecker from build-time and DEP8 tests, as dictionary
    mismatch makes it too brittle.
  * d/pkg-php-tools-overrides: Remove useless roundcube/net_sieve builtin.

 -- Guilhem Moulin <email address hidden>  Sat, 23 Oct 2021 09:47:50 +0200
Deleted in experimental-release (Reason: None provided.)
roundcube (1.5~rc+dfsg.1-3) experimental; urgency=medium

  * DEP-8: Add test for dbconfig-no-thanks (set custom $config['db_dsnw']).
  * Create symlink var/lib/roundcube/SQL pointing to usr/share/roundcube/SQL.
    This is required for dbconfig-no-thanks deployments (closes: #996613).
  * Refresh lintian overrides to accommodate lintian v2.109.
  * Retroactively update d/roundcube-core.NEWS to advertise the 1.4 smtp_*
    default settings (closes: #994446).

 -- Guilhem Moulin <email address hidden>  Sat, 16 Oct 2021 23:20:50 +0200
Superseded in experimental-release
roundcube (1.5~rc+dfsg.1-2) experimental; urgency=medium

  * Replace `which` with `command -v` in maint scripts.
  * Refresh lintian overrides to accommodate lintian v2.107.
  * Bump Standards-Version to 4.6.0 (no changes needed).
  * Remove 4 obsolete maintscript entries in 2 files.
  * Set upstream metadata fields: Security-Contact.

 -- Guilhem Moulin <email address hidden>  Fri, 08 Oct 2021 20:53:01 +0200
Superseded in experimental-release
roundcube (1.5~rc+dfsg.1-1) experimental; urgency=medium

  * New upstream release candidate 1.5 (closes: #949629).
  * d/rules: Exclude tinymce/js/tinymce/tinymce.d.ts in accordance with
    jsdeps.json.

 -- Guilhem Moulin <email address hidden>  Tue, 06 Jul 2021 12:00:42 +0200
Superseded in experimental-release
roundcube (1.5~beta+dfsg.1-4) experimental; urgency=medium

  * d/roundcube-core.cron.daily, d/addsqlupdate.sh: `set -ue` and improve
    quoting.
  * d/*: Fix space damage.
  * bin/update.sh: hardcode define('INSTALL_PATH', '/var/lib/roundcube/');
    (closes: #989140).
  * d/roundcube-core.postinst: Set DEBIAN_PKG=[0|1] for symmetry.
  * d/p/debianize-config.patch: Comment out sample plugins, see #884992.

 -- Guilhem Moulin <email address hidden>  Sat, 29 May 2021 15:03:39 +0200
Superseded in bullseye-release
Superseded in sid-release
roundcube (1.4.11+dfsg.1-4) unstable; urgency=medium

  * d/roundcube-core.postinst: Remove the roundcube lighttpd module after it
    has been disabled, not before (closes: #988282).
  * d/roundcube-core.postinst: lighttpd: Don't enable fastcgi-php if there is
    already an enabled fastcgi .php handler (closes: #988236).
  * d/uupdate: Fix comment.

 -- Guilhem Moulin <email address hidden>  Mon, 17 May 2021 20:45:48 +0200
Superseded in experimental-release
roundcube (1.5~beta+dfsg.1-3) experimental; urgency=medium

  * d/*.post*, d/*.config: Improve style consistency.
  * d/*.post*: pathfind(): Keep IFS null (instead of setting it to the empty
    string) if it was null before.
  * d/roundcube-core.postinst: Set ln(1)'s '-T' flag to protect against
    undesired semantics should the target be an existing directory.
  * d/roundcube-core.postinst, d/roundcube-core.config: Replace useless calls
    to sed.
  * d/*.pre*, d/*.post*, d/*.config: Fix space damage.
  * d/roundcube-core.postinst: Make configuration sample parsing and reading
    roundcube/hosts more robust.
  * d/roundcube-core.postinst: 3DES key generation: Use a random 18-bytes long
    string base64 encoded (the key needs to be 24 bytes long).
  * d/roundcube-core.postinst: lighttpd: Prefer the more efficient
    fastcgi-php-fpm over fastcgi-php on lighttpd 1.4.55-2 and later.
  * d/copyright: Add self.
  * DEP-8: Add basic Apache2 and lighttpd tests.
  * DEP-8: Add configuration file and log/temp directory ownership and mode
    checks.
  * DEP-8: Add a hardened deployment, with a dedicated PHP-FPM pool and
    dedicated user/group (so the HTTPd can't read sensitive roundcube data).
  * d/roundcube-core.post*: Reload webserver with deb-systemd-invoke(1) when
    possible.
  * d/roundcube-core.postinst: Avoid running bin/update.sh with root
    privileges, depending on /etc/roundcube/config.inc.php's ownership and
    mode: if the file is world-readable then issue a warning and run as
    www-data; otherwise, if the file is not root-owned then run as its owner;
    otherwise, if the file is group readable and is not group owned by root,
    and the group is used as a primary group for a single user, then use that
    user.  Should all that fail root privileges are preserved and a warning is
    issued.
  * d/roundcube-core.postinst: Issue a warning if a .dpkg-new leak is
    detected.

 -- Guilhem Moulin <email address hidden>  Mon, 17 May 2021 21:00:08 +0200
Superseded in experimental-release
roundcube (1.5~beta+dfsg.1-2) experimental; urgency=medium

  * Add hunspell-en-us to Build-Depends and DEP-8 tests dependencies as
    spellcheck tests rely on that dictionary.

 -- Guilhem Moulin <email address hidden>  Mon, 08 Mar 2021 19:14:45 +0100
Superseded in experimental-release
roundcube (1.5~beta+dfsg.1-1) experimental; urgency=medium

  * New upstream beta release.
  * Change default spellchecker engine from pspell to enchant as the latter
    is better supported and more flexible.
  * d/copyright: Update Files-Excluded stanza for tinymce component.
  * d/uupdate: Fix tinymce-langs URL.
  * d/control: Bump dependencies to match jsdeps.json and composer.json-dist.
  * d/control: Update build dependencies for the improved test suite.
  * Update d/copyright.
  * Fix DEP-8 tests: The test suite now requires reading the configuration
    file, so we need to run it as www-data.  We test with SQLite3 backend, and
    also the default backend (MySQL) on testbeds providing container-level
    isolation.
  * d/rules: Treat plugins/*/readme* (not only plugins/*/README*) as
    documentation.
  * CI: Disable piuparts which is bound to fail due to the schema upgrade.

 -- Guilhem Moulin <email address hidden>  Mon, 08 Mar 2021 00:42:28 +0100
Superseded in sid-release
roundcube (1.4.11+dfsg.1-3) unstable; urgency=medium

  * Remove versioned dependency (php* <<8.0) as it prevents users from
    upgrading php-common (e.g. via 3rd-party repositories).  Instead we give a
    hint which phpX.Y-* packages need to be manually installed.  Thanks to
    the Debian PHP PEAR Maintainers for their input!

 -- Guilhem Moulin <email address hidden>  Fri, 26 Feb 2021 23:44:31 +0100
Superseded in sid-release
roundcube (1.4.11+dfsg.1-2) unstable; urgency=medium

  * d/rules: Reorder targets based on the dh sequencer execution order.
  * d/roundcube-core.README.Debian: Add instructions for running Roundcube
    code as a user:group other than the default www-data:www-data.

 -- Guilhem Moulin <email address hidden>  Thu, 11 Feb 2021 21:49:03 +0100
Superseded in sid-release
roundcube (1.4.11+dfsg.1-1) unstable; urgency=high

  * New upstream bugfix/security release.
  * d/rules: Remove duplicate dh_link call.
  * d/rules: Fix sourcemap URLs in minified CSS.

 -- Guilhem Moulin <email address hidden>  Mon, 08 Feb 2021 23:32:06 +0100
Superseded in sid-release
roundcube (1.4.10+dfsg.2-2) unstable; urgency=medium

  [ Sandro Knauß ]
  * Remove retry-to-reach-imap-server.patch (Closes: #960302)
    It triggered too many issues for other users.

  [ Guilhem Moulin ]
  * Update d/missing-sources/README.
  * Remove useless duplicate d/install-jsdeps.sh.
  * d/rules: Use execute_after_dh_* from Debhelper compatibility level 13 when
    relevant.
  * d/control: Require php* <8.0 in dependencies.

 -- Guilhem Moulin <email address hidden>  Mon, 08 Feb 2021 00:22:01 +0100
Superseded in buster-release
roundcube (1.3.16+dfsg.1-1~deb10u1) buster-security; urgency=high

  * New upstream bugfix release, with security fix for CVE-2020-35730:
    Cross-site scripting (XSS) vulnerability via HTML or Plain text messages
    with malicious content svg/namespace. (Closes: #978491)
  * Revert upstream commit 435cfa116 to avoid irrelevant jstz update.

 -- Guilhem Moulin <email address hidden>  Mon, 28 Dec 2020 02:49:49 +0100
Superseded in sid-release
roundcube (1.4.10+dfsg.2-1) unstable; urgency=low

  * Retroactively update roundcube-plugins.NEWS as enigma is currently usable
    in Bullseye and sid.
  * d/rules: Complete refactoring.
  * Ship skin README files to /usr/share/doc/PACKAGE/skins.
  * Run bin/updatecss.sh at build time to (re-)stamp background images.
  * Exclude irrelevant scripts from binary packages: cssshrink.sh, initdb.sh,
    install-jsdeps.sh, installto.sh, jsshrink.sh, makedoc.sh, updatecss.sh,
    and updatedb.sh.
  * Don't install .htaccess into /usr/share/roundcube.  The root directory for
    the HTTPd is /var/lib/roundcube and already ship the htaccess there.
  * Don't install the installer into /usr/share/roundcube.
  * Lintian overrides: Remove package annotations.
  * Remove upstream installation instructions from /usr/share/doc/roundcube-core
  * Lintian: Override false positive
    package-contains-documentation-outside-usr-share-doc and
    package-contains-empty-directory.
  * Install managesieve helpdocs to /usr/share/doc/roundcube-plugins.
  * Install password helpers into /usr/share/roundcube/plugins/password/helpers
    not into /usr/share/doc/roundcube-core/examples.
  * plugins/password/helpers/chpass-wrapper.py: use python3 as interpreter and
    add to roundcube-plugins' Suggests.
  * d/watch: Monitor git tags rather than release tarballs.
  * d/gbp.conf: Add upstream VCS tag as additional parent to upstream/$VERSION.
  * d/gbp.conf: Rename upstream branch to upstream/release-1.4.
  * Recommend using new directory /var/lib/roundcube/public_html as document
    root.
  * Update d/*.README.Debian with current instructions.
  * Run the upstream test suite (excluding Selenium-based web tests) at build
    time (unless under 'nocheck' build profile).  This adds phpunit,
    php-masterminds-html5 and php-intl to Build-Depends.
  * Add DEP-8 tests.  For now this only consists of the upstream test suite
    (excluding Selenium-based web tests).
  * Replace Build-Depends: closure-compiler, yui-compressor with cleancss,
    uglifyjs (>=3), used respectively for CSS and Javascript minification.
    Build also source maps alongside the minified code.  (Closes: #978073)
  * Elastic skin: Ship non-minified CSS and sourcemap alongside Less source
    files.  (Closes: #978070)
  * New Build-Depends: pigz.  Ship gzipped (minified) JS and CSS files along
    side the non-compressed versions.  Compatible HTTPds can send these files
    as is in order to avoid on-the-fly compression overhead.
    (Closes: #978075)

 -- Guilhem Moulin <email address hidden>  Fri, 15 Jan 2021 23:55:02 +0100

Superseded in sid-release
roundcube (1.4.10+dfsg.1-1) unstable; urgency=high

  * New upstream bugfix release, including security fix for: CVE-2020-35730:
    Cross-site scripting (XSS) vulnerability via HTML or Plain text messages
    with malicious content svg/namespace. (Closes: #978491)
  * d/rules: Make sure to fail the build when an error is raised in a for
    loop. (Closes: #978069)
  * d/rules: Refactor and move CSS/JS generation and minification from
    override_dh_auto_install to override_dh_auto_build.  Thanks to Jonas
    Smedegaard for pointing this out.
  * Bump Standards-Version to 4.5.1 (no changes needed).
  * Upgrade watch file to version 4.
  * Rename Debian branch to debian/latest for DEP-14 compliance.
  * d/gbp.conf: Remove custom setting compression=xz.

 -- Guilhem Moulin <email address hidden>  Mon, 28 Dec 2020 01:33:45 +0100
Superseded in sid-release
roundcube (1.4.9+dfsg.1-1) unstable; urgency=medium

  * New upstream bugfix release.

 -- Guilhem Moulin <email address hidden>  Thu, 01 Oct 2020 17:43:08 +0200

Superseded in buster-release
roundcube (1.3.15+dfsg.1-1~deb10u1) buster-security; urgency=high

  * New upstream release, with security fix for CVE-2020-16145: Cross-site
    scripting (XSS) vulnerability via HTML messages with malicious svg or math
    content. (Closes: #968216)

 -- Guilhem Moulin <email address hidden>  Tue, 11 Aug 2020 17:44:16 +0200
Superseded in sid-release
roundcube (1.4.8+dfsg.1-1) unstable; urgency=high

  * New upstream bugfix release, including security fix for CVE-2020-16145:
    Cross-site scripting (XSS) vulnerability via HTML messages with malicious
    svg or math content. (Closes: #968216)

 -- Guilhem Moulin <email address hidden>  Tue, 11 Aug 2020 16:45:02 +0200

Superseded in buster-release
roundcube (1.3.14+dfsg.1-1~deb10u1) buster-security; urgency=high

  * New upstream release, with security fix for CVE-2020-15562: Cross-Site
    Scripting (XSS) vulnerability via HTML messages with malicious
    svg/namespace (Closes: #964355)

 -- Guilhem Moulin <email address hidden>  Mon, 06 Jul 2020 16:30:57 +0200
Superseded in sid-release
roundcube (1.4.7+dfsg.2-1) unstable; urgency=low

  * d/rules: Exclude TinyMCE language Javascript packs from minification as
    Roundcube and TinyMCE load $code.js files not $code.min.js.
  * d/patches: Rename Use-system-JQueryUI.patch to use-system-JQueryUI.patch.
  * Bundle TinyMCE as secondary orig tarballs (downloaded automatically using
    custom uscan(1) script) rather than in d/missing-sources.  The TinyMCE zip
    archive we used to ship in d/missing-sources violates DFSG (since
    1.3.0+dfsg.1-1), because upstream's jsdeps.json links to the so-called
    "production package" which doesn't include preferred sources of
    modification.  This remained unnoticed because lintian doesn't inspect the
    content of archives in d/missing-sources.  Unfortunately Roundcube is
    still too dependent on the TinyMCE version for us to switch to the
    packaged version (see #784351), so we use secondary tarballs (repacked to
    exclude generated files such as minified JS and CSS files) for now.
  * d/control: Bump minimum node-less version to 3.0.0 as for later versions
    evaluation of JavaScript inline is disabled by default unless the new --js
    flag is set.
  * d/patches: Add Forwarded: DEP-3 headers.

 -- Guilhem Moulin <email address hidden>  Fri, 24 Jul 2020 02:44:11 +0200

Published in stretch-release
roundcube (1.2.3+dfsg.1-4+deb9u6) stretch; urgency=high

  * Backport security fix for CVE-2020-15562: Cross-Site Scripting (XSS)
    vulnerability via HTML messages with malicious svg/namespace
    (Closes: #964355)

 -- Guilhem Moulin <email address hidden>  Mon, 06 Jul 2020 16:14:59 +0200
Superseded in sid-release
roundcube (1.4.7+dfsg.1-1) unstable; urgency=high

  * New upstream bugfix release, including security fixes for: Cross-Site
    Scripting (XSS) vulnerability via HTML messages with malicious
    svg/namespace (closes: #964355)

 -- Guilhem Moulin <email address hidden>  Sun, 05 Jul 2020 23:57:50 +0200

Superseded in sid-release
roundcube (1.4.6+dfsg.1-3) unstable; urgency=low

  * d/upstream/metadata: Add upstream's screenshot URL.
  * d/po/de.po: Convert from ISO-8859-15 to UTF-8.
  * Remove bundled OpenPGP.js as the bundled source is not the preferred form
    of modification hence violates DFSG.  This breaks key generation in the
    enigma plugin (server-side OpenPGP support), but other key operations
    (incl. import of private keys) still work.  That being said enigma is
    already broken in Buster (and Bullseye too right now) due to the missing
    dependency 'php-crypt-gpg'.  Admins wanting enigma already need to
    manually install the dependency; they'll now need to also copy

        https://raw.githubusercontent.com/openpgpjs/openpgpjs/v4.4.6/dist/openpgp.min.js

    (or a later version) to /usr/share/roundcube/plugins/enigma/openpgp.min.js
    for key generation to keep working.

 -- Guilhem Moulin <email address hidden>  Sat, 04 Jul 2020 01:07:51 +0200

Superseded in sid-release
roundcube (1.4.6+dfsg.1-2) unstable; urgency=medium

  * d/rules: Fix FTBFS on systems where lessc(1) 1.6.3 uses node 12.18.0.
  * d/roundcube-core.preinst: Remove script as the dbconfig logic is a no-op.

 -- Guilhem Moulin <email address hidden>  Thu, 18 Jun 2020 14:01:20 +0200

Superseded in sid-release
roundcube (1.4.6+dfsg.1-1) unstable; urgency=low

  * New upstream bugfix release.
  * d/copyright: Add generated CSS (minified or compiled from LESS sources) to
    Files-Excluded:.  We don't want these in our (repacked) orig tarball nor
    in our git tree.  d/origtargz-diff.sh can be used to verify that all
    upstream-generated CSS/JS files are re-generated at build time and that
    none is missing from our .debs.

 -- Guilhem Moulin <email address hidden>  Sun, 07 Jun 2020 16:43:45 +0200

Superseded in sid-release
roundcube (1.4.5+dfsg.1-2) unstable; urgency=low

  * d/copyright: Upgrade URLs to secure HTTP.
  * d/copyright: Simplify Files-Excluded: pattern for generated JS files.  Add
    new helper script d/origtargz-diff.sh to make sure we ship all files:
    generated files from the upstream tarball (before repacking) are excluded
    from the repacked .orig tarball, so we need to generate them back at build
    time and install them somewhere.
  * d/rules: Replace `find -print0 | xargs -r0` calls and loops with `find
    -exec`.
  * d/rules: Minify CSS files ourselves (like for .js files we minify all
    files, even the ones for which there is no .min.css in the upstream tree).
  * d/rules: Add yui-compressor to Build-Depends: for CSS minification.
  * d/patches/debianize-config.patch: typofix (closes: #931909).
  * d/rules: Also (re-)minify CSS/JS in roundcube-plugins, not only in
    roundcube-core.  The upstream tarball contains multiple plugins/*/*.min.js
    files before repacking, and while Roundcube seems to manage without, there
    are no reasons not to re-minify these in addition to the files in -core.
  * d/roundcube-core.preinst: Drop logic to remove old symlinks with file
    targets (.js, .txt etc.) as dpkg is able to handle these on its own.
  * d/roundcube-core.{pre,post}inst: Drop logic to handle upgrade path from
    ancient versions (<oldstable).  We don't support these upgrade paths and
    it clutters the maintainer scripts.
  * d/roundcube-core.maintscript: Ensure smooth directory-to-symlink
    conversion.  This is required for upgrades from <1.4~.
  * d/roundcube-core.dirs: Remove var/lib/roundcube/config as dh_link will
    create a symlink to etc/roundcube with that name.

 -- Guilhem Moulin <email address hidden>  Sat, 06 Jun 2020 16:44:07 +0200

Superseded in sid-release
roundcube (1.4.5+dfsg.1-1) unstable; urgency=high

  * New upstream bugfix release, including security fixes for:
    - Cross-Site Scripting (XSS) vulnerability via malicious XML messages
      (closes: #962123)
    - Cross-Site Scripting (XSS) vulnerability in template object 'username'
      (closes: #962124)
  * d/roundcube-core.postinst: Also call ucfr(1) on existing config.inc.php
    and always pass --debconf-ok to ucf(1).
  * Bump debhelper compatibility level to 13.
  * Add upstream meta-information to debian/upstream/metadata.

 -- Guilhem Moulin <email address hidden>  Wed, 03 Jun 2020 15:09:31 +0200

Superseded in sid-release
roundcube (1.4.4+dfsg.1-1) unstable; urgency=high

  * New upstream release, including security fixes for:
    - Cross-Site Scripting (XSS) vulnerability via malicious HTML messages
      (Closes: #959140)
    - CSRF attack can cause an authenticated user to be logged out
      (Closes: #959142)
  * Include krb_authentication plugin to the roundcube-plugins binary package.
    Upstream ships this (core) plugin since 1.2-beta but somehow it never made
    it to the Debian package.  Thanks to Mike Gabriel for the poke.
    (Closes: #958642)
  * d/control: Update Maintainer: field to use @alioth-lists.debian.net not
    deprecated @lists.alioth.debian.org.

 -- Guilhem Moulin <email address hidden>  Wed, 29 Apr 2020 22:10:57 +0200

Superseded in sid-release
roundcube (1.4.3+dfsg.1-1) unstable; urgency=medium

  * New upstream release.
  * d/roundcube-core.post*:
    + Replace tabs with spaces.
    + Pass flag '-f' to rm(1).
  * d/roundcube-core.postinst:
    + Create temporary config file with restricted permissions.  Previously
      the file was created with mode 0644 (minus umask), possibly leaking
      secrets to a local attacker during a short time window.  (The file was,
      and still is, removed later during the postinst stage.)
    + If the config file /etc/roundcube/config.inc.php already exists, don't
      override its ownership or mode.  Otherwise (atomically) create it with
      owner root:www-data and mode 0640, like before.  (Closes: #951194)
    + Honor dpkg-statoverride(1) rules on /var/lib/roundcube/temp and
      /var/log/roundcube: don't chown/chmod these directories if the local
      admin has defined overrides.
  * d/roundcube-core.postrm:
    + Also remove '.ucf-{new,old,dist}'-suffixed configuration files on purge,
      as suggested by ucf(1).
    + Only recursively remove /var/lib/roundcube/temp on purge, not its
      parent /var/lib/roundcube.  Roundcube needs only write access to the
      temp dir.
  * d/patches/update_script.patch: Restore patch removed in 1.4.1+dfsg.1-1
    to fix the ucf logic.
  * d/patches/dbconfig-common_support.patch: Use C++ style comment for
    consistency.

 -- Guilhem Moulin <email address hidden>  Mon, 24 Feb 2020 06:39:10 +0100

Superseded in buster-release
roundcube (1.3.10+dfsg.1-1~deb10u1) buster; urgency=medium

  * d/control: revert bump of Standards-Version, as we want to release to
    stable.
  * d/upstream/signing-key.asc: revert Minimize OpenPGP certificate.
  * Add patch to Fix "Retry to connect to IMAP server" (Closes: #947320)

 -- Sandro Knauß <email address hidden>  Tue, 24 Dec 2019 20:45:55 +0100
Superseded in sid-release
roundcube (1.4.2+dfsg.1-2) unstable; urgency=medium

  * d/control:
    + Specify minimum versions for libjs-* dependencies.
    + Bump Standards-Version to 4.5.0 (no changes needed).
  * d/roundcube-core.links: link to /usr/share/javascript/$FOO, instead of its
    unreliable target name. (Closes: #948011)
  * d/roundcube-core.logrotate:
    + Add glob pattern for /var/log/roundcube/*.log, as ".log" is the default
      extension used for log filenames since 1.4-beta. (Closes: #948034)
    + Rotate daily and reduce the retention period to 14 days to match the
      new apache2 and nginx defaults.
  * d/rules: Rebuild skins/elastic/styles/{styles,print,embed}.css from the
    .less sources instead of shipping the upstream versions.  This requires
    lessc(1) from node-less in the build environment.

 -- Guilhem Moulin <email address hidden>  Wed, 29 Jan 2020 11:21:01 +0100

Superseded in sid-release
roundcube (1.4.2+dfsg.1-1) unstable; urgency=low

  * New upstream release.
  * d/control: roundcube-plugins now suggests php-cli as enigma's
    import_keys.sh requires it.

 -- Guilhem Moulin <email address hidden>  Wed, 01 Jan 2020 23:09:32 +0100

Superseded in sid-release
roundcube (1.4.1+dfsg.1-2) unstable; urgency=low

  [ Sandro Knauß ]
  * Add patch to Fix "Retry to connect to IMAP server" (Closes: #947320)

 -- Guilhem Moulin <email address hidden>  Fri, 27 Dec 2019 11:14:20 +0100
Deleted in experimental-release (Reason: None provided.)
roundcube (1.4.1+dfsg.1-1) experimental; urgency=low

  * New upstream release.
    + New Depends (and Build-Depends) 'php-mbstring', required by a call to
      mb_internal_encoding() in program/lib/Roundcube/bootstrap.php.
  * Rebase debian/install-jsdeps.sh from bin/install-jsdeps.sh.
  * Use system JS dependencies when possible: JQuery from libjs-jquery, jstz
    from libjs-jstimezonedetect, codemirror from libjs-codemirror, bootstrap
    from libjs-bootstrap4, jquery-minicolors from libjs-jquery-minicolors,
    libjs-jquery-minicolors, JQuery UI from libjs-jquery-ui.
  * New Build-Depends: closure-compiler, used for JS minification instead of
    yui-compressor.  closure-compiler is what upstream uses, and
    yui-compressor is unable to compress 1.4's program/js/app.js and
    skins/elastic/ui.js.
  * Move plugin README.md files to /usr/share/doc/roundcube/plugins/$PLUGIN
  * Ensure INSTALL_PATH is always set to /var/lib/roundcube in the upstream
    tools.
  * d/roundcube-core.postinst: The honored environment variable for confdir is
    RCUBE_CONFIG_PATH, not RCMAIL_CONFIG_DIR.
  * d/control: Bump Standards-Version to 4.4.1 (no changes needed).
  * Refresh tinymce language pack from upstream.
  * d/control, d/compat: Set debhelper-compat version in Build-Depends.
  * d/control: Set 'Rules-Requires-Root: no'.

 -- Guilhem Moulin <email address hidden>  Wed, 18 Dec 2019 19:17:13 +0100
Superseded in sid-release
roundcube (1.3.10+dfsg.1-1) unstable; urgency=medium

  * New upstream release: (Closes: #927713)
    - Fixes CVE-2019-10740

  [ Guilhem Moulin ]
  * Backport fix for CVE-2018-1000071: Insecure Permissions vulnerability in
    enigma plugin that can result in exfiltration of gpg private key.
    https://github.com/roundcube/roundcubemail/issues/6173 (Closes: #897014)
  * New upstream release (1.3.9).  (Closes: #898068)
  * d/roundcube-core.config: Honor debconf setting roundcube/language, by
    skipping the relevant part at pre-configure stage.  (Closes: #923142)
  * d/roundcube-core.postinst: Create temporary configuration file atomically.
  * d/upstream/signing-key.asc: Minimize OpenPGP certificate.
  * Add new plugins to roundcube-plugins: 'attachment_reminder' (closes:
    #918126), 'example_addressbook', 'identicon', 'identity_select' and
    'redundant_attachments'.
  * d/control: Bump Standards-Version to 4.3.0 (no changes needed).

 -- Beowulf <email address hidden>  Wed, 18 Dec 2019 00:26:48 +0100

Superseded in experimental-release
roundcube (1.4~rc1+dfsg.2-1) experimental; urgency=medium

  * New upstream release.
    + New Depends (and Build-Depends) 'php-mbstring', required by a call to
      mb_internal_encoding() in program/lib/Roundcube/bootstrap.php.
  * Rebase debian/install-jsdeps.sh from bin/install-jsdeps.sh.
  * Use system JS dependencies when possible: JQuery from libjs-jquery, jstz
    from libjs-jstimezonedetect, codemirror from libjs-codemirror, bootstrap
    from libjs-bootstrap4, jquery-minicolors from libjs-jquery-minicolors,
    libjs-jquery-minicolors, JQuery UI from libjs-jquery-ui.
  * New Build-Depends: closure-compiler, used for JS minification instead of
    yui-compressor.  closure-compiler is what upstream uses, and
    yui-compressor is unable to compress 1.4-rc1's program/js/app.js and
    skins/elastic/ui.js.
  * Move plugin README.md files to /usr/share/doc/roundcube/plugins/$PLUGIN
  * Ensure INSTALL_PATH is always set to /var/lib/roundcube in the upstream
    tools.
  * d/roundcube-core.postinst: The honored environment variable for confdir is
    RCUBE_CONFIG_PATH, not RCMAIL_CONFIG_DIR.

 -- Guilhem Moulin <email address hidden>  Tue, 11 Jun 2019 02:07:49 +0200
Superseded in stretch-release
roundcube (1.2.3+dfsg.1-4+deb9u3) stretch-security; urgency=high

  * Backport fix for CVE-2018-19206: XSS vulnerability via crafted use of
    <svg><style>, as demonstrated by an onload attribute in a BODY element,
    within an HTML attachment.
    https://github.com/roundcube/roundcubemail/issues/6410

 -- Guilhem Moulin <email address hidden>  Sat, 24 Nov 2018 04:36:11 +0100
Superseded in buster-release
Superseded in sid-release
roundcube (1.3.8+dfsg.1-2) unstable; urgency=medium

  * debian/roundcube-plugins.maintscript:
    + Remove old maintscript, which doesn't apply since oldstable.
    + Convert /usr/share/doc/roundcube-plugins from symlink to directory
      (needed since plugin README files are now in that directory).

 -- Guilhem Moulin <email address hidden>  Mon, 05 Nov 2018 04:38:45 +0100

Superseded in sid-release
roundcube (1.3.8+dfsg.1-1) unstable; urgency=medium

  * New upstream release.
  * debian/control: Migrate Vcs-Browser and Vcs-Git from Alioth to Salsa.
  * debian/roundcube-core.postinst: in lighttpd_install(), treat
    `lighty-enable-mod`'s exit status 2 (denoting a minor flaw e.g., a module
    was not enabled because it was already loaded before) as success. (Closes:
    #898040.)
  * Move plugin README files to /usr/share/doc/roundcube/plugins/$PLUGIN
  * debian/control: Bump Standards-Version to 4.2.1 (no changes needed).

 -- Guilhem Moulin <email address hidden>  Sat, 03 Nov 2018 05:53:08 +0100
Superseded in stretch-release
roundcube (1.2.3+dfsg.1-4+deb9u2) stretch-security; urgency=high

  * Backport fix for CVE-2018-9846: When the archive plugin is enabled and
    configured, it's possible to exploit the unsanitized, user-controlled
    "_uid" parameter to perform an MX (IMAP) injection attack.
    https://github.com/roundcube/roundcubemail/issues/6238
    (Closes: #895184).
  * Backport fix for CVE-2018-1000071: Insecure Permissions vulnerability in
    enigma plugin that can result in exfiltration of gpg private key.
    https://github.com/roundcube/roundcubemail/issues/6173

 -- Guilhem Moulin <email address hidden>  Sat, 21 Apr 2018 01:51:56 +0200
Superseded in buster-release
Superseded in sid-release
roundcube (1.3.6+dfsg.1-1) unstable; urgency=medium

  * New upstream release. (Closes: #883620).
    + Includes fix for CVE-2018-9846: When the archive plugin is enabled and
      configured, it's possible to exploit the unsanitized, user-controlled
      "_uid" parameter to perform an MX (IMAP) injection attack.
      (Closes: #895184).
    + Upgrade OpenPGP.js from 1.6.2 to 2.6.2.
  * debian/control:
    + Bump Standards-Version to 4.1.4 (no changes needed).
    + Remove dependency on 'php-mcrypt' package, which is no longer needed
      since Roundcube 1.2. (Closes: #895100).
  * debian/patches/*.patch: Remove files not mentioned in series:
    + correct-magic-path.patch
    + disable-dns-prefetch.patch
    + dont-limit-email-local-part.patch
    + fix-599586.patch
    + install-jsdeps.sh
    + received-headers-sa.patch
    + too-old-mdb2.patch
    + use-debian-jquery-ui.patch
    + uuencoded-attachments.patch
  * debian/roundcube-core.postinst: Use non-recursive calls to chown(1) and
    chmod(1).

 -- Guilhem Moulin <email address hidden>  Sat, 14 Apr 2018 20:52:38 +0200

Superseded in stretch-release
roundcube (1.2.3+dfsg.1-4+deb9u1) stretch-security; urgency=high

  * Backport fix for CVE-2017-16651: File disclosure vulnerability caused by
    insufficient input validation in conjunction with file-based attachment
    plugins, which are used by default.
    https://github.com/roundcube/roundcubemail/issues/6026

 -- Guilhem Moulin <email address hidden>  Thu, 09 Nov 2017 06:45:05 +0100
Superseded in buster-release
Superseded in sid-release
roundcube (1.3.3+dfsg.1-2) unstable; urgency=medium

  * Upgrade internal TinyMCE to 4.5.8 to match upstream's JS dependencies.
    (Closes: #881902.)
  * roundcube-core: Remove symlinks /etc/apache2/conf-available/roundcube.conf
    and /etc/lighttpd/conf-available/50-roundcube.conf when the HTTPd is
    uninstalled before roundcube-core.
    (Closes: #857838.)

 -- Guilhem Moulin <email address hidden>  Mon, 20 Nov 2017 03:45:14 +0100

Superseded in buster-release
Superseded in sid-release
roundcube (1.3.3+dfsg.1-1) unstable; urgency=high

  * New upstream release.  It primarily fixes a recently discovered file
    disclosure vulnerability caused by insufficient input validation in
    conjunction with file-based attachment plugins, which are used by default.
    More details will be published under CVE-2017-16651.
  * debian/rules:
    + Make the build reproducible.  Thanks to Chris Lamb for the report and
      patch.  (Closes: #880827.)
    + Run `chmod 0755 plugins/password/helpers/*.p[ly]`
    + Fix precedence in find(1) call in override_dh_install.  Thanks to Chris
      Lamb for the report and patch.  (Closes: #876722.)
  * debian/control:
    + Replace "Priority: extra" (deprecated since Debian Policy 4.0.1) with
      "Priority: optional".
    + Bump Standards-Version to 4.1.0 (no changes needed).
    + Promote php-mysql to first alternative in roundcube-mysql's
      dependencies: it currently depends on php7.0-mysql, which in turn
      provides virtual package php-mysqlnd.
  * Patch /etc/roundcube/htaccess to use mod_php7.c in the <IfModule>
    directive.  Thanks to Peter Nowee for the report and patch.  (Closes:
    #880194.)
  * debian/roundcube-core.preinst: Add "#DEBHELPER#" placeholder.
  * debian/roundcube-core.links: Remove robots.txt, which is no longer shipped
    by the package since 1.3.0+dfsg.1-1.  (Closes: #877275.)

 -- Guilhem Moulin <email address hidden>  Thu, 09 Nov 2017 05:32:13 +0100

Superseded in buster-release
Superseded in sid-release
roundcube (1.3.1+dfsg.1-1) unstable; urgency=medium

  * New upstream release.
  * resort copyright file.
  * update upstream-Add-get-and-extract-arguments-and-CACHEDIR-env-varia.patch.
  * Bump Standards-Version to 4.1.0 (no changes needed).
  * use dbc_go the proper way and use "$@".

 -- Sandro Knauß <email address hidden>  Sun, 10 Sep 2017 18:58:06 +0200

Superseded in buster-release
Superseded in sid-release
roundcube (1.3.0+dfsg.1-1) unstable; urgency=medium

  * New upstream release.
  * Update patches:
    - remove patches that are not needed anymore
    - hunks
    - update_composer.patch to match new upstream release
  * robots.txt is not shipped anymore in the package
  * Get rid of unused overrides
  * Bump Standards-Version to 4.0.0 (no changes needed)
  * Bump compat level to 10 (no changes needed).
  * Update copyright file
  * Add SQL updates to Debian package
  * 3rdparty handling:
    - switch to install-jsdeps.sh
    - install unminified version when possible, too
    - modify jsdeps.json to be able to use sources
    - update all missing-sources
  * create-jquery-ui-custom.sh don't handle input arguments
  * Update source.lintian-overrides

 -- Sandro Knauß <email address hidden>  Tue, 22 Aug 2017 19:55:39 +0200

Superseded in buster-release
Superseded in stretch-release
Superseded in sid-release
roundcube (1.2.3+dfsg.1-4) unstable; urgency=high

  * Backport fix for CVE-2017-8114: Roundcube Webmail allows arbitrary
    password resets by authenticated users. This affects versions before
    1.0.11, 1.1.x before 1.1.9, and 1.2.x before 1.2.5. The problem is caused
    by an improperly restricted exec call in the virtualmin and sasl drivers
    of the password plugin. (Closes: #861388).

 -- Guilhem Moulin <email address hidden>  Mon, 01 May 2017 23:37:14 +0200

Superseded in stretch-release
Superseded in sid-release
roundcube (1.2.3+dfsg.1-3) unstable; urgency=high

  * Backport fix for CVE-2015-5381: rcube_utils.php in Roundcube before 1.1.8
    and 1.2.x before 1.2.4 is susceptible to a cross-site scripting
    vulnerability via a crafted Cascading Style Sheets (CSS) token sequence
    within an SVG element. (Closes: #857473).
    In 1.2.3+dfsg.1-2 the patch wasn't added to debian/patches/series.

 -- Guilhem Moulin <email address hidden>  Tue, 14 Mar 2017 11:43:18 +0100
