Navigation:
Browse pkgsrc
(this page)
mail roundcub..
CVSweb ] [ 
Homepage ] [ 
RSS ] [ 
Required by ] [ 
Add to tracker ] 2018-05-19 11:18:37 by S.P.Zeidler | Files touched by this commit (10) |  |
Log message:
Pullup ticket #5759 - requested by bsiegert
mail/roundcube: security update
Revisions pulled up:
- mail/roundcube/Makefile 1.89
- mail/roundcube/Makefile.common 1.10
- mail/roundcube/PLIST 1.45
- mail/roundcube/distinfo 1.61
- mail/roundcube/files/apache.conf 1.2
- mail/roundcube/files/lighttpd.conf 1.1
- mail/roundcube/files/nginx.conf 1.2
- mail/roundcube/options.mk 1.16
- mail/roundcube/patches/patch-ac deleted
- mail/roundcube/patches/patch-rcube_mime_default 1.3
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: triaxx
Date: Wed May 16 08:14:41 UTC 2018
Modified Files:
pkgsrc/mail/roundcube: Makefile Makefile.common PLIST distinfo
options.mk
pkgsrc/mail/roundcube/files: apache.conf nginx.conf
pkgsrc/mail/roundcube/patches: patch-rcube_mime_default
Added Files:
pkgsrc/mail/roundcube/files: lighttpd.conf
Removed Files:
pkgsrc/mail/roundcube/patches: patch-ac
Log message:
roundcube: update to 1.3.6
* add JavaScript dependencies listed in jsdeps.json
* put them on /pub/pkgsrc/distfiles/roundcube to avoid checksum error due
to archive automatic generation (e.g. tinymce_languages.zip)
* remove patch-ac
* add example configuration fragment for www/lighttpd
CHANGELOG Roundcube Webmail
===========================
RELEASE 1.3.6
-------------
- Fix parsing date strings (e.g. from a Date: mail header) with comments
(#6216)
- Fix PHP 7.2: count(): Parameter must be an array in enchant-based
spellchecker (#6234)
- Fix possible IMAP command injection and type juggling vulnerabilities
(#6229)
- Enigma: Fix key selection for signing
- Enigma: Enable keypair generation on Internet Explorer 11
- Fix check_request() bypass in places using get_uids() [CVE-2018-9846]
(#6238)
- Fix bug where usernames without domain part could be malformed or
converted to lower-case on logon (#6224)
RELEASE 1.3.5
-------------
- Managesieve: Fix bug where text: syntax was forced for strings longer
than 1024 characters (#6143)
- Managesieve: Fix missing Save button in Edit Filter Set page of Classic
skin (#6154)
- Fix duplicated labels in Test SMTP Config section (#6166)
- Fix PHP Warning: exif_read_data(...): Illegal IFD size (#6169)
- Enigma: Fix key generation in Safari by upgrade to OpenPGP 2.6.2 (#6149)
- Fix security issue in remote content blocking on HTML image and style
tags (#6178)
- Added 9pt and 11pt to the list of font sizes in HTML editor
- Fix handling encoding of HTML tags in "inline" JSON output (#6207)
- Fix bug where some unix timestamps were not handled correctly by
rcube_utils::anytodatetime() (#6212)
RELEASE 1.3.4
-------------
- Fix bug where contacts search could skip some records (#6130)
- Fix possible information leak - add more strict sql error check on user
creation (#6125)
- Fix a couple of warnings on PHP 7.2 (#6098)
- Fix broken long filenames when using imap4d server - workaround server
bug (#6048)
- Fix so temp_dir misconfiguration prints an error to the log (#6045)
- Fix untagged COPYUID responses handling - again (#5982)
- Fix PHP warning "idn_to_utf8(): INTL_IDNA_VARIANT_2003 is deprecated"
with PHP 7.2 (#6075)
- Fix bug where Archive folder wasn't auto-created on login with
create_default_folders=true
- Fix performance issue when parsing malformed and long Date header (#6087)
- Fix syntax error in mssql.initial.sql (#6097)
- Fix bug where contacts export by selection returned no more than 10
entries (#6103)
- Fix searching contacts by address in LDAP source (#6084)
- Fix X-Frame-Options:ALLOW-FROM support, remove custom click-jacking
protection (#6057)
RELEASE 1.3.3
-------------
- Fix decoding of mailto: links with + character in HTML messages (#6020)
- Fix false reporting of failed upgrade in installto.sh (#6019)
- Fix file disclosure vulnerability caused by insufficient input validation
[CVE-2017-16651] (#6026)
- Fix mangled non-ASCII characters in links in HTML messages (#6028)
RELEASE 1.3.2
-------------
- Improve detection for Egde browser and add pointer event support (#5922)
- Fix bug where pink image was used instead of a thumbnail when image
resize fails (#5933)
- Fix so files size/count limit is verified (client-side) also on
drag-n-drop uploads (#5940)
- Fix invalid template loading on a message error in preview frame (#5941)
- Fix bug where HTML messages could have been rendered empty on some
systems (#5957)
- Fix wording of "Mark previewed messages as read" to "Mark \
messages as
read" (#5952)
- Enigma: Fix decryption of messages encoded with non-ascii charset (#5962)
- Fix missing cursor in HTML editor on mail reply (#5969)
- Fix (again) bug where image data URIs in css style were treated as
evil/remote in mail preview (#5580)
- Fix bug where mail search could return empty result on servers without
SORT capability (#5973)
- Fix bug where assets_path wasn't added to some watermark frames
- Fix so untagged COPYUID responses are also supported according to RFC6851
(#5982)
- Fix issue caused by non-default session.cookie_lifetime setting (#5961)
- Fix Edge encoding bug when pasting text into the HTML editor, update to
TinyMCE 4.5.8 (#5885)
- Fix handling of unknown Content-Disposition type (#6002)
- Fix truncated folder name on messages list in multi-folder mode, for
folders with non-ascii characters (#6004)
- Fix bug where removing the last subfolder did not hide toggle button on
its parent record (#6007)
- Fix bug where ghost messages could be added to the list after fast delete
(#5941)
RELEASE 1.3.1
-------------
- Don't ignore (global) userlogins/sendmail logs in per_user_logging mode
- Add Preferences > Mailbox View > Main Options > Layout (#5829)
- Password: Fix compatibility with PHP 7+ in cpanel_webmail driver (#5820)
- Managesieve: Fix parsing dot-staffed lines in multiline text (#5838)
- Managesieve: Fix AM/PM suffix in vacation time selectors
- Managesieve: Fix bug where 'exists' operator was reset to 'contains'
(#5899)
- Remove non-printable characters from filenames on download/display (#5880)
- Fix decoding non-ascii attachment names from TNEF attachments (#5646,
#5799)
- Fix uninitialized string offset in rcube_utils::bin2ascii() and make sure
rcube_utils::random_bytes() result has always requested length (#5788)
- Fix bug where HTML messages with @media styles could moddify style of
page body (#5811)
- Fix style issue on selected and unfocused message that is part of a
thread (#5798)
- Fix bug where a.button style from managesieve plugin could impact other
elements (#5800)
- Fix position of selected icon for (Mailvelope) Encrypt button
- Fix fatal error when using DMY- or MDY-based date format in PostgreSQL
(#5808)
- Fix bug where errors were not printed when using bin/update.sh (#5834)
- Fix PHP 7.2 warnings on count() use (#5845)
- Fix bug where Chrome could not upload the same file that was selected
before (#5854)
- Fix duplicate messages on the list after deleting messages on the next to
the last page (#5862)
- Fix bug where messages count was not updated after delete when imap_cache
is set (#5872)
- Fix potential XSS vulnerability with malformed HTML message markup
- Fix sending message with "Too many public recipients" dialog buttons
(#5924)
- Bring back double-click behavior on the message list which was removed in
1.3.0 (#5823)
- Enigma: Fix decrypting an encrypted+signed message when signature
verification fails (#5914)
RELEASE 1.3.0
-------------
- Update to TinyMCE 4.5.7
- Fix bug where invalid recipients could be silently discarded (#5739)
- Fix conflict with _gid cookie of Google Analytics (#5748)
- Print error from CLI scripts when system/exec function is disabled (#5744)
- Fix bug where comment notation within style tag would cause the whole
style to be ignored (#5747)
- Fix bug where it wasn't possible to scroll folders list in Edge (#5750)
- Fix folders list sorting on Windows - if php-intl is available (#5732)
- Fix addressbook searching by gender (#5757)
- Fix prevention from using % and * characters in folder name (#5762)
- Fix POST parameter reflection in default_charset selector (#5768)
- Enigma: Fix compatibility with assets_dir
- Managesieve: Skip redundant LISTSCRIPTS command
- Fix SQL syntax error on MariaDB 10.2 (#5774)
- Fix bug where zipdownload ignored files with the same name (#5777)
- Fix bug where it wasn't possible to set timezone to auto-detected value
(#5782)
RELEASE 1.3-rc
--------------
- "Flattened" the larry theme: fresher look by removing shadows and
gradients
- Support logging to php://stdout (#5721)
- Add support for DelSp=Yes in format=flowed messages (#5702)
- Update to jQuery 3.2.1
- Update to TinyMCE 4.5.6
- Plugin API: Call message_part_structure hook for sub-parts of
multipart/alternative message (#5678)
- Enigma: Always use detached signatures (#5624)
- Enigma: Fix handling of messages with nested PGP encrypted parts (#5634)
- Minimize unwanted message loading in preview frame on drag (#5616)
- Fix failing database schema check in all engines except mysql (#5730)
- Fix autocomplete popup closing with click outside the input, don't handle
Tab key as Enter (#5606)
- Fix jsdeps.json synchronization on update, warn about missing
requirements of install-jsdeps.sh (#5598)
- Fix missing thread expand icon on search result in widescreen mode (#5613)
- Fix bug where image data URIs in css style were treated as evil/remote in
mail preview (#5580)
- Fix bug where external content in src attribute of input/video tags was
not secured (#5583)
- Fix PHP error on update of a contact with multiple email addresses when
using PHP 7.1 (#5587)
- Fix bug where mail content frame couldn't be reset in some corner cases
(#5608)
- Fix bug where some classic skin images were not displayed in IE/Edge
(#5614)
- Fix bug where signature couldn't be added above the quote in Firefox 51
(#5628)
- Fix regression where groups with email address were resolved to its
members' addresses
- Fix update of group name in the contacts list header on group rename
(#5648)
- Add rewrite rule to disable access to /vendor/bin folder in .htaccess
(#5630)
- Fix bug where it was too easy accidentally move a folder when using the
subscription checkbox (#5655)
- Managesieve: Fix parser issue with empty lines between comments (#5657)
- Managesieve: Fix possible defect in handling \r\n in scripts (#5685)
- Fix/rephrase "unsaved changes" warning when cancelling a draft (#5610)
- Fix XSS issue in handling of a style tag inside of an svg element
[CVE-2017-6820]
- Fix bug where settings/upload.inc could not be used by plugins (#5694)
- Fix regression in LDAP fuzzy search where it always used prefix search
instead (#5713)
- Fix bug where namespace prefix could not be truncated on folders list if
show_real_foldernames=true (#5695)
- Fix undesired effects when postgres database uses different timezone than
PHP host (#5708)
- Installer: Fix DB schema initialization on MS SQL Server
- Fix bug where base_dn setting was ignored inside group_filters (#5720)
- Password: Fix security issue in virtualmin and sasl drivers
[CVE-2017-8114]
RELEASE 1.3-beta
----------------
- Nicely handle contact deletion on contact edit (#5522)
- vcard_attachments: Add possibility to attach contact vCard to composed
message (#4997)
- Preserve message internal/received date on import in mbox format (#5559)
- Zipdownload: Fix date format in mbox "From line"
- Possibility to display QR code for contacts data (#5030)
- Added identicon plugin
- Widescreen layout aka three column view (#5093)
- Unify automatic marking as \Seen in preview pane, full-page and extwin
views (#5071)
- Disable double-click on the list when preview pane is on (#5199)
- Support hostname and hostname:port in force_https option (#5511)
- Support ALLOW-FROM in x_frame_options (#5122)
- Allow to omit a subject when sending an email (#5068)
- Warn about too many disclosed recipients in composed email
[max_disclosed_recipients] (#5132)
- identity_select: Support Received header (#5085)
- Plugin API: Added get_compose_responses hook (#5457)
- Display error when trying to upload more files than specified in
max_file_uploads (#5483)
- Add missing sql upgrade file for 'ip' column resize in session table
(#5465)
- Do not show inline images of unsupported mimetype (#5463)
- Password: Added replacement variables support in password_pop_host (#5539)
- Password: Don't store passwords in temp files when using dovecotpw (#5531)
- Password: Added LDAP PPolicy driver (#5364)
- Password: Added cpanel_webmail driver (#5549)
- Password: Added possibility to nicely redirect from other plugins on
password expiration (#5468)
- Implement separate action to mark all messages in a folder as \Seen
(#5006)
- Implement marking as \Seen in all folders or in a folder and its
subfolders (#5076)
- Archive: Don't reload messages list when it's not needed (#5225)
- Archive: Add option to automatically mark archived messages as \Seen
(#5142)
- Improve randomness of password salts and random hashes (#5266)
- Password/cPanel: Add support for hash authentication and reseller
accounts (#5252)
- Support host-specific
imap_conn_options/smtp_conn_options/managesieve_conn_options (#5136)
- Center and scale images in attachment preview frame (#5421)
- Added max_message_size option enforced when attaching files to a composed
message (#4993)
- Added Search button in quick search menus (#5312)
- Implement "one click" attachment/messages/photo upload (#5024)
- Squirrelmail_usercopy: Add option to define character set of data files
- Removed useless 'created' column from 'session' table (#5389)
- Dropped legacy browsers support (#5167)
- Removed legacy_browser plugin
- Removed hacks for IE < 10
- Update to jQuery 3.1.1 and jQuery-UI 1.12.0
- compile .min.js files with ECMASCRIPT5 option
- Require PHP >= 5.4
- Add possibility to preview and download attachments in mail compose
(#5053)
- Add possibility to rename attachments in mail compose (#4996)
- Remove backward compatibility "layer" of bc.php (#4902)
- Support WEBP images in mail messages (#5362)
- Support MathML in HTML message preview (#5182)
- Rename Addressbook to Contacts (#5233)
- Remove PHP mail() support, smtp_server is required now (#5340)
- Display full message subject in onmouseover on truncated subject in mail
view (#5346)
- Enigma: Support GnuPG 2.1 (#5313)
- Enigma: Support key generation for multiple identities (#5383)
- Enigma: Import keys from key-server(s) (#5286)
- Enigma: Search missing public keys on a key-server in mail compose (#5286)
- Enigma: Delete user keys when using deluser.sh script
- Enigma: Fix redundant list-secret-keys/list-public-keys calls on
signing/encryption
- Enigma: Implement PGP encryption and signing in one go (#5302)
- Enigma: Display signature verification status for encrypted+signed
messages (#5302)
- Display different attachment icon on encrypted messages
- Display different confirmation text when moving messages to Trash (#5220)
- Indicate that a collapsed thread has flagged children (#5013)
- Implemented message/rfc822 attachment preview
- Update to jsTimezoneDetect 1.0.6
- Managesieve: Add (optional) RAW script editor (#5414)
- Managesieve: Add option to automatically set vacation :from address
(#5428)
- Managesieve: Support 'string' test from variables extension [RFC 5229]
(#5248)
- Managesieve: Support 'duplicate' extension [RFC 7352]
- Managesieve: Unhide advanced rule controls if there are inputs with errors
- Managesieve: Display warning message when filter form contains errors
- Control search engine crawlers via X-Robots-Tag header instead of <meta>
and robots.txt (#5098)
- Fixed redundancy in sql caching system and compatibility with Galera
Cluster (#5439)
- Removed redundant 'created' column from cache and cache_shared tables
- Removed use of redundant data records
- Added missing primary keys (dictionary, cache, cache_shared tables)
- Fix so templating system does not mess with external (e.g. email) content
(#5499)
- Fix redundant keep-alive/refresh after session error on compose page
(#5500)
- Managesieve: Fix handling of scripts with nested rules (#5540)
- Fix variable substitution in ldap host for some use-cases, e.g.
new_user_identity (#5544)
- Enigma: Fix PHP fatal error when decrypting a message with invalid
signature (#5555)
- Fix adding images to new identity signatures
- Fix rsync error handling in installto.sh script (#5562)
- Fix some advanced search issues with multiple addressbooks (#5572)
- Fix so group/addressbook selection is retained on page refresh
To generate a diff of this commit:
cvs rdiff -u -r1.88 -r1.89 pkgsrc/mail/roundcube/Makefile
cvs rdiff -u -r1.9 -r1.10 pkgsrc/mail/roundcube/Makefile.common
cvs rdiff -u -r1.44 -r1.45 pkgsrc/mail/roundcube/PLIST
cvs rdiff -u -r1.60 -r1.61 pkgsrc/mail/roundcube/distinfo
cvs rdiff -u -r1.15 -r1.16 pkgsrc/mail/roundcube/options.mk
cvs rdiff -u -r1.1 -r1.2 pkgsrc/mail/roundcube/files/apache.conf \
pkgsrc/mail/roundcube/files/nginx.conf
cvs rdiff -u -r0 -r1.1 pkgsrc/mail/roundcube/files/lighttpd.conf
cvs rdiff -u -r1.10 -r0 pkgsrc/mail/roundcube/patches/patch-ac
cvs rdiff -u -r1.2 -r1.3 \
pkgsrc/mail/roundcube/patches/patch-rcube_mime_default
|
| 2018-05-06 11:13:56 by S.P.Zeidler | Files touched by this commit (6) | |
Log message: Pullup ticket #5742 - requested by taca mail/roundcube: regression fix mail/roundcube-plugin-enigma: regression fix mail/roundcube-plugin-password: regression fix mail/roundcube-plugin-zipdownload: regression fix Revisions pulled up: - mail/roundcube-plugin-enigma/distinfo 1.9 - mail/roundcube-plugin-password/distinfo 1.9 - mail/roundcube-plugin-zipdownload/distinfo 1.9 - mail/roundcube/Makefile.common 1.9 - mail/roundcube/distinfo 1.60 - mail/roundcube/plugins.mk 1.2 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: taca Date: Mon Apr 30 06:44:11 UTC 2018 Modified Files: pkgsrc/mail/roundcube: plugins.mk Log message: mail/roundcube: fix typo Fix typo in DEPENDS. To generate a diff of this commit: cvs rdiff -u -r1.1 -r1.2 pkgsrc/mail/roundcube/plugins.mk ------------------------------------------------------------------- Module Name: pkgsrc Committed By: taca Date: Mon Apr 30 06:45:04 UTC 2018 Modified Files: pkgsrc/mail/roundcube: Makefile.common distinfo pkgsrc/mail/roundcube-plugin-enigma: distinfo pkgsrc/mail/roundcube-plugin-password: distinfo pkgsrc/mail/roundcube-plugin-zipdownload: distinfo Log message: mail/roundcube: update to 1.2.9 RELEASE 1.2.9 ------------- - Fix regression where IMAP commands with '*' uidset argument wasn't working To generate a diff of this commit: cvs rdiff -u -r1.8 -r1.9 pkgsrc/mail/roundcube/Makefile.common cvs rdiff -u -r1.59 -r1.60 pkgsrc/mail/roundcube/distinfo cvs rdiff -u -r1.8 -r1.9 pkgsrc/mail/roundcube-plugin-enigma/distinfo cvs rdiff -u -r1.8 -r1.9 pkgsrc/mail/roundcube-plugin-password/distinfo cvs rdiff -u -r1.8 -r1.9 pkgsrc/mail/roundcube-plugin-zipdownload/distinfo |
| 2018-05-06 10:40:13 by S.P.Zeidler | Files touched by this commit (5) | |
Log message:
Pullup ticket #5739 - requested by bsiegert
mail/roundcube: security update
mail/roundcube-plugin-enigma: security update
mail/roundcube-plugin-password: security update
mail/roundcube-plugin-zipdownload: security update
Revisions pulled up:
- mail/roundcube-plugin-enigma/distinfo 1.8
- mail/roundcube-plugin-password/distinfo 1.8
- mail/roundcube-plugin-zipdownload/distinfo 1.8
- mail/roundcube/Makefile.common 1.8
- mail/roundcube/distinfo 1.59
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: taca
Date: Mon Apr 23 13:55:00 UTC 2018
Modified Files:
pkgsrc/mail/roundcube: Makefile.common distinfo
pkgsrc/mail/roundcube-plugin-enigma: distinfo
pkgsrc/mail/roundcube-plugin-password: distinfo
pkgsrc/mail/roundcube-plugin-zipdownload: distinfo
Log message:
mail/roundcube: update to 1.2.8
This is a security update to the stable version 1.2. It fixes a recently
reported vulnerability allowing IMAP command injection via a GET parameters.
More details about this are published under CVE-2018-9846.
The second fix is about a missed remote content blocking on HTML messages
with
specially crafted image and style tags.
We strongly recommend to update all productive installations of Roundcube
1.2.x. Please do backup your data before updating!
CHANGELOG
* Fix check_request() bypass in places using get_uids() [CVE-2018-9846]
(#6238)
* Fix possible IMAP command injection vulnerability [CVE-2018-9846] (#6229)
* Fix security issue in remote content blocking on HTML image and style tags
(#6178)
To generate a diff of this commit:
cvs rdiff -u -r1.7 -r1.8 pkgsrc/mail/roundcube/Makefile.common
cvs rdiff -u -r1.58 -r1.59 pkgsrc/mail/roundcube/distinfo
cvs rdiff -u -r1.7 -r1.8 pkgsrc/mail/roundcube-plugin-enigma/distinfo
cvs rdiff -u -r1.7 -r1.8 pkgsrc/mail/roundcube-plugin-password/distinfo
cvs rdiff -u -r1.7 -r1.8 pkgsrc/mail/roundcube-plugin-zipdownload/distinfo
|
New packages: