Subject: CVS commit: [pkgsrc-2018Q1] pkgsrc/mail/roundcube
From: S.P.Zeidler
Date: 2018-05-19 11:18:37
Message id: 20180519091837.B8D14FBEC@cvs.NetBSD.org

Log Message:
Pullup ticket #5759 - requested by bsiegert
mail/roundcube: security update

Revisions pulled up:
- mail/roundcube/Makefile                                       1.89
- mail/roundcube/Makefile.common                                1.10
- mail/roundcube/PLIST                                          1.45
- mail/roundcube/distinfo                                       1.61
- mail/roundcube/files/apache.conf                              1.2
- mail/roundcube/files/lighttpd.conf                            1.1
- mail/roundcube/files/nginx.conf                               1.2
- mail/roundcube/options.mk                                     1.16
- mail/roundcube/patches/patch-ac                               deleted
- mail/roundcube/patches/patch-rcube_mime_default               1.3

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   triaxx
   Date:           Wed May 16 08:14:41 UTC 2018

   Modified Files:
            pkgsrc/mail/roundcube: Makefile Makefile.common PLIST distinfo
                options.mk
            pkgsrc/mail/roundcube/files: apache.conf nginx.conf
            pkgsrc/mail/roundcube/patches: patch-rcube_mime_default
   Added Files:
            pkgsrc/mail/roundcube/files: lighttpd.conf
   Removed Files:
            pkgsrc/mail/roundcube/patches: patch-ac

   Log Message:
   roundcube: update to 1.3.6

   * add JavaScript dependencies listed in jsdeps.json
      * put them on /pub/pkgsrc/distfiles/roundcube to avoid checksum error due
        to archive automatic generation (e.g. tinymce_languages.zip)
   * remove patch-ac
   * add example configuration fragment for www/lighttpd

   CHANGELOG Roundcube Webmail
   ===========================

   RELEASE 1.3.6
   -------------
   - Fix parsing date strings (e.g. from a Date: mail header) with comments
   (#6216)
   - Fix PHP 7.2: count(): Parameter must be an array in enchant-based
   spellchecker (#6234)
   - Fix possible IMAP command injection and type juggling vulnerabilities
   (#6229)
   - Enigma: Fix key selection for signing
   - Enigma: Enable keypair generation on Internet Explorer 11
   - Fix check_request() bypass in places using get_uids() [CVE-2018-9846]
   (#6238)
   - Fix bug where usernames without domain part could be malformed or
   converted to lower-case on logon (#6224)

   RELEASE 1.3.5
   -------------
   - Managesieve: Fix bug where text: syntax was forced for strings longer
   than 1024 characters (#6143)
   - Managesieve: Fix missing Save button in Edit Filter Set page of Classic
   skin (#6154)
   - Fix duplicated labels in Test SMTP Config section (#6166)
   - Fix PHP Warning: exif_read_data(...): Illegal IFD size (#6169)
   - Enigma: Fix key generation in Safari by upgrade to OpenPGP 2.6.2 (#6149)
   - Fix security issue in remote content blocking on HTML image and style
   tags (#6178)
   - Added 9pt and 11pt to the list of font sizes in HTML editor
   - Fix handling encoding of HTML tags in "inline" JSON output (#6207)
   - Fix bug where some unix timestamps were not handled correctly by
   rcube_utils::anytodatetime() (#6212)

   RELEASE 1.3.4
   -------------
   - Fix bug where contacts search could skip some records (#6130)
   - Fix possible information leak - add more strict sql error check on user
   creation (#6125)
   - Fix a couple of warnings on PHP 7.2 (#6098)
   - Fix broken long filenames when using imap4d server - workaround server
   bug (#6048)
   - Fix so temp_dir misconfiguration prints an error to the log (#6045)
   - Fix untagged COPYUID responses handling - again (#5982)
   - Fix PHP warning "idn_to_utf8(): INTL_IDNA_VARIANT_2003 is deprecated"
   with PHP 7.2 (#6075)
   - Fix bug where Archive folder wasn't auto-created on login with
   create_default_folders=true
   - Fix performance issue when parsing malformed and long Date header (#6087)
   - Fix syntax error in mssql.initial.sql (#6097)
   - Fix bug where contacts export by selection returned no more than 10
   entries (#6103)
   - Fix searching contacts by address in LDAP source (#6084)
   - Fix X-Frame-Options:ALLOW-FROM support, remove custom click-jacking
   protection (#6057)

   RELEASE 1.3.3
   -------------
   - Fix decoding of mailto: links with + character in HTML messages (#6020)
   - Fix false reporting of failed upgrade in installto.sh (#6019)
   - Fix file disclosure vulnerability caused by insufficient input validation
   [CVE-2017-16651] (#6026)
   - Fix mangled non-ASCII characters in links in HTML messages (#6028)

   RELEASE 1.3.2
   -------------
   - Improve detection for Edge browser and add pointer event support (#5922)
   - Fix bug where pink image was used instead of a thumbnail when image
   resize fails (#5933)
   - Fix so files size/count limit is verified (client-side) also on
   drag-n-drop uploads (#5940)
   - Fix invalid template loading on a message error in preview frame (#5941)
   - Fix bug where HTML messages could have been rendered empty on some
   systems (#5957)
   - Fix wording of "Mark previewed messages as read" to "Mark messages as
   read" (#5952)
   - Enigma: Fix decryption of messages encoded with non-ascii charset (#5962)
   - Fix missing cursor in HTML editor on mail reply (#5969)
   - Fix (again) bug where image data URIs in css style were treated as
   evil/remote in mail preview (#5580)
   - Fix bug where mail search could return empty result on servers without
   SORT capability (#5973)
   - Fix bug where assets_path wasn't added to some watermark frames
   - Fix so untagged COPYUID responses are also supported according to RFC6851
   (#5982)
   - Fix issue caused by non-default session.cookie_lifetime setting (#5961)
   - Fix Edge encoding bug when pasting text into the HTML editor, update to
   TinyMCE 4.5.8 (#5885)
   - Fix handling of unknown Content-Disposition type (#6002)
   - Fix truncated folder name on messages list in multi-folder mode, for
   folders with non-ascii characters (#6004)
   - Fix bug where removing the last subfolder did not hide toggle button on
   its parent record (#6007)
   - Fix bug where ghost messages could be added to the list after fast delete
   (#5941)

   RELEASE 1.3.1
   -------------
   - Don't ignore (global) userlogins/sendmail logs in per_user_logging mode
   - Add Preferences > Mailbox View > Main Options > Layout (#5829)
   - Password: Fix compatibility with PHP 7+ in cpanel_webmail driver (#5820)
   - Managesieve: Fix parsing dot-stuffed lines in multiline text (#5838)
   - Managesieve: Fix AM/PM suffix in vacation time selectors
   - Managesieve: Fix bug where 'exists' operator was reset to 'contains'
   (#5899)
   - Remove non-printable characters from filenames on download/display (#5880)
   - Fix decoding non-ascii attachment names from TNEF attachments (#5646,
   #5799)
   - Fix uninitialized string offset in rcube_utils::bin2ascii() and make sure
   rcube_utils::random_bytes() result has always requested length (#5788)
   - Fix bug where HTML messages with @media styles could modify style of
   page body (#5811)
   - Fix style issue on selected and unfocused message that is part of a
   thread (#5798)
   - Fix bug where a.button style from managesieve plugin could impact other
   elements (#5800)
   - Fix position of selected icon for (Mailvelope) Encrypt button
   - Fix fatal error when using DMY- or MDY-based date format in PostgreSQL
   (#5808)
   - Fix bug where errors were not printed when using bin/update.sh (#5834)
   - Fix PHP 7.2 warnings on count() use (#5845)
   - Fix bug where Chrome could not upload the same file that was selected
   before (#5854)
   - Fix duplicate messages on the list after deleting messages on the next to
   the last page (#5862)
   - Fix bug where messages count was not updated after delete when imap_cache
   is set (#5872)
   - Fix potential XSS vulnerability with malformed HTML message markup
   - Fix sending message with "Too many public recipients" dialog buttons
   (#5924)
   - Bring back double-click behavior on the message list which was removed in
   1.3.0 (#5823)
   - Enigma: Fix decrypting an encrypted+signed message when signature
   verification fails (#5914)

   RELEASE 1.3.0
   -------------
   - Update to TinyMCE 4.5.7
   - Fix bug where invalid recipients could be silently discarded (#5739)
   - Fix conflict with _gid cookie of Google Analytics (#5748)
   - Print error from CLI scripts when system/exec function is disabled (#5744)
   - Fix bug where comment notation within style tag would cause the whole
   style to be ignored (#5747)
   - Fix bug where it wasn't possible to scroll folders list in Edge (#5750)
   - Fix folders list sorting on Windows - if php-intl is available (#5732)
   - Fix addressbook searching by gender (#5757)
   - Fix prevention from using % and * characters in folder name (#5762)
   - Fix POST parameter reflection in default_charset selector (#5768)
   - Enigma: Fix compatibility with assets_dir
   - Managesieve: Skip redundant LISTSCRIPTS command
   - Fix SQL syntax error on MariaDB 10.2 (#5774)
   - Fix bug where zipdownload ignored files with the same name (#5777)
   - Fix bug where it wasn't possible to set timezone to auto-detected value
   (#5782)

   RELEASE 1.3-rc
   --------------
   - "Flattened" the larry theme: fresher look by removing shadows and
   gradients
   - Support logging to php://stdout (#5721)
   - Add support for DelSp=Yes in format=flowed messages (#5702)
   - Update to jQuery 3.2.1
   - Update to TinyMCE 4.5.6
   - Plugin API: Call message_part_structure hook for sub-parts of
   multipart/alternative message (#5678)
   - Enigma: Always use detached signatures (#5624)
   - Enigma: Fix handling of messages with nested PGP encrypted parts (#5634)
   - Minimize unwanted message loading in preview frame on drag (#5616)
   - Fix failing database schema check in all engines except mysql (#5730)
   - Fix autocomplete popup closing with click outside the input, don't handle
   Tab key as Enter (#5606)
   - Fix jsdeps.json synchronization on update, warn about missing
   requirements of install-jsdeps.sh (#5598)
   - Fix missing thread expand icon on search result in widescreen mode (#5613)
   - Fix bug where image data URIs in css style were treated as evil/remote in
   mail preview (#5580)
   - Fix bug where external content in src attribute of input/video tags was
   not secured (#5583)
   - Fix PHP error on update of a contact with multiple email addresses when
   using PHP 7.1 (#5587)
   - Fix bug where mail content frame couldn't be reset in some corner cases
   (#5608)
   - Fix bug where some classic skin images were not displayed in IE/Edge
   (#5614)
   - Fix bug where signature couldn't be added above the quote in Firefox 51
   (#5628)
   - Fix regression where groups with email address were resolved to its
   members' addresses
   - Fix update of group name in the contacts list header on group rename
   (#5648)
   - Add rewrite rule to disable access to /vendor/bin folder in .htaccess
   (#5630)
   - Fix bug where it was too easy to accidentally move a folder when using the
   subscription checkbox (#5655)
   - Managesieve: Fix parser issue with empty lines between comments (#5657)
   - Managesieve: Fix possible defect in handling \r\n in scripts (#5685)
   - Fix/rephrase "unsaved changes" warning when cancelling a draft (#5610)
   - Fix XSS issue in handling of a style tag inside of an svg element
   [CVE-2017-6820]
   - Fix bug where settings/upload.inc could not be used by plugins (#5694)
   - Fix regression in LDAP fuzzy search where it always used prefix search
   instead (#5713)
   - Fix bug where namespace prefix could not be truncated on folders list if
   show_real_foldernames=true (#5695)
   - Fix undesired effects when postgres database uses different timezone than
   PHP host (#5708)
   - Installer: Fix DB schema initialization on MS SQL Server
   - Fix bug where base_dn setting was ignored inside group_filters (#5720)
   - Password: Fix security issue in virtualmin and sasl drivers
   [CVE-2017-8114]

   RELEASE 1.3-beta
   ----------------
   - Nicely handle contact deletion on contact edit (#5522)
   - vcard_attachments: Add possibility to attach contact vCard to composed
   message (#4997)
   - Preserve message internal/received date on import in mbox format (#5559)
   - Zipdownload: Fix date format in mbox "From line"
   - Possibility to display QR code for contacts data (#5030)
   - Added identicon plugin
   - Widescreen layout aka three column view (#5093)
   - Unify automatic marking as \Seen in preview pane, full-page and extwin
   views (#5071)
   - Disable double-click on the list when preview pane is on (#5199)
   - Support hostname and hostname:port in force_https option (#5511)
   - Support ALLOW-FROM in x_frame_options (#5122)
   - Allow to omit a subject when sending an email (#5068)
   - Warn about too many disclosed recipients in composed email
   [max_disclosed_recipients] (#5132)
   - identity_select: Support Received header (#5085)
   - Plugin API: Added get_compose_responses hook (#5457)
   - Display error when trying to upload more files than specified in
   max_file_uploads (#5483)
   - Add missing sql upgrade file for 'ip' column resize in session table
   (#5465)
   - Do not show inline images of unsupported mimetype (#5463)
   - Password: Added replacement variables support in password_pop_host (#5539)
   - Password: Don't store passwords in temp files when using dovecotpw (#5531)
   - Password: Added LDAP PPolicy driver (#5364)
   - Password: Added cpanel_webmail driver (#5549)
   - Password: Added possibility to nicely redirect from other plugins on
   password expiration (#5468)
   - Implement separate action to mark all messages in a folder as \Seen
   (#5006)
   - Implement marking as \Seen in all folders or in a folder and its
   subfolders (#5076)
   - Archive: Don't reload messages list when it's not needed (#5225)
   - Archive: Add option to automatically mark archived messages as \Seen
   (#5142)
   - Improve randomness of password salts and random hashes (#5266)
   - Password/cPanel: Add support for hash authentication and reseller
   accounts (#5252)
   - Support host-specific
   imap_conn_options/smtp_conn_options/managesieve_conn_options (#5136)
   - Center and scale images in attachment preview frame (#5421)
   - Added max_message_size option enforced when attaching files to a composed
   message (#4993)
   - Added Search button in quick search menus (#5312)
   - Implement "one click" attachment/messages/photo upload (#5024)
   - Squirrelmail_usercopy: Add option to define character set of data files
   - Removed useless 'created' column from 'session' table (#5389)
   - Dropped legacy browsers support (#5167)
        - Removed legacy_browser plugin
        - Removed hacks for IE < 10
        - Update to jQuery 3.1.1 and jQuery-UI 1.12.0
        - compile .min.js files with ECMASCRIPT5 option
   - Require PHP >= 5.4
   - Add possibility to preview and download attachments in mail compose
   (#5053)
   - Add possibility to rename attachments in mail compose (#4996)
   - Remove backward compatibility "layer" of bc.php (#4902)
   - Support WEBP images in mail messages (#5362)
   - Support MathML in HTML message preview (#5182)
   - Rename Addressbook to Contacts (#5233)
   - Remove PHP mail() support, smtp_server is required now (#5340)
   - Display full message subject in onmouseover on truncated subject in mail
   view (#5346)
   - Enigma: Support GnuPG 2.1 (#5313)
   - Enigma: Support key generation for multiple identities (#5383)
   - Enigma: Import keys from key-server(s) (#5286)
   - Enigma: Search missing public keys on a key-server in mail compose (#5286)
   - Enigma: Delete user keys when using deluser.sh script
   - Enigma: Fix redundant list-secret-keys/list-public-keys calls on
   signing/encryption
   - Enigma: Implement PGP encryption and signing in one go (#5302)
   - Enigma: Display signature verification status for encrypted+signed
   messages (#5302)
   - Display different attachment icon on encrypted messages
   - Display different confirmation text when moving messages to Trash (#5220)
   - Indicate that a collapsed thread has flagged children (#5013)
   - Implemented message/rfc822 attachment preview
   - Update to jsTimezoneDetect 1.0.6
   - Managesieve: Add (optional) RAW script editor (#5414)
   - Managesieve: Add option to automatically set vacation :from address
   (#5428)
   - Managesieve: Support 'string' test from variables extension [RFC 5229]
   (#5248)
   - Managesieve: Support 'duplicate' extension [RFC 7352]
   - Managesieve: Unhide advanced rule controls if there are inputs with errors
   - Managesieve: Display warning message when filter form contains errors
   - Control search engine crawlers via X-Robots-Tag header instead of <meta>
   and robots.txt (#5098)
   - Fixed redundancy in sql caching system and compatibility with Galera
   Cluster (#5439)
        - Removed redundant 'created' column from cache and cache_shared tables
        - Removed use of redundant data records
        - Added missing primary keys (dictionary, cache, cache_shared tables)
   - Fix so templating system does not mess with external (e.g. email) content
   (#5499)
   - Fix redundant keep-alive/refresh after session error on compose page
   (#5500)
   - Managesieve: Fix handling of scripts with nested rules (#5540)
   - Fix variable substitution in ldap host for some use-cases, e.g.
   new_user_identity (#5544)
   - Enigma: Fix PHP fatal error when decrypting a message with invalid
   signature (#5555)
   - Fix adding images to new identity signatures
   - Fix rsync error handling in installto.sh script (#5562)
   - Fix some advanced search issues with multiple addressbooks (#5572)
   - Fix so group/addressbook selection is retained on page refresh

   To generate a diff of this commit:
   cvs rdiff -u -r1.88 -r1.89 pkgsrc/mail/roundcube/Makefile
   cvs rdiff -u -r1.9 -r1.10 pkgsrc/mail/roundcube/Makefile.common
   cvs rdiff -u -r1.44 -r1.45 pkgsrc/mail/roundcube/PLIST
   cvs rdiff -u -r1.60 -r1.61 pkgsrc/mail/roundcube/distinfo
   cvs rdiff -u -r1.15 -r1.16 pkgsrc/mail/roundcube/options.mk
   cvs rdiff -u -r1.1 -r1.2 pkgsrc/mail/roundcube/files/apache.conf \
        pkgsrc/mail/roundcube/files/nginx.conf
   cvs rdiff -u -r0 -r1.1 pkgsrc/mail/roundcube/files/lighttpd.conf
   cvs rdiff -u -r1.10 -r0 pkgsrc/mail/roundcube/patches/patch-ac
   cvs rdiff -u -r1.2 -r1.3 \
        pkgsrc/mail/roundcube/patches/patch-rcube_mime_default

Files:
Revision    Action  File
1.88.10.1   modify  pkgsrc/mail/roundcube/Makefile
1.7.4.3     modify  pkgsrc/mail/roundcube/Makefile.common
1.44.12.1   modify  pkgsrc/mail/roundcube/PLIST
1.58.4.3    modify  pkgsrc/mail/roundcube/distinfo
1.15.16.1   modify  pkgsrc/mail/roundcube/options.mk
1.1.24.1    modify  pkgsrc/mail/roundcube/files/apache.conf
1.1.24.1    modify  pkgsrc/mail/roundcube/files/nginx.conf
1.2.22.1    modify  pkgsrc/mail/roundcube/patches/patch-rcube_mime_default
1.1.2.2     add     pkgsrc/mail/roundcube/files/lighttpd.conf
1.10        remove  pkgsrc/mail/roundcube/patches/patch-ac