pkgsrc.se | The NetBSD package collection

./mail/roundcube, Browser-based multilingual IMAP client

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]

Branch: CURRENT, Version: 1.6.9, Package name: php74-roundcube-1.6.9, Maintainer: taca

Roundcube Webmail is a browser-based multilingual IMAP client with an
application-like user interface. It provides full functionality you
expect from an email client, including MIME support, address book, folder
management, message searching and spell checking. Roundcube Webmail is
written in PHP and requires the MySQL, PostgreSQL or SQLite database.
With its plugin API it is easily extendable and the user interface is
fully customizable using skins.

The code designed to run on a webserver is mainly written in PHP and
Javascript. It includes a custom framework with an IMAP library derived
from IlohaMail and requires a set of external libraries (see composer.json
and jsdeps.json files).

The most noteworthy changes of Roundcube 1.6:

* PHP 8.1 support
* Dropped support for PHP < 7.3
* Support responses (snippets) in HTML format
* Option to purge deleted mails older than 30, 60 or 90 days
* Unified and simplified services connection config options
* Removed the Classic and Larry skins from the release packages
* SQLite: Use foreign keys, require SQLite >= 3.6.19

Required to run:
[textproc/php-json] [converters/php-iconv] [graphics/php-exif] [graphics/php-gd] [databases/php-pdo_mysql] [archivers/php-zip] [net/pear-Net_Sieve] [net/pear-Net_SMTP] [net/php-sockets] [mail/pear-Mail_Mime] [mail/pear-Auth_SASL] [converters/php-mbstring] [textproc/php-intl] [net/pear-Net_IDNA2]

Required to build:
[www/apache24]

Package options: apache, gd, iconv, mysql, php-sockets

Master sites:

https://github.com/roundcube/ (Download)

Filesize: 5761.176 KB

Version history: (Expand)

(2024-09-01) Updated to version: php74-roundcube-1.6.9
(2024-08-08) Updated to version: php74-roundcube-1.6.8
(2024-05-22) Updated to version: php74-roundcube-1.6.7
(2024-01-28) Updated to version: php74-roundcube-1.6.6
(2023-11-09) Updated to version: php74-roundcube-1.6.5
(2023-10-17) Updated to version: php74-roundcube-1.6.4

CVS history: (Expand)

2024-09-01 16:55:11 by Takahiro Kambe | Files touched by this commit (3) | Package updated

Log message:
mail/roundcube: update to 1.6.9

1.6.9 (2024-09-01)

- Fix regression where printing/scaling/rotating image attachments was
  broken (#9571)
- Fix regression where HTML messages were displayed unstyled (#9586)

2024-08-08 19:05:03 by Takahiro Kambe | Files touched by this commit (3) | Package updated

Log message:
mail/roundcube: update to 1.6.8

1.6.8 (2024-08-04)

This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:

* Fix XSS vulnerability in post-processing of sanitized HTML content
  [CVE-2024-42009]

* Fix XSS vulnerability in serving of attachments other than HTML or SVG
  [CVE-2024-42008]

* Fix information leak (access to remote content) via insufficient CSS
  filtering [CVE-2024-42010]

Credits to Oskar Zeino-Mahmalat (Sonar) for all these findings and thanks
for providing a very detailed report in a private communication.

This version is considered stable and we recommend to update all productive
installations of Roundcube 1.6.x with it.  Please do backup your data before
updating!

CHANGELOG

* Managesieve: Protect special scripts in managesieve_kolab_master mode
* Fix newmail_notifier notification focus in Chrome (#9467)
* Fix fatal error when parsing some TNEF attachments (#9462)
* Fix double scrollbar when composing a mail with many plain text lines
  (#7760)
* Fix decoding mail parts with multiple base64-encoded text blocks (#9290)
* Fix bug where some messages could get malformed in an import from a MBOX
  file (#9510)
* Fix invalid line break characters in multi-line text in Sieve scripts
  (#9543)
* Fix bug where "with attachment" filter could fail on some fts engines
  (#9514)
* Fix bug where an unhandled exception was caused by an invalid image
  attachment (#9475)
* Fix bug where a long subject title could not be displayed in some cases
  (#9416)
* Fix infinite loop when parsing malformed Sieve script (#9562)
* Fix bug where imap_conn_option's 'socket' was ignored (#9566)
* Fix XSS vulnerability in post-processing of sanitized HTML content
  [CVE-2024-42009]
* Fix XSS vulnerability in serving of attachments other than HTML or SVG
  [CVE-2024-42008]
* Fix information leak (access to remote content) via insufficient CSS
  filtering [CVE-2024-42010]

2024-01-28 03:58:22 by Takahiro Kambe | Files touched by this commit (4) | Package updated

Log message:
mail/roundcube: update to 1.6.6

1.6.6 (2024-01-20)

* Fix regression in handling LDAP search_fields configuration parameter
  (#9210)
* Enigma: Fix finding of a private key when decrypting a message using GnuPG
  v2.3
* Fix page jump menu flickering on click (#9196)
* Update to TinyMCE 5.10.9 security release (#9228)
* Fix PHP8 warnings (#9235, #9238, #9242, #9306)
* Fix saving other encryption settings besides enigma's (#9240)
* Fix unneeded php command use in installto.sh and deluser.sh scripts
  (#9237)
* Fix TinyMCE localization installation (#9266)
* Fix bug where trailing non-ascii characters in email addresses could have
  been removed in recipient input (#9257)
* Fix IMAP GETMETADATA command with options - RFC5464

2023-11-09 17:28:55 by Takahiro Kambe | Files touched by this commit (3) | Package updated

Log message:
mail/roundcube: update to 1.6.5

This is security release, quoted from release announce:

Security fix

Fix cross-site scripting (XSS) vulnerability in setting
Content-Type/Content-Disposition for attachment preview/download.
Credits for this finding go to Rene Rehme (rehme.infosec).

See the full changelogs in the release notes on the Github download pages
for the updated versions 1.6.5 and 1.5.6.

We strongly recommend to update all productive installations of Roundcube
1.6.x and 1.5.x with this new versions.

1.6.5 (2023-11-05)

* Fix PHP8 fatal error when parsing a malformed BODYSTRUCTURE (#9171)
* Fix duplicated Inbox folder on IMAP servers that do not use Inbox folder
  with all capital letters (#9166)
* Fix PHP warnings (#9174)
* Fix UI issue when dealing with an invalid managesieve_default_headers
  value (#9175)
* Fix bug where images attached to application/smil messages weren't
  displayed (#8870)
* Fix PHP string replacement error in utils/error.php (#9185)
* Fix regression where `smtp_user` did not allow pre/post strings
  before/after `%u` placeholder (#9162)
* Fix cross-site scripting (XSS) vulnerability in setting
  Content-Type/Content-Disposition for attachment preview/download

2023-10-17 17:47:09 by Takahiro Kambe | Files touched by this commit (4) | Package updated

Log message:
mail/roundcube: update to 1.6.4

1.6.4 (2023-10-16)

Security update.

- Fix PHP8 warnings (#9142, #9160)
- Fix default 'mime.types' path on Windows (#9113)
- Managesieve: Fix javascript error when relational or spamtest
  extension is not enabled (#9139)
- Fix cross-site scripting (XSS) vulnerability in handling of SVG in
  HTML messages (#9168)

2023-09-18 05:39:03 by Takahiro Kambe | Files touched by this commit (8) | Package updated

Log message:
mail/roundcube: update to 1.6.3

From release announce:

We just published a security update to the version 1.6 of Roundcube Webmail.
It provides a fix to a recently reported XSS vulnerability:

Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in
plain text messages, reported by Niraj Shivtarkar.  See the full changelog
in the release notes in the release notes on the Github download page.

We strongly recommend to update all productive installations of Roundcube
1.6.x with this new version.

1.6.3 (2023-09-15)

* Fix bug where installto.sh/update.sh scripts were removing some essential
  options from the config file (#9051)

* Update jQuery-UI to version 1.13.2 (#9041)

* Fix regression that broke use_secure_urls feature (#9052)

* Fix potential PHP fatal error when opening a message with message/rfc822
  part (#8953)

* Fix bug where a duplicate `<title>` tag in HTML email could cause some
  parts being cut off (#9029)

* Fix bug where a list of folders could have been sorted incorrectly (#9057)

* Fix regression where LDAP addressbook 'filter' option was ignored (#9061)

* Fix wrong order of a multi-folder search result when sorting by size
  (#9065)

* Fix so install/update scripts do not require PEAR (#9037)

* Fix regression where some mail parts could have been decoded incorrectly,
  or not at all (#9096)

* Fix handling of an error case in Cyrus IMAP BINARY FETCH, fallback to
  non-binary FETCH (#9097)

* Fix PHP8 deprecation warning in the reconnect plugin (#9083)

* Fix "Show source" on mobile with x_frame_options = deny (#9084)

* Fix various PHP warnings (#9098)

* Fix deprecated use of ldap_connect() in password's ldap_simple driver
  (#9060)

* Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in
  plain text messages

2023-07-27 10:18:00 by David Brownlee | Files touched by this commit (2)

Log message:
Also install the "vendor/" contents to resolve guzzlehttp requirement

Bump PKGREVISION

2023-07-07 14:57:21 by Takahiro Kambe | Files touched by this commit (7) | Package updated

Log message:
mail/roundcube: update to 1.6.2

1.6.2 (2023-07-02)

* Add Uyghur localization
* Fix regression in OAuth request URI caused by use of REQUEST_URI instead
  of SCRIPT_NAME as a default (#8878)
* Fix bug where false attachment reminder was displayed on HTML mail with
  inline images (#8885)
* Fix bug where a non-ASCII character in app.js could cause error in
  javascript engine (#8894)
* Fix JWT decoding with url safe base64 schema (#8890)
* Fix bug where .wav instead of .mp3 file was used for the new mail
  notification in Firefox (#8895)
* Fix PHP8 warning (#8891)
* Fix support for Windows-31J charset (#8869)
* Fix so LDAP VLV option is disabled by default as documented (#8833)
* Fix so an email address with name is supported as input to the managesieve
  notify :from parameter (#8918)
* Fix Help plugin menu (#8898)
* Fix invalid onclick handler on the logo image when using non-array
  skin_logo setting (#8933)
* Fix duplicate recipients in "To" and "Cc" on reply (#8912)
* Fix bug where it wasn't possible to scroll lists by clicking middle mouse
  button (#8942)
* Fix bug where label text in a single-input dialog could be partially
  invisible in some locales (#8905)
* Fix bug where LDAP (fulltext) search didn't work without 'search_fields'
  in config (#8874)
* Fix extra leading newlines in plain text converted from HTML (#8973)
* Fix so recipients with a domain ending with .s are allowed (#8854)
* Fix so vCard output does not contain non-standard/redundant TYPE=OTHER and
  TYPE=INTERNET (#8838)
* Fix QR code images for contacts with non-ASCII characters (#9001)
* Fix PHP8 warnings when using list_flags and list_cols properties by
  plugins (#8998)
* Fix bug where subfolders could loose subscription on parent folder rename
  (#8892)
* Fix connecting to LDAP using an URI with ldapi:// scheme (#8990)
* Fix insecure shell command params handling in cmd_learn driver of
  markasjunk plugin (#9005)
* Fix bug where some mail headers didn't work in cmd_learn driver of
  markasjunk plugin (#9005)
* Fix PHP fatal error when importing vcf file using PHP 8.2 (#9025)
* Fix so output of log_date_format with microseconds contains time in server
  time zone, not UTC