2024-11-16 13:08:07 by Thomas Klausner | Files touched by this commit (2504) |
Log message:
*: recursive bump for perl 5.40
|
2024-09-01 16:55:11 by Takahiro Kambe | Files touched by this commit (3) |
Log message:
mail/roundcube: update to 1.6.9
1.6.9 (2024-09-01)
- Fix regression where printing/scaling/rotating image attachments was
broken (#9571)
- Fix regression where HTML messages were displayed unstyled (#9586)
|
2024-08-08 19:05:03 by Takahiro Kambe | Files touched by this commit (3) |
Log message:
mail/roundcube: update to 1.6.8
1.6.8 (2024-08-04)
This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:
* Fix XSS vulnerability in post-processing of sanitized HTML content
[CVE-2024-42009]
* Fix XSS vulnerability in serving of attachments other than HTML or SVG
[CVE-2024-42008]
* Fix information leak (access to remote content) via insufficient CSS
filtering [CVE-2024-42010]
Credits to Oskar Zeino-Mahmalat (Sonar) for all these findings and thanks
for providing a very detailed report in a private communication.
This version is considered stable and we recommend to update all productive
installations of Roundcube 1.6.x with it. Please do backup your data before
updating!
CHANGELOG
* Managesieve: Protect special scripts in managesieve_kolab_master mode
* Fix newmail_notifier notification focus in Chrome (#9467)
* Fix fatal error when parsing some TNEF attachments (#9462)
* Fix double scrollbar when composing a mail with many plain text lines
(#7760)
* Fix decoding mail parts with multiple base64-encoded text blocks (#9290)
* Fix bug where some messages could get malformed in an import from a MBOX
file (#9510)
* Fix invalid line break characters in multi-line text in Sieve scripts
(#9543)
* Fix bug where "with attachment" filter could fail on some fts engines
(#9514)
* Fix bug where an unhandled exception was caused by an invalid image
attachment (#9475)
* Fix bug where a long subject title could not be displayed in some cases
(#9416)
* Fix infinite loop when parsing malformed Sieve script (#9562)
* Fix bug where imap_conn_option's 'socket' was ignored (#9566)
* Fix XSS vulnerability in post-processing of sanitized HTML content
[CVE-2024-42009]
* Fix XSS vulnerability in serving of attachments other than HTML or SVG
[CVE-2024-42008]
* Fix information leak (access to remote content) via insufficient CSS
filtering [CVE-2024-42010]
|
2024-01-28 03:58:22 by Takahiro Kambe | Files touched by this commit (4) |
Log message:
mail/roundcube: update to 1.6.6
1.6.6 (2024-01-20)
* Fix regression in handling LDAP search_fields configuration parameter
(#9210)
* Enigma: Fix finding of a private key when decrypting a message using GnuPG
v2.3
* Fix page jump menu flickering on click (#9196)
* Update to TinyMCE 5.10.9 security release (#9228)
* Fix PHP8 warnings (#9235, #9238, #9242, #9306)
* Fix saving other encryption settings besides enigma's (#9240)
* Fix unneeded php command use in installto.sh and deluser.sh scripts
(#9237)
* Fix TinyMCE localization installation (#9266)
* Fix bug where trailing non-ascii characters in email addresses could have
been removed in recipient input (#9257)
* Fix IMAP GETMETADATA command with options - RFC5464
|
2023-11-09 17:28:55 by Takahiro Kambe | Files touched by this commit (3) |
Log message:
mail/roundcube: update to 1.6.5
This is a security release, quoted from the release announcement:
Security fix
Fix cross-site scripting (XSS) vulnerability in setting
Content-Type/Content-Disposition for attachment preview/download.
Credits for this finding go to Rene Rehme (rehme.infosec).
See the full changelogs in the release notes on the GitHub download pages
for the updated versions 1.6.5 and 1.5.6.
We strongly recommend to update all productive installations of Roundcube
1.6.x and 1.5.x with these new versions.
1.6.5 (2023-11-05)
* Fix PHP8 fatal error when parsing a malformed BODYSTRUCTURE (#9171)
* Fix duplicated Inbox folder on IMAP servers that do not use Inbox folder
with all capital letters (#9166)
* Fix PHP warnings (#9174)
* Fix UI issue when dealing with an invalid managesieve_default_headers
value (#9175)
* Fix bug where images attached to application/smil messages weren't
displayed (#8870)
* Fix PHP string replacement error in utils/error.php (#9185)
* Fix regression where `smtp_user` did not allow pre/post strings
before/after `%u` placeholder (#9162)
* Fix cross-site scripting (XSS) vulnerability in setting
Content-Type/Content-Disposition for attachment preview/download
|
2023-10-17 17:47:09 by Takahiro Kambe | Files touched by this commit (4) |
Log message:
mail/roundcube: update to 1.6.4
1.6.4 (2023-10-16)
Security update.
- Fix PHP8 warnings (#9142, #9160)
- Fix default 'mime.types' path on Windows (#9113)
- Managesieve: Fix javascript error when relational or spamtest
extension is not enabled (#9139)
- Fix cross-site scripting (XSS) vulnerability in handling of SVG in
HTML messages (#9168)
|
2023-09-18 05:39:03 by Takahiro Kambe | Files touched by this commit (8) |
Log message:
mail/roundcube: update to 1.6.3
From the release announcement:
We just published a security update to the version 1.6 of Roundcube Webmail.
It provides a fix to a recently reported XSS vulnerability:
Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in
plain text messages, reported by Niraj Shivtarkar. See the full changelog
in the release notes on the GitHub download page.
We strongly recommend to update all productive installations of Roundcube
1.6.x with this new version.
1.6.3 (2023-09-15)
* Fix bug where installto.sh/update.sh scripts were removing some essential
options from the config file (#9051)
* Update jQuery-UI to version 1.13.2 (#9041)
* Fix regression that broke use_secure_urls feature (#9052)
* Fix potential PHP fatal error when opening a message with message/rfc822
part (#8953)
* Fix bug where a duplicate `<title>` tag in HTML email could cause some
parts being cut off (#9029)
* Fix bug where a list of folders could have been sorted incorrectly (#9057)
* Fix regression where LDAP addressbook 'filter' option was ignored (#9061)
* Fix wrong order of a multi-folder search result when sorting by size
(#9065)
* Fix so install/update scripts do not require PEAR (#9037)
* Fix regression where some mail parts could have been decoded incorrectly,
or not at all (#9096)
* Fix handling of an error case in Cyrus IMAP BINARY FETCH, fallback to
non-binary FETCH (#9097)
* Fix PHP8 deprecation warning in the reconnect plugin (#9083)
* Fix "Show source" on mobile with x_frame_options = deny (#9084)
* Fix various PHP warnings (#9098)
* Fix deprecated use of ldap_connect() in password's ldap_simple driver
(#9060)
* Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in
plain text messages
|
2023-08-14 07:25:36 by Thomas Klausner | Files touched by this commit (1247) |
Log message:
*: recursive bump for Python 3.11 as new default
|
2023-07-07 14:57:21 by Takahiro Kambe | Files touched by this commit (7) |
Log message:
mail/roundcube: update to 1.6.2
1.6.2 (2023-07-02)
* Add Uyghur localization
* Fix regression in OAuth request URI caused by use of REQUEST_URI instead
of SCRIPT_NAME as a default (#8878)
* Fix bug where false attachment reminder was displayed on HTML mail with
inline images (#8885)
* Fix bug where a non-ASCII character in app.js could cause error in
javascript engine (#8894)
* Fix JWT decoding with url safe base64 schema (#8890)
* Fix bug where .wav instead of .mp3 file was used for the new mail
notification in Firefox (#8895)
* Fix PHP8 warning (#8891)
* Fix support for Windows-31J charset (#8869)
* Fix so LDAP VLV option is disabled by default as documented (#8833)
* Fix so an email address with name is supported as input to the managesieve
notify :from parameter (#8918)
* Fix Help plugin menu (#8898)
* Fix invalid onclick handler on the logo image when using non-array
skin_logo setting (#8933)
* Fix duplicate recipients in "To" and "Cc" on reply (#8912)
* Fix bug where it wasn't possible to scroll lists by clicking middle mouse
button (#8942)
* Fix bug where label text in a single-input dialog could be partially
invisible in some locales (#8905)
* Fix bug where LDAP (fulltext) search didn't work without 'search_fields'
in config (#8874)
* Fix extra leading newlines in plain text converted from HTML (#8973)
* Fix so recipients with a domain ending with .s are allowed (#8854)
* Fix so vCard output does not contain non-standard/redundant TYPE=OTHER and
TYPE=INTERNET (#8838)
* Fix QR code images for contacts with non-ASCII characters (#9001)
* Fix PHP8 warnings when using list_flags and list_cols properties by
plugins (#8998)
* Fix bug where subfolders could lose subscription on parent folder rename
(#8892)
* Fix connecting to LDAP using an URI with ldapi:// scheme (#8990)
* Fix insecure shell command params handling in cmd_learn driver of
markasjunk plugin (#9005)
* Fix bug where some mail headers didn't work in cmd_learn driver of
markasjunk plugin (#9005)
* Fix PHP fatal error when importing vcf file using PHP 8.2 (#9025)
* Fix so output of log_date_format with microseconds contains time in server
time zone, not UTC
|
2023-07-06 11:43:03 by Thomas Klausner | Files touched by this commit (2483) |
Log message:
*: recursive bump for perl 5.38
|