Subject: CVS commit: [pkgsrc-2021Q4] pkgsrc/mail
From: Benny Siegert
Date: 2022-01-30 18:01:00
Message id: 20220130170100.4470BFB24@cvs.NetBSD.org

Log Message:
Pullup ticket #6575 - requested by taca
mail/roundcube: security fix

Revisions pulled up:
- mail/roundcube-plugin-password/distinfo                       1.28
- mail/roundcube/Makefile.common                                1.26
- mail/roundcube/PLIST                                          1.50
- mail/roundcube/distinfo                                       1.79

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Sat Jan 29 13:34:44 UTC 2022

   Modified Files:
   	pkgsrc/mail/roundcube: Makefile.common PLIST distinfo
   	pkgsrc/mail/roundcube-plugin-password: distinfo

   Log Message:
   mail/roundcube: update to 1.5.2

   This update contains security fix.

   Roundcube Webmail 1.5.1 (2021-11-28)

   This is the first service release to update the new stable version 1.5.  It
   provides a bunch of small fixes and improvements after getting your feedback
   from the 1.5.0 release.  See the full changelog below.

   Important note for MySQL and MariaDB database backends

   The change to full UTF-8 support in MySQL/MariaDB didn't work for everybody
   migrating an existing DB.  Hence here's an important notice from the
   UPGRADING instructions:

   If you use MySQL < 5.7.7 or MariaDB < 10.2.2 make sure to configure it with:

   	innodb_large_prefix=1
   	innodb_file_per_table=1
   	innodb_file_format=Barracuda

   This version is considered stable and we recommend to update all productive
   installations of Roundcube with it.  Please do backup your data before
   updating!

   CHANGELOG

   * Fix importing contacts with no email address (#8227)
   * Fix so session's search scope is not used if search is not active (#8199)
   * Fix some PHP8 warnings (#8239)
   * Fix so dark mode state is retained after closing the browser (#8237)
   * Fix bug where new messages were not added to the list on refresh if
     skip_deleted=true (#8234)
   * Fix colors on "Show source" page in dark mode (#8246)
   * Fix handling of dark_mode_support:false setting in skins meta.json - also
     when devel_mode=false (#8249)
   * Fix database initialization if db_prefix is a schema prefix (#8221)
   * Fix undefined constant error in Installer on Windows (#8258)
   * Fix installation/upgrade on MySQL 5.5 - Index column size too large (#8231)
   * Fix regression in setting of contact listing name (#8260)
   * Fix bug in Larry skin where headers toggle state was reset on full page
     preview (#8203)
   * Fix bug where \u200b characters were added into the recipient input
     preventing mail delivery (#8269)
   * Fix charset conversion errors on PHP < 8 for charsets not supported by
     mbstring (#8252)
   * Fix bug where adding a contact to trusted senders via "Always allow
     from..." button didn't work (#8264, #8268)
   * Fix bug with show_images setting where option 1 and 3 were swapped (#8268)
   * Fix PHP fatal error on an undefined constant in contacts import action
     (#8277)
   * Fix fetching headers of multiple message parts at once in
     rcube_imap_generic::fetchMIMEHeaders() (#8282)
   * Fix bug where attachment download could sometimes fail with a CSRF check
     error (#8283)
   * Fix an infinite loop when parsing environment variables with float/integer
     values (#8293)
   * Fix so 'small-dark' logo has more priority than the 'small' logo (#8298)

   Roundcube Webmail 1.5.2 (2021-12-30)

   This is the second service release to update the new stable version 1.5.  It
   provides a bunch of small fixes and improvements to the OAuth feature as
   well as a security fix to a recently reported XSS vulnerability.  See the
   full changelog below.

   Security fix

   * Cross-site scripting (XSS) via HTML messages with malicious CSS content

   This version is considered stable and we recommend to update all productive
   installations of Roundcube with it.  Please do backup your data before
   updating!

   CHANGELOG

   * OAuth: pass 'id_token' to 'oauth_login' plugin hook (#8214)
   * OAuth: fix expiration of short-lived oauth tokens (#8147)
   * OAuth: fix relative path to assets if /index.php/foo/bar url is used
     (#8144)
   * OAuth: no auto-redirect on imap login failures (#8370)
   * OAuth: refresh access token in 'refresh' plugin hook (#8224)
   * Fix so folder search parameters are honored by subscriptions_option plugin
     (#8312)
   * Fix password change with Directadmin driver (#8322, #8329)
   * Fix so css files in plugins/jqueryui/themes will be minified too (#8337)
   * Fix handling of unicode/special characters in custom From input (#8357)
   * Fix some PHP8 compatibility issues (#8363)
   * Fix chpass-wrapper.py helper compatibility with Python 3 (#8324)
   * Fix scrolling and missing Close button in the Select image dialog in
     Elastic/mobile (#8367)
   * Security: fix cross-site scripting (XSS) via HTML messages with malicious
     CSS content

Files:
RevisionActionfile
1.25.2.1modifypkgsrc/mail/roundcube/Makefile.common
1.49.2.1modifypkgsrc/mail/roundcube/PLIST
1.78.2.1modifypkgsrc/mail/roundcube/distinfo
1.27.2.1modifypkgsrc/mail/roundcube-plugin-password/distinfo