head 1.4;
access;
symbols
pkgsrc-2020Q1:1.3.0.14
pkgsrc-2020Q1-base:1.3
pkgsrc-2019Q4:1.3.0.16
pkgsrc-2019Q4-base:1.3
pkgsrc-2019Q3:1.3.0.12
pkgsrc-2019Q3-base:1.3
pkgsrc-2019Q2:1.3.0.10
pkgsrc-2019Q2-base:1.3
pkgsrc-2019Q1:1.3.0.8
pkgsrc-2019Q1-base:1.3
pkgsrc-2018Q4:1.3.0.6
pkgsrc-2018Q4-base:1.3
pkgsrc-2018Q3:1.3.0.4
pkgsrc-2018Q3-base:1.3
pkgsrc-2018Q2:1.3.0.2
pkgsrc-2018Q2-base:1.3
pkgsrc-2018Q1:1.2.0.22
pkgsrc-2018Q1-base:1.2
pkgsrc-2017Q4:1.2.0.20
pkgsrc-2017Q4-base:1.2
pkgsrc-2017Q3:1.2.0.18
pkgsrc-2017Q3-base:1.2
pkgsrc-2017Q2:1.2.0.14
pkgsrc-2017Q2-base:1.2
pkgsrc-2017Q1:1.2.0.12
pkgsrc-2017Q1-base:1.2
pkgsrc-2016Q4:1.2.0.10
pkgsrc-2016Q4-base:1.2
pkgsrc-2016Q3:1.2.0.8
pkgsrc-2016Q3-base:1.2
pkgsrc-2016Q2:1.2.0.6
pkgsrc-2016Q2-base:1.2
pkgsrc-2016Q1:1.2.0.4
pkgsrc-2016Q1-base:1.2
pkgsrc-2015Q4:1.2.0.2
pkgsrc-2015Q4-base:1.2
pkgsrc-2015Q3:1.1.0.4
pkgsrc-2015Q3-base:1.1
pkgsrc-2015Q2:1.1.0.2
pkgsrc-2015Q2-base:1.1;
locks; strict;
comment @# @;
1.4
date 2020.06.07.22.07.04; author taca; state dead;
branches;
next 1.3;
commitid 9wml6PbftDPYflbC;
1.3
date 2018.05.16.08.14.41; author triaxx; state Exp;
branches
1.3.14.1;
next 1.2;
commitid zBPyVZzADoO8RuCA;
1.2
date 2015.12.26.14.24.48; author taca; state Exp;
branches
1.2.22.1;
next 1.1;
commitid EbQXC0kR1pejVsOy;
1.1
date 2015.05.24.14.48.54; author jym; state Exp;
branches;
next ;
commitid kvyZN2zoEItOYHmy;
1.3.14.1
date 2020.06.09.11.51.50; author bsiegert; state dead;
branches;
next ;
commitid 7EwKoXVGjrRZMxbC;
1.2.22.1
date 2018.05.19.09.18.37; author spz; state Exp;
branches;
next ;
commitid 6m7w5dOSfnD57TCA;
desc
@@
1.4
log
@mail/roundcube: update to 1.4.5
Update roundcube to 1.4.5, including some security fixes.
pkgsrc change:
* Properly replace the PHP interpreter.
* Fix php-sockets option to work.
RELEASE 1.4.5
-------------
- Fix bug in extracting required plugins from composer.json that led to spurious error in log (#7364)
- Fix so the database setup description is compatible with MySQL 8 (#7340)
- Markasjunk: Fix regression in jsevent driver (#7361)
- Fix missing flag indication on collapsed thread in Larry and Elastic (#7366)
- Fix default keyservers (use keys.openpgp.org), add note about CORS (#7373, #7367)
- Mailvelope: Use sender's address to find pubkeys to check signatures (#7348)
- Mailvelope: Fix Encrypt button hidden in Elastic (#7353)
- Fix PHP warning: count(): Parameter must be an array or an object... in ID command handler (#7392)
- Fix error when user-configured skin does not exist anymore (#7271)
- Elastic: Fix aspect ratio of a contact photo in mail preview (#7339)
- Fix bug where PDF attachments marked as inline could have not been attached on mail forward (#7382)
- Security: Fix a couple of XSS issues in Installer (#7406)
- Security: Fix XSS issue in template object 'username' (#7406)
- Security: Better fix for CVE-2020-12641
- Security: Fix cross-site scripting (XSS) via malicious XML attachment
@
text
@$NetBSD: patch-rcube_mime_default,v 1.3 2018/05/16 08:14:41 triaxx Exp $
Fix path to /etc/.
--- program/lib/Roundcube/rcube_mime.php.orig 2018-04-11 11:06:18.000000000 +0000
+++ program/lib/Roundcube/rcube_mime.php
@@@@ -790,12 +790,12 @@@@ class rcube_mime
$file_paths[] = 'C:/xampp/apache/conf/mime.types.';
}
else {
- $file_paths[] = '/etc/mime.types';
- $file_paths[] = '/etc/httpd/mime.types';
- $file_paths[] = '/etc/httpd2/mime.types';
- $file_paths[] = '/etc/apache/mime.types';
- $file_paths[] = '/etc/apache2/mime.types';
- $file_paths[] = '/etc/nginx/mime.types';
+ $file_paths[] = '@@PKG_SYSCONFBASE@@/mime.types';
+ $file_paths[] = '@@PKG_SYSCONFBASE@@/httpd/mime.types';
+ $file_paths[] = '@@PKG_SYSCONFBASE@@/httpd2/mime.types';
+ $file_paths[] = '@@PKG_SYSCONFBASE@@/apache/mime.types';
+ $file_paths[] = '@@PKG_SYSCONFBASE@@/apache2/mime.types';
+ $file_paths[] = '@@PKG_SYSCONFBASE@@/nginx/mime.types';
$file_paths[] = '/usr/local/etc/httpd/conf/mime.types';
$file_paths[] = '/usr/local/etc/apache/conf/mime.types';
$file_paths[] = '/usr/local/etc/apache24/mime.types';
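Review bot: The six replaced entries only work if the `@@PKG_SYSCONFBASE@@` token (shown here RCS-escaped) is substituted at build time, and nothing in this patch shows or checks that step. Left unsubstituted, each entry is a relative path, so it would be resolved against the PHP process's working directory rather than a system configuration directory. The patch's one-line description, `Fix path to /etc/.`, should say so, for example `Look up mime.types under PKG_SYSCONFBASE instead of hard-coded /etc; the token must be substituted by the package build.` The `/usr/local/etc/...` entries in the trailing context stay hard-coded, so the list still consults locations outside the configured base, and it is worth stating whether that is intended. The enclosing else-branch and the code that reads `$file_paths` lie outside the hunk.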
@
1.3
log
@roundcube: update to 1.3.6
* add JavaScript dependencies listed in jsdeps.json
* put them on /pub/pkgsrc/distfiles/roundcube to avoid checksum error due
to archive automatic generation (e.g. tinymce_languages.zip)
* remove patch-ac
* add example configuration fragment for www/lighttpd
CHANGELOG Roundcube Webmail
===========================
RELEASE 1.3.6
-------------
- Fix parsing date strings (e.g. from a Date: mail header) with comments (#6216)
- Fix PHP 7.2: count(): Parameter must be an array in enchant-based spellchecker (#6234)
- Fix possible IMAP command injection and type juggling vulnerabilities (#6229)
- Enigma: Fix key selection for signing
- Enigma: Enable keypair generation on Internet Explorer 11
- Fix check_request() bypass in places using get_uids() [CVE-2018-9846] (#6238)
- Fix bug where usernames without domain part could be malformed or converted to lower-case on logon (#6224)
RELEASE 1.3.5
-------------
- Managesieve: Fix bug where text: syntax was forced for strings longer than 1024 characters (#6143)
- Managesieve: Fix missing Save button in Edit Filter Set page of Classic skin (#6154)
- Fix duplicated labels in Test SMTP Config section (#6166)
- Fix PHP Warning: exif_read_data(...): Illegal IFD size (#6169)
- Enigma: Fix key generation in Safari by upgrade to OpenPGP 2.6.2 (#6149)
- Fix security issue in remote content blocking on HTML image and style tags (#6178)
- Added 9pt and 11pt to the list of font sizes in HTML editor
- Fix handling encoding of HTML tags in "inline" JSON output (#6207)
- Fix bug where some unix timestamps were not handled correctly by rcube_utils::anytodatetime() (#6212)
RELEASE 1.3.4
-------------
- Fix bug where contacts search could skip some records (#6130)
- Fix possible information leak - add more strict sql error check on user creation (#6125)
- Fix a couple of warnings on PHP 7.2 (#6098)
- Fix broken long filenames when using imap4d server - workaround server bug (#6048)
- Fix so temp_dir misconfiguration prints an error to the log (#6045)
- Fix untagged COPYUID responses handling - again (#5982)
- Fix PHP warning "idn_to_utf8(): INTL_IDNA_VARIANT_2003 is deprecated" with PHP 7.2 (#6075)
- Fix bug where Archive folder wasn't auto-created on login with create_default_folders=true
- Fix performance issue when parsing malformed and long Date header (#6087)
- Fix syntax error in mssql.initial.sql (#6097)
- Fix bug where contacts export by selection returned no more than 10 entries (#6103)
- Fix searching contacts by address in LDAP source (#6084)
- Fix X-Frame-Options:ALLOW-FROM support, remove custom click-jacking protection (#6057)
RELEASE 1.3.3
-------------
- Fix decoding of mailto: links with + character in HTML messages (#6020)
- Fix false reporting of failed upgrade in installto.sh (#6019)
- Fix file disclosure vulnerability caused by insufficient input validation [CVE-2017-16651] (#6026)
- Fix mangled non-ASCII characters in links in HTML messages (#6028)
RELEASE 1.3.2
-------------
- Improve detection for Egde browser and add pointer event support (#5922)
- Fix bug where pink image was used instead of a thumbnail when image resize fails (#5933)
- Fix so files size/count limit is verified (client-side) also on drag-n-drop uploads (#5940)
- Fix invalid template loading on a message error in preview frame (#5941)
- Fix bug where HTML messages could have been rendered empty on some systems (#5957)
- Fix wording of "Mark previewed messages as read" to "Mark messages as read" (#5952)
- Enigma: Fix decryption of messages encoded with non-ascii charset (#5962)
- Fix missing cursor in HTML editor on mail reply (#5969)
- Fix (again) bug where image data URIs in css style were treated as evil/remote in mail preview (#5580)
- Fix bug where mail search could return empty result on servers without SORT capability (#5973)
- Fix bug where assets_path wasn't added to some watermark frames
- Fix so untagged COPYUID responses are also supported according to RFC6851 (#5982)
- Fix issue caused by non-default session.cookie_lifetime setting (#5961)
- Fix Edge encoding bug when pasting text into the HTML editor, update to TinyMCE 4.5.8 (#5885)
- Fix handling of unknown Content-Disposition type (#6002)
- Fix truncated folder name on messages list in multi-folder mode, for folders with non-ascii characters (#6004)
- Fix bug where removing the last subfolder did not hide toggle button on its parent record (#6007)
- Fix bug where ghost messages could be added to the list after fast delete (#5941)
RELEASE 1.3.1
-------------
- Don't ignore (global) userlogins/sendmail logs in per_user_logging mode
- Add Preferences > Mailbox View > Main Options > Layout (#5829)
- Password: Fix compatibility with PHP 7+ in cpanel_webmail driver (#5820)
- Managesieve: Fix parsing dot-staffed lines in multiline text (#5838)
- Managesieve: Fix AM/PM suffix in vacation time selectors
- Managesieve: Fix bug where 'exists' operator was reset to 'contains' (#5899)
- Remove non-printable characters from filenames on download/display (#5880)
- Fix decoding non-ascii attachment names from TNEF attachments (#5646, #5799)
- Fix uninitialized string offset in rcube_utils::bin2ascii() and make sure rcube_utils::random_bytes() result has always requested length (#5788)
- Fix bug where HTML messages with @@media styles could moddify style of page body (#5811)
- Fix style issue on selected and unfocused message that is part of a thread (#5798)
- Fix bug where a.button style from managesieve plugin could impact other elements (#5800)
- Fix position of selected icon for (Mailvelope) Encrypt button
- Fix fatal error when using DMY- or MDY-based date format in PostgreSQL (#5808)
- Fix bug where errors were not printed when using bin/update.sh (#5834)
- Fix PHP 7.2 warnings on count() use (#5845)
- Fix bug where Chrome could not upload the same file that was selected before (#5854)
- Fix duplicate messages on the list after deleting messages on the next to the last page (#5862)
- Fix bug where messages count was not updated after delete when imap_cache is set (#5872)
- Fix potential XSS vulnerability with malformed HTML message markup
- Fix sending message with "Too many public recipients" dialog buttons (#5924)
- Bring back double-click behavior on the message list which was removed in 1.3.0 (#5823)
- Enigma: Fix decrypting an encrypted+signed message when signature verification fails (#5914)
RELEASE 1.3.0
-------------
- Update to TinyMCE 4.5.7
- Fix bug where invalid recipients could be silently discarded (#5739)
- Fix conflict with _gid cookie of Google Analytics (#5748)
- Print error from CLI scripts when system/exec function is disabled (#5744)
- Fix bug where comment notation within style tag would cause the whole style to be ignored (#5747)
- Fix bug where it wasn't possible to scroll folders list in Edge (#5750)
- Fix folders list sorting on Windows - if php-intl is available (#5732)
- Fix addressbook searching by gender (#5757)
- Fix prevention from using % and * characters in folder name (#5762)
- Fix POST parameter reflection in default_charset selector (#5768)
- Enigma: Fix compatibility with assets_dir
- Managesieve: Skip redundant LISTSCRIPTS command
- Fix SQL syntax error on MariaDB 10.2 (#5774)
- Fix bug where zipdownload ignored files with the same name (#5777)
- Fix bug where it wasn't possible to set timezone to auto-detected value (#5782)
RELEASE 1.3-rc
--------------
- "Flattened" the larry theme: fresher look by removing shadows and gradients
- Support logging to php://stdout (#5721)
- Add support for DelSp=Yes in format=flowed messages (#5702)
- Update to jQuery 3.2.1
- Update to TinyMCE 4.5.6
- Plugin API: Call message_part_structure hook for sub-parts of multipart/alternative message (#5678)
- Enigma: Always use detached signatures (#5624)
- Enigma: Fix handling of messages with nested PGP encrypted parts (#5634)
- Minimize unwanted message loading in preview frame on drag (#5616)
- Fix failing database schema check in all engines except mysql (#5730)
- Fix autocomplete popup closing with click outside the input, don't handle Tab key as Enter (#5606)
- Fix jsdeps.json synchronization on update, warn about missing requirements of install-jsdeps.sh (#5598)
- Fix missing thread expand icon on search result in widescreen mode (#5613)
- Fix bug where image data URIs in css style were treated as evil/remote in mail preview (#5580)
- Fix bug where external content in src attribute of input/video tags was not secured (#5583)
- Fix PHP error on update of a contact with multiple email addresses when using PHP 7.1 (#5587)
- Fix bug where mail content frame couldn't be reset in some corner cases (#5608)
- Fix bug where some classic skin images were not displayed in IE/Edge (#5614)
- Fix bug where signature couldn't be added above the quote in Firefox 51 (#5628)
- Fix regression where groups with email address were resolved to its members' addresses
- Fix update of group name in the contacts list header on group rename (#5648)
- Add rewrite rule to disable access to /vendor/bin folder in .htaccess (#5630)
- Fix bug where it was too easy accidentally move a folder when using the subscription checkbox (#5655)
- Managesieve: Fix parser issue with empty lines between comments (#5657)
- Managesieve: Fix possible defect in handling \r\n in scripts (#5685)
- Fix/rephrase "unsaved changes" warning when cancelling a draft (#5610)
- Fix XSS issue in handling of a style tag inside of an svg element [CVE-2017-6820]
- Fix bug where settings/upload.inc could not be used by plugins (#5694)
- Fix regression in LDAP fuzzy search where it always used prefix search instead (#5713)
- Fix bug where namespace prefix could not be truncated on folders list if show_real_foldernames=true (#5695)
- Fix undesired effects when postgres database uses different timezone than PHP host (#5708)
- Installer: Fix DB schema initialization on MS SQL Server
- Fix bug where base_dn setting was ignored inside group_filters (#5720)
- Password: Fix security issue in virtualmin and sasl drivers [CVE-2017-8114]
RELEASE 1.3-beta
----------------
- Nicely handle contact deletion on contact edit (#5522)
- vcard_attachments: Add possibility to attach contact vCard to composed message (#4997)
- Preserve message internal/received date on import in mbox format (#5559)
- Zipdownload: Fix date format in mbox "From line"
- Possibility to display QR code for contacts data (#5030)
- Added identicon plugin
- Widescreen layout aka three column view (#5093)
- Unify automatic marking as \Seen in preview pane, full-page and extwin views (#5071)
- Disable double-click on the list when preview pane is on (#5199)
- Support hostname and hostname:port in force_https option (#5511)
- Support ALLOW-FROM in x_frame_options (#5122)
- Allow to omit a subject when sending an email (#5068)
- Warn about too many disclosed recipients in composed email [max_disclosed_recipients] (#5132)
- identity_select: Support Received header (#5085)
- Plugin API: Added get_compose_responses hook (#5457)
- Display error when trying to upload more files than specified in max_file_uploads (#5483)
- Add missing sql upgrade file for 'ip' column resize in session table (#5465)
- Do not show inline images of unsupported mimetype (#5463)
- Password: Added replacement variables support in password_pop_host (#5539)
- Password: Don't store passwords in temp files when using dovecotpw (#5531)
- Password: Added LDAP PPolicy driver (#5364)
- Password: Added cpanel_webmail driver (#5549)
- Password: Added possibility to nicely redirect from other plugins on password expiration (#5468)
- Implement separate action to mark all messages in a folder as \Seen (#5006)
- Implement marking as \Seen in all folders or in a folder and its subfolders (#5076)
- Archive: Don't reload messages list when it's not needed (#5225)
- Archive: Add option to automatically mark archived messages as \Seen (#5142)
- Improve randomness of password salts and random hashes (#5266)
- Password/cPanel: Add support for hash authentication and reseller accounts (#5252)
- Support host-specific imap_conn_options/smtp_conn_options/managesieve_conn_options (#5136)
- Center and scale images in attachment preview frame (#5421)
- Added max_message_size option enforced when attaching files to a composed message (#4993)
- Added Search button in quick search menus (#5312)
- Implement "one click" attachment/messages/photo upload (#5024)
- Squirrelmail_usercopy: Add option to define character set of data files
- Removed useless 'created' column from 'session' table (#5389)
- Dropped legacy browsers support (#5167)
- Removed legacy_browser plugin
- Removed hacks for IE < 10
- Update to jQuery 3.1.1 and jQuery-UI 1.12.0
- compile .min.js files with ECMASCRIPT5 option
- Require PHP >= 5.4
- Add possibility to preview and download attachments in mail compose (#5053)
- Add possibility to rename attachments in mail compose (#4996)
- Remove backward compatibility "layer" of bc.php (#4902)
- Support WEBP images in mail messages (#5362)
- Support MathML in HTML message preview (#5182)
- Rename Addressbook to Contacts (#5233)
- Remove PHP mail() support, smtp_server is required now (#5340)
- Display full message subject in onmouseover on truncated subject in mail view (#5346)
- Enigma: Support GnuPG 2.1 (#5313)
- Enigma: Support key generation for multiple identities (#5383)
- Enigma: Import keys from key-server(s) (#5286)
- Enigma: Search missing public keys on a key-server in mail compose (#5286)
- Enigma: Delete user keys when using deluser.sh script
- Enigma: Fix redundant list-secret-keys/list-public-keys calls on signing/encryption
- Enigma: Implement PGP encryption and signing in one go (#5302)
- Enigma: Display signature verification status for encrypted+signed messages (#5302)
- Display different attachment icon on encrypted messages
- Display different confirmation text when moving messages to Trash (#5220)
- Indicate that a collapsed thread has flagged children (#5013)
- Implemented message/rfc822 attachment preview
- Update to jsTimezoneDetect 1.0.6
- Managesieve: Add (optional) RAW script editor (#5414)
- Managesieve: Add option to automatically set vacation :from address (#5428)
- Managesieve: Support 'string' test from variables extension [RFC 5229] (#5248)
- Managesieve: Support 'duplicate' extension [RFC 7352]
- Managesieve: Unhide advanced rule controls if there are inputs with errors
- Managesieve: Display warning message when filter form contains errors
- Control search engine crawlers via X-Robots-Tag header instead of and robots.txt (#5098)
- Fixed redundancy in sql caching system and compatibility with Galera Cluster (#5439)
- Removed redundant 'created' column from cache and cache_shared tables
- Removed use of redundant data records
- Added missing primary keys (dictionary, cache, cache_shared tables)
- Fix so templating system does not mess with external (e.g. email) content (#5499)
- Fix redundant keep-alive/refresh after session error on compose page (#5500)
- Managesieve: Fix handling of scripts with nested rules (#5540)
- Fix variable substitution in ldap host for some use-cases, e.g. new_user_identity (#5544)
- Enigma: Fix PHP fatal error when decrypting a message with invalid signature (#5555)
- Fix adding images to new identity signatures
- Fix rsync error handling in installto.sh script (#5562)
- Fix some advanced search issues with multiple addressbooks (#5572)
- Fix so group/addressbook selection is retained on page refresh
@
text
@d1 1
a1 1
$NetBSD: patch-rcube_mime_default,v 1.2 2015/12/26 14:24:48 taca Exp $
@
1.3.14.1
log
@Pullup ticket #6231 - requested by taca
mail/roundcube: security fix
Revisions pulled up:
- mail/roundcube-plugin-password/distinfo 1.18-1.19
- mail/roundcube/Makefile 1.93
- mail/roundcube/Makefile.common 1.18-1.19
- mail/roundcube/distinfo 1.69-1.70
- mail/roundcube/options.mk 1.17
- mail/roundcube/patches/patch-program_lib_Roundcube_rcube__mime.php 1.3
- mail/roundcube/patches/patch-rcube_mime_default deleted
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Jun 7 22:07:04 UTC 2020
Modified Files:
pkgsrc/mail/roundcube: Makefile Makefile.common distinfo options.mk
Added Files:
pkgsrc/mail/roundcube/patches:
patch-program_lib_Roundcube_rcube__mime.php
Removed Files:
pkgsrc/mail/roundcube/patches: patch-rcube_mime_default
Log Message:
mail/roundcube: update to 1.4.5
Update roundcube to 1.4.5, including some security fixes.
pkgsrc change:
* Properly replace the PHP interpreter.
* Fix php-sockets option to work.
RELEASE 1.4.5
-------------
- Fix bug in extracting required plugins from composer.json that led to spurious error in log (#7364)
- Fix so the database setup description is compatible with MySQL 8 (#7340)
- Markasjunk: Fix regression in jsevent driver (#7361)
- Fix missing flag indication on collapsed thread in Larry and Elastic (#7366)
- Fix default keyservers (use keys.openpgp.org), add note about CORS (#7373, #7367)
- Mailvelope: Use sender's address to find pubkeys to check signatures (#7348)
- Mailvelope: Fix Encrypt button hidden in Elastic (#7353)
- Fix PHP warning: count(): Parameter must be an array or an object... in ID command handler (#7392)
- Fix error when user-configured skin does not exist anymore (#7271)
- Elastic: Fix aspect ratio of a contact photo in mail preview (#7339)
- Fix bug where PDF attachments marked as inline could have not been attached on mail forward (#7382)
- Security: Fix a couple of XSS issues in Installer (#7406)
- Security: Fix XSS issue in template object 'username' (#7406)
- Security: Better fix for CVE-2020-12641
- Security: Fix cross-site scripting (XSS) via malicious XML attachment
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Jun 7 22:08:37 UTC 2020
Modified Files:
pkgsrc/mail/roundcube-plugin-password: distinfo
Log Message:
mail/roundcube-plugin-password: update to 1.4.5
Update roundcube-plugin-password to 1.4.5
RELEASE 1.4.5
-------------
- Password: Fix issue with Modoboa driver (#7372)
---
Module Name: pkgsrc
Committed By: taca
Date: Tue Jun 9 00:25:19 UTC 2020
Modified Files:
pkgsrc/mail/roundcube: Makefile.common distinfo
pkgsrc/mail/roundcube-plugin-password: distinfo
Log Message:
mail/roundcube: update to 1.14.6
Update roundcube to 1.14.6.
RELEASE 1.4.6
-------------
- Installer: Fix regression in SMTP test section (#7417)
@
text
@d1 1
a1 1
$NetBSD: patch-rcube_mime_default,v 1.3 2018/05/16 08:14:41 triaxx Exp $
@
1.2
log
@Update roundcube to 1.1.4 including security fixes.
* Fix a potential path traversal vulnerability.
* Adds some measures against brute-force attacks
RELEASE 1.1.4
-------------
- Add workaround for https://bugs.php.net/bug.php?id=70757 (#1490582)
- Fix duplicate messages in list and wrong count after delete (#1490572)
- Fix so Installer requires PHP5
- Make brute force attacks harder by re-generating security token on every failed login (#1490549)
- Slow down brute-force attacks by waiting for a second after failed login (#1490549)
- Fix .htaccess rewrite rules to not block .well-known URIs (#1490615)
- Fix mail view scaling on iOS (#1490551)
- Fix so database_attachments::cleanup() does not remove attachments from other sessions (#1490542)
- Fix responses list update issue after response name change (#1490555)
- Fix bug where message preview was unintentionally reset on check-recent action (#1490563)
- Fix bug where HTML messages with invalid/excessive css styles couldn't be displayed (#1490539)
- Fix redundant blank lines when using HTML and top posting (#1490576)
- Fix redundant blank lines on start of text after html to text conversion (#1490577)
- Fix HTML sanitizer to skip in output (#1490583)
- Fix invalid LDAP query in ACL user autocompletion (#1490591)
- Fix regression in displaying contents of message/rfc822 parts (#1490606)
- Fix handling of message/rfc822 attachments on replies and forwards (#1490607)
- Fix PDF support detection in Firefox > 19 (#1490610)
- Fix path traversal vulnerability (CWE-22) in setting a skin (#1490620)
- Fix so drag-n-drop of text (e.g. recipient addresses) on compose page actually works (#1490619)
@
text
@d1 1
a1 1
$NetBSD: patch-rcube_mime_default,v 1.1 2015/05/24 14:48:54 jym Exp $
d5 1
a5 1
--- program/lib/Roundcube/rcube_mime.php.orig 2015-12-23 09:18:12.000000000 +0000
d7 1
a7 1
@@@@ -770,12 +770,12 @@@@ class rcube_mime
d25 1
a25 1
}
@
1.2.22.1
log
@Pullup ticket #5759 - requested by bsiegert
mail/roundcube: security update
Revisions pulled up:
- mail/roundcube/Makefile 1.89
- mail/roundcube/Makefile.common 1.10
- mail/roundcube/PLIST 1.45
- mail/roundcube/distinfo 1.61
- mail/roundcube/files/apache.conf 1.2
- mail/roundcube/files/lighttpd.conf 1.1
- mail/roundcube/files/nginx.conf 1.2
- mail/roundcube/options.mk 1.16
- mail/roundcube/patches/patch-ac deleted
- mail/roundcube/patches/patch-rcube_mime_default 1.3
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: triaxx
Date: Wed May 16 08:14:41 UTC 2018
Modified Files:
pkgsrc/mail/roundcube: Makefile Makefile.common PLIST distinfo
options.mk
pkgsrc/mail/roundcube/files: apache.conf nginx.conf
pkgsrc/mail/roundcube/patches: patch-rcube_mime_default
Added Files:
pkgsrc/mail/roundcube/files: lighttpd.conf
Removed Files:
pkgsrc/mail/roundcube/patches: patch-ac
Log Message:
roundcube: update to 1.3.6
* add JavaScript dependencies listed in jsdeps.json
* put them on /pub/pkgsrc/distfiles/roundcube to avoid checksum error due
to archive automatic generation (e.g. tinymce_languages.zip)
* remove patch-ac
* add example configuration fragment for www/lighttpd
CHANGELOG Roundcube Webmail
===========================
RELEASE 1.3.6
-------------
- Fix parsing date strings (e.g. from a Date: mail header) with comments
(#6216)
- Fix PHP 7.2: count(): Parameter must be an array in enchant-based
spellchecker (#6234)
- Fix possible IMAP command injection and type juggling vulnerabilities
(#6229)
- Enigma: Fix key selection for signing
- Enigma: Enable keypair generation on Internet Explorer 11
- Fix check_request() bypass in places using get_uids() [CVE-2018-9846]
(#6238)
- Fix bug where usernames without domain part could be malformed or
converted to lower-case on logon (#6224)
RELEASE 1.3.5
-------------
- Managesieve: Fix bug where text: syntax was forced for strings longer
than 1024 characters (#6143)
- Managesieve: Fix missing Save button in Edit Filter Set page of Classic
skin (#6154)
- Fix duplicated labels in Test SMTP Config section (#6166)
- Fix PHP Warning: exif_read_data(...): Illegal IFD size (#6169)
- Enigma: Fix key generation in Safari by upgrade to OpenPGP 2.6.2 (#6149)
- Fix security issue in remote content blocking on HTML image and style
tags (#6178)
- Added 9pt and 11pt to the list of font sizes in HTML editor
- Fix handling encoding of HTML tags in "inline" JSON output (#6207)
- Fix bug where some unix timestamps were not handled correctly by
rcube_utils::anytodatetime() (#6212)
RELEASE 1.3.4
-------------
- Fix bug where contacts search could skip some records (#6130)
- Fix possible information leak - add more strict sql error check on user
creation (#6125)
- Fix a couple of warnings on PHP 7.2 (#6098)
- Fix broken long filenames when using imap4d server - workaround server
bug (#6048)
- Fix so temp_dir misconfiguration prints an error to the log (#6045)
- Fix untagged COPYUID responses handling - again (#5982)
- Fix PHP warning "idn_to_utf8(): INTL_IDNA_VARIANT_2003 is deprecated"
with PHP 7.2 (#6075)
- Fix bug where Archive folder wasn't auto-created on login with
create_default_folders=true
- Fix performance issue when parsing malformed and long Date header (#6087)
- Fix syntax error in mssql.initial.sql (#6097)
- Fix bug where contacts export by selection returned no more than 10
entries (#6103)
- Fix searching contacts by address in LDAP source (#6084)
- Fix X-Frame-Options:ALLOW-FROM support, remove custom click-jacking
protection (#6057)
RELEASE 1.3.3
-------------
- Fix decoding of mailto: links with + character in HTML messages (#6020)
- Fix false reporting of failed upgrade in installto.sh (#6019)
- Fix file disclosure vulnerability caused by insufficient input validation
[CVE-2017-16651] (#6026)
- Fix mangled non-ASCII characters in links in HTML messages (#6028)
RELEASE 1.3.2
-------------
- Improve detection for Egde browser and add pointer event support (#5922)
- Fix bug where pink image was used instead of a thumbnail when image
resize fails (#5933)
- Fix so files size/count limit is verified (client-side) also on
drag-n-drop uploads (#5940)
- Fix invalid template loading on a message error in preview frame (#5941)
- Fix bug where HTML messages could have been rendered empty on some
systems (#5957)
- Fix wording of "Mark previewed messages as read" to "Mark messages as
read" (#5952)
- Enigma: Fix decryption of messages encoded with non-ascii charset (#5962)
- Fix missing cursor in HTML editor on mail reply (#5969)
- Fix (again) bug where image data URIs in css style were treated as
evil/remote in mail preview (#5580)
- Fix bug where mail search could return empty result on servers without
SORT capability (#5973)
- Fix bug where assets_path wasn't added to some watermark frames
- Fix so untagged COPYUID responses are also supported according to RFC6851
(#5982)
- Fix issue caused by non-default session.cookie_lifetime setting (#5961)
- Fix Edge encoding bug when pasting text into the HTML editor, update to
TinyMCE 4.5.8 (#5885)
- Fix handling of unknown Content-Disposition type (#6002)
- Fix truncated folder name on messages list in multi-folder mode, for
folders with non-ascii characters (#6004)
- Fix bug where removing the last subfolder did not hide toggle button on
its parent record (#6007)
- Fix bug where ghost messages could be added to the list after fast delete
(#5941)
RELEASE 1.3.1
-------------
- Don't ignore (global) userlogins/sendmail logs in per_user_logging mode
- Add Preferences > Mailbox View > Main Options > Layout (#5829)
- Password: Fix compatibility with PHP 7+ in cpanel_webmail driver (#5820)
- Managesieve: Fix parsing dot-staffed lines in multiline text (#5838)
- Managesieve: Fix AM/PM suffix in vacation time selectors
- Managesieve: Fix bug where 'exists' operator was reset to 'contains'
(#5899)
- Remove non-printable characters from filenames on download/display (#5880)
- Fix decoding non-ascii attachment names from TNEF attachments (#5646,
#5799)
- Fix uninitialized string offset in rcube_utils::bin2ascii() and make sure
rcube_utils::random_bytes() result has always requested length (#5788)
- Fix bug where HTML messages with @@media styles could moddify style of
page body (#5811)
- Fix style issue on selected and unfocused message that is part of a
thread (#5798)
- Fix bug where a.button style from managesieve plugin could impact other
elements (#5800)
- Fix position of selected icon for (Mailvelope) Encrypt button
- Fix fatal error when using DMY- or MDY-based date format in PostgreSQL
(#5808)
- Fix bug where errors were not printed when using bin/update.sh (#5834)
- Fix PHP 7.2 warnings on count() use (#5845)
- Fix bug where Chrome could not upload the same file that was selected
before (#5854)
- Fix duplicate messages on the list after deleting messages on the next to
the last page (#5862)
- Fix bug where messages count was not updated after delete when imap_cache
is set (#5872)
- Fix potential XSS vulnerability with malformed HTML message markup
- Fix sending message with "Too many public recipients" dialog buttons
(#5924)
- Bring back double-click behavior on the message list which was removed in
1.3.0 (#5823)
- Enigma: Fix decrypting an encrypted+signed message when signature
verification fails (#5914)
RELEASE 1.3.0
-------------
- Update to TinyMCE 4.5.7
- Fix bug where invalid recipients could be silently discarded (#5739)
- Fix conflict with _gid cookie of Google Analytics (#5748)
- Print error from CLI scripts when system/exec function is disabled (#5744)
- Fix bug where comment notation within style tag would cause the whole
style to be ignored (#5747)
- Fix bug where it wasn't possible to scroll folders list in Edge (#5750)
- Fix folders list sorting on Windows - if php-intl is available (#5732)
- Fix addressbook searching by gender (#5757)
- Fix prevention from using % and * characters in folder name (#5762)
- Fix POST parameter reflection in default_charset selector (#5768)
- Enigma: Fix compatibility with assets_dir
- Managesieve: Skip redundant LISTSCRIPTS command
- Fix SQL syntax error on MariaDB 10.2 (#5774)
- Fix bug where zipdownload ignored files with the same name (#5777)
- Fix bug where it wasn't possible to set timezone to auto-detected value
(#5782)
RELEASE 1.3-rc
--------------
- "Flattened" the larry theme: fresher look by removing shadows and
gradients
- Support logging to php://stdout (#5721)
- Add support for DelSp=Yes in format=flowed messages (#5702)
- Update to jQuery 3.2.1
- Update to TinyMCE 4.5.6
- Plugin API: Call message_part_structure hook for sub-parts of
multipart/alternative message (#5678)
- Enigma: Always use detached signatures (#5624)
- Enigma: Fix handling of messages with nested PGP encrypted parts (#5634)
- Minimize unwanted message loading in preview frame on drag (#5616)
- Fix failing database schema check in all engines except mysql (#5730)
- Fix autocomplete popup closing with click outside the input, don't handle
Tab key as Enter (#5606)
- Fix jsdeps.json synchronization on update, warn about missing
requirements of install-jsdeps.sh (#5598)
- Fix missing thread expand icon on search result in widescreen mode (#5613)
- Fix bug where image data URIs in css style were treated as evil/remote in
mail preview (#5580)
- Fix bug where external content in src attribute of input/video tags was
not secured (#5583)
- Fix PHP error on update of a contact with multiple email addresses when
using PHP 7.1 (#5587)
- Fix bug where mail content frame couldn't be reset in some corner cases
(#5608)
- Fix bug where some classic skin images were not displayed in IE/Edge
(#5614)
- Fix bug where signature couldn't be added above the quote in Firefox 51
(#5628)
- Fix regression where groups with email address were resolved to its
members' addresses
- Fix update of group name in the contacts list header on group rename
(#5648)
- Add rewrite rule to disable access to /vendor/bin folder in .htaccess
(#5630)
- Fix bug where it was too easy accidentally move a folder when using the
subscription checkbox (#5655)
- Managesieve: Fix parser issue with empty lines between comments (#5657)
- Managesieve: Fix possible defect in handling \r\n in scripts (#5685)
- Fix/rephrase "unsaved changes" warning when cancelling a draft (#5610)
- Fix XSS issue in handling of a style tag inside of an svg element
[CVE-2017-6820]
- Fix bug where settings/upload.inc could not be used by plugins (#5694)
- Fix regression in LDAP fuzzy search where it always used prefix search
instead (#5713)
- Fix bug where namespace prefix could not be truncated on folders list if
show_real_foldernames=true (#5695)
- Fix undesired effects when postgres database uses different timezone than
PHP host (#5708)
- Installer: Fix DB schema initialization on MS SQL Server
- Fix bug where base_dn setting was ignored inside group_filters (#5720)
- Password: Fix security issue in virtualmin and sasl drivers
[CVE-2017-8114]
RELEASE 1.3-beta
----------------
- Nicely handle contact deletion on contact edit (#5522)
- vcard_attachments: Add possibility to attach contact vCard to composed
message (#4997)
- Preserve message internal/received date on import in mbox format (#5559)
- Zipdownload: Fix date format in mbox "From line"
- Possibility to display QR code for contacts data (#5030)
- Added identicon plugin
- Widescreen layout aka three column view (#5093)
- Unify automatic marking as \Seen in preview pane, full-page and extwin
views (#5071)
- Disable double-click on the list when preview pane is on (#5199)
- Support hostname and hostname:port in force_https option (#5511)
- Support ALLOW-FROM in x_frame_options (#5122)
- Allow to omit a subject when sending an email (#5068)
- Warn about too many disclosed recipients in composed email
[max_disclosed_recipients] (#5132)
- identity_select: Support Received header (#5085)
- Plugin API: Added get_compose_responses hook (#5457)
- Display error when trying to upload more files than specified in
max_file_uploads (#5483)
- Add missing sql upgrade file for 'ip' column resize in session table
(#5465)
- Do not show inline images of unsupported mimetype (#5463)
- Password: Added replacement variables support in password_pop_host (#5539)
- Password: Don't store passwords in temp files when using dovecotpw (#5531)
- Password: Added LDAP PPolicy driver (#5364)
- Password: Added cpanel_webmail driver (#5549)
- Password: Added possibility to nicely redirect from other plugins on
password expiration (#5468)
- Implement separate action to mark all messages in a folder as \Seen
(#5006)
- Implement marking as \Seen in all folders or in a folder and its
subfolders (#5076)
- Archive: Don't reload messages list when it's not needed (#5225)
- Archive: Add option to automatically mark archived messages as \Seen
(#5142)
- Improve randomness of password salts and random hashes (#5266)
- Password/cPanel: Add support for hash authentication and reseller
accounts (#5252)
- Support host-specific
imap_conn_options/smtp_conn_options/managesieve_conn_options (#5136)
- Center and scale images in attachment preview frame (#5421)
- Added max_message_size option enforced when attaching files to a composed
message (#4993)
- Added Search button in quick search menus (#5312)
- Implement "one click" attachment/messages/photo upload (#5024)
- Squirrelmail_usercopy: Add option to define character set of data files
- Removed useless 'created' column from 'session' table (#5389)
- Dropped legacy browsers support (#5167)
- Removed legacy_browser plugin
- Removed hacks for IE < 10
- Update to jQuery 3.1.1 and jQuery-UI 1.12.0
- compile .min.js files with ECMASCRIPT5 option
- Require PHP >= 5.4
- Add possibility to preview and download attachments in mail compose
(#5053)
- Add possibility to rename attachments in mail compose (#4996)
- Remove backward compatibility "layer" of bc.php (#4902)
- Support WEBP images in mail messages (#5362)
- Support MathML in HTML message preview (#5182)
- Rename Addressbook to Contacts (#5233)
- Remove PHP mail() support, smtp_server is required now (#5340)
- Display full message subject in onmouseover on truncated subject in mail
view (#5346)
- Enigma: Support GnuPG 2.1 (#5313)
- Enigma: Support key generation for multiple identities (#5383)
- Enigma: Import keys from key-server(s) (#5286)
- Enigma: Search missing public keys on a key-server in mail compose (#5286)
- Enigma: Delete user keys when using deluser.sh script
- Enigma: Fix redundant list-secret-keys/list-public-keys calls on
signing/encryption
- Enigma: Implement PGP encryption and signing in one go (#5302)
- Enigma: Display signature verification status for encrypted+signed
messages (#5302)
- Display different attachment icon on encrypted messages
- Display different confirmation text when moving messages to Trash (#5220)
- Indicate that a collapsed thread has flagged children (#5013)
- Implemented message/rfc822 attachment preview
- Update to jsTimezoneDetect 1.0.6
- Managesieve: Add (optional) RAW script editor (#5414)
- Managesieve: Add option to automatically set vacation :from address
(#5428)
- Managesieve: Support 'string' test from variables extension [RFC 5229]
(#5248)
- Managesieve: Support 'duplicate' extension [RFC 7352]
- Managesieve: Unhide advanced rule controls if there are inputs with errors
- Managesieve: Display warning message when filter form contains errors
- Control search engine crawlers via X-Robots-Tag header instead of <meta>
and robots.txt (#5098)
- Fixed redundancy in sql caching system and compatibility with Galera
Cluster (#5439)
- Removed redundant 'created' column from cache and cache_shared tables
- Removed use of redundant data records
- Added missing primary keys (dictionary, cache, cache_shared tables)
- Fix so templating system does not mess with external (e.g. email) content
(#5499)
- Fix redundant keep-alive/refresh after session error on compose page
(#5500)
- Managesieve: Fix handling of scripts with nested rules (#5540)
- Fix variable substitution in ldap host for some use-cases, e.g.
new_user_identity (#5544)
- Enigma: Fix PHP fatal error when decrypting a message with invalid
signature (#5555)
- Fix adding images to new identity signatures
- Fix rsync error handling in installto.sh script (#5562)
- Fix some advanced search issues with multiple addressbooks (#5572)
- Fix so group/addressbook selection is retained on page refresh
To generate a diff of this commit:
cvs rdiff -u -r1.88 -r1.89 pkgsrc/mail/roundcube/Makefile
cvs rdiff -u -r1.9 -r1.10 pkgsrc/mail/roundcube/Makefile.common
cvs rdiff -u -r1.44 -r1.45 pkgsrc/mail/roundcube/PLIST
cvs rdiff -u -r1.60 -r1.61 pkgsrc/mail/roundcube/distinfo
cvs rdiff -u -r1.15 -r1.16 pkgsrc/mail/roundcube/options.mk
cvs rdiff -u -r1.1 -r1.2 pkgsrc/mail/roundcube/files/apache.conf \
pkgsrc/mail/roundcube/files/nginx.conf
cvs rdiff -u -r0 -r1.1 pkgsrc/mail/roundcube/files/lighttpd.conf
cvs rdiff -u -r1.10 -r0 pkgsrc/mail/roundcube/patches/patch-ac
cvs rdiff -u -r1.2 -r1.3 \
pkgsrc/mail/roundcube/patches/patch-rcube_mime_default
@
text
@d1 1
a1 1
$NetBSD$
d5 1
a5 1
--- program/lib/Roundcube/rcube_mime.php.orig 2018-04-11 11:06:18.000000000 +0000
d7 1
a7 1
@@@@ -790,12 +790,12 @@@@ class rcube_mime
d25 1
a25 1
$file_paths[] = '/usr/local/etc/apache24/mime.types';
@
1.1
log
@- install SQL update scripts used by installer for upgrading DB schemas;
- change permissions of the spool, log and tmp directories from 0755 to 0750,
since they may contain sensitive information depending on configuration;
- fix the default paths of potential mime.types files;
- change config.inc.php to respect pkgsrc paths especially VARBASE;
No regression expected. Bump rev.
ok taca@@.
@
text
@d1 2
a2 1
$NetBSD$
d4 2
a5 1
--- program/lib/Roundcube/rcube_mime.php.orig 2015-03-16 20:54:50.000000000 +0000
d7 1
a7 1
@@@@ -807,12 +807,12 @@@@ class rcube_mime
@