From 57096ba346f7417a2a31c9f88ebd73beb6ccce0b1264d1e1374a9524097ece71 Mon Sep 17 00:00:00 2001
From: Alexander Bergmann
Date: Wed, 4 Mar 2026 12:49:31 +0000
Subject: [PATCH] Sycn with factory to fix several security issues.

---
 roundcubemail-1.6.13-complete.tar.gz | 3 +
 roundcubemail-1.6.13-complete.tar.gz.asc | 17 ++++
 roundcubemail-httpd.conf | 115 ++++++++++++-----
 roundcubemail.changes | 91 ++++++++++++++++++
 roundcubemail.spec | 4 +-
 5 files changed, 175 insertions(+), 55 deletions(-)
 create mode 100644 roundcubemail-1.6.13-complete.tar.gz
 create mode 100644 roundcubemail-1.6.13-complete.tar.gz.asc

diff --git a/roundcubemail-1.6.13-complete.tar.gz b/roundcubemail-1.6.13-complete.tar.gz
new file mode 100644
index 0000000..b6ba91e
--- /dev/null
+++ b/roundcubemail-1.6.13-complete.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bdd1bafe79149a6b63f699fa94e7626189ec60e2c37954de7e84ee685dbbf5bb
+size 5841171
diff --git a/roundcubemail-1.6.13-complete.tar.gz.asc b/roundcubemail-1.6.13-complete.tar.gz.asc
new file mode 100644
index 0000000..db8a3d6
--- /dev/null
+++ b/roundcubemail-1.6.13-complete.tar.gz.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJHBAABCgAxFiEEiXDjemmK93XYfVkNwpRqlgnNVrQFAmmIWisTHGRldnNAcm91
+bmRjdWJlLm5ldAAKCRDClGqWCc1WtHfsD/9nhfaUY/KWPPtTD4vxApEgIfHpl9VG
+9EEABhAB0BYMuOkWOU1XVJQ6Qcce3OeydACMmdNDMZg+5UyFBV+/QdTCzSDM4XpR
+k7X4gJ8nU57sPjYWMp3ZJdxQn7V97YtMIS96UKcUYIGZl2VYZeCY6ILibPs6awyT
+TUw5raq1gNgR8enfnCIAHN6/W+Fc6KwOZqGzlLe9xAOZGLJsr4wRqS9LoNJDp+On
+sJV7YHLo8jLniEw8D3zeM+x5cBkQDh8kSONvPCARnSuqzzKJubdcx7jTztfiurJN
+r0Dz7v5Qqf/cevI80v5YFXpWvhRG1V0DMf4rgJMQXWcewIAMX2IuOPVtNnKaOlj/
+dXleoK70wJawmIt1QECr9ztpM7JSkfkTC7FXcv59wUFAeILQlkJqfRDMTrmMNnUq
++opaNFOkig8BYXH5ibR+65+17tUwkkfaP5cekTzBpEcwhO24pdyS+yqsfJX2KDa6
+XNM1rb5Jad47L4fef3JjO4ChmSoyjM8KeQqO2r3BXSeIIzSA546l06QdBOdqlN8H
+jwKSlAo4GGI9AfYaNB77DjZl9UfEEtCbcQKS0I/pNOCXFzlwZ0EIzUyUdcOkrSF3
+9J058LfEJHkDYMxaVoB8lg73GJLNsQ5UFvkxbjbOyIC4pLJJAs9jPSR2JbX+FlYH
+BQWksYXS0dltrA==
+=Y8kl
+-----END PGP SIGNATURE-----
diff --git a/roundcubemail-httpd.conf b/roundcubemail-httpd.conf
index 34699d6..134de84 100644
--- a/roundcubemail-httpd.conf
+++ b/roundcubemail-httpd.conf
@@ -2,10 +2,10 @@
 # not a requirement. You can as well reach the server under its
 # common name under https://yourroundcubeserver.example.com/
 #
-# NameVirtualHost *
-#
-# ServerName yourroundcubeserver.example.com
-# DocumentRoot __ROUNDCUBEPATH__
+#NameVirtualHost *
+#
+# ServerName yourroundcubeserver.example.com
+# DocumentRoot __ROUNDCUBEPATH__
@@ -17,38 +17,25 @@ AddType text/x-component .htc - - - Order allow,deny - Allow from all - - = 2.4> - - Require all granted - - - Order allow,deny - Allow from all - - + + Require all granted - + Order allow,deny Allow from all - + Include @apache_sysconfdir@/conf.d/@name@.inc - - + Include @apache_sysconfdir@/conf.d/@name@.inc Options +SymLinksIfOwnerMatch RewriteEngine On - RewriteRule ^favicon\.ico$ skins/larry/images/favicon.ico + RewriteRule ^favicon\.ico$ static.php/skins/elastic/images/favicon.ico # security rules: # - deny access to files not containing a dot or starting with a dot 
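Review bot: The new side keeps the legacy `Order allow,deny` / `Allow from all` pair next to the Apache 2.4 `Require all granted`, while the version switch whose residue (`= 2.4>`) is still visible on the removed side has no visible counterpart on the new side; the container directives have been stripped from this rendering, so if the two forms are wrapped in an `IfModule mod_authz_core.c` / `IfModule !mod_authz_core.c` pair this is fine and can be disregarded. If they are not guarded, Apache 2.4 rejects `Order`/`Allow` at startup unless mod_access_compat is loaded, and with that module loaded the legacy rules and the `Require` rules are merged in a way that is easy to misread when auditing who may reach the document root, so the legacy pair should be guarded or dropped. The enclosing Directory container for this block starts and ends outside the hunk.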
@@ -75,38 +62,24 @@ AddType text/x-component .htc - AddOutputFilterByType DEFLATE application/javascript - AddOutputFilterByType DEFLATE application/x-javascript - AddOutputFilterByType DEFLATE application/xhtml+xml - AddOutputFilterByType DEFLATE application/xml - AddOutputFilterByType DEFLATE application/json - AddOutputFilterByType DEFLATE text/css - AddOutputFilterByType DEFLATE text/html - AddOutputFilterByType DEFLATE text/plain - AddOutputFilterByType DEFLATE text/x-component - AddOutputFilterByType DEFLATE text/xml + AddOutputFilterByType DEFLATE application/javascript + AddOutputFilterByType DEFLATE application/x-javascript + AddOutputFilterByType DEFLATE application/xhtml+xml + AddOutputFilterByType DEFLATE application/xml + AddOutputFilterByType DEFLATE application/json + AddOutputFilterByType DEFLATE text/css + AddOutputFilterByType DEFLATE text/html + AddOutputFilterByType DEFLATE text/plain + AddOutputFilterByType DEFLATE text/x-component + AddOutputFilterByType DEFLATE text/xml - SetEnvIfNoCase Request_URI .(?:gif|jpe?g|png)$ no-gzip dont-vary - BrowserMatch ^Mozilla/4 gzip-only-text/html - BrowserMatch ^Mozilla/4.0[678] no-gzip - BrowserMatch bMSIE !no-gzip !gzip-only-text/html + SetEnvIfNoCase Request_URI .(?:gif|jpe?g|png)$ no-gzip dont-vary + BrowserMatch ^Mozilla/4 gzip-only-text/html + BrowserMatch ^Mozilla/4.0[678] no-gzip + BrowserMatch bMSIE !no-gzip !gzip-only-text/html - - # for better privacy/security ask browsers to not set the Referer - Header set Content-Security-Policy "referrer no-referrer" - # don't cache, please - Header merge Cache-Control public env=!NO_CACHE - - # HSTS - HTTP Strict Transport Security - Header always set Strict-Transport-Security "max-age=31536000; preload" env=HTTPS - - # X-Xss-Protection - # This header is used to configure the built in reflective XSS protection found in Internet Explorer, Chrome and Safari (Webkit). 
- Header set X-XSS-Protection "1; mode=block" - - ExpiresActive On ExpiresDefault "access plus 1 month" @@ -117,6 +90,43 @@ AddType text/x-component .htc Options -Indexes + + + # Disable page indexing + Header set X-Robots-Tag "noindex, nofollow" + + # for better privacy/security ask browsers to not set the Referer + Header set Content-Security-Policy "referrer no-referrer" + + # don't cache, please + Header merge Cache-Control public env=!NO_CACHE + + # Optional security headers + # Only provides increased security if the browser supports those features + # Be careful! Testing is required! They should be adjusted to your installation / user environment + + + # HSTS - HTTP Strict Transport Security + Header always set Strict-Transport-Security "max-age=31536000; preload" env=HTTPS + + + # HPKP - HTTP Public Key Pinning + # Only template - fill with your values + #Header always set Public-Key-Pins "max-age=3600; report-uri=\"\"; pin-sha256=\"\"; pin-sha256=\"\"" env=HTTPS + + # X-Xss-Protection + # This header is used to configure the built in reflective XSS protection found in Internet Explorer, Chrome and Safari (Webkit). + Header set X-XSS-Protection "1; mode=block" + + # X-Frame-Options + # The X-Frame-Options header (RFC), or XFO header, protects your visitors against clickjacking attacks + # Already set by php code! Do not activate both options + #Header set X-Frame-Options SAMEORIGIN + + # X-Content-Type-Options + # It prevents Google Chrome and Internet Explorer from trying to mime-sniff the content-type of a response away from the one being declared by the server. + #Header set X-Content-Type-Options "nosniff" + # @@ -319,5 +329,4 @@ AddType text/x-component .htc # -# - +# diff --git a/roundcubemail.changes b/roundcubemail.changes index f7c57e1..85673bc 100644 --- a/roundcubemail.changes +++ b/roundcubemail.changes 
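Review bot: `Header set X-XSS-Protection "1; mode=block"` is re-added as an active directive in the new headers block (hunk @@ -117,6 +90,43), although this commit's own roundcubemail.changes (1.6.12 entry) records that upstream removed the X-XSS-Protection example from its .htaccess (#9875); most current browsers ignore the header and the legacy filter it enables has been shown to leak cross-origin information, so it should be dropped or at least commented out like the other optional headers in this block. `Header set Content-Security-Policy "referrer no-referrer"` relies on a `referrer` directive that was dropped from CSP before standardisation and has no effect today, and `Header set` replaces any Content-Security-Policy the application or another config layer emits; `Header set Referrer-Policy "no-referrer"` does what the comment above it asks for. The HSTS line carries `preload` without `includeSubDomains`, which the preload list requires, so either add `includeSubDomains` after confirming every subdomain serves HTTPS, or drop `preload` rather than advertise a commitment that is not met. The same block is deleted from its old location in the preceding hunk (@@ -75,38 +62,24), so these points apply to the move as a whole.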
@@ -1,3 +1,94 @@ +------------------------------------------------------------------- +Sun Feb 8 12:51:32 UTC 2026 - Lars Vogdt + +- update to 1.6.13 + This is a security update to the stable version 1.6 of Roundcube Webmail. + It provides fixes to recently reported security vulnerabilities: + + Fix CSS injection vulnerability reported by CERT Polska (boo#1258052, + CVE-2026-26079). + + Fix remote image blocking bypass via SVG content reported by nullcathedral + (boo#1257909, CVE-2026-25916). + + This version is considered stable and we recommend to update all productive + installations of Roundcube 1.6.x with it. Please do backup your data + before updating! + + CHANGELOG + + Managesieve: Fix handling of string-list format values for date + tests in Out of Office (#10075) + + Fix CSS injection vulnerability reported by CERT Polska. + + Fix remote image blocking bypass via SVG content reported by nullcathedral. + +------------------------------------------------------------------- +Mon Dec 15 13:38:36 UTC 2025 - Lars Vogdt + +- update to 1.6.12 + This is a security update to the stable version 1.6 of Roundcube Webmail. + It provides fixes to recently reported security vulnerabilities: + + + Fix Cross-Site-Scripting vulnerability via SVG's animate tag + reported by Valentin T., CrowdStrike (boo#1255308, CVE-2025-68461). + + Fix Information Disclosure vulnerability in the HTML style + sanitizer reported by somerandomdev (boo#1255306, CVE-2025-68460). + + This version is considered stable and we recommend to update all + productive installations of Roundcube 1.6.x with it. 
+ + + Support IPv6 in database DSN (#9937) + + Don't force specific error_reporting setting + + Fix compatibility with PHP 8.5 regarding array_first() + + Remove X-XSS-Protection example from .htaccess file (#9875) + + Fix "Assign to group" action state after creation of a first group (#9889) + + Fix bug where contacts search would fail if contactlist_fields contained vcard fields (#9850) + + Fix bug where an mbox export file could include inconsistent message delimiters (#9879) + + Fix parsing of inline styles that aren't well-formatted (#9948) + + Fix Cross-Site-Scripting vulnerability via SVG's animate tag + + Fix Information Disclosure vulnerability in the HTML style sanitizer + +------------------------------------------------------------------- +Sun Jun 1 17:11:22 UTC 2025 - Aeneas Jaißle + +- update to 1.6.11 + This is a security update to the stable version 1.6 of Roundcube Webmail. + It provides fixes to recently reported security vulnerabilities: + * Fix Post-Auth RCE via PHP Object Deserialization reported by firs0v. 
+ +- CHANGELOG + * Managesieve: Fix match-type selector (remove unsupported options) in delete header action (#9610) + * Improve installer to fix confusion about disabling SMTP authentication (#9801) + * Fix PHP warning in index.php (#9813) + * OAuth: Fix/improve token refresh + * Fix dark mode bug where wrong colors were used for blockquotes in HTML mail preview (#9820) + * Fix HTML message preview if it contains floating tables (#9804) + * Fix removing/expiring redis/memcache records when using a key prefix + * Fix bug where a wrong SPECIAL-USE folder could have been detected, if there were more than one per-type (#9781) + * Fix a default value and documentation of password_ldap_encodage option (#9658) + * Remove mobile/floating Create button from the list in Settings > Folders (#9661) + * Fix Delete and Empty buttons state while creating a folder (#9047) + * Fix connecting to LDAP using ldapi:// URI (#8990) + * Fix cursor position on "below the quote" reply in HTML mode (#8700) + * Fix bug where attachments with content type of application/vnd.ms-tnef were not parsed (#7119) + +------------------------------------------------------------------- +Sun Feb 9 16:28:20 UTC 2025 - Aeneas Jaißle + +- update to 1.6.10 + This is the next service release to update the stable version 1.6. 
+ * IMAP: Partial support for ANNOTATE-EXPERIMENT-1 extension (RFC 5257) + * OAuth: Support standard authentication with short-living password received with OIDC token (#9530) + * Fix PHP warnings (#9616, #9611) + * Fix whitespace handling in vCard line continuation (#9637) + * Fix current script state after initial scripts creation in managesieve_kolab_master mode + * Fix rcube_imap::get_vendor() result (and PHP warning) on Zimbra server (#9650) + * Fix regression causing inline SVG images to be missing in mail preview (#9644) + * Fix plugin "virtuser_file" to handle backward slashes in username (#9668) + * Fix PHP fatal error when parsing some malformed BODYSTRUCTURE responses (#9689) + * Fix insert_or_update() and reading database server config on PostgreSQL (#9710) + * Fix Oauth issues with use_secure_urls=true (#9722) + * Fix handling of binary mail parts (e.g. PDF) encoded with quoted-printable (#9728) + * Fix links in comments and config to https:// where available (#9759, #9756) + * Fix decoding of attachment names encoded using both RFC2231 and RFC2047 standards (#9725) + ------------------------------------------------------------------- Sat Sep 28 07:12:55 UTC 2024 - Thorsten Kukuk diff --git a/roundcubemail.spec b/roundcubemail.spec index 77c5c89..4249abe 100644 --- a/roundcubemail.spec +++ b/roundcubemail.spec @@ -1,7 +1,7 @@ # # spec file for package roundcubemail # -# Copyright (c) 2024 SUSE LLC +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -20,7 +20,7 @@ %define roundcubeconfigpath %{_sysconfdir}/%{name} Name: roundcubemail -Version: 1.6.9 +Version: 1.6.13 Release: 0 Summary: A browser-based multilingual IMAP client License: BSD-3-Clause AND GPL-2.0-only AND GPL-3.0-or-later -- 2.51.1