Sycn with factory to fix several security issues. #3
BIN
roundcubemail-1.6.13-complete.tar.gz
LFS
Normal file
BIN
roundcubemail-1.6.13-complete.tar.gz
LFS
Normal file
Binary file not shown.
17
roundcubemail-1.6.13-complete.tar.gz.asc
Normal file
17
roundcubemail-1.6.13-complete.tar.gz.asc
Normal file
@@ -0,0 +1,17 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQJHBAABCgAxFiEEiXDjemmK93XYfVkNwpRqlgnNVrQFAmmIWisTHGRldnNAcm91
|
||||
bmRjdWJlLm5ldAAKCRDClGqWCc1WtHfsD/9nhfaUY/KWPPtTD4vxApEgIfHpl9VG
|
||||
9EEABhAB0BYMuOkWOU1XVJQ6Qcce3OeydACMmdNDMZg+5UyFBV+/QdTCzSDM4XpR
|
||||
k7X4gJ8nU57sPjYWMp3ZJdxQn7V97YtMIS96UKcUYIGZl2VYZeCY6ILibPs6awyT
|
||||
TUw5raq1gNgR8enfnCIAHN6/W+Fc6KwOZqGzlLe9xAOZGLJsr4wRqS9LoNJDp+On
|
||||
sJV7YHLo8jLniEw8D3zeM+x5cBkQDh8kSONvPCARnSuqzzKJubdcx7jTztfiurJN
|
||||
r0Dz7v5Qqf/cevI80v5YFXpWvhRG1V0DMf4rgJMQXWcewIAMX2IuOPVtNnKaOlj/
|
||||
dXleoK70wJawmIt1QECr9ztpM7JSkfkTC7FXcv59wUFAeILQlkJqfRDMTrmMNnUq
|
||||
+opaNFOkig8BYXH5ibR+65+17tUwkkfaP5cekTzBpEcwhO24pdyS+yqsfJX2KDa6
|
||||
XNM1rb5Jad47L4fef3JjO4ChmSoyjM8KeQqO2r3BXSeIIzSA546l06QdBOdqlN8H
|
||||
jwKSlAo4GGI9AfYaNB77DjZl9UfEEtCbcQKS0I/pNOCXFzlwZ0EIzUyUdcOkrSF3
|
||||
9J058LfEJHkDYMxaVoB8lg73GJLNsQ5UFvkxbjbOyIC4pLJJAs9jPSR2JbX+FlYH
|
||||
BQWksYXS0dltrA==
|
||||
=Y8kl
|
||||
-----END PGP SIGNATURE-----
|
||||
@@ -2,10 +2,10 @@
|
||||
# not a requirement. You can as well reach the server under its
|
||||
# common name under https://yourroundcubeserver.example.com/
|
||||
#
|
||||
# NameVirtualHost *
|
||||
# <VirtualHost *>
|
||||
# ServerName yourroundcubeserver.example.com
|
||||
# DocumentRoot __ROUNDCUBEPATH__
|
||||
#NameVirtualHost *
|
||||
#<VirtualHost *>
|
||||
# ServerName yourroundcubeserver.example.com
|
||||
# DocumentRoot __ROUNDCUBEPATH__
|
||||
|
||||
|
||||
<IfModule mod_alias.c>
|
||||
@@ -17,38 +17,25 @@
|
||||
AddType text/x-component .htc
|
||||
|
||||
<Directory "__ROUNDCUBEPATH__/public_html">
|
||||
<IfModule mod_version.c>
|
||||
<IfVersion < 2.4>
|
||||
Order allow,deny
|
||||
Allow from all
|
||||
</IfVersion>
|
||||
<IfVersion >= 2.4>
|
||||
<IfModule mod_authz_core.c>
|
||||
Require all granted
|
||||
</IfModule>
|
||||
<IfModule mod_access_compat.c>
|
||||
Order allow,deny
|
||||
Allow from all
|
||||
</IfModule>
|
||||
</IfVersion>
|
||||
<IfModule mod_authz_core.c>
|
||||
Require all granted
|
||||
</IfModule>
|
||||
<IfModule !mod_version.c>
|
||||
<IfModule !mod_authz_core.c>
|
||||
Order allow,deny
|
||||
Allow from all
|
||||
</IfModule>
|
||||
|
||||
<IfModule mod_php5.c>
|
||||
<IfModule mod_php7.c>
|
||||
Include @apache_sysconfdir@/conf.d/@name@.inc
|
||||
</IfModule>
|
||||
|
||||
<IfModule mod_php7.c>
|
||||
<IfModule mod_php8.c>
|
||||
Include @apache_sysconfdir@/conf.d/@name@.inc
|
||||
</IfModule>
|
||||
|
||||
<IfModule mod_rewrite.c>
|
||||
Options +SymLinksIfOwnerMatch
|
||||
RewriteEngine On
|
||||
RewriteRule ^favicon\.ico$ skins/larry/images/favicon.ico
|
||||
RewriteRule ^favicon\.ico$ static.php/skins/elastic/images/favicon.ico
|
||||
|
||||
# security rules:
|
||||
# - deny access to files not containing a dot or starting with a dot
|
||||
@@ -75,38 +62,24 @@ AddType text/x-component .htc
|
||||
</IfModule>
|
||||
|
||||
<IfModule mod_filter.c>
|
||||
AddOutputFilterByType DEFLATE application/javascript
|
||||
AddOutputFilterByType DEFLATE application/x-javascript
|
||||
AddOutputFilterByType DEFLATE application/xhtml+xml
|
||||
AddOutputFilterByType DEFLATE application/xml
|
||||
AddOutputFilterByType DEFLATE application/json
|
||||
AddOutputFilterByType DEFLATE text/css
|
||||
AddOutputFilterByType DEFLATE text/html
|
||||
AddOutputFilterByType DEFLATE text/plain
|
||||
AddOutputFilterByType DEFLATE text/x-component
|
||||
AddOutputFilterByType DEFLATE text/xml
|
||||
AddOutputFilterByType DEFLATE application/javascript
|
||||
AddOutputFilterByType DEFLATE application/x-javascript
|
||||
AddOutputFilterByType DEFLATE application/xhtml+xml
|
||||
AddOutputFilterByType DEFLATE application/xml
|
||||
AddOutputFilterByType DEFLATE application/json
|
||||
AddOutputFilterByType DEFLATE text/css
|
||||
AddOutputFilterByType DEFLATE text/html
|
||||
AddOutputFilterByType DEFLATE text/plain
|
||||
AddOutputFilterByType DEFLATE text/x-component
|
||||
AddOutputFilterByType DEFLATE text/xml
|
||||
<IfModule mod_setenvif.c>
|
||||
SetEnvIfNoCase Request_URI .(?:gif|jpe?g|png)$ no-gzip dont-vary
|
||||
BrowserMatch ^Mozilla/4 gzip-only-text/html
|
||||
BrowserMatch ^Mozilla/4.0[678] no-gzip
|
||||
BrowserMatch bMSIE !no-gzip !gzip-only-text/html
|
||||
SetEnvIfNoCase Request_URI .(?:gif|jpe?g|png)$ no-gzip dont-vary
|
||||
BrowserMatch ^Mozilla/4 gzip-only-text/html
|
||||
BrowserMatch ^Mozilla/4.0[678] no-gzip
|
||||
BrowserMatch bMSIE !no-gzip !gzip-only-text/html
|
||||
</IfModule>
|
||||
</IfModule>
|
||||
|
||||
<IfModule mod_headers.c>
|
||||
# for better privacy/security ask browsers to not set the Referer
|
||||
Header set Content-Security-Policy "referrer no-referrer"
|
||||
# don't cache, please
|
||||
Header merge Cache-Control public env=!NO_CACHE
|
||||
<IfModule mod_ssl.c>
|
||||
# HSTS - HTTP Strict Transport Security
|
||||
Header always set Strict-Transport-Security "max-age=31536000; preload" env=HTTPS
|
||||
</IfModule>
|
||||
# X-Xss-Protection
|
||||
# This header is used to configure the built in reflective XSS protection found in Internet Explorer, Chrome and Safari (Webkit).
|
||||
Header set X-XSS-Protection "1; mode=block"
|
||||
</IfModule>
|
||||
|
||||
<IfModule mod_expires.c>
|
||||
ExpiresActive On
|
||||
ExpiresDefault "access plus 1 month"
|
||||
@@ -117,6 +90,43 @@ AddType text/x-component .htc
|
||||
<IfModule mod_autoindex.c>
|
||||
Options -Indexes
|
||||
</ifModule>
|
||||
|
||||
<IfModule mod_headers.c>
|
||||
# Disable page indexing
|
||||
Header set X-Robots-Tag "noindex, nofollow"
|
||||
|
||||
# for better privacy/security ask browsers to not set the Referer
|
||||
Header set Content-Security-Policy "referrer no-referrer"
|
||||
|
||||
# don't cache, please
|
||||
Header merge Cache-Control public env=!NO_CACHE
|
||||
|
||||
# Optional security headers
|
||||
# Only provides increased security if the browser supports those features
|
||||
# Be careful! Testing is required! They should be adjusted to your installation / user environment
|
||||
|
||||
<IfModule mod_ssl.c>
|
||||
# HSTS - HTTP Strict Transport Security
|
||||
Header always set Strict-Transport-Security "max-age=31536000; preload" env=HTTPS
|
||||
</IfModule>
|
||||
|
||||
# HPKP - HTTP Public Key Pinning
|
||||
# Only template - fill with your values
|
||||
#Header always set Public-Key-Pins "max-age=3600; report-uri=\"\"; pin-sha256=\"\"; pin-sha256=\"\"" env=HTTPS
|
||||
|
||||
# X-Xss-Protection
|
||||
# This header is used to configure the built in reflective XSS protection found in Internet Explorer, Chrome and Safari (Webkit).
|
||||
Header set X-XSS-Protection "1; mode=block"
|
||||
|
||||
# X-Frame-Options
|
||||
# The X-Frame-Options header (RFC), or XFO header, protects your visitors against clickjacking attacks
|
||||
# Already set by php code! Do not activate both options
|
||||
#Header set X-Frame-Options SAMEORIGIN
|
||||
|
||||
# X-Content-Type-Options
|
||||
# It prevents Google Chrome and Internet Explorer from trying to mime-sniff the content-type of a response away from the one being declared by the server.
|
||||
#Header set X-Content-Type-Options "nosniff"
|
||||
</IfModule>
|
||||
</Directory>
|
||||
|
||||
#
|
||||
@@ -319,5 +329,4 @@ AddType text/x-component .htc
|
||||
</Directory>
|
||||
|
||||
#
|
||||
# </VirtualHost>
|
||||
|
||||
#</VirtualHost>
|
||||
|
||||
@@ -1,3 +1,94 @@
|
||||
-------------------------------------------------------------------
|
||||
Sun Feb 8 12:51:32 UTC 2026 - Lars Vogdt <lars@linux-schulserver.de>
|
||||
|
||||
- update to 1.6.13
|
||||
This is a security update to the stable version 1.6 of Roundcube Webmail.
|
||||
It provides fixes to recently reported security vulnerabilities:
|
||||
+ Fix CSS injection vulnerability reported by CERT Polska (boo#1258052,
|
||||
CVE-2026-26079).
|
||||
+ Fix remote image blocking bypass via SVG content reported by nullcathedral
|
||||
(boo#1257909, CVE-2026-25916).
|
||||
|
||||
This version is considered stable and we recommend to update all productive
|
||||
installations of Roundcube 1.6.x with it. Please do backup your data
|
||||
before updating!
|
||||
|
||||
CHANGELOG
|
||||
+ Managesieve: Fix handling of string-list format values for date
|
||||
tests in Out of Office (#10075)
|
||||
+ Fix CSS injection vulnerability reported by CERT Polska.
|
||||
+ Fix remote image blocking bypass via SVG content reported by nullcathedral.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Dec 15 13:38:36 UTC 2025 - Lars Vogdt <lars@linux-schulserver.de>
|
||||
|
||||
- update to 1.6.12
|
||||
This is a security update to the stable version 1.6 of Roundcube Webmail.
|
||||
It provides fixes to recently reported security vulnerabilities:
|
||||
|
||||
+ Fix Cross-Site-Scripting vulnerability via SVG's animate tag
|
||||
reported by Valentin T., CrowdStrike (boo#1255308, CVE-2025-68461).
|
||||
+ Fix Information Disclosure vulnerability in the HTML style
|
||||
sanitizer reported by somerandomdev (boo#1255306, CVE-2025-68460).
|
||||
|
||||
This version is considered stable and we recommend to update all
|
||||
productive installations of Roundcube 1.6.x with it.
|
||||
|
||||
+ Support IPv6 in database DSN (#9937)
|
||||
+ Don't force specific error_reporting setting
|
||||
+ Fix compatibility with PHP 8.5 regarding array_first()
|
||||
+ Remove X-XSS-Protection example from .htaccess file (#9875)
|
||||
+ Fix "Assign to group" action state after creation of a first group (#9889)
|
||||
+ Fix bug where contacts search would fail if contactlist_fields contained vcard fields (#9850)
|
||||
+ Fix bug where an mbox export file could include inconsistent message delimiters (#9879)
|
||||
+ Fix parsing of inline styles that aren't well-formatted (#9948)
|
||||
+ Fix Cross-Site-Scripting vulnerability via SVG's animate tag
|
||||
+ Fix Information Disclosure vulnerability in the HTML style sanitizer
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sun Jun 1 17:11:22 UTC 2025 - Aeneas Jaißle <aj@ajaissle.de>
|
||||
|
||||
- update to 1.6.11
|
||||
This is a security update to the stable version 1.6 of Roundcube Webmail.
|
||||
It provides fixes to recently reported security vulnerabilities:
|
||||
* Fix Post-Auth RCE via PHP Object Deserialization reported by firs0v.
|
||||
|
||||
- CHANGELOG
|
||||
* Managesieve: Fix match-type selector (remove unsupported options) in delete header action (#9610)
|
||||
* Improve installer to fix confusion about disabling SMTP authentication (#9801)
|
||||
* Fix PHP warning in index.php (#9813)
|
||||
* OAuth: Fix/improve token refresh
|
||||
* Fix dark mode bug where wrong colors were used for blockquotes in HTML mail preview (#9820)
|
||||
* Fix HTML message preview if it contains floating tables (#9804)
|
||||
* Fix removing/expiring redis/memcache records when using a key prefix
|
||||
* Fix bug where a wrong SPECIAL-USE folder could have been detected, if there were more than one per-type (#9781)
|
||||
* Fix a default value and documentation of password_ldap_encodage option (#9658)
|
||||
* Remove mobile/floating Create button from the list in Settings > Folders (#9661)
|
||||
* Fix Delete and Empty buttons state while creating a folder (#9047)
|
||||
* Fix connecting to LDAP using ldapi:// URI (#8990)
|
||||
* Fix cursor position on "below the quote" reply in HTML mode (#8700)
|
||||
* Fix bug where attachments with content type of application/vnd.ms-tnef were not parsed (#7119)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sun Feb 9 16:28:20 UTC 2025 - Aeneas Jaißle <aj@ajaissle.de>
|
||||
|
||||
- update to 1.6.10
|
||||
This is the next service release to update the stable version 1.6.
|
||||
* IMAP: Partial support for ANNOTATE-EXPERIMENT-1 extension (RFC 5257)
|
||||
* OAuth: Support standard authentication with short-living password received with OIDC token (#9530)
|
||||
* Fix PHP warnings (#9616, #9611)
|
||||
* Fix whitespace handling in vCard line continuation (#9637)
|
||||
* Fix current script state after initial scripts creation in managesieve_kolab_master mode
|
||||
* Fix rcube_imap::get_vendor() result (and PHP warning) on Zimbra server (#9650)
|
||||
* Fix regression causing inline SVG images to be missing in mail preview (#9644)
|
||||
* Fix plugin "virtuser_file" to handle backward slashes in username (#9668)
|
||||
* Fix PHP fatal error when parsing some malformed BODYSTRUCTURE responses (#9689)
|
||||
* Fix insert_or_update() and reading database server config on PostgreSQL (#9710)
|
||||
* Fix Oauth issues with use_secure_urls=true (#9722)
|
||||
* Fix handling of binary mail parts (e.g. PDF) encoded with quoted-printable (#9728)
|
||||
* Fix links in comments and config to https:// where available (#9759, #9756)
|
||||
* Fix decoding of attachment names encoded using both RFC2231 and RFC2047 standards (#9725)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sat Sep 28 07:12:55 UTC 2024 - Thorsten Kukuk <kukuk@suse.com>
|
||||
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package roundcubemail
|
||||
#
|
||||
# Copyright (c) 2024 SUSE LLC
|
||||
# Copyright (c) 2026 SUSE LLC and contributors
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@@ -20,7 +20,7 @@
|
||||
%define roundcubeconfigpath %{_sysconfdir}/%{name}
|
||||
|
||||
Name: roundcubemail
|
||||
Version: 1.6.9
|
||||
Version: 1.6.13
|
||||
Release: 0
|
||||
Summary: A browser-based multilingual IMAP client
|
||||
License: BSD-3-Clause AND GPL-2.0-only AND GPL-3.0-or-later
|
||||
|
||||
Reference in New Issue
Block a user