diff --git a/README.openSUSE b/README.openSUSE
index 1f5b485..441e389 100644
--- a/README.openSUSE
+++ b/README.openSUSE
@@ -1,5 +1,4 @@
-
This README contains additional information specific to the
openSUSE package of roundcube.
@@ -27,16 +26,15 @@ roundcube user. Here is an example of that procedure:
# mysql
> CREATE DATABASE roundcubemail /*!40101 CHARACTER SET utf8 COLLATE utf8_general_ci */;
-> GRANT ALL PRIVILEGES ON roundcubemail.* TO roundcube@localhost
- IDENTIFIED BY 'password';
+> GRANT ALL PRIVILEGES ON roundcubemail.* TO 'roundcube'@'localhost' IDENTIFIED BY 'password';
+> FLUSH PRIVILEGES;
> quit
# mysql roundcubemail < /usr/share/doc/packages/roundcubemail/SQL/mysql.initial.sql
Note 1: 'password' is the master password for the roundcube user. It is strongly
recommended you replace this with a more secure password. Please keep in
-mind: You need to specify this password later in '/etc/roundcubemail/db.inc.php'.
-
+mind: You need to specify this password later in '/etc/roundcubemail/config.inc.php'.
To use the integrated web based installer you need to enable it first
in /etc/roundcubemail/config.inc.php:
diff --git a/roundcubemail-1.3.7-complete.tar.gz b/roundcubemail-1.3.7-complete.tar.gz
deleted file mode 100644
index 4f65257..0000000
--- a/roundcubemail-1.3.7-complete.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:31bd37d0f89dc634064f170c6ed8981c258754b6f81eccb59a2634b29d0bb01c
-size 5533537
diff --git a/roundcubemail-1.3.7-complete.tar.gz.asc b/roundcubemail-1.3.7-complete.tar.gz.asc
deleted file mode 100644
index 074dea3..0000000
--- a/roundcubemail-1.3.7-complete.tar.gz.asc
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQJHBAABCAAxFiEEiXDjemmK93XYfVkNwpRqlgnNVrQFAlteH0YTHGRldnNAcm91
-bmRjdWJlLm5ldAAKCRDClGqWCc1WtGUBD/9weX0OS7fz0pengfr573VoKOvLZmDS
-6EqNwFjHbky2D3QozCKFCa8GinJKtdU8vr9RBIsTZTU31IWFWpsU/AYyh6hyP6o5
-z5gnF7/mbgvViLjGO75uKAluHXShT81wpMY+PeTWtkM2gzknwYfJ+kWCLj/ZYHtL
-GrimnfgUYsro3zZaYDxW7Y2gY5l+A1M2UsDiYe6crgKccqq0qgyVA3dMrgPpbgkG
-9y3AopghJYkVqO+KLRBduOdJ51k+0KgE+JAT60pqDySGP7bhn/iFcFtJCwP8Moib
-OSlj/ciEQeUn2U3ipgh3HwOYAH2wqEpdqkfuRHG8j33LD/v/2cOwXii9vQkGt75V
-gfEYQ+vXfsgwkanQLV3Bg7uZH7T01iwWEIyXw3rpPCoPb9VuW6M+ZJd/IR9taPEz
-tX8em/vIDCfp7iyPhfv3ESyFNR8PvBPLFa39UYVtyaLgjzUf+iQFwfEk/kogYfTy
-8WPM+NdHMpYO78NmvQs/L49HkfdEeG5UshsaPJwBKcGGNGBPIjm9f0iIqGCHW+u3
-gUjnUxX02cjBf8aTR7590/hohnOcfxIcuwa/rkzH0XZu32comDl2bTdJbQXHQAih
-HmNs6rpE4n65OcG0CjracNXT3IPaY6rr34+DN6SHzC8il8M8vVzwS872OzSrkurq
-GxPJco3HalPeGQ==
-=R+Kb
------END PGP SIGNATURE-----
diff --git a/roundcubemail-1.3.8-complete.tar.gz b/roundcubemail-1.3.8-complete.tar.gz
new file mode 100644
index 0000000..049e917
--- /dev/null
+++ b/roundcubemail-1.3.8-complete.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c49e33f9643f98311b700138a1e1a0358c37b1205250e1124bd43d7f9a920d05
+size 5534385
diff --git a/roundcubemail-1.3.8-complete.tar.gz.asc b/roundcubemail-1.3.8-complete.tar.gz.asc
new file mode 100644
index 0000000..ea6d4cc
--- /dev/null
+++ b/roundcubemail-1.3.8-complete.tar.gz.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+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+=4zqI
+-----END PGP SIGNATURE-----
diff --git a/roundcubemail-httpd.conf b/roundcubemail-httpd.conf
index a49b0b0..db9ad1f 100644
--- a/roundcubemail-httpd.conf
+++ b/roundcubemail-httpd.conf
@@ -57,6 +57,8 @@ AddType text/x-component .htc
php_value session.gc_maxlifetime 21600
php_value session.gc_divisor 500
php_value session.gc_probability 1
+ # http://bugs.php.net/bug.php?id=30766
+ php_value mbstring.func_overload 0
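Review bot: `php_value mbstring.func_overload 0` may be silently ignored here, because as far as I know this setting has been system-level (PHP_INI_SYSTEM) since PHP 5.2.7 and `php_value` only applies to per-directory settings; please confirm against the PHP versions this package targets. If the aim is to force overloading off from the server configuration, `php_admin_value mbstring.func_overload 0` is the form that takes effect. The same two lines are added again in the hunk at `@@ -80,6 +82,8 @@`, so the point applies there as well. The comment would be more useful if it stated the intent next to the link, for example `# keep mbstring function overloading off, see http://bugs.php.net/bug.php?id=30766`. The enclosing configuration block starts outside both hunks.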
@@ -80,6 +82,8 @@ AddType text/x-component .htc
php_value session.gc_maxlifetime 21600
php_value session.gc_divisor 500
php_value session.gc_probability 1
+ # http://bugs.php.net/bug.php?id=30766
+ php_value mbstring.func_overload 0
@@ -92,11 +96,11 @@ AddType text/x-component .htc
# in all locations except installer directory
RewriteRule ^(?!installer|\.well-known\/|[a-f0-9]{16})(\.?[^\.]+)$ - [F]
# - deny access to some locations
- RewriteRule ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps)) - [F]
+ RewriteRule ^/?(\.git|\.tx|\.md|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps)) - [F]
# - deny access to composer binaries
RewriteRule ^/vendor\/bin\/.* - [F]
# - deny access to some documentation files
- RewriteRule /?(README\.md|composer\.json-dist|composer\.json|package\.xml|Dockerfile)$ - [F]
+ RewriteRule /?(README|INSTALL|LICENSE|CHANGELOG|composer\.json-dist|composer\.json|package\.xml|Dockerfile)$ - [F]
# security rules
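Review bot: After this change README.md is no longer denied, because the documentation rule now ends in `(README|INSTALL|...)$` and a path ending in `.md` cannot match it. The new `\.md` alternative in the location rule is anchored with `^/?`, so it only matches paths that begin with `.md`, not files with that extension. The changelog entry in this commit says README* should be blocked, so the rule should read `RewriteRule /?(README(\.md)?|INSTALL|LICENSE|CHANGELOG|composer\.json-dist|composer\.json|package\.xml|Dockerfile)$ - [F]`, and the `\.md` alternative can be dropped from the location rule. The spec also ships UPGRADING as %doc; if a copy stays in the web root it may belong in the same list. The rewrite block starts before and continues after the hunk.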
@@ -105,9 +109,17 @@ AddType text/x-component .htc
- #Header merge Cache-Control public env=!NO_CACHE
# for better privacy/security ask browsers to not set the Referer
- #Header set Content-Security-Policy "referrer no-referrer"
+ Header set Content-Security-Policy "referrer no-referrer"
+ # don't cache, please
+ Header merge Cache-Control public env=!NO_CACHE
+
+ # HSTS - HTTP Strict Transport Security
+ Header always set Strict-Transport-Security "max-age=31536000; preload" env=HTTPS
+
+ # X-Xss-Protection
+ # This header is used to configure the built in reflective XSS protection found in Internet Explorer, Chrome and Safari (Webkit).
+ Header set X-XSS-Protection "1; mode=block"
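Review bot: Enabling `Header set Content-Security-Policy "referrer no-referrer"` gives no referrer protection, because the `referrer` directive was dropped from CSP and current browsers ignore it, and `Header set` would replace any policy the application may send itself; `Header set Referrer-Policy "no-referrer"` is the header for this purpose. The comment `# don't cache, please` sits above a directive that merges `public` into Cache-Control, which marks responses as storable by shared caches unless NO_CACHE is set (where that variable is set is not visible here); for a webmail application either the comment should describe that or the line should stay disabled. `preload` in the HSTS value is a long-lived commitment for the whole domain and the preload list also expects `includeSubDomains`, so a packaged default is safer as `Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS`. The enclosing block starts outside the hunk.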
diff --git a/roundcubemail.changes b/roundcubemail.changes
index d943fbb..996fc54 100644
--- a/roundcubemail.changes
+++ b/roundcubemail.changes
@@ -1,3 +1,34 @@
+-------------------------------------------------------------------
+Fri Oct 26 14:19:46 UTC 2018 - lars@linux-schulserver.de - 1.3.8
+
+- Upgrade to version 1.3.8:
+ * Fix PHP warnings on dummy QUOTA responses in Courier-IMAP 4.17.1 (#6374)
+ * Fix so fallback from BINARY to BODY FETCH is used also on [PARSE] errors in dovecot 2.3 (#6383)
+ * Enigma: Fix deleting keys with authentication subkeys (#6381)
+ * Fix invalid regular expressions that throw warnings on PHP 7.3 (#6398)
+ * Fix so Classic skin splitter does not escape out of window (#6397)
+ * Fix XSS issue in handling invalid style tag content (#6410)
+ * Fix compatibility with MySQL 8 - error on 'system' table use
+ * Managesieve: Fix bug where show_real_foldernames setting wasn't respected (#6422)
+ * New_user_identity: Fix %fu/%u vars substitution in user specific LDAP params (#6419)
+ * Fix support for "allow-from " in x_frame_options config option (#6449)
+ * Fix bug where valid content between HTML comments could have been skipped in some cases (#6464)
+ * Fix multiple VCard field search (#6466)
+ * Fix session issue on long running requests (#6470)
+- add files with .log entry to logrotate config
+- enhance apache configuration by:
+ + disable mbstring function overload (http://bugs.php.net/bug.php?id=30766)
+ + do not allow to see README*, INSTALL, LICENSE or CHANGELOG files
+ + set additional headers:
+ ++ Content-Security-Policy: ask browsers to not set the referrer
+ ++ Cache-Control: ask not to cache the content
+ ++ Strict-Transport-Security: set HSTS rules for SSL traffic
+ ++ X-XSS-Protection: configure built in reflective XSS protection
+- adjust README.openSUSE:
+ + db.inc.php is not used any longer
+ + flush privileges after creating/changing users in mysql
+- use %%license macro on newer distributions
+
-------------------------------------------------------------------
Sat Aug 4 20:59:18 UTC 2018 - michael@stroeder.com
diff --git a/roundcubemail.logrotate b/roundcubemail.logrotate
index 1ddd73b..28d3f06 100644
--- a/roundcubemail.logrotate
+++ b/roundcubemail.logrotate
@@ -1,4 +1,14 @@
-/var/log/roundcubemail/console /var/log/roundcubemail/errors /var/log/roundcubemail/imap /var/log/roundcubemail/ldap /var/log/roundcubemail/sendmail /var/log/roundcubemail/sieve /var/log/roundcubemail/smtp /var/log/roundcubemail/sql /var/log/roundcubemail/userlogins {
+/var/log/roundcubemail/console
+/var/log/roundcubemail/errors
+/var/log/roundcubemail/imap
+/var/log/roundcubemail/ldap
+/var/log/roundcubemail/sendmail
+/var/log/roundcubemail/sieve
+/var/log/roundcubemail/smtp
+/var/log/roundcubemail/sql
+/var/log/roundcubemail/userlogins
+/var/log/roundcubemail/*.log
+{
missingok
compress
notifempty
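Review bot: The new `/var/log/roundcubemail/*.log` pattern makes logrotate act on any file with that suffix in the directory, not only the nine named logs. If the directory is writable by the web server account (not visible in this diff), rotation running as root over files that account controls is a known local privilege-escalation pattern. A `su <log-owner-user> <log-owner-group>` line in the stanza (placeholders for the actual owner) makes logrotate drop privileges before touching those files. The rest of the stanza, including its closing brace, is outside the hunk, so such a line may already be present.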
diff --git a/roundcubemail.spec b/roundcubemail.spec
index 1607eda..97d83da 100644
--- a/roundcubemail.spec
+++ b/roundcubemail.spec
@@ -12,12 +12,12 @@
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
Name: roundcubemail
-Version: 1.3.7
+Version: 1.3.8
Release: 0
Summary: A browser-based multilingual IMAP client
License: GPL-3.0-or-later AND GPL-2.0-only AND BSD-3-Clause
@@ -261,7 +261,11 @@ exit 0
%files
%defattr(0644, root, root,0755)
%doc CHANGELOG
+%if 0%{?suse_version} >= 1500
+%license LICENSE
+%else
%doc LICENSE
+%endif
%doc README.md
%doc README.openSUSE
%doc UPGRADING