From aaea9d8cf8685976758c4d5ae36d216729f6365cb4918f813984158758a6e36f Mon Sep 17 00:00:00 2001 
From: Lars Vogdt Date: Sun, 19 May 2024 17:47:04 +0000 Subject: [PATCH] Accepting request 1175253 from home:lrupp:branches:server:php:applications MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - update to 1.6.7 This is a security update to the stable version 1.6 of Roundcube Webmail. It provides a fix to a recently reported XSS vulnerabilities: * Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes. Reported by Valentin T. and Lutz Wolf of CrowdStrike. * Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences. Reported by Huy Nguyễn Phạm Nhật. * Fix command injection via crafted im_convert_path/im_identify_path on Windows. Reported by Huy Nguyễn Phạm Nhật. CHANGELOG * Makefile: Use phpDocumentor v3.4 for the Framework docs (#9313) * Fix bug where HTML entities in URLs were not decoded on HTML to plain text conversion (#9312) * Fix bug in collapsing/expanding folders with some special characters in names (#9324) * Fix PHP8 warnings (#9363, #9365, #9429) * Fix missing field labels in CSV import, for some locales (#9393) * Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes * Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences * Fix command injection via crafted im_convert_path/im_identify_path on Windows OBS-URL: https://build.opensuse.org/request/show/1175253 OBS-URL: https://build.opensuse.org/package/show/server:php:applications/roundcubemail?expand=0&rev=173 --- roundcubemail-1.6.6-complete.tar.gz | 3 --- roundcubemail-1.6.6-complete.tar.gz.asc | 16 ---------------- roundcubemail-1.6.7-complete.tar.gz | 3 +++ roundcubemail-1.6.7-complete.tar.gz.asc | 16 ++++++++++++++++ roundcubemail.changes | 22 ++++++++++++++++++++++ roundcubemail.spec | 2 +- 6 files changed, 42 insertions(+), 20 deletions(-) delete mode 100644 roundcubemail-1.6.6-complete.tar.gz delete mode 100644 
roundcubemail-1.6.6-complete.tar.gz.asc
 create mode 100644 roundcubemail-1.6.7-complete.tar.gz
 create mode 100644 roundcubemail-1.6.7-complete.tar.gz.asc
diff --git a/roundcubemail-1.6.6-complete.tar.gz b/roundcubemail-1.6.6-complete.tar.gz
deleted file mode 100644
index 44ae4a9..0000000
--- a/roundcubemail-1.6.6-complete.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c1b93a3edbe297457396b0a031d8b13c8a5dc30c9370704dfb9b2c1225017d52
-size 5895753
diff --git a/roundcubemail-1.6.6-complete.tar.gz.asc b/roundcubemail-1.6.6-complete.tar.gz.asc
deleted file mode 100644
index b5e3ac1..0000000
--- a/roundcubemail-1.6.6-complete.tar.gz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEiXDjemmK93XYfVkNwpRqlgnNVrQFAmWrn64ACgkQwpRqlgnN
-VrQb3Q/+MsO0rPJXOE04LIKtsxj9Bfh/avFSasKmX9+c5MdjABV7mHR0hoqbkGR8
-kqf7LtUyFQrQ/QXWV09hCdGY8I8IwoRIqMkmc/VA56/DZ+SrEe69wGCdzd3ruMQJ
-XNK7RrcWthxPEro+pHuCGvZ4AyvUDDnO08W5juxRFoepoW2fPqfbPZfvsAoea8Ep
-Sh+4PGWHNyyybH/0U4NtPHRPuprwUqBo0uZlp7CTUCN6vR3Mlqt3Ivgj8T+FtoIV
-t8CXUtVCSRmC5tFppdE9icGoA+hFWpKuFzz4qv6fVwD+yQ7aFYBidWHPNBl0kEh+
-IwB7AvoxPpFkNwT6ai3462Pfe5aJyhszkVvs4+Zrnb3+ZbmFrYKt0CgZvlAAR76e
-bEoU+cWKJX0kME3ZUe6Ee5N6NK+S8M6DYLJ/xWyywU9aMlpmq1hcHXbLjUB/GZWJ
-rTNP7V20pULgP0iK1iuApvWW/ogCNsDuORXM36cVLWG+5tzgYA9vcBY7dr10s+au
-P8yagXJomhTq/VyIeyrCAWQZjXrRCndc+1ZkL81JwqTbqMCNdzPkIs+p2Mnujy05
-3bhNkJTWrdoyHPCK03iJT6IY+WOZBfs6GGf/H1L9ai9m72yg276OZ0Jeg6MMH5CQ
-oq/QD4pLjF09hieWNW61d+ubBYOiZAwyDsQBTHWcKI8c6ISCSd0=
-=cl9d
------END PGP SIGNATURE-----
diff --git a/roundcubemail-1.6.7-complete.tar.gz b/roundcubemail-1.6.7-complete.tar.gz
new file mode 100644
index 0000000..b9457ca
--- /dev/null
+++ b/roundcubemail-1.6.7-complete.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cf52515e65b2818cb02fd7a202c766367b8c54d8b7fea27dda9c81aa7ce1d3a6
+size 5899345
diff --git a/roundcubemail-1.6.7-complete.tar.gz.asc b/roundcubemail-1.6.7-complete.tar.gz.asc
new file mode 100644
index 0000000..ba45b81
--- /dev/null
+++ b/roundcubemail-1.6.7-complete.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEiXDjemmK93XYfVkNwpRqlgnNVrQFAmZJ0UIACgkQwpRqlgnN
+VrRndRAAicU/OXjddhgBxfUn2OwfuQCVgC3lj8dvquVkdYfGMUieoxaGiJuzUO+2
+K6Ohm+ztsosGDG5qb8stI1wki00dFZ8vNQ4rmZOXy4fv94zT5Ytm4kUojUVfvERr
+Ksd/LHEnbNxIQNnBcD5aUrkVv9OxD4lnwYkBkt4vA2G7IDNDC9raDWLcJTZSUvQb
+juQ7HIvUp5tzQ0Y9coMhB52jpVJYLZlCdNLvd9zGTebwO/TBBAPLasLusVacQN4W
+Sp33RSS/VMQjx1rnmvnltu+0TKXFUYL620Mn6woEhiF/ahXYgcRqz2im2520YNIK
+mpz6laU6kc4bNTD6ynQtZ+ZWorC+NrENMhh+T8oX7BPqBKK6T/fuLSiGJfNecaUH
+TfH2O9DIiZZ0AP8sAz+Dcjz21sm0Sh2iRSntycbIrhON5nvV/mVDXxOjZ0ZbS3wm
+fs8JRvMOk5tXcH4u8y6Z66z19JGjcXnp6FpTfn0mjfy7HcMGN/6OaykVDDQbng7q
+Z9DLXlXjN1dNiLELPVQAfUZNy/KbUPy4GI7uifcCGIcx4V1kW2XDGe8tzDMwNUhS
+ToS8r0F2VnYcfu+dPXZ2OOWxf+ZT1Mp5shzbCK+ZWWn2/e8t2h2pRFCMgVOmJrWd
+yRpNS/zoDjcGp6eLBWragpA2fhOPNktXMH4r2iYfhQkkk+qIrr4=
+=s8Ri
+-----END PGP SIGNATURE-----
diff --git a/roundcubemail.changes b/roundcubemail.changes
index a077250..4e443a1 100644
--- a/roundcubemail.changes
+++ b/roundcubemail.changes
@@ -1,3 +1,25 @@
+-------------------------------------------------------------------
+Sun May 19 17:12:36 UTC 2024 - Lars Vogdt
+
+- update to 1.6.7
+ This is a security update to the stable version 1.6 of Roundcube Webmail.
+ It provides a fix to a recently reported XSS vulnerabilities:
+ * Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes.
+ Reported by Valentin T. and Lutz Wolf of CrowdStrike.
+ * Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences.
+ Reported by Huy Nguyễn Phạm Nhật.
+ * Fix command injection via crafted im_convert_path/im_identify_path on Windows.
+ Reported by Huy Nguyễn Phạm Nhật.
+ CHANGELOG
+ * Makefile: Use phpDocumentor v3.4 for the Framework docs (#9313)
+ * Fix bug where HTML entities in URLs were not decoded on HTML to plain text conversion (#9312)
+ * Fix bug in collapsing/expanding folders with some special characters in names (#9324)
+ * Fix PHP8 warnings (#9363, #9365, #9429)
+ * Fix missing field labels in CSV import, for some locales (#9393)
+ * Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes
+ * Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences
+ * Fix command injection via crafted im_convert_path/im_identify_path on Windows
+
 -------------------------------------------------------------------
 Fri Feb 23 11:43:56 UTC 2024 - Dominique Leuenberger
diff --git a/roundcubemail.spec b/roundcubemail.spec
index dc7806a..0aa13fa 100644
--- a/roundcubemail.spec
+++ b/roundcubemail.spec
@@ -20,7 +20,7 @@
 %define roundcubeconfigpath %{_sysconfdir}/%{name}
 Name: roundcubemail
-Version: 1.6.6
+Version: 1.6.7
 Release: 0
 Summary: A browser-based multilingual IMAP client
 License: BSD-3-Clause AND GPL-2.0-only AND GPL-3.0-or-later