Accepting request 1281843 from server:php:applications

OBS-URL: https://build.opensuse.org/request/show/1281843
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/roundcubemail?expand=0&rev=89

roundcubemail-1.6.11-complete.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a230e432065555bfa27bea3fcf4ac672f2359ef28ad84f5945ea3ccf702e7466
+size 5839956

roundcubemail-1.6.11-complete.tar.gz.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJHBAABCgAxFiEEiXDjemmK93XYfVkNwpRqlgnNVrQFAmg8CX4THGRldnNAcm91
+bmRjdWJlLm5ldAAKCRDClGqWCc1WtMQQEAClLQwYrLarXzQzaxyZFK6pfWAZaCrD
+bDsSmyjgM1AM9BRij/hq1LoJMGdl3316EIX3Pys820tkt5ZJ524KV77z3LFeRmbr
+ZvMveW4wNkpXAryq9Dw1pe293bEVOcxn4w+Le0yfszve1bBeokPrrmQ/q/3+J0+Q
+B81Nca3wuwbMUMKX9KSkXw0PDAjlV5D6dFNdDXX1WKw9TJd7m1EoNcRfK92Tn/4h
+5Qq6/9iQ5WMUYo/TH/dlgEM3d9rUYP3Dj72g89BMKZuqVOl6CG0orOjxQwlU1Yai
+22YvRhjN1NcU9w2uyQHRrEgOPmKkS/A4GFQYSpAxb0neRhXf71/WSSpMz9E8g6cY
+hzYTs2kwqF0VOO9aUN1iBelMp91lKqsY8FNtOK7vJLrAw75MdGddWkZTFgVHGOCr
+B0yP79rjr0VcLI2CjDnQd6DFM9k+aLDcUtUQaCUuHE4BeF4whled5/5hxFu4WP2k
+1c7IWs8KGj0NLBryTGWG0iOnDQzFbxaXvnDZh7H50CrAbvJDcxESaNVxA7nsGqCE
+aZjtfpCKhJlYogdTPfhPOYOlOYFkxNPP12U4RlOc4GBUTpTP2ojKml+bxvRN1keD
+hALkRJzilkc/DW28CJ3LYuNPVUvBHe2+KPC/arIlRl1VbGKfAoMZxhl8yS3DicmG
+SdpSzn3eJxscoQ==
+=fh2B
+-----END PGP SIGNATURE-----

roundcubemail-1.6.9-complete.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:b61a5f5c22f890c299e935aacfcf0870676990d8aebff0d6cdff075bf17cef4f
-size 5899444

roundcubemail-1.6.9-complete.tar.gz.asc

@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQJHBAABCgAxFiEEiXDjemmK93XYfVkNwpRqlgnNVrQFAmbUI18THGRldnNAcm91
-bmRjdWJlLm5ldAAKCRDClGqWCc1WtH0gD/9NelCSaDRSXciqL+93I6NHOu8hGitt
-y32JSEhv8AviKjSxPqVJ83x9gjDUW08QASdQtppAPMVsid19J7egZesLE4geCStE
-ryrHW/ELvAqG865SydO5iLxfkzRcnK5sJ5ZKi1tgWXaBoctakV41OqnJVO0Q+YtL
-bCu/tF3tqaLsRjCXLcT8+JEV+jAPHMxLgiWcy6QJ+UX5bhY7Op1ZFT5hgcgwFtqE
-KGWGktd6Igix97/kFcJ71GnV7MyYIsvtQ94o7B0Uvh4Y7X4iPfwsxBMdAbch1oq1
-h2R6QBIrJQmP5V+xB2QMXO4w/PTekT3p3exS3HKROdKyGlLUrNdGYPerqglZ/Wr+
-VD3gGGw2tSSPNigmqMx7Zsglwe9waWD/hQEKnfH/lckyK1tp67+2aFdIQK7y5K32
-M/4vLmWRLCjjbdROipbrXl2vr/ND7l8Sm6+joVQco8O1dankSuJ8YcQeq4NMu++S
-zXdSTe2XQi5M6QZTIEGSG+J6jDBNXoq2wNRv9QcjFrW9/vSgQb7SzG/v3U7tXUWf
-qt9b2ieKORbqMPeJyLy6raxZrvCnziB+DfmFJKCfCzgi+ZaGXazDbcpSf/UzXrz3
-CPJKjzkiVG9yi/x1IwN6ZZTXA6orQDw5cgcB7tCFtK6/BTvrDUmpAW86sWqJ7JWu
-Txz5ibozQbQPgA==
-=WHA/
------END PGP SIGNATURE-----

roundcubemail-httpd.conf

@@ -17,38 +17,25 @@
 AddType text/x-component .htc
 
 <Directory "__ROUNDCUBEPATH__/public_html">
-    <IfModule mod_version.c>
-        <IfVersion < 2.4>
-            Order allow,deny
-            Allow from all
-        </IfVersion>
-        <IfVersion >= 2.4>
     <IfModule mod_authz_core.c>
         Require all granted
     </IfModule>
-            <IfModule mod_access_compat.c>
+    <IfModule !mod_authz_core.c>
         Order allow,deny
         Allow from all
     </IfModule>
-        </IfVersion>
-    </IfModule>
-    <IfModule !mod_version.c>
-        Order allow,deny
-        Allow from all
-    </IfModule>
-
-    <IfModule mod_php5.c>
-        Include @apache_sysconfdir@/conf.d/@name@.inc
-    </IfModule>
 
     <IfModule mod_php7.c>
         Include @apache_sysconfdir@/conf.d/@name@.inc
     </IfModule>
+    <IfModule mod_php8.c>
+        Include @apache_sysconfdir@/conf.d/@name@.inc
+    </IfModule>
 
     <IfModule mod_rewrite.c>
         Options +SymLinksIfOwnerMatch
         RewriteEngine On
-        RewriteRule ^favicon\.ico$ skins/larry/images/favicon.ico
+        RewriteRule ^favicon\.ico$ static.php/skins/elastic/images/favicon.ico
 
         # security rules:
         # - deny access to files not containing a dot or starting with a dot
@@ -93,20 +80,6 @@ AddType text/x-component .htc
         </IfModule>
     </IfModule>
 
-    <IfModule mod_headers.c>
-        # for better privacy/security ask browsers to not set the Referer
-        Header set Content-Security-Policy "referrer no-referrer"
-        # don't cache, please
-        Header merge Cache-Control public env=!NO_CACHE
-        <IfModule mod_ssl.c>
-            # HSTS - HTTP Strict Transport Security
-            Header always set Strict-Transport-Security "max-age=31536000; preload" env=HTTPS
-        </IfModule>
-        # X-Xss-Protection
-        # This header is used to configure the built in reflective XSS protection found in Internet Explorer, Chrome and Safari (Webkit). 
-        Header set X-XSS-Protection "1; mode=block"
-    </IfModule>
-
     <IfModule mod_expires.c>
         ExpiresActive On
         ExpiresDefault "access plus 1 month"
@@ -117,6 +90,43 @@ AddType text/x-component .htc
     <IfModule mod_autoindex.c>
         Options -Indexes
     </ifModule>
+
+    <IfModule mod_headers.c>
+        # Disable page indexing
+        Header set X-Robots-Tag "noindex, nofollow"
+
+        # for better privacy/security ask browsers to not set the Referer
+        Header set Content-Security-Policy "referrer no-referrer"
+
+        # don't cache, please
+        Header merge Cache-Control public env=!NO_CACHE
+
+        # Optional security headers
+        # Only provides increased security if the browser supports those features
+        # Be careful! Testing is required! They should be adjusted to your installation / user environment
+
+        <IfModule mod_ssl.c>
+            # HSTS - HTTP Strict Transport Security
+            Header always set Strict-Transport-Security "max-age=31536000; preload" env=HTTPS
+        </IfModule>
+
+        # HPKP - HTTP Public Key Pinning
+        # Only template - fill with your values
+        #Header always set Public-Key-Pins "max-age=3600; report-uri=\"\"; pin-sha256=\"\"; pin-sha256=\"\"" env=HTTPS
+
+        # X-Xss-Protection
+        # This header is used to configure the built in reflective XSS protection found in Internet Explorer, Chrome and Safari (Webkit). 
+        Header set X-XSS-Protection "1; mode=block"
+
+        # X-Frame-Options
+        # The X-Frame-Options header (RFC), or XFO header, protects your visitors against clickjacking attacks
+        # Already set by php code! Do not activate both options
+        #Header set X-Frame-Options SAMEORIGIN
+
+        # X-Content-Type-Options
+        # It prevents Google Chrome and Internet Explorer from trying to mime-sniff the content-type of a response away from the one being declared by the server.
+        #Header set X-Content-Type-Options "nosniff"
+    </IfModule>
 </Directory>
 
 #
@@ -320,4 +330,3 @@ AddType text/x-component .htc
 
 #
 #</VirtualHost>
-

roundcubemail.changes

@@ -1,3 +1,52 @@
+-------------------------------------------------------------------
+Sun Jun  1 17:11:22 UTC 2025 - Aeneas Jaißle <aj@ajaissle.de>
+
+- update to 1.6.11
+  This is a security update to the stable version 1.6 of Roundcube Webmail.
+  It provides fixes to recently reported security vulnerabilities:
+  * Fix Post-Auth RCE via PHP Object Deserialization reported by firs0v.
+
+- CHANGELOG
+  * Managesieve: Fix match-type selector (remove unsupported options) in delete header action (#9610)
+  * Improve installer to fix confusion about disabling SMTP authentication (#9801)
+  * Fix PHP warning in index.php (#9813)
+  * OAuth: Fix/improve token refresh
+  * Fix dark mode bug where wrong colors were used for blockquotes in HTML mail preview (#9820)
+  * Fix HTML message preview if it contains floating tables (#9804)
+  * Fix removing/expiring redis/memcache records when using a key prefix
+  * Fix bug where a wrong SPECIAL-USE folder could have been detected, if there were more than one per-type (#9781)
+  * Fix a default value and documentation of password_ldap_encodage option (#9658)
+  * Remove mobile/floating Create button from the list in Settings > Folders (#9661)
+  * Fix Delete and Empty buttons state while creating a folder (#9047)
+  * Fix connecting to LDAP using ldapi:// URI (#8990)
+  * Fix cursor position on "below the quote" reply in HTML mode (#8700)
+  * Fix bug where attachments with content type of application/vnd.ms-tnef were not parsed (#7119)
+
+-------------------------------------------------------------------
+Sun Feb  9 16:28:20 UTC 2025 - Aeneas Jaißle <aj@ajaissle.de>
+
+- update to 1.6.10
+  This is the next service release to update the stable version 1.6.
+  * IMAP: Partial support for ANNOTATE-EXPERIMENT-1 extension (RFC 5257)
+  * OAuth: Support standard authentication with short-living password received with OIDC token (#9530)
+  * Fix PHP warnings (#9616, #9611)
+  * Fix whitespace handling in vCard line continuation (#9637)
+  * Fix current script state after initial scripts creation in managesieve_kolab_master mode
+  * Fix rcube_imap::get_vendor() result (and PHP warning) on Zimbra server (#9650)
+  * Fix regression causing inline SVG images to be missing in mail preview (#9644)
+  * Fix plugin "virtuser_file" to handle backward slashes in username (#9668)
+  * Fix PHP fatal error when parsing some malformed BODYSTRUCTURE responses (#9689)
+  * Fix insert_or_update() and reading database server config on PostgreSQL (#9710)
+  * Fix Oauth issues with use_secure_urls=true (#9722)
+  * Fix handling of binary mail parts (e.g. PDF) encoded with quoted-printable (#9728)
+  * Fix links in comments and config to https:// where available (#9759, #9756)
+  * Fix decoding of attachment names encoded using both RFC2231 and RFC2047 standards (#9725)
+
+-------------------------------------------------------------------
+Sat Sep 28 07:12:55 UTC 2024 - Thorsten Kukuk <kukuk@suse.com>
+
+- Add /srv/www directories to filelist [bsc#1231027]
+
 -------------------------------------------------------------------
 Wed Sep  4 06:54:31 UTC 2024 - Aeneas Jaißle <aj@ajaissle.de>
 

roundcubemail.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package roundcubemail
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -20,7 +20,7 @@
 %define roundcubeconfigpath %{_sysconfdir}/%{name}
 
 Name:           roundcubemail
-Version:        1.6.9
+Version:        1.6.11
 Release:        0
 Summary:        A browser-based multilingual IMAP client
 License:        BSD-3-Clause AND GPL-2.0-only AND GPL-3.0-or-later
@@ -307,6 +307,7 @@ exit 0
 %doc LICENSE
 %endif
 %doc %{_defaultdocdir}/%{name}
+%dir %{apache_serverroot}
 %dir %{roundcubepath}
 %dir %{roundcubeconfigpath}
 %dir %{roundcubeconfigpath}/skins