-------------------------------------------------------------------
Fri Jul 28 09:59:22 UTC 2017 - chris@computersalat.de

- fix for boo#1050980
  * php-mcrypt will be removed with php >= 7.2
  * anyway not a dependency anymore since roundcube version 1.2

-------------------------------------------------------------------
Wed May 3 18:19:03 UTC 2017 - michael@stroeder.com

- Update to 1.2.5 which fixes vulnerability in the virtualmin and sasl drivers of the password plugin (CVE-2017-8114, bsc#1036955)

-------------------------------------------------------------------
Thu Mar 16 18:20:18 UTC 2017 - aj@ajaissle.de

- Update to 1.2.4 [boo#1029035]
- Managesieve: Fix handling of scripts with nested rules (#5540)
- Managesieve: Fix parser issue with empty lines between comments (#5657)
- Managesieve: Fix possible defect in handling \r\n in scripts (#5685)
- Enigma: Fix handling of messages with nested PGP encrypted parts (#5634)
- Enigma: Fix PHP fatal error when decrypting a message with invalid signature (#5555)
- Enigma: Fix missing require statement for Crypt_GPG_KeyGenerator (#5641)
- Fix variable substitution in ldap host for some use-cases, e.g.
  new_user_identity (#5544)
- Fix adding images to new identity signatures
- Fix rsync error handling in installto.sh script (#5562)
- Fix some advanced search issues with multiple addressbooks (#5572)
- Fix so group/addressbook selection is retained on page refresh
- Fix bug where image data URIs in css style were treated as evil/remote in mail preview (#5580)
- Fix bug where external content in src attribute of input/video tags was not secured (#5583)
- Fix PHP error on update of a contact with multiple email addresses when using PHP 7.1 (#5587)
- Fix bug where mail content frame couldn't be reset in some corner cases (#5608)
- Fix bug where some classic skin images were not displayed in IE/Edge (#5614)
- Fix bug where signature couldn't be added above the quote in Firefox 51 (#5628)
- Fix regression where groups with email address were resolved to its members' addresses
- Fix update of group name in the contacts list header on group rename (#5648)
- Add rewrite rule to disable access to /vendor/bin folder in .htaccess (#5630)
- Fix bug where it was too easy to accidentally move a folder when using the subscription checkbox (#5655)
- Fix XSS issue in handling of a style tag inside of an svg element [CVE-2017-6820]

-------------------------------------------------------------------
Tue Nov 29 10:34:37 UTC 2016 - aj@ajaissle.de

- Update to 1.2.3 [boo#1012493]
- Searching in both contacts and groups when LDAP addressbook with group_filters option is used
- Fix vulnerability in handling of mail()'s 5th argument [boo#1012493]
- Fix To: header encoding in mail sent with mail() method (#5475)
- Fix flickering of header topline in min-mode (#5426)
- Fix bug where folders list would scroll to top when clicking on subscription checkbox (#5447)
- Fix decoding of GB2312/GBK text when iconv is not installed (#5448)
- Fix regression where creation of default folders wasn't functioning without prefix (#5460)
- Enigma: Fix bug where last records on keys list were hidden (#5461)
- Enigma: Fix key search with keyword containing non-ascii characters (#5459)
- Fix bug where deleting folders with subfolders could fail in some cases (#5466)
- Fix bug where IMAP password could be exposed via error message (#5472)
- Fix bug where it wasn't possible to store more than 2MB objects in memcache/apc, Added memcache_max_allowed_packet and apc_max_allowed_packet settings (#5452)
- Fix "Illegal string offset" warning in rcube::log_bug() on PHP 7.1 (#5508)
- Fix storing "empty" values in rcube_cache/rcube_cache_shared (#5519)
- Fix missing content check when image resize fails on attachment thumbnail generation (#5485)
- Fix displaying attached images with wrong Content-Type specified (#5527)

-------------------------------------------------------------------
Wed Oct 5 16:30:35 UTC 2016 - astieger@suse.com

- verify source signature

-------------------------------------------------------------------
Thu Sep 29 14:23:42 UTC 2016 - aj@ajaissle.de

- Update to 1.2.2 [boo#1001856]
- Enigma: Add possibility to configure gpg-agent binary location (enigma_pgp_agent)
- Enigma: Fix signature verification with some IMAP servers, e.g.
  Gmail, DBMail (#5371)
- Enigma: Make recipient key searches case-insensitive (#5434)
- Fix regression in resizing JPEG images with Imagick (#5376)
- Managesieve: Fix parsing of vacation date-time with non-default date_format (#5372)
- Use SymLinksIfOwnerMatch in .htaccess instead of FollowSymLinks disabled on some hosts for security reasons (#5370)
- Wash position:fixed style in HTML mail for better security (#5264) [boo#1001856]
- Fix bug where memcache_debug didn't work for session operations
- Fix bug where Message-ID domain part was tied to username instead of current identity (#5385)
- Fix bug where blocked.gif couldn't be attached to reply/forward with insecure content
- Fix E_DEPRECATED warning when using Auth_SASL::factory() (#5401)
- Fix bug where names of downloaded files could be malformed when derived from the message subject (#5404)
- Fix so "All" messages selection is reset on search reset (#5413)
- Fix bug where folder creation could fail if personal namespace contained more than one entry (#5403)
- Fix error causing empty INBOX listing in Firefox when using an URL with user:password specified (#5400)
- Fix PHP warning when handling shared namespace with empty prefix (#5420)
- Fix so folders list is scrolled to the selected folder on page load (#5424)
- Fix so when moving to Trash we make sure the folder exists (#5192)
- Fix displaying size of attachments with zero size
- Fix so "Action disabled" error uses more appropriate 404 code (#5440)

-------------------------------------------------------------------
Thu Aug 11 17:02:25 UTC 2016 - aj@ajaissle.de

- Update to 1.2.1
- Update TinyMCE to version 4.3.13 (#5309)
- Fix bug where errors could have been not logged when per_user_logging=true
- Fix bug where message list columns could be in wrong order after column drag-n-drop and list sorting
- Fix so minified publickey.js (with cache-buster) is used when available (#5254)
- Fix (replace) application/x-tar file extension test as it might not exist in
  nginx config (#5253)
- Fix PHP warning when password_hosts is set, but is not an array (#5260)
- Fix redundant keep-alive requests when session_lifetime is greater than ~20000 (#5273)
- Fix so subfolders of INBOX can be set as Archive (#5274)
- Fix bug where multi-folder search could choose a wrong folder in "this and subfolders" scope (#5282)
- Fix bug where multi-folder search didn't work for unsubscribed INBOX (#5259)
- Fix bug where "no body" alert could be displayed when sending mailvelope email
- Enigma: Fix keys import from inside of an encrypted message (#5285)
- Enigma: Fix malformed signed messages with force_7bit=true (#5292)
- Enigma: Add possibility to configure gpg binary location (enigma_pgp_binary)
- Enigma: Add possibility to export private keys (#5321)
- Fix searching by email address in contacts with multiple addresses (#5291)
- Fix handling of --delete argument in moduserprefs.sh script (#5296)
- Workaround PHP issue by calling closelog() on script shutdown when using log_driver=syslog (#5289)
- Fix so upgrade script makes sure program/lib directory does not contain old libraries (#5287)
- Fix subscription checkbox state on error in folder subscribe/unsubscribe action (#5243)
- Fix bug where microsecond format in logged date didn't work in some cases
- Fix conflict in new_user_dialog and password_force_new_user settings (#5275)
- Don't create multipart/alternative messages with empty text/plain part (#5283)
- Use contact_search_name format in popup on results in compose contacts search
- Fix handling of 'mailto' and 'error' arguments in message_before_send hook (#5347)
- Fix missing localization of HTML editor when assets_dir != INSTALL_PATH
- Fix handling of blockquote tags with mixed case on html2text conversion (#5363)
- Fix javascript errors in IE on page with iframe that points to another domain

-------------------------------------------------------------------
Tue May 24 07:21:22 UTC 2016 - opensuse@dstoecker.de

- update to version 1.2.0
  [boo#982003] [CVE-2016-5103]
  * PHP7 compatibility
  * PGP encryption
  * Drag-n-drop attachments from mail preview to compose window
  * Mail messages searching with predefined date interval
  * Improved security measures to protect from brute-force attacks
  * And of course plenty of small improvements and bug fixes.

-------------------------------------------------------------------
Mon Apr 25 09:46:41 UTC 2016 - lars@linux-schulserver.de

- Update to 1.1.5
  * Plugin API: Add html2text hook
  * Plugin API: Added addressbook_export hook
  * Fix missing emoticons on html-to-text conversion
  * Fix random "access to this resource is secured against CSRF" message at logout (#4956)
  * Fix missing language name in "Add to Dictionary" request in HTML mode (#4951)
  * Enable use of TLSv1.1 and TLSv1.2 for IMAP (#4955)
  * Fix XSS issue in SVG images handling (#4949)
  * Fix (again) security issue in DBMail driver of password plugin CVE-2015-2181
  * Fix bug where Archive/Junk buttons were not active after page jump with select=all mode (#4961)
  * Fix bug in long recipients list parsing for cases where recipient name contained @-char (#4964)
  * Fix additional_message_headers plugin compatibility with Mail_Mime >= 1.9 (#4966)
  * Hide DSN option in Preferences when smtp_server is not used (#4967)
  * Protect download urls against CSRF using unique request tokens (#4957)
  * newmail_notifier: Refactor desktop notifications
  * Fix so contactlist_fields option can be set via config file
  * Fix so SPECIAL-USE assignments are forced only until user sets special folders (#4782)
  * Fix performance in reverting order of THREAD result
  * Fix converting mail addresses with @www.
    into mailto links (#5197)

-------------------------------------------------------------------
Fri Feb 5 15:13:42 UTC 2016 - aj@ajaissle.de

- Added "Suggests:" for apache2

-------------------------------------------------------------------
Fri Jan 15 11:57:10 UTC 2016 - aj@ajaissle.de

- Changed apache2 config

-------------------------------------------------------------------
Thu Dec 31 10:42:03 UTC 2015 - lars@linux-schulserver.de

- Update to 1.1.4
  * Add workaround for https://bugs.php.net/bug.php?id=70757 (#1490582)
  * Fix duplicate messages in list and wrong count after delete (#1490572)
  * Fix so Installer requires PHP5
  * Make brute force attacks harder by re-generating security token on every failed login (#1490549)
  * Slow down brute-force attacks by waiting for a second after failed login (#1490549)
  * Fix .htaccess rewrite rules to not block .well-known URIs (#1490615)
  * Fix mail view scaling on iOS (#1490551)
  * Fix so database_attachments::cleanup() does not remove attachments from other sessions (#1490542)
  * Fix responses list update issue after response name change (#1490555)
  * Fix bug where message preview was unintentionally reset on check-recent action (#1490563)
  * Fix bug where HTML messages with invalid/excessive css styles couldn't be displayed (#1490539)
  * Fix redundant blank lines when using HTML and top posting (#1490576)
  * Fix redundant blank lines on start of text after html to text conversion (#1490577)
  * Fix HTML sanitizer to skip in output (#1490583)
  * Fix invalid LDAP query in ACL user autocompletion (#1490591)
  * Fix regression in displaying contents of message/rfc822 parts (#1490606)
  * Fix handling of message/rfc822 attachments on replies and forwards (#1490607)
  * Fix PDF support detection in Firefox > 19 (#1490610)
  * Fix path traversal vulnerability (CWE-22) in setting a skin (#1490620) [CVE-2015-8770] [bnc#962067]
  * Fix so drag-n-drop of text (e.g.
    recipient addresses) on compose page actually works (#1490619)
- explicitly add required PHP packages (according to INSTALL):
  + php-dom, php-json, php-sockets
- also recommend additional PHP packages:
  + php-zip, php-pear-Crypt_GPG
- use generic php- prefix also for recommended packages (no explicit php5-)
- no Dockerfile readme any more

-------------------------------------------------------------------
Fri Oct 23 11:55:15 UTC 2015 - aj@ajaissle.de

- Changed roundcubemail-httpd.conf
- Enable mod_version.c per default [boo#938840]

-------------------------------------------------------------------
Tue Sep 15 10:27:10 UTC 2015 - aj@ajaissle.de

- Update to 1.1.3
  * Fix closing of nested menus (#1490443)
  * Fix so E_DEPRECATED errors from PEAR libs are ignored by error_reporting change (#1490281)
  * Fix compatibility with PHP 5.3 in rcube_ldap class (#1490424)
  * Get rid of Mail_mimeDecode package dependency (#1490416)
  * Fix "Importing..." message does not hide on error (#1490422)
  * Fix SQL error on logout when using session_storage=php (#1490421)
  * Update to jQuery 2.1.4 (#1490406)
  * Fix Compose action in addressbook for results from multiple addressbooks (#1490413)
  * Fix bug where some messages in multi-folder search couldn't be viewed/printed/downloaded (#1490426)
  * Fix unintentional messages list page change on page switch in compose addressbook (#1490427)
  * Fix race-condition in saving user preferences and loading plugin config (#1490431)
  * Fix so plain text signature field uses monospace font (#1490435)
  * Fix so links with href == content aren't added to links list on html to text conversion (#1490434)
  * Fix handling of non-break spaces in html to text conversion (#1490436)
  * Fix self-reply detection issues (#1490439)
  * Fix multi-folder search result sorting by arrival date (#1490450)
  * Fix so *-request@ addresses in Sender: header are also ignored on reply-all (#1490452)
  * Update to TinyMCE 4.1.10 (#1490405)
  * Fix draft removal after a message is sent and storing sent message is disabled (#1490467)
  * Fix
    so imap folder attribute comparisons are case-insensitive (#1490466)
  * Fix bug where new messages weren't added to the list in search mode
  * Fix wrong positioning of message list header on page scroll in Webkit browsers (#1490035)
  * Fix some javascript errors in rare situations (#1490441)
  * Fix error when using back button after sending an email (#1490009)
  * Fix removing signature when switching to identity with an empty sig in HTML mode (#1490470)
  * Disable links list generation on html-to-text conversion of identities or composed message (#1490437)
  * Fix "washing" of style elements wrapped into many lines
  * Fix so input field (e.g. search box) does not lose focus on list load (#1490455)
  * Fix minor XSS issue in drag-n-drop file uploads (#1490530)

-------------------------------------------------------------------
Mon Jun 8 20:45:27 UTC 2015 - draht@schaltsekun.de

- Update to 1.1.2
  * Add new plugin hook 'identity_create_after' providing the ID of the inserted identity (#1490358)
  * Add option to place signature at bottom of the quoted text even in top-posting mode [sig_below]
  * Fix handling of %-encoded entities in mailto: URLs (#1490346)
  * Fix zipped messages downloads after selecting all messages in a folder (#1490339)
  * Fix vpopmaild driver of password plugin
  * Fix PHP warning: Non-static method PEAR::setErrorHandling() should not be called statically (#1490343)
  * Fix tables listing routine on mysql and postgres so it skips system or other database tables and views (#1490337)
  * Fix message list header in classic skin on window resize in Internet Explorer (#1490213)
  * Fix so text/calendar parts are listed as attachments even if not marked as such (#1490325)
  * Fix lack of signature separator for plain text signatures in html mode (#1490352)
  * Fix font artifact in Google Chrome on Windows (#1490353)
  * Fix bug where forced extwin page reload could exit from the extwin mode (#1490350)
  * Fix bug where some unrelated attachments in multipart/related message were not listed (#1490355)
  * Fix mouseup event handling
    when dragging a list record (#1490359)
  * Fix bug where preview_pane setting wasn't always saved into user preferences (#1490362)
  * Fix bug where messages count was not updated after message move/delete with skip_deleted=false (#1490372)
  * Fix security issue in contact photo handling (#1490379)
  * Fix possible memcache/apc cache data consistency issues (#1490390)
  * Fix bug where imap_conn_options were ignored in IMAP connection test (#1490392)
  * Fix bug where some files could have "executable" extension when stored in temp folder (#1490377)
  * Fix attached file path unsetting in database_attachments plugin (#1490393)
  * Fix issues when using moduserprefs.sh without --user argument (#1490399)
  * Fix potential info disclosure issue by protecting directory access (#1490378)
  * Fix blank image in html_signature when saving identity changes (#1490412)
  * Installer: Use openssl_random_pseudo_bytes() (if available) to generate des_key (#1490402)
  * Fix XSS vulnerability in _mbox argument handling (#1490417)

-------------------------------------------------------------------
Thu Mar 26 08:47:49 UTC 2015 - aj@ajaissle.de

- Update to 1.1.1
  * ACL: Allow other plugins to adjust the list of permissions and groups to edit
  * Add possibility to print contact information (of a single contact)
  * Add possibility to configure max_allowed_packet value for all database engines (#1490283)
  * Improved handling of storage errors after message is sent
  * Update to TinyMCE 4.1.9
  * Unified request* event arguments handling, added support for _unlock and _action parameters
  * Security: Generate random hash for the per-user local storage prefix (#1490279)
  * Fix refreshing of drafts list when sending a message which was saved in meantime (#1490238)
  * Fix saving/sending emoticon images when assets_dir is set
  * Fix PHP fatal error when visiting Vacation interface and there's no sieve script yet (#1490292)
  * Fix setting max packet size for DB caches and check packet size also in shared cache
  * Fix needless security warning on BMP attachments display
    (#1490282)
  * Fix handling of some improper constructs in format=flowed text as per the RFC3676[4.5] (#1490284)
  * Fix performance of rcube_db_mysql::get_variable()
  * Fix missing or not up-to-date CATEGORIES entry in vCard export (#1490277)
  * Fix fatal errors on systems without mbstring extension or mb_regex_encoding() function (#1490280)
  * Fix cursor position on reply below the quote in HTML mode (#1490263)
  * Fix so "over quota" errors are displayed also in message compose page
  * Fix duplicate entries suppression in autocomplete result (#1490290)
  * Fix "Non-static method PEAR::isError() should not be called statically" errors (#1490281)
  * Fix parsing invalid HTML messages with BOM after (#1490291)
  * Fix duplicate entry on timezones list in rcube_config::timezone_name_from_abbr() (#1490293)
  * Fix so localized folder name is displayed in multi-folder search result (#1490243)
  * Fix javascript error after creating a folder which is a subfolder of another one (#1490297)
  * Fix bug where subject of sent/saved message was removed if mbstring wasn't installed (#1490295)
  * Fix missing vcard_attachment icon on messages list (#1490303)
  * Fix storing signatures with big images in MySQL database (#1490306)
  * Fix Opera browser detection in javascript (#1490307)
  * Fix so search filter, scope and fields are reset on folder change
  * Fix rows count when messages search fails (#1490266)
  * Fix bug where spellchecking in HTML editor do not work after switching editor type more than once (#1490311)
  * Fix bug where TinyMCE area height was too small on slow network connection (#1490310)
  * Fix backtick character handling in sql queries (#1490312)
  * Fix redirect URL for attachments loaded in an iframe when behind a proxy (#1490191)
  * Fix menu container references to point to the actual