-------------------------------------------------------------------
Mon Dec 28 10:17:11 UTC 2020 - Lars Vogdt

- update to 1.4.10:
  * Stored cross-site scripting (XSS) via HTML or plain text messages with malicious content [CVE-2020-35730]
  * Fix extra angle brackets in In-Reply-To header derived from mailto: params (#7655)
  * Fix folder list issue when special folder is a subfolder (#7647)
  * Fix Elastic's folder subscription toggle in search result (#7653)
  * Fix state of subscription toggle on folders list after changing folder state from the search result (#7653)
  * Security: Fix cross-site scripting (XSS) via HTML or plain text messages with malicious content

-------------------------------------------------------------------
Tue Dec 1 14:37:42 UTC 2020 - pgajdos@suse.com

- use system apache rpm macros

-------------------------------------------------------------------
Mon Sep 28 07:38:28 UTC 2020 - Michael Ströder

- update to 1.4.9:
  * Fix HTML editor in latest Chrome 85.0.4183.102, update to TinyMCE 4.9.11 (#7615)
  * Add missing localization for some label/legend elements in userinfo plugin (#7478)
  * Fix importing birthday dates from Gmail vCards (BDAY:YYYYMMDD)
  * Fix restoring Cc/Bcc fields from local storage (#7554)
  * Fix jstz.min.js installation, bump version to 1.0.7
  * Fix incorrect PDO::lastInsertId() use in sqlsrv driver (#7564)
  * Fix link to closure compiler in bin/jsshrink.sh script (#7567)
  * Fix bug where some parts of a message could have been missing in a reply/forward body (#7568)
  * Fix empty space on mail printouts in Chrome (#7604)
  * Fix empty output from HTML5 parser when content contains XML tag (#7624)
  * Fix scroll jump on key press in plain text mode of the HTML editor (#7622)
  * Fix so autocompletion list does not hide on scroll inside it (#7592)

-------------------------------------------------------------------
Thu Aug 13 15:37:19 UTC 2020 - Lars Vogdt

- finally renamed roundcubemail-1.4.8-config_dir.patch to roundcubemail-config_dir.patch to avoid additional roundtrip times with each submission:
  + removed roundcubemail-1.4.7-config_dir.patch
  + added roundcubemail-config_dir.patch

-------------------------------------------------------------------
Tue Aug 11 03:52:20 UTC 2020 - Michael Ströder

- update to 1.4.8 with security fixes:
  * Fix cross-site scripting (XSS) via HTML messages with malicious svg content (CVE-2020-16145)
  * Fix cross-site scripting (XSS) via HTML messages with malicious math content

-------------------------------------------------------------------
Mon Jul 6 12:00:02 UTC 2020 - Michael Ströder

- update to 1.4.7 with security fix:
  * Security: Fix cross-site scripting (XSS) via HTML messages with malicious svg/namespace
  * Fix bug where subfolders of special folders could have been duplicated on folder list
  * Increase maximum size of contact jobtitle and department fields to 128 characters
  * Fix missing newline after the logged line when writing to stdout (#7418)
  * Elastic: Fix context menu (paste) on the recipient input (#7431)
  * Fix problem with forwarding inline images attached to messages with no HTML part (#7414)
  * Fix problem with handling attached images with same name when using database_attachments/redundant_attachments (#7455)
- renamed roundcubemail-1.4.6-config_dir.patch to roundcubemail-1.4.7-config_dir.patch

-------------------------------------------------------------------
Fri Jul 3 18:43:00 UTC 2020 - chris@computersalat.de

- add http.inc file
  * include one file for php5/php7 admin flags/values

-------------------------------------------------------------------
Sun Jun 7 14:27:25 UTC 2020 - Michael Ströder

- update to 1.4.6
  * Installer: Fix regression in SMTP test section (#7417)
- renamed roundcubemail-1.4.5-config_dir.patch to roundcubemail-1.4.6-config_dir.patch

-------------------------------------------------------------------
Wed Jun 3 08:20:49 UTC 2020 - Lars Vogdt

- update to 1.4.5
  Security fixes
  * Fix XSS issue in template object 'username' (#7406)
  * Fix cross-site scripting (XSS) via malicious XML attachment
  * Fix a couple of XSS issues in Installer (#7406)
  * Better fix for CVE-2020-12641
  Other changes
  * Fix bug in extracting required plugins from composer.json that led to spurious error in log (#7364)
  * Fix so the database setup description is compatible with MySQL 8 (#7340)
  * Markasjunk: Fix regression in jsevent driver (#7361)
  * Fix missing flag indication on collapsed thread in Larry and Elastic (#7366)
  * Fix default keyservers (use keys.openpgp.org), add note about CORS (#7373, #7367)
  * Password: Fix issue with Modoboa driver (#7372)
  * Mailvelope: Use sender's address to find pubkeys to check signatures (#7348)
  * Mailvelope: Fix Encrypt button hidden in Elastic (#7353)
  * Fix PHP warning: count(): Parameter must be an array or an object... in ID command handler (#7392)
  * Fix error when user-configured skin does not exist anymore (#7271)
  * Elastic: Fix aspect ratio of a contact photo in mail preview (#7339)
  * Fix bug where PDF attachments marked as inline could have not been attached on mail forward (#7382)
  * Security: Fix a couple of XSS issues in Installer (#7406)
  * Security: Fix XSS issue in template object 'username' (#7406)
  * Security: Fix cross-site scripting (XSS) via malicious XML attachment
  * Security: Better fix for CVE-2020-12641
- renamed roundcubemail-1.4.4-config_dir.patch to roundcubemail-1.4.5-config_dir.patch

-------------------------------------------------------------------
Wed Apr 29 22:16:50 UTC 2020 - Michael Ströder

- update to 1.4.4
  * Fix bug where attachments with Content-Id were attached to the message on reply (#7122)
  * Fix identity selection on reply when both sender and recipient addresses are included in identities (#7211)
  * Elastic: Fix text selection with Shift+PageUp and Shift+PageDown in plain text editor when using Chrome (#7230)
  * Elastic: Fix recipient input bug when using click to select a contact from autocomplete list (#7231)
  * Elastic: Fix color of a folder with recent
    messages (#7281)
  * Elastic: Restrict logo size in print view (#7275)
  * Fix invalid Content-Type for messages with only html part and inline images
  * Mail_Mime-1.10.7 (#7261)
  * Fix missing contact display name in QR Code data (#7257)
  * Fix so button label in Select image/media dialogs is "Close" not "Cancel" (#7246)
  * Fix regression in testing database schema on MSSQL (#7227)
  * Fix cursor position after inserting a group to a recipient input using autocompletion (#7267)
  * Fix string literals handling in IMAP STATUS (and various other) responses (#7290)
  * Fix bug where multiple images in a message were replaced by the first one on forward/reply/edit (#7293)
  * Fix handling keyservers configured with protocol prefix (#7295)
  * Markasjunk: Fix marking as spam/ham on moving messages with Move menu (#7189)
  * Markasjunk: Fix bug where moving to Junk was failing on messages selected with Select > All (#7206)
  * Fix so imap error message is displayed to the user on folder create/update (#7245)
  * Fix bug where a special folder couldn't be created if a special-use flag is not supported (#7147)
  * Mailvelope: Fix bug where recipients with name were not handled properly in mail compose (#7312)
  * Fix characters encoding in group rename input after group creation/rename (#7330)
  * Fix bug where some message/rfc822 parts could not be attached on forward (#7323)
  * Make install-jsdeps.sh script working without the 'file' program installed (#7325)
  * Fix performance issue of parsing big HTML messages by disabling HTML5 parser for these (#7331)
  * Fix so Print button for PDF attachments works on Firefox >= 75 (#5125)
  * Security: Fix XSS issue in handling of CDATA in HTML messages
  * Security: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings
  * Security: Fix local file inclusion (and code execution) via crafted 'plugins' option
  * Security: Fix CSRF bypass that could be used to log out an authenticated user (#7302)
- adjusted/renamed roundcubemail-1.4.3-config_dir.patch to roundcubemail-1.4.4-config_dir.patch

-------------------------------------------------------------------
Thu Feb 20 09:55:08 UTC 2020 - Michael Ströder

- update to 1.4.3
  * Enigma: Fix so key list selection is reset when opening key creation form (#7154)
  * Enigma: Fix so using list checkbox selection does not load the key preview frame
  * Enigma: Fix generation of key pairs for identities with IDN domains (#7181)
  * Enigma: Display IDN domains of key users and identities in UTF8
  * Enigma: Fix bug where "Send unencrypted" button didn't work in Elastic skin (#7205)
  * Managesieve: Fix bug where it wasn't possible to save flag actions (#7188)
  * Markasjunk: Fix bug where marking as spam/ham didn't work on moving messages with drag-and-drop (#7137)
  * Password: Make chpass-wrapper.py Python 3 compatible (#7135)
  * Elastic: Fix disappearing sidebar in mail compose after clicking Mail button
  * Elastic: Fix incorrect aria-disabled attribute on Mail taskmenu button in mail compose
  * Elastic: Fix bug where it was possible to switch editor mode when 'htmleditor' was in 'dont_override' (#7143)
  * Elastic: Fix text selection in recipient inputs (#7129)
  * Elastic: Fix missing Close button in "more recipients" dialog
  * Elastic: Fix non-working folder subscription checkbox for newly added folders (#7174)
  * Fix regression where "Open in new window" action didn't work (#7155)
  * Fix PHP Warning: array_filter() expects parameter 1 to be array, null given in subscriptions_option plugin (#7165)
  * Fix unexpected error message when mail refresh involves folder auto-unsubscribe (#6923)
  * Fix recipient duplicates in print-view when the recipient list has been expanded (#7169)
  * Fix bug where files in skins/ directory were listed on skins list (#7180)
  * Fix bug where message parts with no Content-Disposition header and no name were not listed on attachments list (#7117)
  * Fix display issues with mail subject that contains line-breaks (#7191)
  * Fix invalid Content-Transfer-Encoding on multipart messages - Mail_Mime fix (#7170)
  * Fix regression where using an absolute path to SQLite database file on Windows didn't work (#7196)
  * Fix using unix:///path/to/socket.file in memcached driver (#7210)
- adjusted/renamed roundcubemail-1.4.2-config_dir.patch to roundcubemail-1.4.3-config_dir.patch

-------------------------------------------------------------------
Tue Feb 18 11:39:33 UTC 2020 - Lars Vogdt

- prefer brotli over gzip if brotli is available:
  + enable mod_brotli in roundcubemail-httpd.conf (after deflate)
  + enable brotli via a2enmod for new installations

-------------------------------------------------------------------
Thu Jan 2 19:43:40 UTC 2020 - Lars Vogdt

- update to 1.4.2:
  * Plugin API: Make actionbefore, before, actionafter and after events working with plugin actions (#7106)
  * Managesieve: Replace "Filter disabled" with "Filter enabled" (#7028)
  * Managesieve: Fix so modifier type select wasn't hidden after hiding modifier select on header change
  * Managesieve: Fix filter selection after removing a first filter (#7079)
  * Markasjunk: Fix marking more than one message as spam/ham with email_learn driver (#7121)
  * Password: Fix kpasswd and smb drivers' double-escaping bug (#7092)
  * Enigma: Add script to import keys from filesystem to the db storage (for multihost)
  * Installer: Fix DB Write test on SQLite database ("database is locked" error) (#7064)
  * Installer: Fix so SQLite DSN with a relative path to the database file works in Installer
  * Elastic: Fix contrast of warning toasts (#7058)
  * Elastic: Simple search in pretty selects (#7072)
  * Elastic: Fix hidden list widget on mobile/tablet when selecting folder while search menu is open (#7120)
  * Fix so type attribute on script tags is not used on HTML5 pages (#6975)
  * Fix unread count after purge on a folder that is not currently selected (#7051)
  * Fix bug where Enter key didn't work on messages list in "List" layout (#7052)
  * Fix bug where deleting a saved
    search in addressbook caused display issue on sources/groups list (#7061)
  * Fix bug where a new saved search added after removing all searches wasn't added to the list (#7061)
  * Fix bug where a new contact group added after removing all groups from addressbook wasn't added to the list
  * Fix so install-jsdeps.sh removes Bootstrap's sourceMappingURL (#7035)
  * Fix so use of Ctrl+A does not scroll the list (#7020)
  * Fix/remove useless keyup event handler on username input in logon form (#6970)
  * Fix bug where cancelling switching from HTML to plain text didn't set the flag properly (#7077)
  * Fix bug where HTML reply could add an empty line with extra indentation above the original message (#7088)
  * Fix matching multiple X-Forwarded-For addresses with 'proxy_whitelist' (#7107)
  * Fix so displayed maximum attachment size depends also on 'max_message_size' (#7105)
  * Fix bug where 'skins_allowed' option didn't enforce user skin preference (#7080)
  * Fix so contact's organization field accepts up to 128 characters (it was 50)
  * Fix bug where listing tables in PostgreSQL database with db_prefix didn't work (#7093)
  * Fix bug where 'text' attribute on body tag was ignored when displaying HTML message (#7109)
  * Fix bug where next message wasn't displayed after delete in List mode (#7096)
  * Fix so number of contacts in a group is not limited to 200 when redirecting to mail composer from Contacts (#6972)
  * Fix malformed characters in HTML message with charset meta tag not in head (#7116)
- renamed patches:
  - roundcubemail-1.1-beta-config_dir.patch
  + roundcubemail-1.4.2-config_dir.patch

-------------------------------------------------------------------
Mon Dec 16 09:48:52 UTC 2019 - Lars Vogdt

- remove more cruft from the source (like .travis or .gitignore)
- php documentor is not needed on a productive system -> remove
- also fix /usr/bin/env calls for two vendor scripts
- skins now have some configurable files in their directories: move those files over to /etc/roundcubemail/skins/
- move other text files (incl. vendor ones) out of the root directory (and handle the LICENSE file a bit different)
- enable mod_filter and add AddOutputFilterByType for common media types like html, javascript or xml
- enable php7 on newer openSUSE versions
- enable deflate, expires, filter, headers and setenvif on a new installation
- do not enable any module in case of an update
- recommend php-imagick for additional features

-------------------------------------------------------------------
Fri Dec 6 14:39:12 UTC 2019 - Johannes Weberhofer

- Updated dependencies
- Moved LICENCE file to proper directory
- removed travis files
- fixed most of the shell scripts to contain /usr/bin/php

-------------------------------------------------------------------
Fri Nov 22 14:49:44 UTC 2019 - Michael Ströder

- Upgrade to version 1.4.1:
  * new defaults for smtp_* config options
  * changed default password_charset to UTF-8
  * login page returning 401 Unauthorized status

-------------------------------------------------------------------
Sun Nov 10 09:47:19 UTC 2019 - Michael Ströder

- Upgrade to version 1.4.0:
  * Update to jQuery 3.4.1
  * Update to TinyMCE 4.8.2
  * Update to jQuery-MiniColors 2.3.4
  * Clarified 'address_book_type' option behavior (#6680)
  * Added cookie mismatch detection, display an error message informing the user to clear cookies
  * Renamed 'log_session' option to 'session_debug'
  * Removed 'delete_always' option (#6782)
  * Don't log full session identifiers in userlogins log (#6625)
  * Support $HasAttachment/$HasNoAttachment keywords (#6201)
  * Support PECL memcached extension as a session and cache storage driver (experimental)
  * Switch to IDNA2008 variant (#6806)
  * installto.sh: Add possibility to run the update even on the up-to-date installation (#6533)
  * Plugin API: Add 'render_folder_selector' hook
  * Added 'keyservers' option to define list of HKP servers for Enigma/Mailvelope (#6326)
  * Added flag to disable server certificate
    validation via Mysql DSN argument (#6848)
  * Select all records on the current list page with CTRL + A (#6813)
  * Use Left/Right Arrow keys to faster move over threaded messages list (#6399)
  * Changes in display_next setting (#6795):
  * * Move it to Preferences > User Interface > Main Options
  * * Make it apply to Contacts interface too
  * * Make it apply only if deleting/moving a previewed message/contact
  * Redis: Support connection to unix socket
  * Put charset meta specification before a title tag, add page title automatically (#6811)
  * Elastic: Various internal refactorings
  * Elastic: Add Prev/Next buttons on message page toolbar (#6648)
  * Elastic: Close search options on Enter key press in quick-search input (#6660)
  * Elastic: Changed some icons (#6852)
  * Elastic: Changed read/unread icons (#6636)
  * Elastic: Changed "Move to..." icon (#6637)
  * Elastic: Add hide/show for advanced preferences (#6632)
  * Elastic: Add default icon on Settings/Preferences lists for external plugins (#6814)
  * Elastic: Add indicator for popover menu items that open a submenu (#6868)
  * Elastic: Move compose attachments/options to the right side (#6839)
  * Elastic: Add border/background to attachments list widget (#6842)
  * Elastic: Add "Show unread messages" button to the search bar (#6587)
  * Elastic: Fix bug where toolbar disappears on attachment menu use in Chrome (#6677)
  * Elastic: Fix folders list scrolling on touch devices (#6706)
  * Elastic: Fix non-working pretty selects in Chrome browser (#6705)
  * Elastic: Fix issue with absolute positioned mail content (#6739)
  * Elastic: Fix bug where some menu actions could cause a browser popup warning
  * Elastic: Fix handling mailto: URL parameters in contact menu (#6751)
  * Elastic: Fix keyboard navigation in some menus, e.g. the contact menu
  * Elastic: Fix visual issue with long buttons in .boxwarning (#6797)
  * Elastic: Fix handling new-line in text pasted to a recipient input
  * Elastic: Fix so search is not reset when returning from the message preview page (#6847)
  * Larry: Fix regression where menu actions didn't work with keyboard (#6740)
  * ACL: Display user/group names (from ldap) instead of acl identifier
  * Password: Added ldap_exop driver (#4992)
  * Password: Added support for SSHA512 password algorithm (#6805)
  * Managesieve: Fix bug where global includes were requested for vacation (#6716)
  * Managesieve: Use RFC-compliant line endings, CRLF instead of LF (#6686)
  * Managesieve: Fix so "Create filter" option does not show up when Filters menu is disabled (#6723)
  * Enigma: For verified signatures, display the user id associated with the sender address (#5958)
  * Enigma: Fix bug where revoked users/keys were not greyed out in key info
  * Enigma: Fix error message when trying to encrypt with a revoked key (#6607)
  * Enigma: Fix "decryption oracle" bug [CVE-2019-10740] (#6638)
  * Enigma: Fix bug where signature verification could have been skipped for some message structures (#6838)
  * Fix language selection for spellchecker in html mode (#6915)
  * Fix css styles leak from replied/forwarded message to the rest of the composed text (#6831)
  * Fix invalid path to "add contact" icon when using assets_path setting
  * Fix invalid path to blocked.gif when using assets_path setting (#6752)
  * Fix so advanced search dialog is not automatically displayed on searchonly addressbooks (#6679)
  * Fix so an error is logged when more than one attachment plugin has been enabled, initialize the first one (#6735)
  * Fix bug where flag change could have been passed to a preview frame when not expected
  * Fix bug in HTML parser that could cause missing text fragments when there was no head/body tag (#6713)
  * Fix bug where HTML messages with a xml:namespace tag were not rendered (#6697)
  * Fix TinyMCE download location (#6694)
  * Fix so "Open in new window" consistently displays "external window" interface (#6659)
  * Fix bug where next row wasn't selected after deleting a collapsed thread (#6655)
  * Fix bug where external content (e.g. mail body) was passed to templates parsing code (#6640)
  * Fix bug where attachment preview didn't work with x_frame_options=deny (#6688)
  * Fix so bin/install-jsdeps.sh returns error code on error (#6704)
  * Fix bug where bmp images couldn't be displayed on some systems (#6728)
  * Fix bug in parsing vCard data using PHP 7.3 due to an invalid regexp (#6744)
  * Fix bug where bold/strong text was converted to upper-case on html-to-text conversion (6758)
  * Fix bug in rcube_utils::parse_hosts() where %t, %d, %z could return only tld (#6746)
  * Fix bug where Next/Prev button in mail view didn't work with multi-folder search result (#6793)
  * Fix bug where selection of columns on messages list wasn't working
  * Fix bug in converting multi-page Tiff images to Jpeg (#6824)
  * Fix bug where handling multiple messages from multi-folder search result could not work (#6845)
  * Fix bug where unread count wasn't updated after moving multi-folder result (#6846)
  * Fix wrong messages order after returning to a multi-folder search result (#6836)
  * Fix some PHP 7.4 compat. issues (#6884, #6866)
  * Fix bug where it was possible to bypass the position:fixed CSS check in received messages (#6898)
  * Fix bug where some strict remote URIs in url() style were unintentionally blocked (#6899)
  * Fix bug where it was possible to bypass the CSS jail in HTML messages using :root pseudo-class (#6897)
  * Fix bug where it was possible to bypass href URI check with data:application/xhtml+xml URIs (#6896)
  * Changed 'password_charset' default to 'UTF-8' (#6522)
  * Add skins_allowed option (#6483)
  * SMTP GSSAPI support via krb_authentication plugin (#6417)
  * Avoid Referer leaking by using Referrer-Policy:same-origin header (#6385)
  * Removed 'referer_check' option (#6440)
  * Use constant prefix for temp file names, don't remove temp files from other apps (#6511)
  * Ignore 'Sender' header on Reply-All action (#6506)
  * deluser.sh: Add option to delete users who have not logged in for more than X days (#6340)
  * HTML5 Upload Progress - as a replacement for the old server-side solution (#6177)
  * Prevent from using deprecated timezone names from jsTimezoneDetect
  * Force session.gc_probability=1 when using custom session handlers (#6560)
  * Support simple field labels (e.g.
    LetterHub examples) in csv imports (#6541)
  * Add cache busters also to images used by templates (#6610)
  * Plugin API: Added 'raise_error' hook (#6199)
  * Plugin API: Added 'common_headers' hook (#6385)
  * Plugin API: Added 'ldap_connected' hook
  * Enigma: Update to OpenPGPjs 4.2.1 - fixes user name encoding issues in key generation (#6524)
  * Enigma: Fixed multi-host synchronization of private and deleted keys and pubring.kbx file
  * Managesieve: Added support for 'editheader' extension - RFC5293 (#5954)
  * Managesieve: Fix bug where custom header or variable could be lost on form submission (#6594)
  * Markasjunk: Integrate markasjunk2 features into markasjunk - marking as non-junk + learning engine (#6504)
  * Password: Added 'modoboa' driver (#6361)
  * Password: Fix bug where password_dovecotpw_with_method setting could be ignored (#6436)
  * Password: Fix bug where new users could skip forced password change (#6434)
  * Password: Allow drivers to override default password comparisons (eg new is not same as current) (#6473)
  * Password: Allow drivers to override default strength checks (eg allow for 'not the same as last x passwords') (#246)
  * Password: Allow drivers to define password strength rules displayed to the user
  * Password: Allow separate password saving and strength drivers for use of strength checking services (#5040)
  * Password: Add zxcvbn driver for checking password strength (#6479)
  * Password: Disallow control characters in passwords
  * Password: Add support for Plesk >= 17.8 (#6526)
  * Elastic: Improved datepicker displayed always in parent window
  * Elastic: On touch devices display attachment icons on messages list (#6296)
  * Elastic: Make menu button inactive if all subactions are inactive (#6444)
  * Elastic: On mobile/tablet jump to the list on folder selection (#6415)
  * Elastic: Various improvements on mail compose screen (#6413)
  * Elastic: Support new-line char as a separator for pasted recipients (#6460)
  * Elastic: Improved UX of search dialogs (#6416)
  * Elastic: Fix unwanted thread expanding when selecting a collapsed thread in non-mobile mode (#6445)
  * Elastic: Fix too small height of mailvelope mail preview frame (#6600)
  * Elastic: Add "status bar" for mobile in mail composer
  * Elastic: Add selection options on contacts list (#6595)
  * Elastic: Fix unintentional layout preference overwrite (#6613)
  * Elastic: Fix bug where Enigma options in mail compose could sometimes be ignored (#6515)
  * Log errors caused by low pcre.backtrack_limit when sending a mail message (#6433)
  * Fix regression where drafts were not deleted after sending the message (#6756)
  * Fix so max_message_size limit is checked also when forwarding messages as attachments (#6580)
  * Fix so performance stats are logged to the main console log also when per_user_logging=true
  * Fix malformed message saved into Sent folder when using big attachments and low memory limit (#6498)
  * Fix incorrect IMAP SASL GSSAPI negotiation (#6308)
  * Fix so unicode in local part of the email address is also supported in recipient inputs (#6490)
  * Fix bug where autocomplete list could be displayed out of screen (#6469)
  * Fix style/navigation on error page depending on authentication state (#6362)
  * Fix so invalid smtp_helo_host is never used, fallback to localhost (#6408)
  * Fix custom logo size in Elastic (#6424)
  * Fix listing the same attachment multiple times on forwarded messages
  * Fix bug where a message/rfc822 part without a filename wasn't listed on the attachments list (#6494)
  * Fix inconsistent offset for various time zones - always display Standard Time offset (#6531)
  * Fix dummy Message-Id when resuming a draft without Message-Id header (#6548)
  * Fix handling of empty entries in vCard import (#6564)
  * Fix bug in parsing some IMAP command responses that include unsolicited replies (#6577)
  * Fix PHP 7.2 compatibility in debug_logger plugin (#6586)
  * Fix so ANY record is not used for email domain validation, use A, MX, CNAME, AAAA instead (#6581)
  * Fix so
    mime_content_type check in Installer uses files that should always be available (i.e. from program/resources) (#6599)
  * Fix missing CSRF token on a link to download too-big message part (#6621)
  * Fix bug when aborting dragging with ESC key didn't stop the move action (#6623)
  * Improved Mailvelope integration
  * * Added private key listing and generating to identity settings
  * * Enable encrypt & sign option if Mailvelope supports it
  * Allow contacts without an email address (#5079)
  * Support SMTPUTF8 and relax email address validation to support unicode in local part (#5120)
  * Support for IMAP folders that cannot contain both folders and messages (#5057)
  * Remove sample PHP configuration from .htaccess and .user.ini files (#5850)
  * Extend skin_logo setting to allow per skin logos (#6272)
  * Use Masterminds/HTML5 parser for better HTML5 support (#5761)
  * Add More actions button in Contacts toolbar with Copy/Move actions (#6081)
  * Display an error when clicking disabled link to register protocol handler (#6079)
  * Add option trusted_host_patterns (#6009, #5752)
  * Support additional connect parameters in PostgreSQL database wrapper
  * Use UI dialogs instead of confirm() and alert() where possible
  * Display value of the SMTP message size limit in the error message (#6032)
  * Show message flagged status in message view (#5080)
  * Skip redundant INSERT query on successful logon when using PHP7
  * Replace display_version with display_product_version (#5904)
  * Extend disabled_actions config so it accepts also button names (#5903)
  * Handle remote stylesheets the same as remote images, ask the user to allow them (#5994)
  * Add Message-ID to the sendmail log (#5871)
  * Add option to hide folders in share/other-user namespace or outside of the personal namespace root (#5073)
  * Archive: Fix archiving by sender address on cyrus-imap
  * Archive: Style Archive folder also on folder selector and folder manager lists
  * Archive: Add Thunderbird compatible Month option (#5623)
  * Archive: Create archive folder automatically if it's configured, but does not exist (#6076)
  * Enigma: Add button to send mail unencrypted if no key was found (#5913)
  * Enigma: Add options to set PGP cipher/digest algorithms (#5645)
  * Enigma: Multi-host support
  * Managesieve: Add ability to disable filter sets and other actions (#5496, #5898)
  * Managesieve: Add option managesieve_forward to enable settings dialog for simple forwarding (#6021)
  * Managesieve: Support filter action with custom IMAP flags (#6011)
  * Managesieve: Support 'mime' extension tests - RFC5703 (#5832)
  * Managesieve: Support GSSAPI authentication with krb_authentication plugin (#5779)
  * Managesieve: Support enabling the plugin for specified hosts only (#6292)
  * Password: Support host variables in password_db_dsn option (#5955)
  * Password: Automatic virtualmin domain setting, removed password_virtualmin_format option (#5759)
  * Password: Added password_username_format option (#5766)
  * subscriptions_option: show \Noselect folders greyed out (#5621)
  * zipdownload: Added option to define size limit for multiple messages download (#5696)
  * vcard_attachments: Add possibility to send contact vCard from Contacts toolbar (#6080)
  * Changed defaults for smtp_user (%u), smtp_pass (%p) and smtp_port (587)
  * Composer: Fix certificate validation errors by using packagist only (#5148)
  * Add --get and --extract arguments and CACHEDIR env-variable support to install-jsdeps.sh (#5882)
  * Support _filter and _scope as GET arguments for opening mail UI (#5825)
  * Various improvements for templating engine and skin behaviours
  * * Support conditional include
  * * Support for 'link' objects
  * * Support including files with path relative to templates directory
  * * Use instead of for submit button on logon screen
  * Support skin localization (#5853)
  * Reset onerror on images if placeholder does not exist to prevent from requests storm
  * Unified and simplified code for loading content frame for responses and identities
  * Display contact import and advanced search in popup dialogs
  * Display a dialog for mail import with supported format description and upload size hint
  * Make possible to set (some) config options from a skin
  * Added optional checkbox selection for the list widget
  * Make 'compose' command always enabled
  * Add .log suffix to all log file names, add option log_file_ext to control this (#313)
  * Return "401 Unauthorized" status when login fails (#5663)
  * Support both comma and semicolon as recipient separator, drop recipients_separator option (#5092)
  * Plugin API: Added 'show_bytes' hook (#5001)
  * Add option to not indent quoted text on top-posting reply (#5105)
  * Removed global $CONFIG variable
  * Removed debug_level setting
  * Support AUTHENTICATE LOGIN for IMAP connections (#5563)
  * Support LDAP GSSAPI authentication (#5703)
  * Localized timezone selector (#4983)
  * Use 7bit encoding for ISO-2022-* charsets in sent mail (#5640)
  * Handle inline images also inside multipart/mixed messages (#5905)
  * Allow style tags in HTML editor on composed/reply messages (#5751)
  * Use Github API as a fallback to fetch js dependencies to workaround throttling issues (#6248)
  * Show confirm dialog when moving folders using drag and drop (#6119)
  * Fix bug where new_user_dialog email check could have been circumvented by deleting / abandoning session (#5929)
  * Fix skin extending for assets (#5115)
  * Fix handling of forwarded messages inside of a TNEF message (#5632)
  * Fix bug where attachment size wasn't visible when the filename was too long (#6033)
  * Fix checking table columns when there's more schemas/databases in postgres/mysql (#6047)
  * Fix css conflicts in user interface and e-mail content (#5891)
  * Fix duplicated signature when using Back button in Chrome (#5809)
  * Fix touch event issue on messages list in IE/Edge (#5781)
  * Fix so links over images are not removed in plain text signatures converted from HTML (#4473)
  * Fix various issues when downloading files with names containing non-ascii chars, use RFC
    2231 (#5772)

-------------------------------------------------------------------
Wed Aug 28 21:57:02 UTC 2019 - Michael Ströder

- Upgrade to version 1.3.10:
  * Managesieve: Fix so "Create filter" option does not show up when Filters menu is disabled (#6723)
  * Enigma: Fix bug where revoked users/keys were not greyed out in key info
  * Enigma: Fix error message when trying to encrypt with a revoked key (#6607)
  * Enigma: Fix "decryption oracle" bug [CVE-2019-10740] (#6638)
  * Fix compatibility with kolab/net_ldap3 > 1.0.7 (#6785)
  * Fix bug where bmp images couldn't be displayed on some systems (#6728)
  * Fix bug in parsing vCard data using PHP 7.3 due to an invalid regexp (#6744)
  * Fix bug where bold/strong text was converted to upper-case on html-to-text conversion (#6758)
  * Fix bug in rcube_utils::parse_hosts() where %t, %d, %z could return only tld (#6746)
  * Fix bug where Next/Prev button in mail view didn't work with multi-folder search result (#6793)
  * Fix bug where selection of columns on messages list wasn't working
  * Fix bug in converting multi-page Tiff images to Jpeg (#6824)
  * Fix wrong messages order after returning to a multi-folder search result (#6836)
  * Fix PHP 7.4 deprecation: implode() wrong parameter order (#6866)
  * Fix bug where it was possible to bypass the position:fixed CSS check in received messages (#6898)
  * Fix bug where some strict remote URIs in url() style were unintentionally blocked (#6899)
  * Fix bug where it was possible to bypass the CSS jail in HTML messages using :root pseudo-class (#6897)
  * Fix bug where it was possible to bypass href URI check with data:application/xhtml+xml URIs (#6896)

-------------------------------------------------------------------
Sun Mar 31 17:58:42 UTC 2019 - Michael Ströder

- Upgrade to version 1.3.9:
  * Fix TinyMCE download location(s) (#6694)
  * Fix bug where a message/rfc822 part without a filename wasn't listed on the attachments list (#6494)
  * Fix handling of empty entries in vCard import (#6564)
  * Fix bug
    in parsing some IMAP command responses that include unsolicited replies (#6577)
  * Fix PHP 7.2 compatibility in debug_logger plugin (#6586)
  * Fix so ANY record is not used for email domain validation, use A, MX, CNAME, AAAA instead (#6581)
  * Fix so mime_content_type check in Installer uses files that should always be available (i.e. from program/resources) (#6599)
  * Fix missing CSRF token on a link to download too-big message part (#6621)
  * Fix bug when aborting dragging with ESC key didn't stop the move action (#6623)
  * Fix bug where next row wasn't selected after deleting a collapsed thread (#6655)

-------------------------------------------------------------------
Fri Oct 26 14:19:46 UTC 2018 - lars@linux-schulserver.de - 1.3.8

- Upgrade to version 1.3.8:
  * Fix PHP warnings on dummy QUOTA responses in Courier-IMAP 4.17.1 (#6374)
  * Fix so fallback from BINARY to BODY FETCH is used also on [PARSE] errors in dovecot 2.3 (#6383)
  * Enigma: Fix deleting keys with authentication subkeys (#6381)
  * Fix invalid regular expressions that throw warnings on PHP 7.3 (#6398)
  * Fix so Classic skin splitter does not escape out of window (#6397)
  * Fix XSS issue in handling invalid style tag content (#6410)
  * Fix compatibility with MySQL 8 - error on 'system' table use
  * Managesieve: Fix bug where show_real_foldernames setting wasn't respected (#6422)
  * New_user_identity: Fix %fu/%u vars substitution in user specific LDAP params (#6419)
  * Fix support for "allow-from " in x_frame_options config option (#6449)
  * Fix bug where valid content between HTML comments could have been skipped in some cases (#6464)
  * Fix multiple VCard field search (#6466)
  * Fix session issue on long running requests (#6470)
- add files with .log entry to logrotate config
- enhance apache configuration by:
  + disable mbstring function overload (http://bugs.php.net/bug.php?id=30766)
  + do not allow to see README*, INSTALL, LICENSE or CHANGELOG files
  + set additional headers:
    ++ Content-Security-Policy: ask
       browsers to not set the referrer
    ++ Cache-Control: ask not to cache the content
    ++ Strict-Transport-Security: set HSTS rules for SSL traffic
    ++ X-XSS-Protection: configure built in reflective XSS protection
- adjust README.openSUSE:
  + db.inc.php is not used any longer
  + flush privileges after creating/changing users in mysql
- use %%license macro on newer distributions

-------------------------------------------------------------------
Sat Aug 4 20:59:18 UTC 2018 - michael@stroeder.com

- upstream fixed broken tar.gz archive keeping same version 1.3.7

-------------------------------------------------------------------
Sat Jul 28 12:21:12 UTC 2018 - michael@stroeder.com

- Upgrade to version 1.3.7
  * Fix PHP Warning: Use of undefined constant IDNA_DEFAULT on systems without php-intl (#6244)
  * Fix bug where some parts of quota information could have been ignored (#6280)
  * Fix bug where some escape sequences in html styles could bypass security checks
  * Fix bug where some forbidden characters on Cyrus-IMAP were not prevented from use in folder names
  * Fix bug where only attachments with the same name would be ignored on zip download (#6301)
  * Fix bug where unicode contact names could have been broken/emptied or caused DB errors (#6299)
  * Fix bug where after "mark all folders as read" action message counters were not reset (#6307)
  * Enigma: [EFAIL] Don't decrypt PGP messages with no MDC protection (#6289)
  * Fix bug where some HTML comments could have been malformed by HTML parser (#6333)

-------------------------------------------------------------------
Fri Apr 13 06:40:00 UTC 2018 - kbabioch@suse.com

- Upgrade to version 1.3.6
  * Fix parsing date strings (e.g.
    from a Date: mail header) with comments
  * Fix PHP 7.2: count(): Parameter must be an array in enchant-based spellchecker
  * Fix possible IMAP command injection and type juggling vulnerabilities
  * Enigma: Fix key selection for signing
  * Enigma: Enable keypair generation on Internet Explorer 11
  * Fix check_request() bypass in places using get_uids() (CVE-2018-9846 boo#1067574)
  * Fix bug where usernames without domain part could be malformed or converted to lower-case on logon

-------------------------------------------------------------------
Fri Mar 16 08:57:47 UTC 2018 - joop.boonen@opensuse.org

- Upgrade to version 1.3.5
  * Added new skin with mobile support - the Elastic
  * Support Redis cache
  * Improved Mailvelope integration
    - Added private key listing and generating to identity settings
    - Enable encrypt & sign option if Mailvelope supports it
  * Update to jQuery-3.3.1
  * vcard_attachments: Add possibility to send contact vCard from Contacts toolbar (#6080)
  * Add More actions button in Contacts toolbar with Copy/Move actions (#6081)
  * Display an error when clicking disabled link to register protocol handler (#6079)
  * Add option trusted_host_patterns (#6009, #5752)
  * Support SMTPUTF8 and relax email address validation to support unicode in local part (#5120)
  * Support additional connect parameters in PostgreSQL database wrapper
  * Use UI dialogs instead of confirm() and alert() where possible
  * Display value of the SMTP message size limit in the error message (#6032)
  * Skip redundant INSERT query on successful logon when using PHP7
  * Replace display_version with display_product_version (#5904)
  * Extend disabled_actions config so it accepts also button names (#5903)
  * Handle remote stylesheets the same as remote images, ask the user to allow them (#5994)
  * Add Message-ID to the sendmail log (#5871)
  * Managesieve: Add ability to disable filter sets and other actions (#5496, #5898)
  * Managesieve: Add option managesieve_forward to enable settings dialog for simple
    forwarding (#6021)
  * Managesieve: Support filter action with custom IMAP flags (#6011)
  * Managesieve: Support 'mime' extension tests - RFC5703 (#5832)
  * Managesieve: Support GSSAPI authentication with krb_authentication plugin (#5779)
  * Changed defaults for smtp_user (%u), smtp_pass (%p) and smtp_port (587)
  * Composer: Fix certificate validation errors by using packagist only (#5148)
  * Enigma: Add button to send mail unencrypted if no key was found (#5913)
  * Enigma: Add options to set PGP cipher/digest algorithms (#5645)
  * Enigma: Multi-host support
  * Add --get and --extract arguments and CACHEDIR env-variable support to install-jsdeps.sh (#5882)
  * Update to jquery-minicolors 2.2.6
  * Support _filter and _scope as GET arguments for opening mail UI (#5825)
  * Support for IMAP folders that cannot contain both folders and messages (#5057)
  * Added .user.ini file for php-fpm (#5846)
  * Email Resent (Bounce) feature (#4985)
  * Various improvements for templating engine and skin behaviours
    - Support conditional include
    - Support for 'link' objects
    - Support including files with path relative to templates directory
    - Use