Your message dated Sat, 07 Oct 2023 12:41:28 +0100 with message-id <84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk> and subject line Closing opu requests for updates included in 11.8 has caused the Debian Bug report #1052611, regarding bullseye-pu: package roundcube/1.4.14+dfsg.1-1~deb11u1 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
1052611: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1052611
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: roundc...@packages.debian.org
Control: affects -1 + src:roundcube

[ Reason ]
roundcube 1.4.13+dfsg.1-1~deb11u1 is vulnerable to CVE-2023-43770: cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages. The Security Team decided not to issue a DSA for that CVE, but it's now fixed in buster-security (1.3.17+dfsg.1-1~deb10u3) as well as testing/sid (1.6.3+dfsg-1), so it makes sense to fix it via (o)s-pu too.

[ Impact ]
Roundcube users will remain vulnerable to the XSS issue. For users upgrading from buster-security to bullseye, that would be a security regression.

[ Tests ]
The XSS fix is covered by automated tests (phpunit) at build time, and I also manually tested the fix.

[ Risks ]
I believe the regression risk is very low, given the diff is fairly simple, and this is not a backport but an official upstream release from the LTS branch.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in oldstable
[x] the issue is verified as fixed in unstable

[ Changes ]
* New security/bugfix upstream release:
  + Fix CVE-2023-43770: cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages. (Closes: #1052059)
  + Enigma: Fix initial synchronization of private keys.
* d/u/signing-key.asc: Add Alec's key BEE674A019359DC1.
* Refresh d/patches.

[ Other info ]
bullseye(-security) has been following the upstream 1.4 branch, so I propose to upload 1.4.14+dfsg.1-1~deb11u1 rather than cherry-pick the CVE-2023-43770 fix on top of 1.4.13+dfsg.1-1~deb11u1.
--
Guilhem.

diffstat for roundcube-1.4.13+dfsg.1 roundcube-1.4.14+dfsg.1

 CHANGELOG | 8
 composer.json-dist | 5
 debian/changelog | 11
 debian/patches/fix-FTBFS-with-phpunit-8.5.13-1.patch | 4
 debian/patches/fix-FTBFS-with-phpunit-9.5.0-1.patch | 8
 debian/patches/fix-install-path.patch | 4
 debian/patches/hint-at-which-packages-needs-installing-under-PHP8.patch | 2
 debian/patches/update-composer.patch | 9
 debian/patches/update-script.patch | 2
 debian/upstream/signing-key.asc | 199 +++++++---
 index.php | 2
 installer/index.php | 2
 plugins/enigma/lib/enigma_driver_gnupg.php | 7
 program/include/iniset.php | 2
 program/lib/Roundcube/bootstrap.php | 2
 program/lib/Roundcube/rcube_string_replacer.php | 4
 public_html/index.php | 2
 public_html/plugins/enigma/lib/enigma_driver_gnupg.php | 7
 tests/Framework/StringReplacer.php | 12
 tests/Framework/Text2Html.php | 17
 20 files changed, 223 insertions(+), 86 deletions(-)

diff -Nru roundcube-1.4.13+dfsg.1/CHANGELOG roundcube-1.4.14+dfsg.1/CHANGELOG --- roundcube-1.4.13+dfsg.1/CHANGELOG 2021-12-29 23:45:05.000000000 +0100 +++ roundcube-1.4.14+dfsg.1/CHANGELOG 2023-09-16 22:01:19.000000000 +0200 @@ -1,5 +1,9 @@ -CHANGELOG Roundcube Webmail -=========================== +# Changelog Roundcube Webmail + +RELEASE 1.4.14 +-------------- +- Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages +- Enigma: Fix initial synchronization of private keys RELEASE 1.4.13 -------------- diff -Nru roundcube-1.4.13+dfsg.1/composer.json-dist roundcube-1.4.14+dfsg.1/composer.json-dist --- roundcube-1.4.13+dfsg.1/composer.json-dist 2021-12-29 23:45:05.000000000 +0100 +++ roundcube-1.4.14+dfsg.1/composer.json-dist 2023-09-16 22:01:19.000000000 +0200 
@@ -27,5 +27,10 @@ "suggest": { "kolab/net_ldap3": "~1.1.1 required for connecting to LDAP", "mkopinsky/zxcvbn-php": "^4.4.2 required for Zxcvbn password strength driver" + }, + "config": { + "allow-plugins": { + "roundcube/plugin-installer": true + } } } diff -Nru roundcube-1.4.13+dfsg.1/debian/changelog roundcube-1.4.14+dfsg.1/debian/changelog --- roundcube-1.4.13+dfsg.1/debian/changelog 2022-01-06 08:51:41.000000000 +0100 +++ roundcube-1.4.14+dfsg.1/debian/changelog 2023-09-25 11:32:59.000000000 +0200 @@ -1,3 +1,14 @@ +roundcube (1.4.14+dfsg.1-1~deb11u1) bullseye; urgency=high + + * New security/bugfix upstream release: + + Fix CVE-2023-43770: cross-site scripting (XSS) vulnerability in handling + of linkrefs in plain text messages. (Closes: #1052059) + + Enigma: Fix initial synchronization of private keys. + * d/u/signing-key.asc: Add Alec's key BEE674A019359DC1. + * Refresh d/patches. + + -- Guilhem Moulin <guil...@debian.org> Mon, 25 Sep 2023 11:32:59 +0200 + roundcube (1.4.13+dfsg.1-1~deb11u1) bullseye-security; urgency=high * New security upstream release, with fix for CVE-2021-46144: XSS diff -Nru roundcube-1.4.13+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-8.5.13-1.patch roundcube-1.4.14+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-8.5.13-1.patch --- roundcube-1.4.13+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-8.5.13-1.patch 2022-01-06 08:51:41.000000000 +0100 +++ roundcube-1.4.14+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-8.5.13-1.patch 2023-09-25 11:32:59.000000000 +0200 @@ -1335,7 +1335,7 @@ /** diff --git a/tests/Framework/StringReplacer.php b/tests/Framework/StringReplacer.php -index ace8bf6..9d56fe2 100644 +index 16dff6a..756eddd 100644 --- a/tests/Framework/StringReplacer.php +++ b/tests/Framework/StringReplacer.php @@ -5,7 +5,7 @@ @@ -1348,7 +1348,7 @@ /** diff --git a/tests/Framework/Text2Html.php b/tests/Framework/Text2Html.php -index db2dbac..273eeed 100644 +index 1d6ffd2..8f86b86 100644 --- a/tests/Framework/Text2Html.php 
+++ b/tests/Framework/Text2Html.php @@ -5,7 +5,7 @@ diff -Nru roundcube-1.4.13+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-9.5.0-1.patch roundcube-1.4.14+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-9.5.0-1.patch --- roundcube-1.4.13+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-9.5.0-1.patch 2022-01-06 08:51:41.000000000 +0100 +++ roundcube-1.4.14+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-9.5.0-1.patch 2023-09-25 11:32:59.000000000 +0200 @@ -52,19 +52,19 @@ function test_links() diff --git a/tests/Framework/StringReplacer.php b/tests/Framework/StringReplacer.php -index 9d56fe2..d60cbd0 100644 +index 756eddd..32ce877 100644 --- a/tests/Framework/StringReplacer.php +++ b/tests/Framework/StringReplacer.php -@@ -75,8 +75,8 @@ class Framework_StringReplacer extends \PHPUnit\Framework\TestCase +@@ -77,8 +77,8 @@ class Framework_StringReplacer extends \PHPUnit\Framework\TestCase $result = $replacer->replace($input); $result = $replacer->resolve($result); - $this->assertContains('[<a href="http://en.wikipedia.org/wiki/Email">1</a>] to', $result, "Numeric linkref replacements"); - $this->assertContains('[<a href="http://www.link-ref.com">ref0</a>] repl', $result, "Alphanum linkref replacements"); -- $this->assertContains('of [Roundcube].', $result, "Don't touch strings wihtout an index entry"); +- $this->assertContains('of [Roundcube].[ref<0]', $result, "Don't touch strings wihtout an index entry"); + $this->assertStringContainsString('[<a href="http://en.wikipedia.org/wiki/Email">1</a>] to', $result, "Numeric linkref replacements"); + $this->assertStringContainsString('[<a href="http://www.link-ref.com">ref0</a>] repl', $result, "Alphanum linkref replacements"); -+ $this->assertStringContainsString('of [Roundcube].', $result, "Don't touch strings wihtout an index entry"); ++ $this->assertStringContainsString('of [Roundcube].[ref<0]', $result, "Don't touch strings wihtout an index entry"); } } 
diff --git a/tests/Framework/Utils.php b/tests/Framework/Utils.php diff -Nru roundcube-1.4.13+dfsg.1/debian/patches/fix-install-path.patch roundcube-1.4.14+dfsg.1/debian/patches/fix-install-path.patch --- roundcube-1.4.13+dfsg.1/debian/patches/fix-install-path.patch 2022-01-06 08:51:41.000000000 +0100 +++ roundcube-1.4.14+dfsg.1/debian/patches/fix-install-path.patch 2023-09-25 11:32:59.000000000 +0200 @@ -161,10 +161,10 @@ require_once INSTALL_PATH . 'program/include/clisetup.php'; diff --git a/program/include/iniset.php b/program/include/iniset.php -index 1f8bfd7..a26900e 100644 +index d9388db..11142d2 100644 --- a/program/include/iniset.php +++ b/program/include/iniset.php -@@ -28,7 +28,7 @@ define('RCMAIL_VERSION', '1.4.13'); +@@ -28,7 +28,7 @@ define('RCMAIL_VERSION', '1.4.14'); define('RCMAIL_START', microtime(true)); if (!defined('INSTALL_PATH')) { diff -Nru roundcube-1.4.13+dfsg.1/debian/patches/hint-at-which-packages-needs-installing-under-PHP8.patch roundcube-1.4.14+dfsg.1/debian/patches/hint-at-which-packages-needs-installing-under-PHP8.patch --- roundcube-1.4.13+dfsg.1/debian/patches/hint-at-which-packages-needs-installing-under-PHP8.patch 2022-01-06 08:51:41.000000000 +0100 +++ roundcube-1.4.14+dfsg.1/debian/patches/hint-at-which-packages-needs-installing-under-PHP8.patch 2023-09-25 11:32:59.000000000 +0200 @@ -15,7 +15,7 @@ 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/program/include/iniset.php b/program/include/iniset.php -index 3919f74..cb6636b 100644 +index 9c4c773..956750d 100644 --- a/program/include/iniset.php +++ b/program/include/iniset.php @@ -20,7 +20,9 @@ diff -Nru roundcube-1.4.13+dfsg.1/debian/patches/update-composer.patch roundcube-1.4.14+dfsg.1/debian/patches/update-composer.patch --- roundcube-1.4.13+dfsg.1/debian/patches/update-composer.patch 2022-01-06 08:51:41.000000000 +0100 +++ roundcube-1.4.14+dfsg.1/debian/patches/update-composer.patch 2023-09-25 11:32:59.000000000 +0200 
@@ -20,10 +20,10 @@ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/composer.json-dist b/composer.json-dist -index 192551a..2307894 100644 +index 13064ce..a73e69d 100644 --- a/composer.json-dist +++ b/composer.json-dist -@@ -10,22 +10,20 @@ +@@ -10,23 +10,21 @@ ], "require": { "php": ">=5.4.0 <8", @@ -54,5 +54,6 @@ + "kolab/net_ldap3": ">=1.1.1", + "pear-pear.php.net/crypt_gpg": ">=1.6.0", + "mkopinsky/zxcvbn-php": ">=4.4.2 required for Zxcvbn password strength driver" - } - } + }, + "config": { + "allow-plugins": { diff -Nru roundcube-1.4.13+dfsg.1/debian/patches/update-script.patch roundcube-1.4.14+dfsg.1/debian/patches/update-script.patch --- roundcube-1.4.13+dfsg.1/debian/patches/update-script.patch 2022-01-06 08:51:41.000000000 +0100 +++ roundcube-1.4.14+dfsg.1/debian/patches/update-script.patch 2023-09-25 11:32:59.000000000 +0200 @@ -88,7 +88,7 @@ // update composer dependencies diff --git a/program/include/iniset.php b/program/include/iniset.php -index a26900e..3919f74 100644 +index 11142d2..9c4c773 100644 --- a/program/include/iniset.php +++ b/program/include/iniset.php @@ -39,6 +39,10 @@ if (!defined('RCUBE_LOCALIZATION_DIR')) { diff -Nru roundcube-1.4.13+dfsg.1/debian/upstream/signing-key.asc roundcube-1.4.14+dfsg.1/debian/upstream/signing-key.asc --- roundcube-1.4.13+dfsg.1/debian/upstream/signing-key.asc 2022-01-06 08:51:41.000000000 +0100 +++ roundcube-1.4.14+dfsg.1/debian/upstream/signing-key.asc 2023-09-25 11:32:59.000000000 +0200 
@@ -116,62 +116,145 @@ [ASCII-armored OpenPGP key data omitted] -----END PGP PUBLIC KEY BLOCK----- diff -Nru roundcube-1.4.13+dfsg.1/index.php roundcube-1.4.14+dfsg.1/index.php --- roundcube-1.4.13+dfsg.1/index.php 2021-12-29 23:45:05.000000000 +0100 +++ roundcube-1.4.14+dfsg.1/index.php 2023-09-16 22:01:19.000000000 +0200 
@@ -2,7 +2,7 @@ /** +-------------------------------------------------------------------------+ | Roundcube Webmail IMAP Client | - | Version 1.4.13 | + | Version 1.4.14 | | | | Copyright (C) The Roundcube Dev Team | | | diff -Nru roundcube-1.4.13+dfsg.1/installer/index.php roundcube-1.4.14+dfsg.1/installer/index.php --- roundcube-1.4.13+dfsg.1/installer/index.php 2021-12-29 23:45:05.000000000 +0100 +++ roundcube-1.4.14+dfsg.1/installer/index.php 2023-09-16 22:01:19.000000000 +0200 @@ -3,7 +3,7 @@ /** +-------------------------------------------------------------------------+ | Roundcube Webmail setup tool | - | Version 1.4.13 | + | Version 1.4.14 | | | | Copyright (C) The Roundcube Dev Team | | | diff -Nru roundcube-1.4.13+dfsg.1/plugins/enigma/lib/enigma_driver_gnupg.php roundcube-1.4.14+dfsg.1/plugins/enigma/lib/enigma_driver_gnupg.php --- roundcube-1.4.13+dfsg.1/plugins/enigma/lib/enigma_driver_gnupg.php 2021-12-29 23:45:05.000000000 +0100 +++ roundcube-1.4.14+dfsg.1/plugins/enigma/lib/enigma_driver_gnupg.php 2023-09-16 22:01:19.000000000 +0200 @@ -586,6 +586,13 @@ continue; } + // Private keys might be located in 'private-keys-v1.d' subdirectory. Make sure it exists. + if (strpos($file, '/private-keys-v1.d/')) { + if (!file_exists($this->homedir . '/private-keys-v1.d')) { + mkdir($this->homedir . '/private-keys-v1.d', 0700); + } + } + $tmpfile = $file . '.tmp'; if (file_put_contents($tmpfile, $data, LOCK_EX) === strlen($data)) { diff -Nru roundcube-1.4.13+dfsg.1/program/include/iniset.php roundcube-1.4.14+dfsg.1/program/include/iniset.php --- roundcube-1.4.13+dfsg.1/program/include/iniset.php 2021-12-29 23:45:05.000000000 +0100 +++ roundcube-1.4.14+dfsg.1/program/include/iniset.php 2023-09-16 22:01:19.000000000 +0200 
@@ -24,7 +24,7 @@ } // application constants -define('RCMAIL_VERSION', '1.4.13'); +define('RCMAIL_VERSION', '1.4.14'); define('RCMAIL_START', microtime(true)); if (!defined('INSTALL_PATH')) { diff -Nru roundcube-1.4.13+dfsg.1/program/lib/Roundcube/bootstrap.php roundcube-1.4.14+dfsg.1/program/lib/Roundcube/bootstrap.php --- roundcube-1.4.13+dfsg.1/program/lib/Roundcube/bootstrap.php 2021-12-29 23:45:05.000000000 +0100 +++ roundcube-1.4.14+dfsg.1/program/lib/Roundcube/bootstrap.php 2023-09-16 22:01:19.000000000 +0200 @@ -58,7 +58,7 @@ } // framework constants -define('RCUBE_VERSION', '1.4.13'); +define('RCUBE_VERSION', '1.4.14'); define('RCUBE_CHARSET', 'UTF-8'); define('RCUBE_TEMP_FILE_PREFIX', 'RCMTEMP'); diff -Nru roundcube-1.4.13+dfsg.1/program/lib/Roundcube/rcube_string_replacer.php roundcube-1.4.14+dfsg.1/program/lib/Roundcube/rcube_string_replacer.php --- roundcube-1.4.13+dfsg.1/program/lib/Roundcube/rcube_string_replacer.php 2021-12-29 23:45:05.000000000 +0100 +++ roundcube-1.4.14+dfsg.1/program/lib/Roundcube/rcube_string_replacer.php 2023-09-16 22:01:19.000000000 +0200 @@ -59,8 +59,8 @@ $link_prefix = "([\w]+:\/\/|{$this->noword}[Ww][Ww][Ww]\.|^[Ww][Ww][Ww]\.)"; $this->options = $options; - $this->linkref_index = '/\[([^\]#]+)\](:?\s*' . substr($this->pattern, 1, -1) . ')/'; - $this->linkref_pattern = '/\[([^\]#]+)\]/'; + $this->linkref_index = '/\[([^<>\]#]+)\](:?\s*' . substr($this->pattern, 1, -1) . ')/'; + $this->linkref_pattern = '/\[([^<>\]#]+)\]/'; $this->link_pattern = "/$link_prefix($utf_domain([$url1]*[$url2]+)*)/"; $this->mailto_pattern = "/(" . "[-\w!\#\$%&*+~\/^`|{}=]+(?:\.[-\w!\#\$%&*+~\/^`|{}=]+)*" // local-part diff -Nru roundcube-1.4.13+dfsg.1/public_html/index.php roundcube-1.4.14+dfsg.1/public_html/index.php --- roundcube-1.4.13+dfsg.1/public_html/index.php 2021-12-29 23:45:05.000000000 +0100 +++ roundcube-1.4.14+dfsg.1/public_html/index.php 2023-09-16 22:01:19.000000000 +0200 
@@ -3,7 +3,7 @@ /* +-----------------------------------------------------------------------+ | Roundcube Webmail IMAP Client | - | Version 1.4.13 | + | Version 1.4.14 | | | | Copyright (C) The Roundcube Dev Team | | | diff -Nru roundcube-1.4.13+dfsg.1/public_html/plugins/enigma/lib/enigma_driver_gnupg.php roundcube-1.4.14+dfsg.1/public_html/plugins/enigma/lib/enigma_driver_gnupg.php --- roundcube-1.4.13+dfsg.1/public_html/plugins/enigma/lib/enigma_driver_gnupg.php 2021-12-29 23:45:05.000000000 +0100 +++ roundcube-1.4.14+dfsg.1/public_html/plugins/enigma/lib/enigma_driver_gnupg.php 2023-09-16 22:01:19.000000000 +0200 @@ -586,6 +586,13 @@ continue; } + // Private keys might be located in 'private-keys-v1.d' subdirectory. Make sure it exists. + if (strpos($file, '/private-keys-v1.d/')) { + if (!file_exists($this->homedir . '/private-keys-v1.d')) { + mkdir($this->homedir . '/private-keys-v1.d', 0700); + } + } + $tmpfile = $file . '.tmp'; if (file_put_contents($tmpfile, $data, LOCK_EX) === strlen($data)) { diff -Nru roundcube-1.4.13+dfsg.1/tests/Framework/StringReplacer.php roundcube-1.4.14+dfsg.1/tests/Framework/StringReplacer.php --- roundcube-1.4.13+dfsg.1/tests/Framework/StringReplacer.php 2021-12-29 23:45:05.000000000 +0100 +++ roundcube-1.4.14+dfsg.1/tests/Framework/StringReplacer.php 2023-09-16 22:01:19.000000000 +0200 @@ -64,12 +64,14 @@ $this->assertEquals($output, $result); } + /** + * Test link references + */ function test_linkrefs() { - $input = "This is a sample message [1] to test the new linkref [ref0] replacement feature of [Roundcube].\n"; - $input.= "\n"; - $input.= "[1] http://en.wikipedia.org/wiki/Email\n"; - $input.= "[ref0] www.link-ref.com\n"; + $input = "This is a sample message [1] to test the linkref [ref0] replacement feature of [Roundcube].[ref<0]\n" + . "[1] http://en.wikipedia.org/wiki/Email\n" + . "[ref0] www.link-ref.com\n"; $replacer = new rcube_string_replacer; $result = $replacer->replace($input); 
@@ -77,6 +79,6 @@ $this->assertContains('[<a href="http://en.wikipedia.org/wiki/Email">1</a>] to', $result, "Numeric linkref replacements"); $this->assertContains('[<a href="http://www.link-ref.com">ref0</a>] repl', $result, "Alphanum linkref replacements"); - $this->assertContains('of [Roundcube].', $result, "Don't touch strings wihtout an index entry"); + $this->assertContains('of [Roundcube].[ref<0]', $result, "Don't touch strings wihtout an index entry"); } } diff -Nru roundcube-1.4.13+dfsg.1/tests/Framework/Text2Html.php roundcube-1.4.14+dfsg.1/tests/Framework/Text2Html.php --- roundcube-1.4.13+dfsg.1/tests/Framework/Text2Html.php 2021-12-29 23:45:05.000000000 +0100 +++ roundcube-1.4.14+dfsg.1/tests/Framework/Text2Html.php 2023-09-16 22:01:19.000000000 +0200 @@ -137,4 +137,21 @@ $this->assertEquals($expected, $html); } + + /** + * Test XSS issue + */ + function test_text2html_xss2() + { + $input = "\n[<script>evil</script>] https://google.com\n"; + $t2h = new rcube_text2html($input); + + $html = $t2h->get_html(); + + $expected = "<div class=\"pre\"><br>\n[<script>evil</script>] " + . "<a rel=\"noreferrer\" target=\"_blank\" href=\"https://google.com\">https://google.com</a><br>\n" + . "</div>"; + + $this->assertEquals($expected, $html); + } }
--- End Message ---
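Review bot: the "config" / "allow-plugins" block added to composer.json-dist (hunk @@ -27,5 +27,10 @@) is not documented anywhere in this diff. The upstream CHANGELOG hunk and the new debian/changelog entry both list only the XSS fix and the Enigma key synchronization fix. allow-plugins controls which Composer plugins may run code during dependency installation, so the d/changelog entry should say where the "roundcube/plugin-installer": true line comes from and why it is needed in this release.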
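Review bot: d/changelog describes the debian/upstream/signing-key.asc change only as "Add Alec's key BEE674A019359DC1", but the hunk header (@@ -116,62 +116,145 @@) and the removed lines show that the armored data already in the file was rewritten as well, not just appended to. The changelog entry should state whether the previously shipped key changed (for example new user IDs or signatures) or was only re-exported, so a reviewer can confirm that the set of keys trusted for upstream tarball verification grew by exactly one.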
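Review bot: in the plugins/enigma/lib/enigma_driver_gnupg.php hunk (@@ -586,6 +586,13 @@), the condition if (strpos($file, '/private-keys-v1.d/')) tests the return value for truthiness, so a match at offset 0 is treated the same as no match. Comparing with !== false states the intent. The return value of mkdir(..., 0700) is also ignored, so a failure to create the directory only surfaces at the later file_put_contents($tmpfile, ...) call; checking it here and logging the error would make the cause visible. The identical hunk under public_html/plugins/ needs the same change.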
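Review bot: in the program/lib/Roundcube/rcube_string_replacer.php hunk (@@ -59,8 +59,8 @@), the character class [^<>\]#] is now repeated in both linkref_index and linkref_pattern, with no comment explaining why < and > are excluded. The two patterns have to stay in step, because a name accepted by one and rejected by the other would leave index entries and references out of sync. Build both from a single variable holding the class, and add a comment that the exclusion keeps markup characters out of linkref names as part of the XSS fix in this release.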
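Review bot: in the tests/Framework/StringReplacer.php hunk (@@ -64,12 +64,14 @@), the new negative case in test_linkrefs() covers only a name containing < ("[ref<0]"), while the pattern change excludes both < and >. Add a case with > alone, for example "[ref>0]", and assert that it is left untouched, so that a later edit dropping one of the two characters from the class fails the test.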
--- Begin Message ---
Package: release.debian.org
Version: 11.8

Hi,

The updates referred to by each of these requests were included in today's 11.8 bullseye point release.

Regards,

Adam
--- End Message ---