Hello community,

here is the log from the commit of package roundcubemail.5987 for openSUSE:13.2:Update checked in at 2016-12-07 11:25:43

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.2:Update/roundcubemail.5987 (Old)
 and      /work/SRC/openSUSE:13.2:Update/.roundcubemail.5987.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "roundcubemail.5987"

Changes:
--------
New Changes file:

--- /dev/null	2016-10-27 01:54:32.792041256 +0200
+++ /work/SRC/openSUSE:13.2:Update/.roundcubemail.5987.new/roundcubemail.changes	2016-12-07 11:25:45.000000000 +0100
@@ -0,0 +1,806 @@ +------------------------------------------------------------------- +Tue Nov 29 11:42:02 UTC 2016 - a...@ajaissle.de + +- Add roundcubemail-1.0.9-001-acf633c-boo_982003.patch [boo#982003] [CVE-2016-5103] + - Fix XSS issue in href attribute on area tag + +- Add roundcubemail-1.0.9-002-7b37ef8-empty_text_1.patch + - Avoid sending completely empty text parts for multipart/alternative messages + +- Add roundcubemail-1.0.9-003-f1ca20d-empty_text_2.patch + - Don't create multipart/alternative messages with empty text/plain part + +- Add roundcubemail-1.0.9-004-1e275ac-boo_1001856.patch [boo#1001856] + - Wash position:fixed style in HTML mail for better security + +- Add roundcubemail-1.0.9-005-dc0c606-changelog.patch + - Update changelog + +- Add roundcubemail-1.0.9-006-5d2aaa6-_from_argument.patch + - Fix _from argument validation + +- Add roundcubemail-1.0.9-007-a54dde8-boo_1012493.patch [boo#1012493] + - Fix vulnerability in handling of mail()'s 5th argument + +------------------------------------------------------------------- +Thu Aug 11 16:15:09 UTC 2016 - a...@ajaissle.de + +- Update to 1.0.9 + - Fix a regression where some contact data was missing in export and PHP warnings were logged (Kolab #4522) + - Enable use of TLSv1.1 and TLSv1.2 for IMAP (#4955) + - Fix XSS issue in SVG images handling (#4949) [CVE-2015-8864] [boo#976988] + - Fix (again) security issue in DBMail driver of password plugin [CVE-2015-2181] (#4958) + - Fix bug where Archive/Junk buttons were not active after page jump with select=all mode (#4961) + - Fix bug in long recipients list parsing for cases where recipient name contained @-char (#4964) + - Fix additional_message_headers plugin compatibility with Mail_Mime >= 1.9 (#4966) + - Hide DSN option in Preferences when smtp_server is not used (#4967) + +------------------------------------------------------------------- +Fri Jan 15 11:40:56 UTC 2016 - a...@ajaissle.de + +- Update to 1.0.8 + - Add workaround for 
https://bugs.php.net/bug.php?id=70757 (#1490582) + - Fix HTML sanitizer to skip <!-- node type X --> in output (#1490583) + - Fix charset encoding of message/rfc822 part bodies (#1490606) + - Fix handling of message/rfc822 attachments on replies and forwards (#1490607) + - Fix PDF support detection in Firefox > 19 (#1490610) + - Fix path traversal vulnerability (CWE-22) in setting a skin (#1490620) [CVE-2015-8770] [bnc#962067] + - Fix so drag-n-drop of text (e.g. recipient addresses) on compose page actually works (#1490619) + - Fix .htaccess rewrite rules to not block .well-known URIs (#1490615) +- Updated apache2 config + +------------------------------------------------------------------- +Fri Oct 23 11:55:15 UTC 2015 - a...@ajaissle.de + +- Changed roundcubemail-httpd.conf +- Enable mod_version.c per default [boo#938840] + +------------------------------------------------------------------- +Tue Sep 15 10:28:33 UTC 2015 - a...@ajaissle.de + +- Update to 1.0.7 + Get rid of Mail_mimeDecode package dependency (#1490416) + Fix compatibility with Net_SMTP > 1.6.3 and Mail_Mime >= 1.9.0 + Fix SQL error on logout when using session_storage=php (#1490421) + Fix so plain text signature field uses monospace font (#1490435) + Fix draft removal after a message is sent and storing sent message is disabled (#1490467) + Fix handling of plus character in mailto: links (#1490510) + Fix so adding CC/BCC recipients from the sidebar unhides compose form fields in Classic skin (#1490472) + Fix so gc.sh script removes also expired sessions from sql database (#1490512) + Fix support for Mozilla-based browsers, e.g. 
Pale Moon (#1490517) + Fix various issues with Turkish (and similar) locales (#1490519) + Fix so In-Reply-To header is set also for MDN receipts (#1490523) + Fix XSS issue in drag-n-drop file uploads (#1490530) + Fix issue where Content-Length of some attachments could be set to wrong value causing browser errors (#1490482) + +------------------------------------------------------------------- +Sat Jun 6 18:35:27 UTC 2015 - a...@ajaissle.de + +- Update to 1.0.6 + Make SMTP error log more verbose - include server response and error code + Fix rows count when messages search fails (#1490266) + Fix security issue in DBMail driver of password plugin (#1490261) + Fix handling of some improper constructs in format=flowed text as per the RFC3676[4.5] (#1490284) + Fix missing or not up-to-date CATEGORIES entry in vCard export (#1490277) + Fix duplicate entry on timezones list in rcube_config::timezone_name_from_abbr() (#1490293) + Fix handling of %-encoded entities in mailto: URLs (#1490346) + Fix bug where messages count was not updated after message move/delete with skip_deleted=false (#1490372) + Fix security issue in contact photo handling (#1490379) + Fix bug where database_attachments_cache setting was not working + Fix attached file path unsetting in database_attachments plugin (#1490393) + Fix issues when using moduserprefs.sh without --user argument (#1490399) + +------------------------------------------------------------------- +Sun Feb 1 12:33:22 UTC 2015 - a...@ajaissle.de + +- Update to 1.0.5 (bnc#915789) + Fix bug where some valid text in a message was handled as uuencoded attachment + Fix wrong icon for download button in classic skin + Fix bug where sent message was saved in Sent folder even if disabled by user (#1490208) + Fix checks based on window.ActiveXObject in IE > 10 + Fix XSS issue in style attribute handling (#1490227) (CVE-2015-1433) + Fix bug where Drafts list wasn't updated on draft-save action in new window (#1490225) + Fix so "set as 
default" option is hidden if identities_level > 1 (#1490226) + Fix bug where search was reset after returning from compose visited for reply + Fix javascript error in "IE 8.0/Tablet PC" browser (#1490210) + Fix bug where empty fieldmap config entries caused empty results of ldap search (#1490229) + +------------------------------------------------------------------- +Thu Dec 18 17:28:40 UTC 2014 - a...@ajaissle.de + +- Update to 1.0.4 + Disable TinyMCE contextmenu plugin as there are more cons than pros in using it (#1490118) + Fix bug where show_real_foldernames setting wasn't honored on compose page (#1490153) + Fix issue where Archive folder wasn't protected in Folder Manager (#1490154) + Fix compatibility with PHP 5.2. in rcube_imap_generic (#1490115) + Fix setting flags on servers with no PERMANENTFLAGS response (#1490087) + Fix regression in SHAA password generation in ldap driver of password plugin (#1490094) + Fix displaying of HTML messages with absolutely positioned elements in Larry skin (#1490103) + Fix font style display issue in HTML messages with styled <span> elements (#1490101) + Fix download of attachments that are part of TNEF message (#1490091) + Fix handling of uuencoded messages if messages_cache is enabled (#1490108) + Fix handling of base64-encoded attachments with extra spaces (#1490111) + Fix handling of UNKNOWN-CTE response, try do decode content client-side (#1490046) + Fix bug where creating subfolders in shared folders wasn't possible without ACL extension (#1490113) + Fix reply scrolling issue with text mode and start message below the quote (#1490114) + Fix possible issues in skin/skin_path config handling (#1490125) + Fix lack of delimiter for recipient addresses in smtp_log (#1490150) + Fix generation of Blowfish-based password hashes (#1490184) + Fix bugs where CSRF attacks were still possible on some requests + +------------------------------------------------------------------- +Sat Nov 08 20:02:00 UTC 2014 - Led 
<led...@gmail.com> + +- fix bashisms in post scripts + +------------------------------------------------------------------- +Mon Sep 29 17:23:39 UTC 2014 - a...@ajaissle.de + +- Update to 1.0.3 + Fix insert-signature command in external compose window if opened from inline compose screen (#1490074) + Initialize HTML editor before restoring a message from localStorage (#1490016) + Add 'sig_max_lines' config option to default config file (#1490071) + Add option to specify IMAP connection socket parameters - imap_conn_options (#1489948) + Add option to set default message list mode - default_list_mode (#1487312) + Enable contextmenu plugin for TinyMCE editor (#1487014) + Fix some mime-type to extension mapping checks in Installer (#1489983) + Fix errors when using localStorage in Safari's private browsing mode (#1489996) + Fix bug where $Forwarded flag was being set even if server didn't support it (#1490000) + Fix various iCloud vCard issues, added fallback for external photos (#1489993) + Fix invalid Content-Type header when send_format_flowed=false (#1489992) + Fix errors when adding/updating contacts in active search (#1490015) + Fix incorrect thumbnail rotation with GD and exif orientation data (#1490029) + Fix contacts list update after adding/deleting/moving a contact (#1490028, #1490033) + Fix handling of email addresses with quoted domain part (#1490040) + Fix comm_path update on task switch (#1490041) + Fix error in MSSQL update script 2013061000.sql (#1490061) + Fix validation of email addresses with IDNA domains (#1490067) + +------------------------------------------------------------------- +Sun Jul 20 23:14:51 UTC 2014 - a...@ajaissle.de + +- Update to 1.0.2 + * Fix storing unsaved drafts in localStorage (#1489818) + * Fix redundant horizontal scrollbar in HTML editor (#1489950) + * Fix PHP error in Preferences when default_folders was in dont_override (#1489940) + * Add configurable LDAP_OPT_DEREF option (#1489864) + * Fix unintentional draft autosave 
request if autosave is disabled (#1489882) + * Fix malformed References: header in send/saved mail (#1489891) + * Fix handling unicode characters in links (#1489898) + * Fix incorrect handling of HTML comments in messages sanitization code (#1489904) + * Fix so current page is reset on list-mode change (#1489907) + * Fix so responses menu hides on click in classic skin (#1489915) + * Fix unintentional line-height style modification in HTML messages (#1489917) + * Fix broken normalize_string(), add support for ISO-8859-2 (#1489918) + * Support csv contacts import in German localization (#1489920) + * Fix so message list and counters are updated when a message is opened in new window (#1489919) + * Fix malformed recipient name when composing a message by clicking on mailto link (#1489942) + * Fix list reload after sending message in another window (#1489931) + * Fix so address format errors are ignored when saving a draft (#1489954) + * Fix incorrect label translation in return receipt (#1489963) + * Fix security issue in delete-response action - allow only ajax request + * Fix Delete button state after deleting identity/response (#1489972) + * Fix bug where contacts with no email address were listed on compose addressbook (#1489970) + * Fix images import from various vCard formats (#1489977) + * Fix sorting messages by size on servers without SORT capability (#1489981) + +------------------------------------------------------------------- +Mon Jun 23 20:26:06 UTC 2014 - jam...@vicidial.com + +- Modify roundcubemail-httpd.conf for OpenSuSE v.13.1 apache2 + o Apache2 on OpenSuSE v.13.1 has the mod_access_compat.c module + statically compiled into the Apache2 core. This means it can't + be unloaded and the older pre-2.4 access directives must be + used. Since it is not advised to mix pre and post 2.4 access + methods the file had to be modified to look for this static + module and load pre-2.4 directives if found on Apache 2.4. 
It + should be forward compatible if the mod_access_compat.c module
++++ 609 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:13.2:Update/.roundcubemail.5987.new/roundcubemail.changes

New:
----
  README.openSUSE
  roundcubemail-0.9.1_config-dir.patch
  roundcubemail-1.0.9-001-acf633c-boo_982003.patch
  roundcubemail-1.0.9-002-7b37ef8-empty_text_1.patch
  roundcubemail-1.0.9-003-f1ca20d-empty_text_2.patch
  roundcubemail-1.0.9-004-1e275ac-boo_1001856.patch
  roundcubemail-1.0.9-005-dc0c606-changelog.patch
  roundcubemail-1.0.9-006-5d2aaa6-_from_argument.patch
  roundcubemail-1.0.9-007-a54dde8-boo_1012493.patch
  roundcubemail-1.0.9.tar.gz
  roundcubemail-httpd.conf
  roundcubemail-rpmlintrc
  roundcubemail.changes
  roundcubemail.logrotate
  roundcubemail.spec

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ roundcubemail.spec ++++++
#
# spec file for package roundcubemail
#
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


Name:           roundcubemail
Version:        1.0.9
Release:        0
Summary:        A modern browser-based multilingual IMAP client
License:        GPL-3.0+ and GPL-2.0 and BSD-3-Clause
Group:          Productivity/Networking/Email/Clients
Url:            http://www.roundcube.net/
Source0:        %{name}-%{version}.tar.gz
Source1:        %{name}-rpmlintrc
Source2:        %{name}-httpd.conf
Source4:        README.openSUSE
Source5:        %{name}.logrotate
Source100:      %{name}-rpmlintrc
# PATCH-FIX-OPENSUSE roundcubemail-0.9.1_config-dir.patch -- use the general config directory /etc
Patch0:         %{name}-0.9.1_config-dir.patch
# PATCH-FIX-UPSTREAM -- Fix XSS issue in href attribute on area tag
Patch001:       %{name}-1.0.9-001-acf633c-boo_982003.patch
# PATCH-FIX-UPSTREAM -- Avoid sending completely empty text parts for multipart/alternative messages
Patch002:       %{name}-1.0.9-002-7b37ef8-empty_text_1.patch
# PATCH-FIX-UPSTREAM -- Don't create multipart/alternative messages with empty text/plain part
Patch003:       %{name}-1.0.9-003-f1ca20d-empty_text_2.patch
# PATCH-FIX-UPSTREAM -- Wash position:fixed style in HTML mail for better security
Patch004:       %{name}-1.0.9-004-1e275ac-boo_1001856.patch
# PATCH-FIX-UPSTREAM -- Update changelog
Patch005:       %{name}-1.0.9-005-dc0c606-changelog.patch
# PATCH-FIX-UPSTREAM -- Fix _from argument validation
Patch006:       %{name}-1.0.9-006-5d2aaa6-_from_argument.patch
# PATCH-FIX-UPSTREAM -- Fix vulnerability in handling of mail()'s 5th argument
Patch007:       %{name}-1.0.9-007-a54dde8-boo_1012493.patch
BuildArch:      noarch
BuildRequires:  apache2-devel
%if 0%{suse_version} >= 1100
BuildRequires:  fdupes
%endif
BuildRequires:  pcre-devel
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
Requires:       http_daemon
Requires:       mod_php_any >= 5.3
Requires:       php-dom
Requires:       php-exif
Requires:       php-gettext
Requires:       php-iconv
Requires:       php-json
Requires:       php-mbstring
Requires:       php-mcrypt
Requires:       php-openssl
Requires:       php-sockets
Requires:       php_any_db
## Requires: for upstream dep package
Requires:       php-pear-Auth_SASL >= 1.0.6
Requires:       php-pear-MDB2_Driver_mysqli
Requires:       php-pear-Mail_Mime >= 1.8.1
Requires:       php-pear-Net_IDNA2 >= 0.1.1
Requires:       php-pear-Net_LDAP2
Requires:       php-pear-Net_SMTP
Requires:       php-pear-Net_Sieve
Requires:       php-pear-Net_Socket
Recommends:     logrotate
Recommends:     php-mysql
Recommends:     php-intl
Recommends:     php-fileinfo
Recommends:     php-zip
Recommends:     php-pear-Crypt_GPG >= 1.2.0
Provides:       roundcube_framework = %{version}
Conflicts:      roundcube-framework

%define apache_serverroot %(/usr/sbin/apxs2 -q DATADIR)
%define apache_sysconfdir %(/usr/sbin/apxs2 -q SYSCONFDIR)
%define roundcubepath %{apache_serverroot}/%{name}
%define roundcubeconfigpath %{_sysconfdir}/%{name}

%description
Roundcube Webmail is a browser-based multilingual IMAP client with an
application-like user interface. It provides full functionality you expect
from an e-mail client, including MIME support, address book, folder
manipulation, message searching and spell checking. Roundcube Webmail is
written in PHP and requires the MySQL database. The user interface is fully
skinnable using XHTML and CSS 2.

%prep
%setup -q
%patch0 -p1
%patch001 -p1
%patch002 -p1
%patch003 -p1
%patch004 -p1
%patch005 -p1
%patch006 -p1
%patch007 -p1
cp %{SOURCE4} .

# remove cruft from source archive
find . -name ".gitignore" -delete
# no need to check .htaccess each time, the apache config takes care of the restrictions
find . -name ".htaccess" -delete

# remove external libraries
%{__rm} -rf \
    program/lib/Auth/ \
    program/lib/Mail/ \
    program/lib/Net/ \
    program/lib/PEAR*

# remove mssql scripts (not needed on openSUSE)
%{__rm} -rf \
    SQL/mssql/ \
    SQL/mssql.*.sql

# remove shebang from chpass-wrapper
sed -i '1d' plugins/password/helpers/chpass-wrapper.py

# remove INSTALL doc
%{__rm} INSTALL

%build

%install
# install roundcubemail.logrotate
%{__install} -d -m 0755 %{buildroot}%{_sysconfdir}/logrotate.d
%{__install} %{SOURCE5} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}

# extract roundcube-framework
%{__install} -d -m 0755 %{buildroot}%{_datadir}/php5
mv program/lib/Roundcube %{buildroot}%{_datadir}/php5/Roundcube

# install roundcubemail
%{__install} -d -m 0755 %{buildroot}%{roundcubepath}
cp -a * %{buildroot}%{roundcubepath}/

# install config
mkdir -p %{buildroot}%{_sysconfdir}/%{name}
cp config/* %{buildroot}%{roundcubeconfigpath}/
%{__install} %{buildroot}%{roundcubeconfigpath}/config.inc.php.sample %{buildroot}%{roundcubeconfigpath}/config.inc.php
%{__rm} -rf %{buildroot}%{roundcubepath}/config
%{__ln_s} %{roundcubeconfigpath} %{buildroot}%{roundcubepath}/config

# logs + temp go into /var/
%{__rm} -rf %{buildroot}%{roundcubepath}/logs \
    %{buildroot}%{roundcubepath}/temp
%{__install} -d %{buildroot}%{_localstatedir}/log/%{name} \
    %{buildroot}%{_localstatedir}/lib/%{name}
%{__ln_s} %{_localstatedir}/log/%{name}/ %{buildroot}%{roundcubepath}/logs
%{__ln_s} %{_localstatedir}/lib/%{name}/ %{buildroot}%{roundcubepath}/temp

# move some plugin configs to /etc/roundcubemail
for PLUGIN in acl managesieve password; do
    if [[ -f %{buildroot}%{roundcubepath}/plugins/$PLUGIN/config.inc.php.dist ]]; then
        mv %{buildroot}%{roundcubepath}/plugins/$PLUGIN/config.inc.php.dist %{buildroot}%{roundcubeconfigpath}/$PLUGIN.inc.php
        %{__ln_s} %{roundcubeconfigpath}/$PLUGIN.inc.php %{buildroot}%{roundcubepath}/plugins/$PLUGIN/config.inc.php
    fi
done

# install httpd.conf file and adapt the configuration
%{__install} -d -m 0755 %{buildroot}%{apache_sysconfdir}/conf.d
sed -e "s#__ROUNDCUBEPATH__#%{roundcubepath}#g" %{SOURCE2} > %{buildroot}%{apache_sysconfdir}/conf.d/roundcubemail.conf

# install docs
%{__install} -d -m 0755 %{buildroot}%{_defaultdocdir}/%{name}
for i in CHANGELOG UPGRADING LICENSE README.md README.openSUSE SQL; do
    mv -v %{buildroot}%{roundcubepath}/$i %{buildroot}%{_defaultdocdir}/%{name}/
done

# create a link for SQL
%{__ln_s} %{_defaultdocdir}/%{name}/SQL %{buildroot}%{roundcubepath}/SQL

# Make ghost files
mkdir %{buildroot}%{roundcubepath}/migrated
mkdir %{buildroot}%{roundcubepath}/migration

# fdupes
%if 0%{suse_version} >= 1100
%fdupes %{buildroot}%{roundcubepath}
%endif

%pre
# backup logs, temp and config for migration
if [ ! -h %{roundcubepath}/logs ] && [ -d %{roundcubepath}/logs ]; then
    mkdir -p %{roundcubepath}/migration
    mv %{roundcubepath}/logs %{roundcubepath}/migration/.
fi
if [ ! -h %{roundcubepath}/temp ] && [ -d %{roundcubepath}/temp ]; then
    mkdir -p %{roundcubepath}/migration
    mv %{roundcubepath}/temp %{roundcubepath}/migration/.
fi
if [ ! -h %{roundcubepath}/SQL ] && [ -d %{roundcubepath}/SQL ]; then
    mkdir -p %{roundcubepath}/migration
    mv %{roundcubepath}/SQL %{roundcubepath}/migration/.
fi
for PLUGIN in acl managesieve password; do
    if [ ! -h %{roundcubepath}/plugins/$PLUGIN/config.inc.php ] && [ -f %{roundcubepath}/plugins/$PLUGIN/config.inc.php ]; then
        mv %{roundcubepath}/plugins/$PLUGIN/config.inc.php %{roundcubepath}/migration/$PLUGIN.inc.php
    fi
done

%post
# replace default des string in config file for better security
makedesstr() {
    local chars="0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
    local max=${#chars}
    for i in $(seq 1 24); do
        echo "$chars" | dd bs=1 skip=$(($(od -An -d -N2 /dev/urandom) % $max)) count=1 2>/dev/null
    done
    echo
}
sed -i "s/rcmail-\!24ByteDESkey\*Str/`makedesstr`/" %{roundcubeconfigpath}/defaults.inc.php || : &> /dev/null

# enable apache required apache modules
if [ -x /usr/sbin/a2enmod ]; then
    a2enmod -q alias || a2enmod alias
    a2enmod -q rewrite || a2enmod rewrite
    a2enmod -q version || a2enmod version
fi

# restore backed up logs, temp and config
if [ -h %{roundcubepath}/logs ] && [ -d %{roundcubepath}/migration/logs ]; then
    mkdir -p %{roundcubepath}/migrated
    cp %{roundcubepath}/migration/logs/* %{roundcubepath}/logs/.
    mv %{roundcubepath}/migration/logs %{roundcubepath}/migrated/.
fi
if [ -h %{roundcubepath}/temp ] && [ -d %{roundcubepath}/migration/temp ]; then
    mkdir -p %{roundcubepath}/migrated
    cp %{roundcubepath}/migration/temp/* %{roundcubepath}/temp/.
    mv %{roundcubepath}/migration/temp %{roundcubepath}/migrated/.
fi
if [ -h %{roundcubepath}/SQL ] && [ -d %{roundcubepath}/migration/SQL ]; then
    rm -r %{roundcubepath}/migration/SQL
fi
for PLUGIN in acl managesieve password; do
    if [ -f %{roundcubepath}/migration/$PLUGIN.inc.php ] && [ -h %{roundcubepath}/plugins/$PLUGIN/config.inc.php ]; then
        cp %{roundcubepath}/migration/$PLUGIN.inc.php %{roundcubeconfigpath}/.
        mv %{roundcubepath}/migration/$PLUGIN.inc.php %{roundcubepath}/migrated/$PLUGIN.inc.php
    fi
done
for MIGDIR in migration migrated; do
    if [ -d %{roundcubepath}/$MIGDIR ]; then
        find %{roundcubepath}/$MIGDIR -empty -delete
    fi
    if [ -d %{roundcubepath}/$MIGDIR ]; then
        echo "Found %{roundcubepath}/$MIGDIR! Make sure you delete this folder after checking the migration!"
    fi
done

# update/make new config
if [ ! -f %{roundcubeconfigpath}/config.inc.php ]; then
    if [ -f %{roundcubeconfigpath}/main.inc.php ] && [ -f %{roundcubeconfigpath}/db.inc.php ]; then
        %{roundcubepath}/bin/update.sh \
            --version '?' \
            --accept
    else
        cp %{roundcubeconfigpath}/config.inc.php.sample %{roundcubeconfigpath}/config.inc.php
    fi
fi
exit 0

%files
%defattr(0644, root, root,0755)
%doc CHANGELOG
%doc LICENSE
%doc README.md
%doc README.openSUSE
%doc UPGRADING
%doc SQL/
%dir %{roundcubepath}
%dir %{roundcubeconfigpath}
%ghost %config(noreplace) %{roundcubeconfigpath}/config.inc.php
%config(noreplace) %{roundcubeconfigpath}/acl.inc.php
%config(noreplace) %{roundcubeconfigpath}/managesieve.inc.php
%config(noreplace) %{roundcubeconfigpath}/password.inc.php
%config %{roundcubeconfigpath}/config.inc.php.sample
%config %{roundcubeconfigpath}/defaults.inc.php
%config %{roundcubeconfigpath}/mimetypes.php
%config(noreplace) %{apache_sysconfdir}/conf.d/roundcubemail.conf
%config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
%{roundcubepath}/composer.json-dist
%{roundcubepath}/config
%{roundcubepath}/index.php
%{roundcubepath}/robots.txt
%dir %{roundcubepath}/bin
%attr(0755,root,root) %{roundcubepath}/bin/*.sh
%{roundcubepath}/installer/
%{roundcubepath}/logs
%ghost %{roundcubepath}/migrated/
%ghost %{roundcubepath}/migration/
%{roundcubepath}/plugins/
%{roundcubepath}/program/
%{roundcubepath}/skins/
%{roundcubepath}/SQL
%{roundcubepath}/temp
%dir %{_datadir}/php5
%{_datadir}/php5/Roundcube/
%attr(-, wwwrun, root) %{_localstatedir}/log/%{name}
%attr(-, wwwrun, root) %{_localstatedir}/lib/%{name}

%changelog

++++++ README.openSUSE ++++++
This README contains additional information specific to the openSUSE
package of Roundcube.

INSTALLATION
============

This application is packaged to integrate with Apache and MySQL, but it can
in principle run with any web server that is able to run PHP, and it can also
use other SQL-based database engines.

After installation of the package, and once Apache is enabled, the application
is immediately reachable from any host under the URL

  http://IP-ADDRESS/roundcube

The configuration is copied from the example config files in the package and
is therefore not yet usable.

The first step is to prepare the MySQL database for Roundcube. Setting up the
MySQL database means creating an empty database, importing the table layout
and granting the proper permissions to the roundcube user. Here is an example
of that procedure:

  # mysql
  > CREATE DATABASE roundcubemail /*!40101 CHARACTER SET utf8 COLLATE
  > utf8_general_ci */;
  > GRANT ALL PRIVILEGES ON roundcubemail.* TO roundcube@localhost IDENTIFIED BY 'password';
  > quit
  # mysql roundcubemail < /usr/share/doc/packages/roundcubemail/SQL/mysql.initial.sql

Note 1: 'password' is the master password for the roundcube user. It is
strongly recommended that you replace this with a more secure password.
Please keep in mind that you need to specify this password later in
'/etc/roundcubemail/db.inc.php'.

To use the integrated web-based installer you need to enable it first in
/etc/roundcubemail/main.inc.php:

  $rcmail_config['enable_installer'] = true;

Then open http://IP-ADDRESS/roundcube/installer to finish the installation.

IMPORTANT: For SECURITY reasons this MUST be disabled again once the
installation is finished.

++++++ roundcubemail-0.9.1_config-dir.patch ++++++
diff --git a/installer/index.php b/installer/index.php
index 0e80b1c..0123a70 100644
--- a/installer/index.php
+++ b/installer/index.php
@@ -41,7 +41,7 @@ ini_set('display_errors', 1); define('INSTALL_PATH', realpath(dirname(__FILE__) . '/../').'/'); define('RCUBE_INSTALL_PATH', INSTALL_PATH); -define('RCUBE_CONFIG_DIR', INSTALL_PATH . 'config/'); +define('RCUBE_CONFIG_DIR', '/etc/roundcubemail/'); $include_path = INSTALL_PATH . 'program/lib' . PATH_SEPARATOR; $include_path .= INSTALL_PATH . 'program/include' . PATH_SEPARATOR; diff --git a/program/include/iniset.php b/program/include/iniset.php index ca17640..b6da3a6 100644 --- a/program/include/iniset.php +++ b/program/include/iniset.php @@ -29,7 +29,7 @@ if (!defined('INSTALL_PATH')) { } if (!defined('RCMAIL_CONFIG_DIR')) { - define('RCMAIL_CONFIG_DIR', INSTALL_PATH . 'config'); + define('RCMAIL_CONFIG_DIR', '/etc/roundcubemail/'); } if (!defined('RCUBE_LOCALIZATION_DIR')) { ++++++ roundcubemail-1.0.9-001-acf633c-boo_982003.patch ++++++ From acf633c73bc8df9a5036bc52d7568f4213ab73c7 Mon Sep 17 00:00:00 2001 From: Aleksander Machniak <a...@alec.pl> Date: Fri, 6 May 2016 08:28:15 +0200 Subject: [PATCH] Fix XSS issue in href attribute on area tag (#5240, #5241) Conflicts: CHANGELOG --- CHANGELOG | 2 ++ program/lib/Roundcube/rcube_washtml.php | 2 +- tests/Framework/Washtml.php | 17 +++++++++++++++++ 3 files changed, 20 insertions(+), 1 deletion(-) diff --git a/CHANGELOG b/CHANGELOG index 054de01..1f755a0 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,6 +1,8 @@ CHANGELOG Roundcube Webmail =========================== +- Fix XSS issue in href attribute on area tag (#5240) + RELEASE 1.0.9 ------------- - Fix a regression where some contact data was missing in export and PHP warnings were logged (Kolab #4522) diff --git a/program/lib/Roundcube/rcube_washtml.php b/program/lib/Roundcube/rcube_washtml.php index 2b31033..f5a48e8 100644 --- a/program/lib/Roundcube/rcube_washtml.php +++ b/program/lib/Roundcube/rcube_washtml.php 
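Review bot: (roundcubemail-0.9.1_config-dir.patch, installer/index.php hunk) the configuration directory is hard-coded as '/etc/roundcubemail/' while the spec derives the same location from %{roundcubeconfigpath} and additionally symlinks %{roundcubepath}/config to it; if the macro ever changes, this patch silently diverges. Generate the value from the spec (a sed over the define() line using %{roundcubeconfigpath}) or record the coupling in the PATCH-FIX-OPENSUSE comment.

Review bot: (roundcubemail-0.9.1_config-dir.patch, program/include/iniset.php hunk) the old value INSTALL_PATH . 'config' has no trailing slash and the new '/etc/roundcubemail/' has one, so any caller that appends '/' to RCMAIL_CONFIG_DIR now builds a double slash; harmless on Linux, but worth keeping consistent with the installer hunk, which replaced a value that already ended in '/'.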
@@ -366,7 +366,7 @@ private function wash_uri($uri, $blocked_source = false) */ private function is_link_attribute($tag, $attr) { - return $tag == 'a' && $attr == 'href'; + return ($tag == 'a' || $tag == 'area') && $attr == 'href'; } /** ++++++ roundcubemail-1.0.9-002-7b37ef8-empty_text_1.patch ++++++ From 7b37ef8a3347f84bae7ca3ba5f6ec23862c7e96b Mon Sep 17 00:00:00 2001 From: Thomas Bruederli <tho...@roundcube.net> Date: Sun, 29 May 2016 13:36:29 +0200 Subject: [PATCH] Avoid sending completely empty text parts for multipart/alternative messages (#5283) --- program/steps/mail/sendmail.inc | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/program/steps/mail/sendmail.inc b/program/steps/mail/sendmail.inc index c47f3d3..ac1d789 100644 --- a/program/steps/mail/sendmail.inc +++ b/program/steps/mail/sendmail.inc @@ -372,6 +372,11 @@ if ($isHtml) { $plainTextPart = rcube_mime::wordwrap($h2t->get_text(), $LINE_LENGTH, "\r\n", false, $message_charset); $plainTextPart = wordwrap($plainTextPart, 998, "\r\n", true); + // completely blank text part confuses some mail clients + if ($plainTextPart == '') { + $plainTextPart = "\r\n"; + } + // make sure all line endings are CRLF (#1486712) $plainTextPart = preg_replace('/\r?\n/', "\r\n", $plainTextPart); ++++++ roundcubemail-1.0.9-003-f1ca20d-empty_text_2.patch ++++++ From f1ca20d9934b3999624205fc232f5da7b9973d81 Mon Sep 17 00:00:00 2001 From: Aleksander Machniak <a...@alec.pl> Date: Tue, 28 Jun 2016 09:24:14 +0200 Subject: [PATCH] Don't create multipart/alternative messages with empty text/plain part (#5283) Conflicts: CHANGELOG program/steps/mail/sendmail.inc --- CHANGELOG | 1 + program/steps/mail/sendmail.inc | 21 +++++++++++---------- 2 files changed, 12 insertions(+), 10 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index 1f755a0..2843ebe 100644 --- a/CHANGELOG +++ b/CHANGELOG 
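Review bot: (001, program/lib/Roundcube/rcube_washtml.php is_link_attribute hunk) the diffstat lists tests/Framework/Washtml.php with 17 added lines, but no hunk for that file appears in the packaged patch, and the 'Conflicts: CHANGELOG' line shows this was hand-merged; confirm the regression test for href on <area> was carried over. Style: in_array($tag, array('a', 'area')) reads better than chained == comparisons and makes the next href-carrying tag a one-token change.

Review bot: (002, program/steps/mail/sendmail.inc hunk) $plainTextPart == '' only catches a truly empty string, so a rendering consisting of whitespace or a bare newline passes through, and substituting "\r\n" still emits an alternative part with no content. Patch 003 in this series replaces exactly this block with a strlen(trim()) test, so 002 is dead weight: drop it and apply 003 on its own, or squash the two, to keep the series minimal.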
@@ -1,6 +1,7 @@ CHANGELOG Roundcube Webmail =========================== +- Don't create multipart/alternative messages with empty text/plain part (#5283) - Fix XSS issue in href attribute on area tag (#5240) RELEASE 1.0.9 diff --git a/program/steps/mail/sendmail.inc b/program/steps/mail/sendmail.inc index ac1d789..c1e2611 100644 --- a/program/steps/mail/sendmail.inc +++ b/program/steps/mail/sendmail.inc @@ -372,18 +372,19 @@ if ($isHtml) { $plainTextPart = rcube_mime::wordwrap($h2t->get_text(), $LINE_LENGTH, "\r\n", false, $message_charset); $plainTextPart = wordwrap($plainTextPart, 998, "\r\n", true); - // completely blank text part confuses some mail clients - if ($plainTextPart == '') { - $plainTextPart = "\r\n"; - } - - // make sure all line endings are CRLF (#1486712) - $plainTextPart = preg_replace('/\r?\n/', "\r\n", $plainTextPart); + // There's no sense to use multipart/alternative if the text/plain + // part would be blank. Completely blank text/plain part may confuse + // some mail clients (#5283) + if (strlen(trim($plainTextPart)) > 0) { + // make sure all line endings are CRLF (#1486712) + $plainTextPart = preg_replace('/\r?\n/', "\r\n", $plainTextPart); - $plugin = $RCMAIL->plugins->exec_hook('message_outgoing_body', - array('body' => $plainTextPart, 'type' => 'alternative', 'message' => $MAIL_MIME)); + $plugin = $RCMAIL->plugins->exec_hook('message_outgoing_body', + array('body' => $plainTextPart, 'type' => 'alternative', 'message' => $MAIL_MIME)); - $MAIL_MIME->setTXTBody($plugin['body']); + // add a plain text version of the e-mail as an alternative part. + $MAIL_MIME->setTXTBody($plugin['body']); + } // look for "emoticon" images from TinyMCE and change their src paths to // be file paths on the server instead of URL paths. ++++++ roundcubemail-1.0.9-004-1e275ac-boo_1001856.patch ++++++ From 1e275ac13ac6222efd9dbc80118642bd2a6fe3dd Mon Sep 17 00:00:00 2001 
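Review bot: (003, program/steps/mail/sendmail.inc hunk) with the new guard, an HTML message whose text rendering is blank is sent without a multipart/alternative wrapper, and the message_outgoing_body hook is then never invoked with type 'alternative'; plugins that hook that event to rewrite the text part should be checked against that case. Also, trim() strips only ASCII whitespace, so a rendering made up of non-breaking spaces still counts as non-empty; if the HTML-to-text converter can emit that, extend the check. Minor: the comment "There's no sense to use" reads better as "There is no point in using".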
From: Aleksander Machniak <machn...@kolabsys.com> Date: Sun, 29 May 2016 17:09:41 +0200 Subject: [PATCH] Wash position:fixed style in HTML mail for better security (#5264) --- program/lib/Roundcube/rcube_utils.php | 6 +++++- program/lib/Roundcube/rcube_washtml.php | 9 +++++++-- tests/Framework/Utils.php | 10 ++++++++++ tests/Framework/Washtml.php | 14 ++++++++++++++ 4 files changed, 36 insertions(+), 3 deletions(-) diff --git a/program/lib/Roundcube/rcube_utils.php b/program/lib/Roundcube/rcube_utils.php index 28b16ff..adda416 100644 --- a/program/lib/Roundcube/rcube_utils.php +++ b/program/lib/Roundcube/rcube_utils.php @@ -430,10 +430,11 @@ public static function html_identifier($str, $encode=false) /** * Replace all css definitions with #container [def] - * and remove css-inlined scripting + * and remove css-inlined scripting, make position style safe * * @param string CSS source code * @param string Container ID to use as prefix + * @param bool Allow remote content * * @return string Modified CSS source */ @@ -461,6 +462,9 @@ public static function mod_css_styles($source, $container_id, $allow_remote=fals $length = $pos2 - $pos - 1; $styles = substr($source, $pos+1, $length); + // Convert position:fixed to position:absolute (#5264) + $styles = preg_replace('/position:[\s\r\n]*fixed/i', 'position: absolute', $styles); + // check every line of a style block... if ($allow_remote) { $a_styles = preg_split('/;[\r\n]*/', $styles, -1, PREG_SPLIT_NO_EMPTY); diff --git a/program/lib/Roundcube/rcube_washtml.php b/program/lib/Roundcube/rcube_washtml.php index f5a48e8..ee992da 100644 --- a/program/lib/Roundcube/rcube_washtml.php +++ b/program/lib/Roundcube/rcube_washtml.php 
@@ -231,6 +231,11 @@ private function wash_style($style) } } else if (!preg_match('/^(behavior|expression)/i', $val)) { + // Set position:fixed to position:absolute for security (#5264) + if (!strcasecmp($cssid, 'position') && !strcasecmp($val, 'fixed')) { + $val = 'absolute'; + } + // whitelist ? $value .= ' ' . $val; @@ -716,10 +721,9 @@ public static function fix_broken_lists(&$html) */ protected function explode_style($style) { - $style = trim($style); + $pos = 0; // first remove comments - $pos = 0; while (($pos = strpos($style, '/*', $pos)) !== false) { $end = strpos($style, '*/', $pos+2); @@ -731,6 +735,7 @@ protected function explode_style($style) } } + $style = trim($style); $strlen = strlen($style); $result = array(); ++++++ roundcubemail-1.0.9-005-dc0c606-changelog.patch ++++++ From dc0c6067b7597ff750ac3af2575ff9276ef28455 Mon Sep 17 00:00:00 2001 From: Aleksander Machniak <a...@alec.pl> Date: Sun, 31 Jul 2016 09:34:06 +0200 Subject: [PATCH] Update changelog --- CHANGELOG | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG b/CHANGELOG index 2843ebe..fdaa57e 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -3,6 +3,7 @@ CHANGELOG Roundcube Webmail - Don't create multipart/alternative messages with empty text/plain part (#5283) - Fix XSS issue in href attribute on area tag (#5240) +- Wash position:fixed style in HTML mail for better security (#5264) RELEASE 1.0.9 ------------- ++++++ roundcubemail-1.0.9-006-5d2aaa6-_from_argument.patch ++++++ From 5d2aaa68c3b2c681f14d45d9f48fce1565dfbead Mon Sep 17 00:00:00 2001 From: Aleksander Machniak <a...@alec.pl> Date: Tue, 22 Nov 2016 10:38:41 +0100 Subject: [PATCH] Fix _from argument validation --- program/steps/mail/sendmail.inc | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/program/steps/mail/sendmail.inc b/program/steps/mail/sendmail.inc index c1e2611..4834880 100644 --- a/program/steps/mail/sendmail.inc +++ b/program/steps/mail/sendmail.inc 
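Review bot: in the `rcube_utils.php` hunk of this patch, the regex `'/position:[\s\r\n]*fixed/i'` in `mod_css_styles()` only matches when there is no whitespace between `position` and the colon, while the companion check in `rcube_washtml::wash_style()` compares the already-parsed property name and value with `strcasecmp()` and is therefore indifferent to spacing. For the two code paths to agree, use `'/position\s*:\s*fixed/i'` (the `\r\n` inside the character class is redundant, `\s` already covers both) and add the spaced form to the new test case in `tests/Framework/Utils.php`.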
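Review bot: in the `explode_style()` hunk, moving `$style = trim($style);` below the comment-stripping loop changes behaviour for styles that begin with a `/* ... */` comment: previously the whitespace left behind after the comment was removed stayed in `$style` and counted towards `$strlen`; now it is trimmed away. That is the right order, but it is unrelated to the `position:fixed` rewrite that #5264 describes, so it deserves its own line in the commit message or a dedicated test in `tests/Framework/Washtml.php` so the intent survives future refactoring.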
@@ -105,11 +105,14 @@ if (is_numeric($from)) { } } // ... if there is no identity record, this might be a custom from -else if ($from_string = rcmail_email_input_format($from)) { - if (preg_match('/(\S+@\S+)/', $from_string, $m)) - $from = trim($m[1], '<>'); - else - $from = null; +else if (($from_string = rcmail_email_input_format($from)) + && preg_match('/(\S+@\S+)/', $from_string, $m) +) { + $from = trim($m[1], '<>'); +} +// ... otherwise it's empty or invalid +else { + $from = null; } if (!$from_string && $from) { ++++++ roundcubemail-1.0.9-007-a54dde8-boo_1012493.patch ++++++ From a54dde834c9085b1579aa34cc382fe925d209d8e Mon Sep 17 00:00:00 2001 From: Aleksander Machniak <a...@alec.pl> Date: Tue, 22 Nov 2016 10:42:50 +0100 Subject: [PATCH] Fix vulnerability in handling of mail()'s 5th argument --- CHANGELOG | 1 + program/lib/Roundcube/rcube.php | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG b/CHANGELOG index fdaa57e..9ee4bbe 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,6 +1,7 @@ CHANGELOG Roundcube Webmail =========================== +- Fix vulnerability in handling of mail()'s 5th argument - Don't create multipart/alternative messages with empty text/plain part (#5283) - Fix XSS issue in href attribute on area tag (#5240) - Wash position:fixed style in HTML mail for better security (#5264) diff --git a/program/lib/Roundcube/rcube.php b/program/lib/Roundcube/rcube.php index 5fe4a4b..258a1c9 100644 --- a/program/lib/Roundcube/rcube.php +++ b/program/lib/Roundcube/rcube.php 
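Review bot: the rewritten `else if` in this `sendmail.inc` hunk closes a gap in the old code: when `rcmail_email_input_format($from)` returned an empty result the first branch was skipped and `$from` kept its raw request value, while only a `preg_match()` failure reset it to null; now both cases fall into the new `else` and nullify `$from`. Since the companion patch treats the same sender value as security-sensitive when it reaches `mail()`, this patch should carry a CHANGELOG entry (the diffstat touches only `sendmail.inc`) and the `// ... otherwise it's empty or invalid` comment should say that the `null` is what prevents an unvalidated address from being used, not just a tidy-up.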
@@ -1542,7 +1542,7 @@ public function deliver_message(&$message, $from, $mailto, &$error, &$body_file if (filter_var(ini_get('safe_mode'), FILTER_VALIDATE_BOOLEAN)) $sent = mail($to, $subject, $msg_body, $header_str); else - $sent = mail($to, $subject, $msg_body, $header_str, "-f$from"); + $sent = mail($to, $subject, $msg_body, $header_str, '-f ' . escapeshellarg($from)); } } ++++++ roundcubemail-httpd.conf ++++++ # You might want to set up a virtual host for the server, but it is # not a requirement. You can as well reach the server under its # common name under https://yourroundcubeserver.example.com/ # # NameVirtualHost * # <VirtualHost *> # ServerName yourroundcubeserver.example.com # DocumentRoot __ROUNDCUBEPATH__ <IfModule mod_alias.c> Alias /roundcube __ROUNDCUBEPATH__ Alias /roundcubemail __ROUNDCUBEPATH__ </IfModule> # AddDefaultCharset UTF-8 AddType text/x-component .htc <Directory __ROUNDCUBEPATH__> <IfModule mod_version.c> <IfVersion < 2.4> Order allow,deny Allow from all </IfVersion> <IfVersion >= 2.4> <IfModule mod_authz_core.c> Require all granted </IfModule> <IfModule mod_access_compat.c> Order allow,deny Allow from all </IfModule> </IfVersion> </IfModule> <IfModule !mod_version.c> Order allow,deny Allow from all </IfModule> Options -Indexes +FollowSymLinks <IfModule mod_php5.c> php_flag display_errors Off php_flag log_errors On #php_value error_log logs/errors php_value upload_max_filesize 5M php_value post_max_size 6M php_value memory_limit 64M php_flag register_globals Off php_flag zlib.output_compression Off php_flag magic_quotes_gpc Off php_flag magic_quotes_runtime Off php_flag zend.ze1_compatibility_mode Off php_flag suhosin.session.encrypt Off #php_value session.cookie_path / php_flag session.auto_start Off php_value session.gc_maxlifetime 21600 php_value session.gc_divisor 500 php_value session.gc_probability 1 </IfModule> <IfModule mod_rewrite.c> RewriteEngine On RewriteRule ^favicon\.ico$ skins/larry/images/favicon.ico # security rules: # 
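Review bot: in the `deliver_message()` hunk, `'-f ' . escapeshellarg($from)` stops shell metacharacters in `$from` from reaching the sendmail command line, but two points belong in a comment next to it: `escapeshellarg()` is locale-aware and can strip bytes that are not valid in the current locale, so the address must already have been validated as a plain e-mail address before this point (the `_from` validation in the previous patch is what provides that); and the `safe_mode` branch just above passes no fifth argument at all, so this change only affects the non-safe-mode path, which is the one where the additional parameters reach the MTA. The CHANGELOG line added for this fix also lacks the issue reference that the neighbouring entries carry.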
- deny access to files not containing a dot or starting with a dot # in all locations except installer directory RewriteRule ^(?!installer|\.well-known\/)(\.?[^\.]+)$ - [F] # - deny access to some locations RewriteRule ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps)) - [F] # - deny access to some documentation files RewriteRule /?(README\.md|composer\.json-dist|composer\.json|package\.xml)$ - [F] </IfModule> <IfModule mod_deflate.c> SetOutputFilter DEFLATE </IfModule> <IfModule mod_headers.c> #Header merge Cache-Control public env=!NO_CACHE </IfModule> <IfModule mod_expires.c> ExpiresActive On ExpiresDefault "access plus 1 month" </IfModule> FileETag MTime Size </Directory> # # Special directories # <Directory __ROUNDCUBEPATH__/bin> <IfModule mod_version.c> <IfVersion < 2.4> Order deny,allow Deny from all </IfVersion> <IfVersion >= 2.4> <IfModule mod_authz_core.c> Require all denied </IfModule> <IfModule mod_access_compat.c> Order deny,allow Deny from all </IfModule> </IfVersion> </IfModule> <IfModule !mod_version.c> Order deny,allow Deny from all </IfModule> </Directory> <Directory __ROUNDCUBEPATH__/config> Options -FollowSymLinks AllowOverride None <IfModule mod_version.c> <IfVersion < 2.4> Order deny,allow Deny from all </IfVersion> <IfVersion >= 2.4> <IfModule mod_authz_core.c> Require all denied </IfModule> <IfModule mod_access_compat.c> Order deny,allow Deny from all </IfModule> </IfVersion> </IfModule> <IfModule !mod_version.c> Order deny,allow Deny from all </IfModule> </Directory> <Directory __ROUNDCUBEPATH__/logs> Options -FollowSymLinks AllowOverride None <IfModule mod_version.c> <IfVersion < 2.4> Order deny,allow Deny from all </IfVersion> <IfVersion >= 2.4> <IfModule mod_authz_core.c> Require all denied </IfModule> <IfModule mod_access_compat.c> Order deny,allow Deny from all </IfModule> </IfVersion> </IfModule> <IfModule !mod_version.c> Order deny,allow Deny from all </IfModule> </Directory> <Directory 
__ROUNDCUBEPATH__/migration> Options -FollowSymLinks AllowOverride None <IfModule mod_version.c> <IfVersion < 2.4> Order deny,allow Deny from all </IfVersion> <IfVersion >= 2.4> <IfModule mod_authz_core.c> Require all denied </IfModule> <IfModule mod_access_compat.c> Order deny,allow Deny from all </IfModule> </IfVersion> </IfModule> <IfModule !mod_version.c> Order deny,allow Deny from all </IfModule> </Directory> <Directory __ROUNDCUBEPATH__/migrated> Options -FollowSymLinks AllowOverride None <IfModule mod_version.c> <IfVersion < 2.4> Order deny,allow Deny from all </IfVersion> <IfVersion >= 2.4> <IfModule mod_authz_core.c> Require all denied </IfModule> <IfModule mod_access_compat.c> Order deny,allow Deny from all </IfModule> </IfVersion> </IfModule> <IfModule !mod_version.c> Order deny,allow Deny from all </IfModule> </Directory> <Directory __ROUNDCUBEPATH__/plugins/enigma/home> <IfModule mod_version.c> <IfVersion < 2.4> Order deny,allow Deny from all </IfVersion> <IfVersion >= 2.4> <IfModule mod_authz_core.c> Require all denied </IfModule> <IfModule mod_access_compat.c> Order deny,allow Deny from all </IfModule> </IfVersion> </IfModule> <IfModule !mod_version.c> Order deny,allow Deny from all </IfModule> </Directory> <Directory __ROUNDCUBEPATH__/program> <IfModule mod_rewrite.c> RewriteEngine On RewriteRule !^js|.*\.gif$ - [F] </IfModule> </Directory> <Directory __ROUNDCUBEPATH__/temp> Options -FollowSymLinks AllowOverride None <IfModule mod_version.c> <IfVersion < 2.4> Order deny,allow Deny from all </IfVersion> <IfVersion >= 2.4> <IfModule mod_authz_core.c> Require all denied </IfModule> <IfModule mod_access_compat.c> Order deny,allow Deny from all </IfModule> </IfVersion> </IfModule> <IfModule !mod_version.c> Order deny,allow Deny from all </IfModule> </Directory> # # </VirtualHost> ++++++ roundcubemail-rpmlintrc ++++++ addFilter("E: devel-file-in-non-devel-package") ++++++ roundcubemail.logrotate ++++++ /var/log/roundcubemail/console 
/var/log/roundcubemail/errors /var/log/roundcubemail/imap /var/log/roundcubemail/ldap /var/log/roundcubemail/sendmail /var/log/roundcubemail/sieve /var/log/roundcubemail/smtp /var/log/roundcubemail/sql /var/log/roundcubemail/userlogins { missingok compress notifempty size 30k create 0660 wwwrun www }