roundcube (1.6.5+dfsg-1+deb12u5) bookworm-security; urgency=high

  * Fix CVE-2025-49113: Post-Auth RCE via PHP Object Deserialization.
    (Closes: #1107073)
  * Regression fix: CVE-2024-42009.patch from 1.6.5+dfsg-1+deb12u3 and
    1.6.5+dfsg-1+deb12u4 caused some HTML messages to be displayed unstyled.

 -- Guilhem Moulin <guilhem@debian.org>  Mon, 02 Jun 2025 10:01:44 +0200

roundcube (1.6.5+dfsg-1+deb12u4) bookworm-security; urgency=medium

  * Regression fix: The original fix for CVE-2024-42008 broke printing and
    other handling of image attachments.  (Closes: #1078456)

 -- Guilhem Moulin <guilhem@debian.org>  Mon, 12 Aug 2024 14:59:59 +0200

roundcube (1.6.5+dfsg-1+deb12u3) bookworm-security; urgency=high

  * Cherry pick upstream security fixes from v1.6.8 (closes: #1077969):
    + CVE-2024-42008: Cross-site scripting (XSS) vulnerability in serving of
      attachments other than HTML or SVG.
    + CVE-2024-42009: Cross-site scripting (XSS) vulnerability in
      post-processing of sanitized HTML content.
    + CVE-2024-42010: Fix information leak (access to remote content) via
      insufficient CSS filtering.
  * Cherry pick further upstream changes from v1.6.8:
    + Fix fatal error when parsing some TNEF attachments.
    + Fix bug where an unhandled exception was caused by an invalid image
      attachment.
    + Fix infinite loop when parsing malformed Sieve script.
    + Fix bug where imap_conn_option's 'socket' was ignored.

 -- Guilhem Moulin <guilhem@debian.org>  Tue, 06 Aug 2024 16:02:54 +0200

roundcube (1.6.5+dfsg-1+deb12u2) bookworm-security; urgency=high

  * Fix CVE-2024-37384: Cross-site scripting (XSS) vulnerability in handling
    list columns from user preferences.  (Closes: #1071474)
  * Fix CVE-2024-37383: Cross-site scripting (XSS) vulnerability in handling
    SVG animate attributes.
    (Closes: #1071474)

 -- Guilhem Moulin <guilhem@debian.org>  Mon, 17 Jun 2024 03:15:26 +0200

roundcube (1.6.5+dfsg-1~deb12u1) bookworm-security; urgency=high

  * New upstream security and bugfix release:
    + Fix CVE-2023-47272: Cross-site scripting (XSS) vulnerability in setting
      Content-Type/Content-Disposition for attachment preview/download.
      (Closes: #1055421)
    + Fix PHP8 fatal error when parsing a malformed BODYSTRUCTURE.
    + Fix UI issue when dealing with an invalid managesieve_default_headers
      value.
    + Fix bug where images attached to application/smil messages weren't
      displayed.
    + Fix PHP8 warnings.
    + Fix regression where ‘smtp_user’ did not allow pre/post strings
      before/after ‘%u’ placeholder.
  * Refresh d/patches.

 -- Guilhem Moulin <guilhem@debian.org>  Tue, 28 Nov 2023 16:10:54 +0100

roundcube (1.6.4+dfsg-1~deb12u1) bookworm-security; urgency=high

  * New upstream security and bugfix release:
    + Fix CVE-2023-5631: Cross-site scripting (XSS) vulnerability in handling
      of SVG in HTML messages.  (Closes: #1054079)
    + Managesieve plugin: Fix javascript error when relational or spamtest
      extension is not enabled.
    + Fix PHP8 warnings.
  * Replace upstream release “version” 1.6-git with the actual tagged version.
  * Add DEP-8 test to check RCMAIL_VERSION against d/changelog.
  * Salsa CI: Disable lintian and reprotest jobs.
  * Refresh patches.

 -- Guilhem Moulin <guilhem@debian.org>  Thu, 19 Oct 2023 00:20:52 +0200

roundcube (1.6.3+dfsg-1~deb12u1) bookworm; urgency=medium

  * Rebuild for bookworm.
  * Salsa CI: Set RELEASE=bookworm.
  * d/gbp.conf: Set --debian-branch=debian/bookworm.

 -- Guilhem Moulin <guilhem@debian.org>  Mon, 25 Sep 2023 14:22:10 +0200

roundcube (1.6.3+dfsg-1) unstable; urgency=medium

  * New upstream security and bugfix release:
    + Fix CVE-2023-43770: cross-site scripting (XSS) vulnerability in handling
      of linkrefs in plain text messages.  (Closes: #1052059)
    + Fix regression that broke use_secure_urls feature hence OAuth2
      authentication.
      (Closes: #1050317)
    + Fix regression where LDAP addressbook 'filter' option was ignored.
    + Fix regression in decoding mail parts FETCHed from IMAP.
    + Fix PHP8 warnings.
  * roundcube-core.cron: Trigger gc twice every hour.  (Closes: #1043395)
  * Fix GuzzleHttp autoload location.  (Closes: #1040705)
  * d/p/fix-autoload-location.patch: Set ‘Forwarded: not-needed’ DEP-3 header.
  * Refresh d/patches.

 -- Guilhem Moulin <guilhem@debian.org>  Mon, 18 Sep 2023 14:18:17 +0200

roundcube (1.6.2+dfsg-1) unstable; urgency=medium

  [ Amin Bandali ]
  * Test suite: Adjust short date test to make it work with all ICUs.
    (Closes: #1030161)

  [ Remus-Gabriel Chelu ]
  * Add Romanian debconf templates translation.  (Closes: #1033468)

  [ Guilhem Moulin ]
  * New upstream bugfix release.
  * d/gbp.conf, d/README.source: Remove obsolete comment.
  * d/sql/mysql/1.3.0-1: Move inline comment.
  * d/p/fix-short-date-test-icu72.patch: Remove patch applied upstream.
  * Refresh patches.

 -- Guilhem Moulin <guilhem@debian.org>  Sun, 02 Jul 2023 11:54:33 +0200

roundcube (1.6.1+dfsg-1) unstable; urgency=medium

  * New upstream bugfix release.
  * Update d/sql for 1.6.1+dfsg-1.
  * Fix d/README.source order.
  * Refresh d/patches.
  * d/roundcube-core.postinst: Add $config['imap_host'] to $CONFFILE.ucftmp
    if needs be.  This fixes d/t/config-ownership-perms.
  * d/t/config-ownership-perms: Use HOST:PORT in roundcube/hosts string.

 -- Guilhem Moulin <guilhem@debian.org>  Tue, 24 Jan 2023 01:42:19 +0100

roundcube (1.6.0+dfsg-2) unstable; urgency=medium

  * Salsa CI: Restore piuparts job.
  * Salsa CI: Install suitable RDBMS before running piuparts.
  * Salsa CI: Include recipes/debian.yml.
  * d/control: Build-Depends: Drop versioned constraint on uglifyjs.
  * Update standards version to 4.6.2, no changes needed.
  * Fix FTBFS (closes: #1026528).
  * d/s/lintian-overrides: Remove mismatched overrides.

 -- Guilhem Moulin <guilhem@debian.org>  Tue, 20 Dec 2022 20:36:47 +0100

roundcube (1.6.0+dfsg-1.1) unstable; urgency=medium

  * Non-maintainer upload.
  * No source change upload to rebuild with debhelper 13.10.

 -- Michael Biebl <biebl@debian.org>  Sat, 15 Oct 2022 12:43:57 +0200

roundcube (1.6.0+dfsg-1) unstable; urgency=low

  * New upstream release.
  * d/p/fix-install-path.patch: Also adjust installer/index.php.
  * d/t/control: Factor stanzas with same dependencies and restrictions.
  * /etc/roundcube/*.php: Don't include files only once.
  * DEP-8: Run upstream installer checks in a dedicated autopkgtest.
  * d/t/cleanup: Sort sessions by changed date on error.
  * d/t/installer-checks: And also run 3rd step of installation checks.
  * DEP-8: Add ‘Restrictions: breaks-testbed’ when suitable.
  * DEP-8: Name inline tests.
  * debian/control: Replace 'Depends: libapache2-mod-php | php' with
    'Depends: php'.
  * Add d/README.source to document the package workflow.

 -- Guilhem Moulin <guilhem@debian.org>  Fri, 29 Jul 2022 11:47:02 +0200

roundcube (1.6~rc+dfsg-2) experimental; urgency=medium

  * Adjust d/origtargz-diff.sh for 1.6~rc+dfsg.
  * Refresh lintian overrides to accommodate lintian v2.115.
  * Bump Standards-Version to 4.6.1 (no changes needed).
  * Promote GuzzleHttp\Client back to "require" from "suggest".
  * Revert "Don't install the installer into /usr/share/roundcube."
  * Run upstream installer checks for apache2 and lighttpd DEP-8 tests.
  * Add roundcube-cleandb.{service,timer} which replaces the cronjob on
    systems where PID1 is systemd.
  * Add roundcube-gc.{service,timer} to purge expired sessions, caches and
    tempfiles in the background in a scheduled fashion.
  * Don't force set session.gc_probability=1 since we don't have to rely on
    probabilistic synchronous garbage collection anymore.
  * Remove obsolete /etc/default/roundcube and /etc/cron.daily/roundcube-core
    files since removing temporary files is part of the normal garbage
    collection routine.
  * DEP-8: Create tempfiles in $AUTOPKGTEST_TMP not /tmp.
  * DEP-8: Test roundcube-{cleandb,gc}.service (cleanup and garbage
    collection routines).
 -- Guilhem Moulin <guilhem@debian.org>  Wed, 29 Jun 2022 20:23:02 +0200

roundcube (1.6~rc+dfsg-1) experimental; urgency=medium

  * New upstream release candidate 1.6.
  * d/u/signing-key.asc: Add Alec's key BEE674A019359DC1.
  * Refresh d/patches.

 -- Guilhem Moulin <guilhem@debian.org>  Sun, 12 Jun 2022 16:46:12 +0200

roundcube (1.6~beta+dfsg-2) experimental; urgency=medium

  * d/roundcube-core.NEWS: Mention roundcube-skin-* packages by name now that
    they cleared the NEW queue.
  * d/control: roundcube-core: Add 'Recommends: roundcube-skin-classic,
    roundcube-skin-larry'.
  * Update d/copyright.
  * d/watch: Add uversionmangle for /-(alpha|beta|rc)\d*$/.
  * d/watch: Improve dversionmangle.
  * d/sql/*.sql: Escape identifiers to fix compatibility with MySQL 8
    (LP: #1970428).
  * New script d/sqlupdate replacing d/addsqlupdate.sh.
  * Update d/sql for 1.6~beta+dfsg-1 (remove 2020122900 which is in
    d/sql/*/1.5.0+dfsg.1-1 already).
  * Run wrap-and-sort(1).
  * Remove d/t/fix-format_date-x.patch and generate an en_US.utf8 locale for
    the upstream test suite instead.  This adds Build-Depends: locales.

 -- Guilhem Moulin <guilhem@debian.org>  Wed, 11 May 2022 20:22:23 +0200

roundcube (1.6~beta+dfsg-1) experimental; urgency=medium

  * New beta upstream release.  Highlights for major version 1.6 include:
    - Full PHP 8.1 support (closes: #1000642)
    - Unified and simplified services connection options:
      . renamed `default_host` resp. `smtp_server` to `imap_host` resp.
        `smtp_host`
      . removed `default_port`, `smtp_port`, `managesieve_port` and
        `managesieve_usetls` options
    - The classic and larry skins are no longer included in the upstream
      repository hence are excluded from this source package; we will ship
      them in separate packages.
  * Add d/roundcube-core.NEWS to highlight the above.
  * Update default value for roundcube/hosts template to "localhost:143" to
    match the upstream default.
  * Update d/copyright.
  * Update d/sql.
  * Refresh d/patches.
    Remove the following patches (now obsolete or applied upstream):
    - fix-FTBFS-with-phpunit-8.patch
    - fix-file-list-in-phpunit-configuration.patch
    - fix-FTBFS-with-phpunit-9.patch
  * Add patch to fix `$rcmail->format_date(.., 'x')` calls.
  * Remove mismatched Lintian override.
  * Add 'Restrictions: rw-build-tree' to the phpunit DEP-8 test as it writes
    into tests/.phpunit.result.cache.
  * Add aspell-en and php-pspell to Build-Depends (unless under 'nocheck'
    build profile) and DEP-8 test to test Framework_SpellcheckerPspell.
  * Add hunspell-en-us and php-enchant to Build-Depends (unless under
    'nocheck' build profile) and DEP-8 test to test
    Framework_SpellcheckerEnchant.
  * Add php-roundcube-rtf-html-php to Build-Depends (unless under 'nocheck'
    build profile) and DEP-8 test to test Framework_TnefDecoder.
  * Add php-bacon-qr-code to Build-Depends (unless under 'nocheck' build
    profile) and DEP-8 test to test Actions_Contacts_Qrcode.
  * d/rules, d/t/control: Mark flaky tests as such and run phpunit with
    `--exclude-group=flaky --fail-on-skipped` in build-time and DEP-8 tests.
  * CI: Disable piuparts which is bound to fail due to the schema upgrade.
  * d/rules: Replace '$(dir $@)' with '$(@D)'.

 -- Guilhem Moulin <guilhem@debian.org>  Mon, 14 Mar 2022 00:16:05 +0100

roundcube (1.5.2+dfsg-1) unstable; urgency=medium

  * New upstream bugfix & security release (closes: #1003027).

 -- Guilhem Moulin <guilhem@debian.org>  Sun, 02 Jan 2022 22:50:42 +0100

roundcube (1.5.1+dfsg-1) unstable; urgency=medium

  * New upstream bugfix release.
  * Change repacking suffix to +dfsg from +dfsg.1.

 -- Guilhem Moulin <guilhem@debian.org>  Sat, 04 Dec 2021 15:07:42 +0100

roundcube (1.5.0+dfsg.1-2) unstable; urgency=medium

  * CI: Restore piuparts job.
  * DEP-8: config-ownership-perms: Add Restrictions: allow-stderr.

 -- Guilhem Moulin <guilhem@debian.org>  Sat, 23 Oct 2021 20:00:35 +0200

roundcube (1.5.0+dfsg.1-1) unstable; urgency=low

  * New upstream release.
    Highlights for major version 1.5 include:
    - full PHP 8.0 support (closes: #977687)
    - dark mode for Elastic skin
    - collected recipients and trusted senders
    - moving recipients between inputs with drag & drop
    - full unicode support with MySQL database
    - support of IMAP LITERAL [RFC7888]
    - support of [RFC2231] encoded names
    - cache refactoring
  * Ship upstream's bin/updatedb.sh to roundcube-core.
  * d/t/dbconfig-no-thanks: Also run bin/updatedb.sh.
  * d/t/dbconfig-no-thanks: Check DB ownership and permissions.
  * Exclude spellchecker from build-time and DEP8 tests, as dictionary
    mismatch makes it too brittle.
  * d/pkg-php-tools-overrides: Remove useless roundcube/net_sieve builtin.

 -- Guilhem Moulin <guilhem@debian.org>  Sat, 23 Oct 2021 09:47:50 +0200

roundcube (1.5~rc+dfsg.1-3) experimental; urgency=medium

  * DEP-8: Add test for dbconfig-no-thanks (set custom $config['db_dsnw']).
  * Create symlink var/lib/roundcube/SQL pointing to usr/share/roundcube/SQL.
    This is required for dbconfig-no-thanks deployments (closes: #996613).
  * Refresh lintian overrides to accommodate lintian v2.109.
  * Retroactively update d/roundcube-core.NEWS to advertise the 1.4 smtp_*
    default settings (closes: #994446).

 -- Guilhem Moulin <guilhem@debian.org>  Sat, 16 Oct 2021 23:20:50 +0200

roundcube (1.5~rc+dfsg.1-2) experimental; urgency=medium

  * Replace `which` with `command -v` in maint scripts.
  * Refresh lintian overrides to accommodate lintian v2.107.
  * Bump Standards-Version to 4.6.0 (no changes needed).
  * Remove 4 obsolete maintscript entries in 2 files.
  * Set upstream metadata fields: Security-Contact.

 -- Guilhem Moulin <guilhem@debian.org>  Fri, 08 Oct 2021 20:53:01 +0200

roundcube (1.5~rc+dfsg.1-1) experimental; urgency=medium

  * New upstream release candidate 1.5 (closes: #949629).
  * d/rules: Exclude tinymce/js/tinymce/tinymce.d.ts in accordance with
    jsdeps.json.
 -- Guilhem Moulin <guilhem@debian.org>  Tue, 06 Jul 2021 12:00:42 +0200

roundcube (1.5~beta+dfsg.1-4) experimental; urgency=medium

  * d/roundcube-core.cron.daily, d/addsqlupdate.sh: `set -ue` and improve
    quoting.
  * d/*: Fix space damage.
  * bin/update.sh: Hardcode define('INSTALL_PATH', '/var/lib/roundcube/');
    (closes: #989140).
  * d/roundcube-core.postinst: Set DEBIAN_PKG=[0|1] for symmetry.
  * d/p/debianize-config.patch: Comment out sample plugins, see #884992.

 -- Guilhem Moulin <guilhem@debian.org>  Sat, 29 May 2021 15:03:39 +0200

roundcube (1.5~beta+dfsg.1-3) experimental; urgency=medium

  * d/*.post*, d/*.config: Improve style consistency.
  * d/*.post*: pathfind(): Keep IFS null (instead of setting it to the empty
    string) if it was null before.
  * d/roundcube-core.postinst: Set ln(1)'s '-T' flag to protect against
    undesired semantics should the target be an existing directory.
  * d/roundcube-core.postinst, d/roundcube-core.config: Replace useless calls
    to sed.
  * d/*.pre*, d/*.post*, d/*.config: Fix space damage.
  * d/roundcube-core.postinst: Make configuration sample parsing and reading
    roundcube/hosts more robust.
  * d/roundcube-core.postinst: 3DES key generation: Use a random 18-bytes long
    string base64 encoded (the key needs to be 24 bytes long).
  * d/roundcube-core.postinst: lighttpd: Prefer the more efficient
    fastcgi-php-fpm over fastcgi-php on lighttpd 1.4.55-2 and later.
  * d/copyright: Add self.
  * DEP-8: Add basic Apache2 and lighttpd tests.
  * DEP-8: Add configuration file and log/temp directory ownership and mode
    checks.
  * DEP-8: Add a hardened deployment, with a dedicated PHP-FPM pool and
    dedicated user/group (so the HTTPd can't read sensitive roundcube data).
  * d/roundcube-core.post*: Reload webserver with deb-systemd-invoke(1) when
    possible.
  * d/roundcube-core.postinst: Avoid running bin/update.sh with root
    privileges, depending on /etc/roundcube/config.inc.php's ownership and
    mode: if the file is world-readable then issue a warning and run as
    www-data; otherwise, if the file is not root-owned then run as its owner;
    otherwise, if the file is group readable and is not group owned by root,
    and the group is used as a primary group for a single user, then use that
    user.  Should all that fail root privileges are preserved and a warning
    is issued.
  * d/roundcube-core.postinst: Issue a warning if a .dpkg-new leak is
    detected.

 -- Guilhem Moulin <guilhem@debian.org>  Mon, 17 May 2021 21:00:08 +0200

roundcube (1.4.11+dfsg.1-4) unstable; urgency=medium

  * d/roundcube-core.postinst: Remove the roundcube lighttpd module after it
    has been disabled, not before (closes: #988282).
  * d/roundcube-core.postinst: lighttpd: Don't enable fastcgi-php if there is
    already an enabled fastcgi .php handler (closes: #988236).
  * d/uupdate: Fix comment.

 -- Guilhem Moulin <guilhem@debian.org>  Mon, 17 May 2021 20:45:48 +0200

roundcube (1.5~beta+dfsg.1-2) experimental; urgency=medium

  * Add hunspell-en-us to Build-Depends and DEP-8 tests dependencies as
    spellcheck tests rely on that dictionary.

 -- Guilhem Moulin <guilhem@debian.org>  Mon, 08 Mar 2021 19:14:45 +0100

roundcube (1.5~beta+dfsg.1-1) experimental; urgency=medium

  * New upstream beta release (closes: #977687).
  * Change default spellchecker engine from pspell to enchant as the latter
    is better supported and more flexible.
  * d/copyright: Update Files-Excluded stanza for tinymce component.
  * d/uupdate: Fix tinymce-langs URL.
  * d/control: Bump dependencies to match jsdeps.json and composer.json-dist.
  * d/control: Update build dependencies for the improved test suite.
  * Update d/copyright.
  * Fix DEP-8 tests: The test suite now reads the configuration file, so we
    need to run it as www-data.
    We test with SQLite3 backend, and also the default backend (MySQL) on
    testbeds providing container-level isolation.
  * d/rules: Treat plugins/*/readme* (not only plugins/*/README*) as
    documentation.
  * CI: Disable piuparts which is bound to fail due to the schema upgrade.

 -- Guilhem Moulin <guilhem@debian.org>  Mon, 08 Mar 2021 00:42:28 +0100

roundcube (1.4.11+dfsg.1-3) unstable; urgency=medium

  * Remove versioned dependency (php* <<8.0) as it prevents users from
    upgrading php-common (e.g. via 3rd-party repositories).  Instead we give
    a hint which phpX.Y-* packages need to be manually installed.  Thanks to
    the Debian PHP PEAR Maintainers for their input!

 -- Guilhem Moulin <guilhem@debian.org>  Fri, 26 Feb 2021 23:44:31 +0100

roundcube (1.4.11+dfsg.1-2) unstable; urgency=medium

  * d/rules: Reorder targets based on the dh sequencer execution order.
  * d/roundcube-core.README.Debian: Add instructions for running Roundcube
    code as a user:group other than the default www-data:www-data.

 -- Guilhem Moulin <guilhem@debian.org>  Thu, 11 Feb 2021 21:49:03 +0100

roundcube (1.4.11+dfsg.1-1) unstable; urgency=high

  * New upstream bugfix/security release.
  * d/rules: Remove duplicate dh_link call.
  * d/rules: Fix sourcemap URLs in minified CSS.

 -- Guilhem Moulin <guilhem@debian.org>  Mon, 08 Feb 2021 23:32:06 +0100

roundcube (1.4.10+dfsg.2-2) unstable; urgency=medium

  [ Sandro Knauß ]
  * Remove retry-to-reach-imap-server.patch (Closes: #960302)
    It triggered too many issues for other users.

  [ Guilhem Moulin ]
  * Update d/missing-sources/README.
  * Remove useless duplicate d/install-jsdeps.sh.
  * d/rules: Use execute_after_dh_* from Debhelper compatibility level 13
    when relevant.
  * d/control: Require php* <8.0 in dependencies.

 -- Guilhem Moulin <guilhem@debian.org>  Mon, 08 Feb 2021 00:22:01 +0100

roundcube (1.4.10+dfsg.2-1) unstable; urgency=low

  * Retroactively update roundcube-plugins.NEWS as enigma is currently usable
    in Bullseye and sid.
  * d/rules: Complete refactoring.
  * Ship skin README files to /usr/share/doc/PACKAGE/skins.
  * Run bin/updatecss.sh at build time to (re-)stamp background images.
  * Exclude irrelevant scripts from binary packages: cssshrink.sh, initdb.sh,
    install-jsdeps.sh, installto.sh, jsshrink.sh, makedoc.sh, updatecss.sh,
    and updatedb.sh.
  * Don't install .htaccess into /usr/share/roundcube.  The root directory
    for the HTTPd is /var/lib/roundcube and we already ship the htaccess
    there.
  * Don't install the installer into /usr/share/roundcube.
  * Lintian overrides: Remove package annotations.
  * Remove upstream installation instructions from
    /usr/share/doc/roundcube-core
  * Lintian: Override false positive
    package-contains-documentation-outside-usr-share-doc and
    package-contains-empty-directory.
  * Install managesieve helpdocs to /usr/share/doc/roundcube-plugins.
  * Install password helpers into
    /usr/share/roundcube/plugins/password/helpers not into
    /usr/share/doc/roundcube-core/examples.
  * plugins/password/helpers/chpass-wrapper.py: use python3 as interpreter
    and add to roundcube-plugins' Suggests.
  * d/watch: Monitor git tags rather than release tarballs.
  * d/gbp.conf: Add upstream VCS tag as additional parent to
    upstream/$VERSION.
  * d/gbp.conf: Rename upstream branch to upstream/release-1.4.
  * Recommend using new directory /var/lib/roundcube/public_html as document
    root.
  * Update d/*.README.Debian with current instructions.
  * Run the upstream test suite (excluding Selenium-based web tests) at build
    time (unless under 'nocheck' build profile).  This adds phpunit,
    php-masterminds-html5 and php-intl to Build-Depends.
  * Add DEP-8 tests.  For now this only consists of the upstream test suite
    (excluding Selenium-based web tests).
  * Replace Build-Depends: closure-compiler, yui-compressor with cleancss,
    uglifyjs (>=3), used respectively for CSS and Javascript minification.
    Build also source maps alongside the minified code.  (Closes: #978073)
  * Elastic skin: Ship non-minified CSS and sourcemap alongside Less source
    files.
    (Closes: #978070)
  * New Build-Depends: pigz.  Ship gzipped (minified) JS and CSS files
    alongside the non-compressed versions.  Compatible HTTPds can send these
    files as is in order to avoid on-the-fly compression overhead.
    (Closes: #978075)

 -- Guilhem Moulin <guilhem@debian.org>  Fri, 15 Jan 2021 23:55:02 +0100

roundcube (1.4.10+dfsg.1-1) unstable; urgency=high

  * New upstream bugfix release, including security fix for:
    CVE-2020-35730: Cross-site scripting (XSS) vulnerability via HTML or
    Plain text messages with malicious content svg/namespace.
    (Closes: #978491)
  * d/rules: Make sure to fail the build when an error is raised in a for
    loop.  (Closes: #978069)
  * d/rules: Refactor and move CSS/JS generation and minification from
    override_dh_auto_install to override_dh_auto_build.  Thanks to Jonas
    Smedegaard for pointing this out.
  * Bump Standards-Version to 4.5.1 (no changes needed).
  * Upgrade watch file to version 4.
  * Rename Debian branch to debian/latest for DEP-14 compliance.
  * d/gbp.conf: Remove custom setting compression=xz.

 -- Guilhem Moulin <guilhem@debian.org>  Mon, 28 Dec 2020 01:33:45 +0100

roundcube (1.4.9+dfsg.1-1) unstable; urgency=medium

  * New upstream bugfix release.

 -- Guilhem Moulin <guilhem@debian.org>  Thu, 01 Oct 2020 17:43:08 +0200

roundcube (1.4.8+dfsg.1-1) unstable; urgency=high

  * New upstream bugfix release, including security fix for CVE-2020-16145:
    Cross-site scripting (XSS) vulnerability via HTML messages with malicious
    svg or math content.  (Closes: #968216)

 -- Guilhem Moulin <guilhem@debian.org>  Tue, 11 Aug 2020 16:45:02 +0200

roundcube (1.4.7+dfsg.2-1) unstable; urgency=low

  * d/rules: Exclude TinyMCE language Javascript packs from minification as
    Roundcube and TinyMCE load $code.js files not $code.min.js.
  * d/patches: Rename Use-system-JQueryUI.patch to use-system-JQueryUI.patch.
  * Bundle TinyMCE as secondary orig tarballs (downloaded automatically using
    custom uscan(1) script) rather than in d/missing-sources.
    The TinyMCE zip archive we used to ship in d/missing-sources violates
    DFSG (since 1.3.0+dfsg.1-1), because upstream's jsdeps.json links to the
    so-called "production package" which doesn't include preferred sources of
    modification.  This remained unnoticed because lintian doesn't inspect
    the content of archives in d/missing-sources.  Unfortunately Roundcube
    is still too dependent on the TinyMCE version for us to switch to the
    packaged version (see #784351), so we use secondary tarballs (repacked
    to exclude generated files such as minified JS and CSS files) for now.
  * d/control: Bump minimum node-less version to 3.0.0 as for later versions
    evaluation of JavaScript inline is disabled by default unless the new
    --js flag is set.
  * d/patches: Add Forwarded: DEP-3 headers.

 -- Guilhem Moulin <guilhem@debian.org>  Fri, 24 Jul 2020 02:44:11 +0200

roundcube (1.4.7+dfsg.1-1) unstable; urgency=high

  * New upstream bugfix release, including security fix for:
    CVE-2020-15562: Cross-Site Scripting (XSS) vulnerability via HTML
    messages with malicious svg/namespace (Closes: #964355)

 -- Guilhem Moulin <guilhem@debian.org>  Sun, 05 Jul 2020 23:57:50 +0200

roundcube (1.4.6+dfsg.1-3) unstable; urgency=low

  * d/upstream/metadata: Add upstream's screenshot URL.
  * d/po/de.po: Convert from ISO-8859-15 to UTF-8.
  * Remove bundled OpenPGP.js as the bundled source is not the preferred form
    of modification hence violates DFSG.  This breaks key generation in the
    enigma plugin (server-side OpenPGP support), but other key operations
    (incl. import of private keys) still work.  That being said enigma is
    already broken in Buster (and Bullseye too right now) due to the missing
    dependency 'php-crypt-gpg'.  Admins wanting enigma already need to
    manually install the dependency; they'll now need to also copy
    https://raw.githubusercontent.com/openpgpjs/openpgpjs/v4.4.6/dist/openpgp.min.js
    (or a later version) to /usr/share/roundcube/plugins/enigma/openpgp.min.js
    for key generation to keep working.
 -- Guilhem Moulin <guilhem@debian.org>  Sat, 04 Jul 2020 01:07:51 +0200

roundcube (1.4.6+dfsg.1-2) unstable; urgency=medium

  * d/rules: Fix FTBFS on systems where lessc(1) 1.6.3 uses node 12.18.0.
  * d/roundcube-core.preinst: Remove script as the dbconfig logic is a no-op.

 -- Guilhem Moulin <guilhem@debian.org>  Thu, 18 Jun 2020 14:01:20 +0200

roundcube (1.4.6+dfsg.1-1) unstable; urgency=low

  * New upstream bugfix release.
  * d/copyright: Add generated CSS (minified or compiled from LESS sources)
    to Files-Excluded:.  We don't want these in our (repacked) orig tarball
    nor in our git tree.  d/origtargz-diff.sh can be used to verify that all
    upstream-generated CSS/JS files are re-generated at build time and that
    none is missing from our .debs.

 -- Guilhem Moulin <guilhem@debian.org>  Sun, 07 Jun 2020 16:43:45 +0200

roundcube (1.4.5+dfsg.1-2) unstable; urgency=low

  * d/copyright: Upgrade URLs to secure HTTP.
  * d/copyright: Simplify Files-Excluded: pattern for generated JS files.
    Add new helper script d/origtargz-diff.sh to make sure we ship all files:
    generated files from the upstream tarball (before repacking) are excluded
    from the repacked .orig tarball, so we need to generate them back at
    build time and install them somewhere.
  * d/rules: Replace `find -print0 | xargs -r0` calls and loops with
    `find -exec`.
  * d/rules: Minify CSS files ourselves (like for .js files we minify all
    files, even the ones for which there is no .min.css in the upstream
    tree).
  * d/rules: Add yui-compressor to Build-Depends: for CSS minification.
  * d/patches/debianize-config.patch: typofix (closes: #931909).
  * d/rules: Also (re-)minify CSS/JS in roundcube-plugins, not only in
    roundcube-core.  The upstream tarball contains multiple
    plugins/*/*.min.js files before repacking, and while Roundcube seems to
    manage without, there are no reasons not to re-minify these in addition
    to the files in -core.
  * d/roundcube-core.preinst: Drop logic to remove old symlinks with file
    targets (.js, .txt etc.)
    as dpkg is able to handle these on its own.
  * d/roundcube-core.{pre,post}inst: Drop logic to handle upgrade path from
    ancient versions (<oldstable).  We don't support these upgrade paths and
    it clutters the maintainer scripts.
  * d/roundcube-core.maintscript: Ensure smooth directory-to-symlink
    conversion.  This is required for upgrades from <1.4~.
  * d/roundcube-core.dirs: Remove var/lib/roundcube/config as dh_link will
    create a symlink to etc/roundcube with that name.

 -- Guilhem Moulin <guilhem@debian.org>  Sat, 06 Jun 2020 16:44:07 +0200

roundcube (1.4.5+dfsg.1-1) unstable; urgency=high

  * New upstream bugfix release, including security fixes for:
    - CVE-2020-13964: Cross-Site Scripting (XSS) vulnerability in template
      object 'username' (closes: #962123)
    - CVE-2020-13965: Cross-Site Scripting (XSS) vulnerability via malicious
      XML messages (closes: #962124)
  * d/roundcube-core.postinst: Also call ucfr(1) on existing config.inc.php
    and always pass --debconf-ok to ucf(1).
  * Bump debhelper compatibility level to 13.
  * Add upstream meta-information to debian/upstream/metadata.

 -- Guilhem Moulin <guilhem@debian.org>  Wed, 03 Jun 2020 15:09:31 +0200

roundcube (1.4.4+dfsg.1-1) unstable; urgency=high

  * New upstream release, including security fixes for:
    - CVE-2020-12625: Cross-Site Scripting (XSS) vulnerability via malicious
      HTML messages (closes: #959140)
    - CVE-2020-12626: CSRF attack can cause an authenticated user to be
      logged out (closes: #959142)
  * Include krb_authentication plugin to the roundcube-plugins binary
    package.  Upstream ships this (core) plugin since 1.2-beta but somehow it
    never made it to the Debian package.  Thanks to Mike Gabriel for the
    poke.  (Closes: #958642)
  * d/control: Update Maintainer: field to use @alioth-lists.debian.net not
    deprecated @lists.alioth.debian.org.

 -- Guilhem Moulin <guilhem@debian.org>  Wed, 29 Apr 2020 22:10:57 +0200

roundcube (1.4.3+dfsg.1-1) unstable; urgency=medium

  * New upstream release.
  * d/roundcube-core.post*:
    + Replace tabs with spaces.
    + Pass flag '-f' to rm(1).
  * d/roundcube-core.postinst:
    + Create temporary config file with restricted permissions.  Previously
      the file was created with mode 0644 (minus umask), possibly leaking
      secrets to a local attacker during a short time window.  (The file was,
      and still is, removed later during the postinst stage.)
    + If the config file /etc/roundcube/config.inc.php already exists, don't
      override its ownership or mode.  Otherwise (atomically) create it with
      owner root:www-data and mode 0640, like before.  (Closes: #951194)
    + Honor dpkg-statoverride(1) rules on /var/lib/roundcube/temp and
      /var/log/roundcube: don't chown/chmod these directories if the local
      admin has defined overrides.
  * d/roundcube-core.postrm:
    + Also remove '.ucf-{new,old,dist}'-suffixed configuration files on
      purge, as suggested by ucf(1).
    + Only recursively remove /var/lib/roundcube/temp on purge, not its
      parent /var/lib/roundcube.  Roundcube needs only write access to the
      temp dir.
  * d/patches/update_script.patch: Restore patch removed in 1.4.1+dfsg.1-1 to
    fix the ucf logic.
  * d/patches/dbconfig-common_support.patch: Use C++ style comment for
    consistency.

 -- Guilhem Moulin <guilhem@debian.org>  Mon, 24 Feb 2020 06:39:10 +0100

roundcube (1.4.2+dfsg.1-2) unstable; urgency=medium

  * d/control:
    + Specify minimum versions for libjs-* dependencies.
    + Bump Standards-Version to 4.5.0 (no changes needed).
  * d/roundcube-core.links: link to /usr/share/javascript/$FOO, instead of
    its unreliable target name.  (Closes: #948011)
  * d/roundcube-core.logrotate:
    + Add glob pattern for /var/log/roundcube/*.log, as ".log" is the default
      extension used for log filenames since 1.4-beta.  (Closes: #948034)
    + Rotate daily and reduce the retention period to 14 days to match the
      new apache2 and nginx defaults.
  * d/rules: Rebuild skins/elastic/styles/{styles,print,embed}.css from the
    .less sources instead of shipping the upstream versions.
    This requires lessc(1) from node-less in the build environment.

 -- Guilhem Moulin <guilhem@debian.org>  Wed, 29 Jan 2020 11:21:01 +0100

roundcube (1.4.2+dfsg.1-1) unstable; urgency=low

  * New upstream release.
  * d/control: roundcube-plugins now suggests php-cli as enigma's
    import_keys.sh requires it.

 -- Guilhem Moulin <guilhem@debian.org>  Wed, 01 Jan 2020 23:09:32 +0100

roundcube (1.4.1+dfsg.1-2) unstable; urgency=low

  [ Sandro Knauß ]
  * Add patch to Fix "Retry to connect to IMAP server" (Closes: #947320)

 -- Guilhem Moulin <guilhem@debian.org>  Fri, 27 Dec 2019 11:14:20 +0100

roundcube (1.4.1+dfsg.1-1) experimental; urgency=low

  * New upstream release.
    + New Depends (and Build-Depends) 'php-mbstring', required by a call to
      mb_internal_encoding() in program/lib/Roundcube/bootstrap.php.
  * Rebase debian/install-jsdeps.sh from bin/install-jsdeps.sh.
  * Use system JS dependencies when possible: JQuery from libjs-jquery, jstz
    from libjs-jstimezonedetect, codemirror from libjs-codemirror, bootstrap
    from libjs-bootstrap4, jquery-minicolors from libjs-jquery-minicolors,
    JQuery UI from libjs-jquery-ui.
  * New Build-Depends: closure-compiler, used for JS minification instead of
    yui-compressor.  closure-compiler is what upstream uses, and
    yui-compressor is unable to compress 1.4's program/js/app.js and
    skins/elastic/ui.js.
  * Move plugin README.md files to /usr/share/doc/roundcube/plugins/$PLUGIN
  * Ensure INSTALL_PATH is always set to /var/lib/roundcube in the upstream
    tools.
  * d/roundcube-core.postinst: The honored environment variable for confdir
    is RCUBE_CONFIG_PATH, not RCMAIL_CONFIG_DIR.
  * d/control: Bump Standards-Version to 4.4.1 (no changes needed).
  * Refresh tinymce language pack from upstream.
  * d/control, d/compat: Set debhelper-compat version in Build-Depends.
  * d/control: Set 'Rules-Requires-Root: no'.
 -- Guilhem Moulin <guilhem@debian.org>  Wed, 18 Dec 2019 19:17:13 +0100

roundcube (1.3.10+dfsg.1-1) unstable; urgency=medium

  * New upstream release: (Closes: #927713)
    - Fixes CVE-2019-10740

  [ Guilhem Moulin ]
  * Backport fix for CVE-2018-1000071: Insecure Permissions vulnerability in
    enigma plugin that can result in exfiltration of gpg private key.
    https://github.com/roundcube/roundcubemail/issues/6173 (Closes: #897014)
  * New upstream release (1.3.9).  (Closes: #898068)
  * d/roundcube-core.config: Honor debconf setting roundcube/language, by
    skipping the relevant part at pre-configure stage.  (Closes: #923142)
  * d/roundcube-core.postinst: Create temporary configuration file
    atomically.
  * d/upstream/signing-key.asc: Minimize OpenPGP certificate.
  * Add new plugins to roundcube-plugins: 'attachment_reminder'
    (closes: #918126), 'example_addressbook', 'identicon', 'identity_select'
    and 'redundant_attachments'.
  * d/control: Bump Standards-Version to 4.3.0 (no changes needed).

 -- Beowulf <beowulf@netzguerilla.net>  Wed, 18 Dec 2019 00:26:48 +0100

# Older entries have been removed from this changelog.
# To read the complete changelog use `apt changelog roundcube-core`.
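The user-selection rule from the 1.5~beta+dfsg.1-3 entry (17 May 2021), which lets the postinst run bin/update.sh without root privileges based on the ownership and mode of /etc/roundcube/config.inc.php, written out as an added example. This is not the roundcube-core.postinst shipped by Debian; the decision is factored out of stat(2) so it can be exercised as an unprivileged user, and the CONFFILE path, the www-data fallback user and the primary_users_of helper are assumptions that follow the wording of the entry.

```shell
#!/bin/sh
# Added example (not the roundcube-core.postinst shipped by Debian): pick the
# least-privileged user for running bin/update.sh, following the rule in the
# 1.5~beta+dfsg.1-3 changelog entry.  stat(2) is left to the caller so the
# logic can be tested without root.
#
#   choose_update_user MODE OWNER GROUP [PRIMARY_USERS]
#     MODE           octal mode as printed by `stat -c %a` (640 or 0640)
#     OWNER, GROUP   names as printed by `stat -c '%U %G'`
#     PRIMARY_USERS  space-separated users whose primary group is GROUP
#                    (caller-supplied; see primary_users_of below)
# Prints the chosen user on stdout; warnings go to stderr.
CONFFILE=${CONFFILE:-/etc/roundcube/config.inc.php}   # assumed path

choose_update_user() {
    mode=$(( 0$1 ))   # force octal interpretation, with or without leading 0
    owner=$2 group=$3 primary_users=$4

    # 1. world-readable: the secrets are exposed to every local user anyway,
    #    so running as the web server user costs nothing, but warn the admin.
    if [ $(( mode & 04 )) -ne 0 ]; then
        echo "warning: $CONFFILE is world-readable" >&2
        echo www-data; return 0
    fi
    # 2. not owned by root: the owner is the intended service user.
    if [ "$owner" != root ]; then
        echo "$owner"; return 0
    fi
    # 3. group-readable, group is not root, and exactly one user has that
    #    group as primary group: that user can already read the file.
    if [ $(( mode & 040 )) -ne 0 ] && [ "$group" != root ]; then
        set -- $primary_users
        if [ $# -eq 1 ]; then
            echo "$1"; return 0
        fi
    fi
    # 4. nothing better found: keep root privileges, and say so.
    echo "warning: no unprivileged user can read $CONFFILE;" \
         "running bin/update.sh as root" >&2
    echo root; return 0
}

# Helper for real use (assumes getent(1)): users whose primary group is $1.
# Not exercised by the self-test below.
primary_users_of() {
    gid=$(getent group "$1" | cut -d: -f3)
    [ -n "$gid" ] || return 1
    getent passwd | awk -F: -v gid="$gid" '$4 == gid { print $1 }' | tr '\n' ' '
}

# Real invocation (assumes GNU stat and util-linux runuser):
#   set -- $(stat -c '%a %U %G' "$CONFFILE")
#   user=$(choose_update_user "$1" "$2" "$3" "$(primary_users_of "$3")")
#   runuser -u "$user" -- /usr/share/roundcube/bin/update.sh
```

The ordering matters: a world-readable file short-circuits everything else because nothing is gained by privilege juggling once the secrets are public, while the "single primary-group member" rule is the only branch that needs a lookup outside the file's own metadata, which is why the caller supplies it.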
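Two of the postinst items above concern the same secret, $config['des_key']: the 1.4.3+dfsg.1-1 entry (24 Feb 2020) closes the window in which a 0644 temporary file exposed it and creates the final file atomically as root:www-data 0640 only when it does not already exist, and the 1.5~beta+dfsg.1-3 entry generates the key from 18 random bytes so that its base64 form is exactly the 24 bytes Roundcube requires. The following is an added example of those two steps, not the package's own postinst: the existing-file case simply returns without touching anything (the real package hands that case to ucf), the group is optional because chgrp to www-data needs root, and the file name and the ln(1) no-clobber trick are choices made here.

```shell
#!/bin/sh
# Added example (not Debian's roundcube-core.postinst): generate a fresh
# config.inc.php containing a 3DES key without a window in which other local
# users can read it, after the 1.4.3+dfsg.1-1 and 1.5~beta+dfsg.1-3 entries.

# 18 random bytes, base64-encoded, give exactly 24 characters and no '='
# padding (18 is a multiple of 3): the length Roundcube wants for des_key.
gen_des_key() {
    head -c 18 /dev/urandom | base64 | tr -d '\n'
}

# install_new_config TARGET [GROUP]
# Creates TARGET with mode 0640 (group GROUP when given) only if it does not
# exist yet; an existing file, possibly tuned by the admin, keeps its content,
# owner and mode.  Returns 0 if created, 1 if TARGET existed, 2 on error.
install_new_config() {
    target=$1 group=$2
    dir=$(dirname "$target")
    [ -e "$target" ] && return 1

    # mktemp(1) creates the file 0600; umask 077 is belt and braces.  The
    # temp file lives in $dir, so the final link cannot cross a filesystem.
    tmp=$(umask 077 && mktemp "$dir/.config.inc.php.XXXXXX") || return 2

    # Write the secret while the file is still private to us.
    if ! {
        printf '<?php\n$config = [];\n'
        printf "\$config['des_key'] = '%s';\n" "$(gen_des_key)"
    } >"$tmp"; then
        rm -f "$tmp"; return 2
    fi

    # Adjust group and mode before publishing: 0640 is never wider than 0600
    # for "other", so no reader gains access at this point.
    if [ -n "$group" ] && ! chgrp "$group" "$tmp"; then
        rm -f "$tmp"; return 2
    fi
    chmod 0640 "$tmp" || { rm -f "$tmp"; return 2; }

    # Publish atomically.  ln(1) fails if TARGET appeared meanwhile (mv would
    # silently clobber it), so this is a no-clobber create; the temporary
    # name is removed either way.
    if ln "$tmp" "$target" 2>/dev/null; then
        rm -f "$tmp"; return 0
    fi
    rm -f "$tmp"; return 1
}

# Usage (as root on a Debian system, assumed names):
#   install_new_config /etc/roundcube/config.inc.php www-data
```

Compared with the pre-2020 behaviour described in the entry, the difference is entirely in when permissions are applied: the content is written to an inode nobody else can open, the group and mode are set on that private inode, and only then does the name become visible.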
Generated by dwww version 1.15 on Fri Aug 29 21:21:24 CEST 2025.