-
roundcube (1.3.6+dfsg.1-1) unstable; urgency=medium
* New upstream release. (Closes: #883620).
+ Includes fix for CVE-2018-9846: When the archive plugin is enabled and
configured, it's possible to exploit the unsanitized, user-controlled
"_uid" parameter to perform an MX (IMAP) injection attack.
(Closes: #895184).
+ Upgrade OpenPGP.js from 1.6.2 to 2.6.2.
* debian/control:
+ Bump Standards-Version to 4.1.4 (no changes needed).
+ Remove dependency on 'php-mcrypt' package, which is no longer needed
since Roundcube 1.2. (Closes: #895100).
* debian/patches/*.patch: Remove files not mentioned in series:
+ correct-magic-path.patch
+ disable-dns-prefetch.patch
+ dont-limit-email-local-part.patch
+ fix-599586.patch
+ install-jsdeps.sh
+ received-headers-sa.patch
+ too-old-mdb2.patch
+ use-debian-jquery-ui.patch
+ uuencoded-attachments.patch
* debian/roundcube-core.postinst: Use non-recursive calls to chown(1) and
chmod(1).
-- Guilhem Moulin <email address hidden> Sat, 14 Apr 2018 20:52:38 +0200
-
roundcube (1.3.3+dfsg.1-2) unstable; urgency=medium
* Upgrade internal TinyMCE to 4.5.8 to match upstream's JS dependencies.
(Closes: #881902.)
* roundcube-core: Remove symlinks /etc/apache2/conf-available/roundcube.conf
and /etc/lighttpd/conf-available/50-roundcube.conf when the HTTPd is
uninstalled before roundcube-core.
(Closes: #857838.)
-- Guilhem Moulin <email address hidden> Mon, 20 Nov 2017 03:45:14 +0100
-
roundcube (1.3.3+dfsg.1-1) unstable; urgency=high
* New upstream release. It primarily fixes a recently discovered file
disclosure vulnerability caused by insufficient input validation in
conjunction with file-based attachment plugins, which are used by default.
More details will be published under CVE-2017-16651.
* debian/rules:
+ Make the build reproducible. Thanks to Chris Lamb for the report and
patch. (Closes: #880827.)
+ Run `chmod 0755 plugins/password/helpers/*.p[ly]`
+ Fix precedence in find(1) call in override_dh_install. Thanks to Chris
Lamb for the report and patch. (Closes: #876722.)
* debian/control:
+ Replace "Priority: extra" (deprecated since Debian Policy 4.0.1) with
"Priority: optional".
+ Bump Standards-Version to 4.1.0 (no changes needed).
+ Promote php-mysql to first alternative in roundcube-mysql's
dependencies: it currently depends on php7.0-mysql, which in turn
provides virtual package php-mysqlnd.
* Patch /etc/roundcube/htaccess to use mod_php7.c in the <IfModule>
directive. Thanks to Peter Nowee for the report and patch. (Closes:
#880194.)
* debian/roundcube-core.preinst: Add "#DEBHELPER#" placeholder.
* debian/roundcube-core.links: Remove robots.txt, which is no longer shipped
by the package since 1.3.0+dfsg.1-1. (Closes: #877275.)
-- Guilhem Moulin <email address hidden> Thu, 09 Nov 2017 05:32:13 +0100
-
roundcube (1.3.1+dfsg.1-1) unstable; urgency=medium
* New upstream release.
* resort copyright file.
* update upstream-Add-get-and-extract-arguments-and-CACHEDIR-env-varia.patch.
* Bump Standards-Version to 4.1.0 (no changes needed).
* use dbc_go the proper way and use "$@".
-- Sandro Knauß <email address hidden> Sun, 10 Sep 2017 18:58:06 +0200
-
roundcube (1.3.0+dfsg.1-1) unstable; urgency=medium
* New upstream release.
* Update patches:
- remove patches that are not needed anymore
- hunks
- update_composer.patch to match new upstream release
* robots.txt is not shipped anymore in the package
* Get rid of unused overrides
* Bump Standards-Version to 4.0.0 (no changes needed)
* Bump compat level to 10 (no changes needed).
* Update copyright file
* Add SQL updates to Debian package
* 3rdparty handling:
- switch to install-jsdeps.sh
- install unminified version when possible, too
- modify jsdeps.json to be able to use sources
- update all missing-sources
* create-jquery-ui-custom.sh don't handle input arguments
* Update source.lintian-overrides
-- Sandro Knauß <email address hidden> Tue, 22 Aug 2017 19:55:39 +0200