Sat Dec 26 14:24:48 2015 UTC ()
Update roundcube to 1.1.4 including security fixes.

* Fix a potential path traversal vulnerability.
* Add some measures against brute-force attacks.

RELEASE 1.1.4
-------------
- Add workaround for https://bugs.php.net/bug.php?id=70757 (#1490582)
- Fix duplicate messages in list and wrong count after delete (#1490572)
- Fix so Installer requires PHP5
- Make brute force attacks harder by re-generating security token on every failed login (#1490549)
- Slow down brute-force attacks by waiting for a second after failed login (#1490549)
- Fix .htaccess rewrite rules to not block .well-known URIs (#1490615)
- Fix mail view scaling on iOS (#1490551)
- Fix so database_attachments::cleanup() does not remove attachments from other sessions (#1490542)
- Fix responses list update issue after response name change (#1490555)
- Fix bug where message preview was unintentionally reset on check-recent action (#1490563)
- Fix bug where HTML messages with invalid/excessive css styles couldn't be displayed (#1490539)
- Fix redundant blank lines when using HTML and top posting (#1490576)
- Fix redundant blank lines on start of text after html to text conversion (#1490577)
- Fix HTML sanitizer to skip <!-- node type X --> in output (#1490583)
- Fix invalid LDAP query in ACL user autocompletion (#1490591)
- Fix regression in displaying contents of message/rfc822 parts (#1490606)
- Fix handling of message/rfc822 attachments on replies and forwards (#1490607)
- Fix PDF support detection in Firefox > 19 (#1490610)
- Fix path traversal vulnerability (CWE-22) in setting a skin (#1490620)
- Fix so drag-n-drop of text (e.g. recipient addresses) on compose page actually works (#1490619)


(taca)
diff -r1.77 -r1.78 pkgsrc/mail/roundcube/Makefile
diff -r1.38 -r1.39 pkgsrc/mail/roundcube/PLIST
diff -r1.47 -r1.48 pkgsrc/mail/roundcube/distinfo
diff -r1.1 -r1.2 pkgsrc/mail/roundcube/patches/patch-config.inc.php
diff -r1.1 -r1.2 pkgsrc/mail/roundcube/patches/patch-rcube_mime_default

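--- a/pkgsrc/mail/roundcube/Makefile
+++ b/pkgsrc/mail/roundcube/Makefile
@@ -1,16 +1,16 @@
-# $NetBSD: Makefile,v 1.77 2015/10/29 15:54:20 prlw1 Exp $
+# $NetBSD: Makefile,v 1.78 2015/12/26 14:24:48 taca Exp $
 
-DISTNAME= roundcubemail-1.1.3
+DISTNAME= roundcubemail-1.1.4
 PKGNAME= ${DISTNAME:S/mail-/-/}
 CATEGORIES= mail
 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=roundcubemail/}
 
 MAINTAINER= taca@NetBSD.org
 HOMEPAGE= http://roundcube.net/
 COMMENT= Browser-based multilingual IMAP client
 LICENSE= gnu-gpl-v3
 
 DEPENDS+= ${PHP_PKG_PREFIX}-mbstring>=${PHP_BASE_VERS}:../../converters/php-mbstring
 DEPENDS+= ${PHP_PKG_PREFIX}-dom>=${PHP_BASE_VERS}:../../textproc/php-dom
 DEPENDS+= ${PHP_PKG_PREFIX}-exif>=${PHP_BASE_VERS}:../../graphics/php-exif
 DEPENDS+= ${PHP_PKG_PREFIX}-intl>=${PHP_BASE_VERS}:../../textproc/php-intl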

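--- a/pkgsrc/mail/roundcube/PLIST
+++ b/pkgsrc/mail/roundcube/PLIST
@@ -1,14 +1,14 @@
-@comment $NetBSD: PLIST,v 1.38 2015/10/29 15:54:20 prlw1 Exp $
+@comment $NetBSD: PLIST,v 1.39 2015/12/26 14:24:48 taca Exp $
 share/doc/roundcube/INSTALL
 share/doc/roundcube/LICENSE
 share/doc/roundcube/README.md
 share/doc/roundcube/UPGRADING
 share/examples/roundcube/config.inc.php
 share/examples/roundcube/defaults.inc.php
 share/examples/roundcube/mimetypes.php
 share/examples/roundcube/plugins/acl/config.inc.php
 share/examples/roundcube/plugins/additional_message_headers/config.inc.php
 share/examples/roundcube/plugins/help/config.inc.php
 share/examples/roundcube/plugins/http_authentication/config.inc.php
 share/examples/roundcube/plugins/jqueryui/config.inc.php
 share/examples/roundcube/plugins/managesieve/config.inc.php
@@ -1855,26 +1855,27 @@ share/roundcube/program/localization/tr_
 share/roundcube/program/localization/uk_UA/labels.inc
 share/roundcube/program/localization/uk_UA/messages.inc
 share/roundcube/program/localization/ur_PK/labels.inc
 share/roundcube/program/localization/vi_VN/labels.inc
 share/roundcube/program/localization/vi_VN/messages.inc
 share/roundcube/program/localization/zh_CN/labels.inc
 share/roundcube/program/localization/zh_CN/messages.inc
 share/roundcube/program/localization/zh_TW/csv2vcard.inc
 share/roundcube/program/localization/zh_TW/labels.inc
 share/roundcube/program/localization/zh_TW/messages.inc
 share/roundcube/program/resources/blank.gif
 share/roundcube/program/resources/blank.tif
 share/roundcube/program/resources/blocked.gif
+share/roundcube/program/resources/dummy.pdf
 share/roundcube/program/steps/addressbook/copy.inc
 share/roundcube/program/steps/addressbook/delete.inc
 share/roundcube/program/steps/addressbook/edit.inc
 share/roundcube/program/steps/addressbook/export.inc
 share/roundcube/program/steps/addressbook/func.inc
 share/roundcube/program/steps/addressbook/groups.inc
 share/roundcube/program/steps/addressbook/import.inc
 share/roundcube/program/steps/addressbook/list.inc
 share/roundcube/program/steps/addressbook/mailto.inc
 share/roundcube/program/steps/addressbook/move.inc
 share/roundcube/program/steps/addressbook/photo.inc
 share/roundcube/program/steps/addressbook/print.inc
 share/roundcube/program/steps/addressbook/save.inc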

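--- a/pkgsrc/mail/roundcube/distinfo
+++ b/pkgsrc/mail/roundcube/distinfo
@@ -1,10 +1,10 @@
-$NetBSD: distinfo,v 1.47 2015/11/04 17:41:20 agc Exp $
+$NetBSD: distinfo,v 1.48 2015/12/26 14:24:48 taca Exp $
 
-SHA1 (roundcubemail-1.1.3.tar.gz) = 4513227bd64eb8564f056817341b1dfe478e215e
-RMD160 (roundcubemail-1.1.3.tar.gz) = e4301d85004cc5986743ef16e3c4ea2c3f8dd9fd
-SHA512 (roundcubemail-1.1.3.tar.gz) = be5d64a8d52aa623de614bc1b137ae2f74250de050de086a510114121bcb760b973f8319884395827f324371542b741b80054b90031d8814752bb018dcda2096
-Size (roundcubemail-1.1.3.tar.gz) = 3208502 bytes
+SHA1 (roundcubemail-1.1.4.tar.gz) = 4883c8bb39fadf8af94ffb09ee426cba9f8ef2e3
+RMD160 (roundcubemail-1.1.4.tar.gz) = 24f4bd093db74183132eba7ff610fcff9840541a
+SHA512 (roundcubemail-1.1.4.tar.gz) = 18c2422d65292cd13bc4ce592e8490cc0a9d3e9551ac4d188db93eb989525af7ccf519642dd2e68a7380ab0d0d4ad4f999af2b7e99da75d88274743949b42f8a
+Size (roundcubemail-1.1.4.tar.gz) = 3209549 bytes
 SHA1 (patch-ac) = 235116580665d5d58edc218c063b41171a2d9227
 SHA1 (patch-af) = 1f95a7005569207469563aa37ff48da0383b7668
-SHA1 (patch-config.inc.php) = 20a71b7fd9fbf0a1e097bd17428b9a1a2bed638d
-SHA1 (patch-rcube_mime_default) = 5cf58d8cbba63f97ddd8baaa7f1603aeff6bcb0d
+SHA1 (patch-config.inc.php) = 6652bd2aaba06e1d1dd4a02d2390aa523f54e613
+SHA1 (patch-rcube_mime_default) = fe6ff1bea0a2c4223b34e44a6d0ca76e6476d2aa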

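--- a/pkgsrc/mail/roundcube/patches/Attic/patch-config.inc.php
+++ b/pkgsrc/mail/roundcube/patches/Attic/patch-config.inc.php
@@ -1,15 +1,17 @@
-$NetBSD: patch-config.inc.php,v 1.1 2015/05/24 14:48:54 jym Exp $
+$NetBSD: patch-config.inc.php,v 1.2 2015/12/26 14:24:48 taca Exp $
+
 Add default paths for log, tmp and MIME types.
+
 --- config/config.inc.php.sample 2015-03-16 20:54:49.000000000 +0000
 +++ config/config.inc.php.sample.18555.sample
 @@ -83,3 +83,10 @@ $config['plugins'] = array(
  
  // skin name: folder from skins/
  $config['skin'] = 'larry';
 +
 +// use this folder to store log files (must be writeable for apache user)
 +// This is used by the 'file' log driver.
 +$config['log_dir'] = '@VARBASE@/log/roundcube/';
 +
 +// use this folder to store temp files (must be writeable for apache user)
 +$config['temp_dir'] = '@VARBASE@/tmp/roundcube/';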

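--- a/pkgsrc/mail/roundcube/patches/Attic/patch-rcube_mime_default
+++ b/pkgsrc/mail/roundcube/patches/Attic/patch-rcube_mime_default
@@ -1,18 +1,20 @@
-$NetBSD: patch-rcube_mime_default,v 1.1 2015/05/24 14:48:54 jym Exp $
+$NetBSD: patch-rcube_mime_default,v 1.2 2015/12/26 14:24:48 taca Exp $
+
 Fix path to /etc/.
---- program/lib/Roundcube/rcube_mime.php.orig 2015-03-16 20:54:50.000000000 +0000
+
+--- program/lib/Roundcube/rcube_mime.php.orig 2015-12-23 09:18:12.000000000 +0000
 +++ program/lib/Roundcube/rcube_mime.php
-@@ -807,12 +807,12 @@ class rcube_mime
+@@ -770,12 +770,12 @@ class rcube_mime
  $file_paths[] = 'C:/xampp/apache/conf/mime.types.';
  }
  else {
 - $file_paths[] = '/etc/mime.types';
 - $file_paths[] = '/etc/httpd/mime.types';
 - $file_paths[] = '/etc/httpd2/mime.types';
 - $file_paths[] = '/etc/apache/mime.types';
 - $file_paths[] = '/etc/apache2/mime.types';
 - $file_paths[] = '/etc/nginx/mime.types';
 + $file_paths[] = '@PKG_SYSCONFBASE@/mime.types';
 + $file_paths[] = '@PKG_SYSCONFBASE@/httpd/mime.types';
 + $file_paths[] = '@PKG_SYSCONFBASE@/httpd2/mime.types';
 + $file_paths[] = '@PKG_SYSCONFBASE@/apache/mime.types';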