* Fri Apr 13 2018 kbabioch@suse.com
- Upgrade to version 1.3.6
* Fix parsing date strings (e.g. from a Date: mail header) with comments
* Fix PHP 7.2: count(): Parameter must be an array in enchant-based spellchecker
* Fix possible IMAP command injection and type juggling vulnerabilities
* Enigma: Fix key selection for signing
* Enigma: Enable keypair generation on Internet Explorer 11
* Fix check_request() bypass in places using get_uids() (CVE-2018-9846 boo#1067574)
* Fix bug where usernames without domain part could be malformed or converted to lower-case on logon
* Fri Mar 16 2018 joop.boonen@opensuse.org
- Upgrade to version 1.3.5
* Added new skin with mobile support - the Elastic
* Support Redis cache
* Improved Mailvelope integration
- Added private key listing and generating to identity settings
- Enable encrypt & sign option if Mailvelope supports it
* Update to jQuery-3.3.1
* vcard_attachments: Add possibility to send contact vCard from Contacts toolbar (#6080)
* Add More actions button in Contacts toolbar with Copy/Move actions (#6081)
* Display an error when clicking disabled link to register protocol handler (#6079)
* Add option trusted_host_patterns (#6009, #5752)
* Support SMTPUTF8 and relax email address validation to support unicode in local part (#5120)
* Support additional connect parameters in PostgreSQL database wrapper
* Use UI dialogs instead of confirm() and alert() where possible
* Display value of the SMTP message size limit in the error message (#6032)
* Skip redundant INSERT query on successful logon when using PHP7
* Replace display_version with display_product_version (#5904)
* Extend disabled_actions config so it accepts also button names (#5903)
* Handle remote stylesheets the same as remote images, ask the user to allow them (#5994)
* Add Message-ID to the sendmail log (#5871)
* Managesieve: Add ability to disable filter sets and other actions (#5496, #5898)
* Managesieve: Add option managesieve_forward to enable settings dialog for simple forwarding (#6021)
* Managesieve: Support filter action with custom IMAP flags (#6011)
* Managesieve: Support 'mime' extension tests - RFC5703 (#5832)
* Managesieve: Support GSSAPI authentication with krb_authentication plugin (#5779)
* Changed defaults for smtp_user (%u), smtp_pass (%p) and smtp_port (587)
* Composer: Fix certificate validation errors by using packagist only (#5148)
* Enigma: Add button to send mail unencrypted if no key was found (#5913)
* Enigma: Add options to set PGP cipher/digest algorithms (#5645)
* Enigma: Multi-host support
* Add --get and --extract arguments and CACHEDIR env-variable support to install-jsdeps.sh (#5882)
* Update to jquery-minicolors 2.2.6
* Support _filter and _scope as GET arguments for opening mail UI (#5825)
* Support for IMAP folders that cannot contain both folders and messages (#5057)
* Added .user.ini file for php-fpm (#5846)
* Email Resent (Bounce) feature (#4985)
* Various improvements for templating engine and skin behaviours
- Support conditional include
- Support for 'link' objects
- Support including files with path relative to templates directory
- Use <button> instead of <input> for submit button on logon screen
* Reset onerror on images if placeholder does not exist to prevent from requests storm
* Unified and simplified code for loading content frame for responses and identities
* Display contact import and advanced search in popup dialogs
* Make possible to set (some) config options from a skin
* Added optional checkbox selection for the list widget
* Make 'compose' command always enabled
* Add .log suffix to all log file names, add option log_file_ext to control this (#313)
* Archive: Fix archiving by sender address on cyrus-imap
* Archive: Style Archive folder also on folder selector and folder manager lists
* Archive: Add Thunderbird compatible Month option (#5623)
* Return "401 Unauthorized" status when login fails (#5663)
* Support both comma and semicolon as recipient separator, drop recipients_separator option (#5092)
* Plugin API: Added 'show_bytes' hook (#5001)
* subscriptions_option: show \\Noselect folders greyed out (#5621)
* Add option to not indent quoted text on top-posting reply (#5105)
* Removed global $CONFIG variable
* Password: Support host variables in password_db_dsn option (#5955)
* Password: Automatic virtualmin domain setting, removed password_virtualmin_format option (#5759)
* Support AUTHENTICATE LOGIN for IMAP connections (#5563)
* Support LDAP GSSAPI authentication (#5703)
* Allow contacts without an email address (#5079)
* Localized timezone selector (#4983)
* Use 7bit encoding for ISO-2022-* charsets in sent mail (#5640)
* Handle inline images also inside multipart/mixed messages (#5905)
* Fix bug where attachment size wasn't visible when the filename was too long (#6033)
* Fix checking table columns when there's more schemas/databases in postgres/mysql (#6047)
* Fix css conflicts in user interface and e-mail content (#5891)
* Fix duplicated signature when using Back button in Chrome (#5809)
* Fix touch event issue on messages list in IE/Edge (#5781)
* Fix so links over images are not removed in plain text signatures converted from HTML (#4473)
* Fix various issues when downloading files with names containing non-ascii chars, use RFC 2231 (#5772)
* Managesieve: Fix bug where text: syntax was forced for strings longer than 1024 characters (#6143)
* Managesieve: Fix missing Save button in Edit Filter Set page of Classic skin (#6154)
* Fix duplicated labels in Test SMTP Config section (#6166)
* Fix PHP Warning: exif_read_data(...): Illegal IFD size (#6169)
* Enigma: Fix key generation in Safari by upgrade to OpenPGP 2.6.2 (#6149)
* Fix security issue in remote content blocking on HTML image and style tags (#6178)
* Added 9pt and 11pt to the list of font sizes in HTML editor
* Fix handling encoding of HTML tags in "inline" JSON output (#6207)
* Fix bug where some unix timestamps were not handled correctly by rcube_utils::anytodatetime() (#6212)
* Fri Feb 16 2018 ecsos@opensuse.org
- fix rights for enigma plugin
* Mon Feb 05 2018 jengelh@inai.de
- Trim bias from description.
- Replace %__-type macro indirections.
- Avoid bashisms in build logic.
* Sun Feb 04 2018 joop.boonen@opensuse.org
- Upgrade to version 1.3.4
- RELEASE 1.3.4
* Fix bug where contacts search could skip some records (#6130)
* Fix possible information leak - add more strict sql error check on user creation (#6125)
* Fix a couple of warnings on PHP 7.2 (#6098)
* Fix broken long filenames when using imap4d server - workaround server bug (#6048)
* Fix so temp_dir misconfiguration prints an error to the log (#6045)
* Fix untagged COPYUID responses handling - again (#5982)
* Fix PHP warning "idn_to_utf8(): INTL_IDNA_VARIANT_2003 is deprecated" with PHP 7.2 (#6075)
* Fix bug where Archive folder wasn't auto-created on login with create_default_folders=true
* Fix performance issue when parsing malformed and long Date header (#6087)
* Fix syntax error in mssql.initial.sql (#6097)
* Fix bug where contacts export by selection returned no more than 10 entries (#6103)
* Fix searching contacts by address in LDAP source (#6084)
* Fix X-Frame-Options:ALLOW-FROM support, remove custom click-jacking protection (#6057)
- RELEASE 1.3.3
* Fix decoding of mailto: links with + character in HTML messages (#6020)
* Fix false reporting of failed upgrade in installto.sh (#6019)
* Fix file disclosure vulnerability caused by insufficient input validation [CVE-2017-16651] (#6026)
* Fix mangled non-ASCII characters in links in HTML messages (#6028)
- RELEASE 1.3.2
* Fix bug where pink image was used instead of a thumbnail when image resize fails (#5933)
* Fix so files size/count limit is verified (client-side) also on drag-n-drop uploads (#5940)
* Fix invalid template loading on a message error in preview frame (#5941)
* Fix bug where HTML messages could have been rendered empty on some systems (#5957)
* Fix wording of "Mark previewed messages as read" to "Mark messages as read" (#5952)
* Enigma: Fix decryption of messages encoded with non-ascii charset (#5962)
* Fix missing cursor in HTML editor on mail reply (#5969)
* Fix (again) bug where image data URIs in css style were treated as evil/remote in mail preview (#5580)
* Fix bug where mail search could return empty result on servers without SORT capability (#5973)
* Fix bug where assets_path wasn't added to some watermark frames
* Fix so untagged COPYUID responses are also supported according to RFC6851 (#5982)
* Fix issue caused by non-default session.cookie_lifetime setting (#5961)
* Fix Edge encoding bug when pasting text into the HTML editor, update to TinyMCE 4.5.8 (#5885)
* Fix handling of unknown Content-Disposition type (#6002)
* Fix truncated folder name on messages list in multi-folder mode, for folders with non-ascii characters (#6004)
* Fix bug where removing the last subfolder did not hide toggle button on its parent record (#6007)
* Fix bug where ghost messages could be added to the list after fast delete (#5941)
- RELEASE 1.3.1
* Add Preferences > Mailbox View > Main Options > Layout (#5829)
* Password: Fix compatibility with PHP 7+ in cpanel_webmail driver (#5820)
* Managesieve: Fix parsing dot-stuffed lines in multiline text (#5838)
* Managesieve: Fix AM/PM suffix in vacation time selectors
* Managesieve: Fix bug where 'exists' operator was reset to 'contains' (#5899)
* Remove non-printable characters from filenames on download/display (#5880)
* Fix decoding non-ascii attachment names from TNEF attachments (#5646, #5799)
* Fix uninitialized string offset in rcube_utils::bin2ascii() and make sure rcube_utils::random_bytes() result has always requested length (#5788)
* Fix bug where HTML messages with @media styles could modify style of page body (#5811)
* Fix style issue on selected and unfocused message that is part of a thread (#5798)
* Fix bug where a.button style from managesieve plugin could impact other elements (#5800)
* Fix position of selected icon for (Mailvelope) Encrypt button
* Fix fatal error when using DMY- or MDY-based date format in PostgreSQL (#5808)
* Fix bug where errors were not printed when using bin/update.sh (#5834)
* Fix PHP 7.2 warnings on count() use (#5845)
* Fix bug where Chrome could not upload the same file that was selected before (#5854)
* Fix duplicate messages on the list after deleting messages on the next to the last page (#5862)
* Fix bug where messages count was not updated after delete when imap_cache is set (#5872)
* Fix potential XSS vulnerability with malformed HTML message markup
* Fix sending message with "Too many public recipients" dialog buttons (#5924)
* Bring back double-click behavior on the message list which was removed in 1.3.0 (#5823)
* Enigma: Fix decrypting an encrypted+signed message when signature verification fails (#5914)
- RELEASE 1.3.0
* Update to TinyMCE 4.5.7
* Fix bug where invalid recipients could be silently discarded (#5739)
* Fix conflict with _gid cookie of Google Analytics (#5748)
* Print error from CLI scripts when system/exec function is disabled (#5744)
* Fix bug where comment notation within style tag would cause the whole style to be ignored (#5747)
* Fix bug where it wasn't possible to scroll folders list in Edge (#5750)
* Fix folders list sorting on Windows - if php-intl is available (#5732)
* Fix addressbook searching by gender (#5757)
* Fix prevention from using % and * characters in folder name (#5762)
* Fix POST parameter reflection in default_charset selector (#5768)
* Enigma: Fix compatibility with assets_dir
* Managesieve: Skip redundant LISTSCRIPTS command
* Fix SQL syntax error on MariaDB 10.2 (#5774)
* Fix bug where zipdownload ignored files with the same name (#5777)
* Fix bug where it wasn't possible to set timezone to auto-detected value (#5782)
- Build roundcube correctly for both php5 and php7
* Fri Nov 10 2017 lars@linux-schulserver.de
- Update to 1.2.7:
+ Fix file disclosure vulnerability caused by insufficient
input validation (CVE-2017-16651; boo#1067574)
* Tue Sep 19 2017 michael@stroeder.com
- Update to 1.2.6
* Don't ignore (global) userlogins/sendmail logging in per_user_logging mode
* Enigma: Fix compatibility with assets_dir
* Managesieve: Fix AM/PM suffix in vacation time selectors
* Fix bug where comment notation within style tag would cause the whole style to be ignored (#5747)
* Fix bug where it wasn't possible to scroll folders list in Edge (#5750)
* Fix addressbook searching by gender (#5757)
* Fix SQL syntax error on MariaDB 10.2 (#5774)
* Fix bug where it wasn't possible to set timezone to auto-detected value (#5782)
* Fix uninitialized string offset in rcube_utils::bin2ascii() and make sure rcube_utils::random_bytes() result has always requested length (#5788)
* Fix potential XSS vulnerability with malformed HTML message markup
* Fri Jul 28 2017 chris@computersalat.de
- fix for boo#1050980
* php-mcrypt will be removed with php >= 7.2
* anyway not a dependency anymore since roundcube version 1.2
* Wed May 03 2017 michael@stroeder.com
- Update to 1.2.5 which fixes vulnerability in the virtualmin and
sasl drivers of the password plugin (CVE-2017-8114, bsc#1036955)
* Thu Mar 16 2017 aj@ajaissle.de
- Update to 1.2.4 [boo#1029035]
- Managesieve: Fix handling of scripts with nested rules (#5540)
- Managesieve: Fix parser issue with empty lines between comments (#5657)
- Managesieve: Fix possible defect in handling \r\n in scripts (#5685)
- Enigma: Fix handling of messages with nested PGP encrypted parts (#5634)
- Enigma: Fix PHP fatal error when decrypting a message with invalid signature (#5555)
- Enigma: Fix missing require statement for Crypt_GPG_KeyGenerator (#5641)
- Fix variable substitution in ldap host for some use-cases, e.g. new_user_identity (#5544)
- Fix adding images to new identity signatures
- Fix rsync error handling in installto.sh script (#5562)
- Fix some advanced search issues with multiple addressbooks (#5572)
- Fix so group/addressbook selection is retained on page refresh
- Fix bug where image data URIs in css style were treated as evil/remote in mail preview (#5580)
- Fix bug where external content in src attribute of input/video tags was not secured (#5583)
- Fix PHP error on update of a contact with multiple email addresses when using PHP 7.1 (#5587)
- Fix bug where mail content frame couldn't be reset in some corner cases (#5608)
- Fix bug where some classic skin images were not displayed in IE/Edge (#5614)
- Fix bug where signature couldn't be added above the quote in Firefox 51 (#5628)
- Fix regression where groups with email address were resolved to its members' addresses
- Fix update of group name in the contacts list header on group rename (#5648)
- Add rewrite rule to disable access to /vendor/bin folder in .htaccess (#5630)
- Fix bug where it was too easy to accidentally move a folder when using the subscription checkbox (#5655)
- Fix XSS issue in handling of a style tag inside of an svg element [CVE-2017-6820]
* Tue Nov 29 2016 aj@ajaissle.de
- Update to 1.2.3 [boo#1012493]
- Searching in both contacts and groups when LDAP addressbook with group_filters option is used
- Fix vulnerability in handling of mail()'s 5th argument [boo#1012493]
- Fix To: header encoding in mail sent with mail() method (#5475)
- Fix flickering of header topline in min-mode (#5426)
- Fix bug where folders list would scroll to top when clicking on subscription checkbox (#5447)
- Fix decoding of GB2312/GBK text when iconv is not installed (#5448)
- Fix regression where creation of default folders wasn't functioning without prefix (#5460)
- Enigma: Fix bug where last records on keys list were hidden (#5461)
- Enigma: Fix key search with keyword containing non-ascii characters (#5459)
- Fix bug where deleting folders with subfolders could fail in some cases (#5466)
- Fix bug where IMAP password could be exposed via error message (#5472)
- Fix bug where it wasn't possible to store more than 2MB objects in memcache/apc, Added memcache_max_allowed_packet and apc_max_allowed_packet settings (#5452)
- Fix "Illegal string offset" warning in rcube::log_bug() on PHP 7.1 (#5508)
- Fix storing "empty" values in rcube_cache/rcube_cache_shared (#5519)
- Fix missing content check when image resize fails on attachment thumbnail generation (#5485)
- Fix displaying attached images with wrong Content-Type specified (#5527)
* Wed Oct 05 2016 astieger@suse.com
- verify source signature
* Thu Sep 29 2016 aj@ajaissle.de
- Update to 1.2.2 [boo#1001856]
- Enigma: Add possibility to configure gpg-agent binary location (enigma_pgp_agent)
- Enigma: Fix signature verification with some IMAP servers, e.g. Gmail, DBMail (#5371)
- Enigma: Make recipient key searches case-insensitive (#5434)
- Fix regression in resizing JPEG images with Imagick (#5376)
- Managesieve: Fix parsing of vacation date-time with non-default date_format (#5372)
- Use SymLinksIfOwnerMatch in .htaccess instead of FollowSymLinks disabled on some hosts for security reasons (#5370)
- Wash position:fixed style in HTML mail for better security (#5264) [boo#1001856]
- Fix bug where memcache_debug didn't work for session operations
- Fix bug where Message-ID domain part was tied to username instead of current identity (#5385)
- Fix bug where blocked.gif couldn't be attached to reply/forward with insecure content
- Fix E_DEPRECATED warning when using Auth_SASL::factory() (#5401)
- Fix bug where names of downloaded files could be malformed when derived from the message subject (#5404)
- Fix so "All" messages selection is reset on search reset (#5413)
- Fix bug where folder creation could fail if personal namespace contained more than one entry (#5403)
- Fix error causing empty INBOX listing in Firefox when using an URL with user:password specified (#5400)
- Fix PHP warning when handling shared namespace with empty prefix (#5420)
- Fix so folders list is scrolled to the selected folder on page load (#5424)
- Fix so when moving to Trash we make sure the folder exists (#5192)
- Fix displaying size of attachments with zero size
- Fix so "Action disabled" error uses more appropriate 404 code (#5440)
* Thu Aug 11 2016 aj@ajaissle.de
- Update to 1.2.1
- Update TinyMCE to version 4.3.13 (#5309)
- Fix bug where errors could have been not logged when per_user_logging=true
- Fix bug where message list columns could be in wrong order after column drag-n-drop and list sorting
- Fix so minified publickey.js (with cache-buster) is used when available (#5254)
- Fix (replace) application/x-tar file extension test as it might not exist in nginx config (#5253)
- Fix PHP warning when password_hosts is set, but is not an array (#5260)
- Fix redundant keep-alive requests when session_lifetime is greater than ~20000 (#5273)
- Fix so subfolders of INBOX can be set as Archive (#5274)
- Fix bug where multi-folder search could choose a wrong folder in "this and subfolders" scope (#5282)
- Fix bug where multi-folder search didn't work for unsubscribed INBOX (#5259)
- Fix bug where "no body" alert could be displayed when sending mailvelope email
- Enigma: Fix keys import from inside of an encrypted message (#5285)
- Enigma: Fix malformed signed messages with force_7bit=true (#5292)
- Enigma: Add possibility to configure gpg binary location (enigma_pgp_binary)
- Enigma: Add possibility to export private keys (#5321)
- Fix searching by email address in contacts with multiple addresses (#5291)
- Fix handling of --delete argument in moduserprefs.sh script (#5296)
- Workaround PHP issue by calling closelog() on script shutdown when using log_driver=syslog (#5289)
- Fix so upgrade script makes sure program/lib directory does not contain old libraries (#5287)
- Fix subscription checkbox state on error in folder subscribe/unsubscribe action (#5243)
- Fix bug where microsecond format in logged date didn't work in some cases
- Fix conflict in new_user_dialog and password_force_new_user settings (#5275)
- Don't create multipart/alternative messages with empty text/plain part (#5283)
- Use contact_search_name format in popup on results in compose contacts search
- Fix handling of 'mailto' and 'error' arguments in message_before_send hook (#5347)
- Fix missing localization of HTML editor when assets_dir != INSTALL_PATH
- Fix handling of blockquote tags with mixed case on html2text conversion (#5363)
- Fix javascript errors in IE on page with iframe that points to another domain
* Tue May 24 2016 opensuse@dstoecker.de
- update to version 1.2.0 [boo#982003] [CVE-2016-5103]
PHP7 compatibility
PGP encryption
Drag-n-drop attachments from mail preview to compose window
Mail messages searching with predefined date interval
Improved security measures to protect from brute-force attacks
And of course plenty of small improvements and bug fixes.
* Mon Apr 25 2016 lars@linux-schulserver.de
- Update to 1.1.5
Plugin API: Add html2text hook
Plugin API: Added addressbook_export hook
Fix missing emoticons on html-to-text conversion
Fix random "access to this resource is secured against CSRF" message at logout (#4956)
Fix missing language name in "Add to Dictionary" request in HTML mode (#4951)
Enable use of TLSv1.1 and TLSv1.2 for IMAP (#4955)
Fix XSS issue in SVG images handling (#4949)
Fix (again) security issue in DBMail driver of password plugin CVE-2015-2181
Fix bug where Archive/Junk buttons were not active after page jump with select=all mode (#4961)
Fix bug in long recipients list parsing for cases where recipient name contained @-char (#4964)
Fix additional_message_headers plugin compatibility with Mail_Mime >= 1.9 (#4966)
Hide DSN option in Preferences when smtp_server is not used (#4967)
Protect download urls against CSRF using unique request tokens (#4957)
newmail_notifier: Refactor desktop notifications
Fix so contactlist_fields option can be set via config file
Fix so SPECIAL-USE assignments are forced only until user sets special folders (#4782)
Fix performance in reverting order of THREAD result
Fix converting mail addresses with @www. into mailto links (#5197)
* Fri Feb 05 2016 aj@ajaissle.de
- Added "Suggests:" for apache2
* Fri Jan 15 2016 aj@ajaissle.de
- Changed apache2 config
* Thu Dec 31 2015 lars@linux-schulserver.de
- Update to 1.1.4
Add workaround for https://bugs.php.net/bug.php?id=70757 (#1490582)
Fix duplicate messages in list and wrong count after delete (#1490572)
Fix so Installer requires PHP5
Make brute force attacks harder by re-generating security token on every failed login (#1490549)
Slow down brute-force attacks by waiting for a second after failed login (#1490549)
Fix .htaccess rewrite rules to not block .well-known URIs (#1490615)
Fix mail view scaling on iOS (#1490551)
Fix so database_attachments::cleanup() does not remove attachments from other sessions (#1490542)
Fix responses list update issue after response name change (#1490555)
Fix bug where message preview was unintentionally reset on check-recent action (#1490563)
Fix bug where HTML messages with invalid/excessive css styles couldn't be displayed (#1490539)
Fix redundant blank lines when using HTML and top posting (#1490576)
Fix redundant blank lines on start of text after html to text conversion (#1490577)
Fix HTML sanitizer to skip <!-- node type X --> in output (#1490583)
Fix invalid LDAP query in ACL user autocompletion (#1490591)
Fix regression in displaying contents of message/rfc822 parts (#1490606)
Fix handling of message/rfc822 attachments on replies and forwards (#1490607)
Fix PDF support detection in Firefox > 19 (#1490610)
Fix path traversal vulnerability (CWE-22) in setting a skin (#1490620) [CVE-2015-8770] [bnc#962067]
Fix so drag-n-drop of text (e.g. recipient addresses) on compose page actually works (#1490619)
- explicitly add required PHP packages (according to INSTALL):
+ php-dom, php-json, php-sockets
- also recommend additional PHP packages:
+ php-zip, php-pear-Crypt_GPG
- use generic php- prefix also for recommended packages (no explicit php5-)
- no Dockerfile readme any more
* Fri Oct 23 2015 aj@ajaissle.de
- Changed roundcubemail-httpd.conf
- Enable mod_version.c per default [boo#938840]