Package Release Info

roundcubemail-1.3.6-bp150.2.4

Update Info: Base Release
Available in Package Hub : 15

platforms

AArch64
ppc64le
s390x
x86-64

subpackages

roundcubemail

Change Logs

* Fri Apr 13 2018 kbabioch@suse.com
- Upgrade to version 1.3.6
  * Fix parsing date strings (e.g. from a Date: mail header) with comments
  * Fix PHP 7.2: count(): Parameter must be an array in enchant-based spellchecker
  * Fix possible IMAP command injection and type juggling vulnerabilities
  * Enigma: Fix key selection for signing
  * Enigma: Enable keypair generation on Internet Explorer 11
  * Fix check_request() bypass in places using get_uids() (CVE-2018-9846 boo#1067574)
  * Fix bug where usernames without domain part could be malformed or converted to lower-case on logon
* Fri Mar 16 2018 joop.boonen@opensuse.org
- Upgrade to version 1.3.5
  * Added new skin with mobile support - the Elastic
  * Support Redis cache
  * Improved Mailvelope integration
  - Added private key listing and generating to identity settings
  - Enable encrypt & sign option if Mailvelope supports it
  * Update to jQuery-3.3.1
  * vcard_attachments: Add possibility to send contact vCard from Contacts toolbar (#6080)
  * Add More actions button in Contacts toolbar with Copy/Move actions (#6081)
  * Display an error when clicking disabled link to register protocol handler (#6079)
  * Add option trusted_host_patterns (#6009, #5752)
  * Support SMTPUTF8 and relax email address validation to support unicode in local part (#5120)
  * Support additional connect parameters in PostgreSQL database wrapper
  * Use UI dialogs instead of confirm() and alert() where possible
  * Display value of the SMTP message size limit in the error message (#6032)
  * Skip redundant INSERT query on successful logon when using PHP7
  * Replace display_version with display_product_version (#5904)
  * Extend disabled_actions config so it accepts also button names (#5903)
  * Handle remote stylesheets the same as remote images, ask the user to allow them (#5994)
  * Add Message-ID to the sendmail log (#5871)
  * Managesieve: Add ability to disable filter sets and other actions (#5496, #5898)
  * Managesieve: Add option managesieve_forward to enable settings dialog for simple forwarding (#6021)
  * Managesieve: Support filter action with custom IMAP flags (#6011)
  * Managesieve: Support 'mime' extension tests - RFC5703 (#5832)
  * Managesieve: Support GSSAPI authentication with krb_authentication plugin (#5779)
  * Changed defaults for smtp_user (%u), smtp_pass (%p) and smtp_port (587)
  * Composer: Fix certificate validation errors by using packagist only (#5148)
  * Enigma: Add button to send mail unencrypted if no key was found (#5913)
  * Enigma: Add options to set PGP cipher/digest algorithms (#5645)
  * Enigma: Multi-host support
  * Add --get and --extract arguments and CACHEDIR env-variable support to install-jsdeps.sh (#5882)
  * Update to jquery-minicolors 2.2.6
  * Support _filter and _scope as GET arguments for opening mail UI (#5825)
  * Support for IMAP folders that cannot contain both folders and messages (#5057)
  * Added .user.ini file for php-fpm (#5846)
  * Email Resent (Bounce) feature (#4985)
  * Various improvements for templating engine and skin behaviours
  - Support conditional include
  - Support for 'link' objects
  - Support including files with path relative to templates directory
  - Use <button> instead of <input> for submit button on logon screen
  * Reset onerror on images if placeholder does not exist to prevent a request storm
  * Unified and simplified code for loading content frame for responses and identities
  * Display contact import and advanced search in popup dialogs
  * Make it possible to set (some) config options from a skin
  * Added optional checkbox selection for the list widget
  * Make 'compose' command always enabled
  * Add .log suffix to all log file names, add option log_file_ext to control this (#313)
  * Archive: Fix archiving by sender address on cyrus-imap
  * Archive: Style Archive folder also on folder selector and folder manager lists
  * Archive: Add Thunderbird compatible Month option (#5623)
  * Return "401 Unauthorized" status when login fails (#5663)
  * Support both comma and semicolon as recipient separator, drop recipients_separator option (#5092)
  * Plugin API: Added 'show_bytes' hook (#5001)
  * subscriptions_option: show \\Noselect folders greyed out (#5621)
  * Add option to not indent quoted text on top-posting reply (#5105)
  * Removed global $CONFIG variable
  * Password: Support host variables in password_db_dsn option (#5955)
  * Password: Automatic virtualmin domain setting, removed password_virtualmin_format option (#5759)
  * Support AUTHENTICATE LOGIN for IMAP connections (#5563)
  * Support LDAP GSSAPI authentication (#5703)
  * Allow contacts without an email address (#5079)
  * Localized timezone selector (#4983)
  * Use 7bit encoding for ISO-2022-* charsets in sent mail (#5640)
  * Handle inline images also inside multipart/mixed messages (#5905)
  * Fix bug where attachment size wasn't visible when the filename was too long (#6033)
  * Fix checking table columns when there's more schemas/databases in postgres/mysql (#6047)
  * Fix css conflicts in user interface and e-mail content (#5891)
  * Fix duplicated signature when using Back button in Chrome (#5809)
  * Fix touch event issue on messages list in IE/Edge (#5781)
  * Fix so links over images are not removed in plain text signatures converted from HTML (#4473)
  * Fix various issues when downloading files with names containing non-ascii chars, use RFC 2231 (#5772)
  * Managesieve: Fix bug where text: syntax was forced for strings longer than 1024 characters (#6143)
  * Managesieve: Fix missing Save button in Edit Filter Set page of Classic skin (#6154)
  * Fix duplicated labels in Test SMTP Config section (#6166)
  * Fix PHP Warning: exif_read_data(...): Illegal IFD size (#6169)
  * Enigma: Fix key generation in Safari by upgrade to OpenPGP 2.6.2 (#6149)
  * Fix security issue in remote content blocking on HTML image and style tags (#6178)
  * Added 9pt and 11pt to the list of font sizes in HTML editor
  * Fix handling encoding of HTML tags in "inline" JSON output (#6207)
  * Fix bug where some unix timestamps were not handled correctly by rcube_utils::anytodatetime() (#6212)
* Fri Feb 16 2018 ecsos@opensuse.org
- fix rights for enigma plugin
* Mon Feb 05 2018 jengelh@inai.de
- Trim bias from description.
- Replace %__-type macro indirections.
- Avoid bashisms in build logic.
* Sun Feb 04 2018 joop.boonen@opensuse.org
- Upgrade to version 1.3.4
- RELEASE 1.3.4
  * Fix bug where contacts search could skip some records (#6130)
  * Fix possible information leak - add more strict sql error check on user creation (#6125)
  * Fix a couple of warnings on PHP 7.2 (#6098)
  * Fix broken long filenames when using imap4d server - workaround server bug (#6048)
  * Fix so temp_dir misconfiguration prints an error to the log (#6045)
  * Fix untagged COPYUID responses handling - again (#5982)
  * Fix PHP warning "idn_to_utf8(): INTL_IDNA_VARIANT_2003 is deprecated" with PHP 7.2 (#6075)
  * Fix bug where Archive folder wasn't auto-created on login with create_default_folders=true
  * Fix performance issue when parsing malformed and long Date header (#6087)
  * Fix syntax error in mssql.initial.sql (#6097)
  * Fix bug where contacts export by selection returned no more than 10 entries (#6103)
  * Fix searching contacts by address in LDAP source (#6084)
  * Fix X-Frame-Options:ALLOW-FROM support, remove custom click-jacking protection (#6057)
- RELEASE 1.3.3
  * Fix decoding of mailto: links with + character in HTML messages (#6020)
  * Fix false reporting of failed upgrade in installto.sh (#6019)
  * Fix file disclosure vulnerability caused by insufficient input validation [CVE-2017-16651] (#6026)
  * Fix mangled non-ASCII characters in links in HTML messages (#6028)
- RELEASE 1.3.2
  * Fix bug where pink image was used instead of a thumbnail when image resize fails (#5933)
  * Fix so files size/count limit is verified (client-side) also on drag-n-drop uploads (#5940)
  * Fix invalid template loading on a message error in preview frame (#5941)
  * Fix bug where HTML messages could have been rendered empty on some systems (#5957)
  * Fix wording of "Mark previewed messages as read" to "Mark messages as read" (#5952)
  * Enigma: Fix decryption of messages encoded with non-ascii charset (#5962)
  * Fix missing cursor in HTML editor on mail reply (#5969)
  * Fix (again) bug where image data URIs in css style were treated as evil/remote in mail preview (#5580)
  * Fix bug where mail search could return empty result on servers without SORT capability (#5973)
  * Fix bug where assets_path wasn't added to some watermark frames
  * Fix so untagged COPYUID responses are also supported according to RFC6851 (#5982)
  * Fix issue caused by non-default session.cookie_lifetime setting (#5961)
  * Fix Edge encoding bug when pasting text into the HTML editor, update to TinyMCE 4.5.8 (#5885)
  * Fix handling of unknown Content-Disposition type (#6002)
  * Fix truncated folder name on messages list in multi-folder mode, for folders with non-ascii characters (#6004)
  * Fix bug where removing the last subfolder did not hide toggle button on its parent record (#6007)
  * Fix bug where ghost messages could be added to the list after fast delete (#5941)
- RELEASE 1.3.1
  * Add Preferences > Mailbox View > Main Options > Layout (#5829)
  * Password: Fix compatibility with PHP 7+ in cpanel_webmail driver (#5820)
  * Managesieve: Fix parsing dot-stuffed lines in multiline text (#5838)
  * Managesieve: Fix AM/PM suffix in vacation time selectors
  * Managesieve: Fix bug where 'exists' operator was reset to 'contains' (#5899)
  * Remove non-printable characters from filenames on download/display (#5880)
  * Fix decoding non-ascii attachment names from TNEF attachments (#5646, #5799)
  * Fix uninitialized string offset in rcube_utils::bin2ascii() and make sure rcube_utils::random_bytes() result has always requested length (#5788)
  * Fix bug where HTML messages with @media styles could modify style of page body (#5811)
  * Fix style issue on selected and unfocused message that is part of a thread (#5798)
  * Fix bug where a.button style from managesieve plugin could impact other elements (#5800)
  * Fix position of selected icon for (Mailvelope) Encrypt button
  * Fix fatal error when using DMY- or MDY-based date format in PostgreSQL (#5808)
  * Fix bug where errors were not printed when using bin/update.sh (#5834)
  * Fix PHP 7.2 warnings on count() use (#5845)
  * Fix bug where Chrome could not upload the same file that was selected before (#5854)
  * Fix duplicate messages on the list after deleting messages on the next to the last page (#5862)
  * Fix bug where messages count was not updated after delete when imap_cache is set (#5872)
  * Fix potential XSS vulnerability with malformed HTML message markup
  * Fix sending message with "Too many public recipients" dialog buttons (#5924)
  * Bring back double-click behavior on the message list which was removed in 1.3.0 (#5823)
  * Enigma: Fix decrypting an encrypted+signed message when signature verification fails (#5914)
- RELEASE 1.3.0
  * Update to TinyMCE 4.5.7
  * Fix bug where invalid recipients could be silently discarded (#5739)
  * Fix conflict with _gid cookie of Google Analytics (#5748)
  * Print error from CLI scripts when system/exec function is disabled (#5744)
  * Fix bug where comment notation within style tag would cause the whole style to be ignored (#5747)
  * Fix bug where it wasn't possible to scroll folders list in Edge (#5750)
  * Fix folders list sorting on Windows - if php-intl is available (#5732)
  * Fix addressbook searching by gender (#5757)
  * Fix prevention from using % and * characters in folder name (#5762)
  * Fix POST parameter reflection in default_charset selector (#5768)
  * Enigma: Fix compatibility with assets_dir
  * Managesieve: Skip redundant LISTSCRIPTS command
  * Fix SQL syntax error on MariaDB 10.2 (#5774)
  * Fix bug where zipdownload ignored files with the same name (#5777)
  * Fix bug where it wasn't possible to set timezone to auto-detected value (#5782)
- Build roundcube correctly for both php5 and php7
* Fri Nov 10 2017 lars@linux-schulserver.de
- Update to 1.2.7:
  + Fix file disclosure vulnerability caused by insufficient
    input validation (CVE-2017-16651; boo#1067574)
* Tue Sep 19 2017 michael@stroeder.com
- Update to 1.2.6
  * Don't ignore (global) userlogins/sendmail logging in per_user_logging mode
  * Enigma: Fix compatibility with assets_dir
  * Managesieve: Fix AM/PM suffix in vacation time selectors
  * Fix bug where comment notation within style tag would cause the whole style to be ignored (#5747)
  * Fix bug where it wasn't possible to scroll folders list in Edge (#5750)
  * Fix addressbook searching by gender (#5757)
  * Fix SQL syntax error on MariaDB 10.2 (#5774)
  * Fix bug where it wasn't possible to set timezone to auto-detected value (#5782)
  * Fix uninitialized string offset in rcube_utils::bin2ascii() and make sure rcube_utils::random_bytes() result has always requested length (#5788)
  * Fix potential XSS vulnerability with malformed HTML message markup
* Fri Jul 28 2017 chris@computersalat.de
- fix for boo#1050980
  * php-mcrypt will be removed with php >= 7.2
  * anyway not a dependency anymore since roundcube version 1.2
* Wed May 03 2017 michael@stroeder.com
- Update to 1.2.5 which fixes vulnerability in the virtualmin and
  sasl drivers of the password plugin (CVE-2017-8114, bsc#1036955)
* Thu Mar 16 2017 aj@ajaissle.de
- Update to 1.2.4 [boo#1029035]
  - Managesieve: Fix handling of scripts with nested rules (#5540)
  - Managesieve: Fix parser issue with empty lines between comments (#5657)
  - Managesieve: Fix possible defect in handling \r\n in scripts (#5685)
  - Enigma: Fix handling of messages with nested PGP encrypted parts (#5634)
  - Enigma: Fix PHP fatal error when decrypting a message with invalid signature (#5555)
  - Enigma: Fix missing require statement for Crypt_GPG_KeyGenerator (#5641)
  - Fix variable substitution in ldap host for some use-cases, e.g. new_user_identity (#5544)
  - Fix adding images to new identity signatures
  - Fix rsync error handling in installto.sh script (#5562)
  - Fix some advanced search issues with multiple addressbooks (#5572)
  - Fix so group/addressbook selection is retained on page refresh
  - Fix bug where image data URIs in css style were treated as evil/remote in mail preview (#5580)
  - Fix bug where external content in src attribute of input/video tags was not secured (#5583)
  - Fix PHP error on update of a contact with multiple email addresses when using PHP 7.1 (#5587)
  - Fix bug where mail content frame couldn't be reset in some corner cases (#5608)
  - Fix bug where some classic skin images were not displayed in IE/Edge (#5614)
  - Fix bug where signature couldn't be added above the quote in Firefox 51 (#5628)
  - Fix regression where groups with email address were resolved to its members' addresses
  - Fix update of group name in the contacts list header on group rename (#5648)
  - Add rewrite rule to disable access to /vendor/bin folder in .htaccess (#5630)
  - Fix bug where it was too easy to accidentally move a folder when using the subscription checkbox (#5655)
  - Fix XSS issue in handling of a style tag inside of an svg element [CVE-2017-6820]
* Tue Nov 29 2016 aj@ajaissle.de
- Update to 1.2.3 [boo#1012493]
  - Searching in both contacts and groups when LDAP addressbook with group_filters option is used
  - Fix vulnerability in handling of mail()'s 5th argument [boo#1012493]
  - Fix To: header encoding in mail sent with mail() method (#5475)
  - Fix flickering of header topline in min-mode (#5426)
  - Fix bug where folders list would scroll to top when clicking on subscription checkbox (#5447)
  - Fix decoding of GB2312/GBK text when iconv is not installed (#5448)
  - Fix regression where creation of default folders wasn't functioning without prefix (#5460)
  - Enigma: Fix bug where last records on keys list were hidden (#5461)
  - Enigma: Fix key search with keyword containing non-ascii characters (#5459)
  - Fix bug where deleting folders with subfolders could fail in some cases (#5466)
  - Fix bug where IMAP password could be exposed via error message (#5472)
  - Fix bug where it wasn't possible to store more than 2MB objects in memcache/apc, Added memcache_max_allowed_packet and apc_max_allowed_packet settings (#5452)
  - Fix "Illegal string offset" warning in rcube::log_bug() on PHP 7.1 (#5508)
  - Fix storing "empty" values in rcube_cache/rcube_cache_shared (#5519)
  - Fix missing content check when image resize fails on attachment thumbnail generation (#5485)
  - Fix displaying attached images with wrong Content-Type specified (#5527)
* Wed Oct 05 2016 astieger@suse.com
- verify source signature
* Thu Sep 29 2016 aj@ajaissle.de
- Update to 1.2.2 [boo#1001856]
  - Enigma: Add possibility to configure gpg-agent binary location (enigma_pgp_agent)
  - Enigma: Fix signature verification with some IMAP servers, e.g. Gmail, DBMail (#5371)
  - Enigma: Make recipient key searches case-insensitive (#5434)
  - Fix regression in resizing JPEG images with Imagick (#5376)
  - Managesieve: Fix parsing of vacation date-time with non-default date_format (#5372)
  - Use SymLinksIfOwnerMatch in .htaccess instead of FollowSymLinks disabled on some hosts for security reasons (#5370)
  - Wash position:fixed style in HTML mail for better security (#5264) [boo#1001856]
  - Fix bug where memcache_debug didn't work for session operations
  - Fix bug where Message-ID domain part was tied to username instead of current identity (#5385)
  - Fix bug where blocked.gif couldn't be attached to reply/forward with insecure content
  - Fix E_DEPRECATED warning when using Auth_SASL::factory() (#5401)
  - Fix bug where names of downloaded files could be malformed when derived from the message subject (#5404)
  - Fix so "All" messages selection is reset on search reset (#5413)
  - Fix bug where folder creation could fail if personal namespace contained more than one entry (#5403)
  - Fix error causing empty INBOX listing in Firefox when using an URL with user:password specified (#5400)
  - Fix PHP warning when handling shared namespace with empty prefix (#5420)
  - Fix so folders list is scrolled to the selected folder on page load (#5424)
  - Fix so when moving to Trash we make sure the folder exists (#5192)
  - Fix displaying size of attachments with zero size
  - Fix so "Action disabled" error uses more appropriate 404 code (#5440)
* Thu Aug 11 2016 aj@ajaissle.de
- Update to 1.2.1
  - Update TinyMCE to version 4.3.13 (#5309)
  - Fix bug where errors could have been not logged when per_user_logging=true
  - Fix bug where message list columns could be in wrong order after column drag-n-drop and list sorting
  - Fix so minified publickey.js (with cache-buster) is used when available (#5254)
  - Fix (replace) application/x-tar file extension test as it might not exist in nginx config (#5253)
  - Fix PHP warning when password_hosts is set, but is not an array (#5260)
  - Fix redundant keep-alive requests when session_lifetime is greater than ~20000 (#5273)
  - Fix so subfolders of INBOX can be set as Archive (#5274)
  - Fix bug where multi-folder search could choose a wrong folder in "this and subfolders" scope (#5282)
  - Fix bug where multi-folder search didn't work for unsubscribed INBOX (#5259)
  - Fix bug where "no body" alert could be displayed when sending mailvelope email
  - Enigma: Fix keys import from inside of an encrypted message (#5285)
  - Enigma: Fix malformed signed messages with force_7bit=true (#5292)
  - Enigma: Add possibility to configure gpg binary location (enigma_pgp_binary)
  - Enigma: Add possibility to export private keys (#5321)
  - Fix searching by email address in contacts with multiple addresses (#5291)
  - Fix handling of --delete argument in moduserprefs.sh script (#5296)
  - Workaround PHP issue by calling closelog() on script shutdown when using log_driver=syslog (#5289)
  - Fix so upgrade script makes sure program/lib directory does not contain old libraries (#5287)
  - Fix subscription checkbox state on error in folder subscribe/unsubscribe action (#5243)
  - Fix bug where microsecond format in logged date didn't work in some cases
  - Fix conflict in new_user_dialog and password_force_new_user settings (#5275)
  - Don't create multipart/alternative messages with empty text/plain part (#5283)
  - Use contact_search_name format in popup on results in compose contacts search
  - Fix handling of 'mailto' and 'error' arguments in message_before_send hook (#5347)
  - Fix missing localization of HTML editor when assets_dir != INSTALL_PATH
  - Fix handling of blockquote tags with mixed case on html2text conversion (#5363)
  - Fix javascript errors in IE on page with iframe that points to another domain
* Tue May 24 2016 opensuse@dstoecker.de
- update to version 1.2.0 [boo#982003] [CVE-2016-5103]
    PHP7 compatibility
    PGP encryption
    Drag-n-drop attachments from mail preview to compose window
    Mail messages searching with predefined date interval
    Improved security measures to protect from brute-force attacks
    And of course plenty of small improvements and bug fixes.
* Mon Apr 25 2016 lars@linux-schulserver.de
- Update to 1.1.5
    Plugin API: Add html2text hook
    Plugin API: Added addressbook_export hook
    Fix missing emoticons on html-to-text conversion
    Fix random "access to this resource is secured against CSRF" message at logout (#4956)
    Fix missing language name in "Add to Dictionary" request in HTML mode (#4951)
    Enable use of TLSv1.1 and TLSv1.2 for IMAP (#4955)
    Fix XSS issue in SVG images handling (#4949)
    Fix (again) security issue in DBMail driver of password plugin CVE-2015-2181
    Fix bug where Archive/Junk buttons were not active after page jump with select=all mode (#4961)
    Fix bug in long recipients list parsing for cases where recipient name contained @-char (#4964)
    Fix additional_message_headers plugin compatibility with Mail_Mime >= 1.9 (#4966)
    Hide DSN option in Preferences when smtp_server is not used (#4967)
    Protect download urls against CSRF using unique request tokens (#4957)
    newmail_notifier: Refactor desktop notifications
    Fix so contactlist_fields option can be set via config file
    Fix so SPECIAL-USE assignments are forced only until user sets special folders (#4782)
    Fix performance in reverting order of THREAD result
    Fix converting mail addresses with @www. into mailto links (#5197)
* Fri Feb 05 2016 aj@ajaissle.de
- Added "Suggests:" for apache2
* Fri Jan 15 2016 aj@ajaissle.de
- Changed apache2 config
* Thu Dec 31 2015 lars@linux-schulserver.de
- Update to 1.1.4
    Add workaround for https://bugs.php.net/bug.php?id=70757 (#1490582)
    Fix duplicate messages in list and wrong count after delete (#1490572)
    Fix so Installer requires PHP5
    Make brute force attacks harder by re-generating security token on every failed login (#1490549)
    Slow down brute-force attacks by waiting for a second after failed login (#1490549)
    Fix .htaccess rewrite rules to not block .well-known URIs (#1490615)
    Fix mail view scaling on iOS (#1490551)
    Fix so database_attachments::cleanup() does not remove attachments from other sessions (#1490542)
    Fix responses list update issue after response name change (#1490555)
    Fix bug where message preview was unintentionally reset on check-recent action (#1490563)
    Fix bug where HTML messages with invalid/excessive css styles couldn't be displayed (#1490539)
    Fix redundant blank lines when using HTML and top posting (#1490576)
    Fix redundant blank lines on start of text after html to text conversion (#1490577)
    Fix HTML sanitizer to skip <!-- node type X --> in output (#1490583)
    Fix invalid LDAP query in ACL user autocompletion (#1490591)
    Fix regression in displaying contents of message/rfc822 parts (#1490606)
    Fix handling of message/rfc822 attachments on replies and forwards (#1490607)
    Fix PDF support detection in Firefox > 19 (#1490610)
    Fix path traversal vulnerability (CWE-22) in setting a skin (#1490620) [CVE-2015-8770] [bnc#962067]
    Fix so drag-n-drop of text (e.g. recipient addresses) on compose page actually works (#1490619)
- explicitly add required PHP packages (according to INSTALL):
  + php-dom, php-json, php-sockets
- also recommend additional PHP packages:
  + php-zip, php-pear-Crypt_GPG
- use generic php- prefix also for recommended packages (no explicit php5-)
- no Dockerfile readme any more
* Fri Oct 23 2015 aj@ajaissle.de
- Changed roundcubemail-httpd.conf
- Enable mod_version.c per default [boo#938840]
Version: 1.3.15-bp151.4.3.1
* Thu Aug 13 2020 Lars Vogdt <lars@linux-schulserver.de>
- Upgrade to 1.3.15
  This is a security update to the LTS version 1.3. (bsc#1175135)
  * Security: Fix cross-site scripting (XSS) via HTML messages with malicious svg content [CVE-2020-16145]
  * Security: Fix cross-site scripting (XSS) via HTML messages with malicious math content
  From 1.3.14 (bsc#1173792 -> CVE-2020-15562)
  * Security: Fix cross-site scripting (XSS) via HTML messages with malicious svg/namespace
  From 1.3.13
  * Installer: Fix regression in SMTP test section (#7417)
  From 1.3.12
  * Security: Better fix for CVE-2020-12641 (bsc#1171148)
  * Security: Fix XSS issue in template object 'username' (#7406)
  * Security: Fix couple of XSS issues in Installer (#7406)
  * Security: Fix cross-site scripting (XSS) via malicious XML attachment
  From 1.3.11 (bsc#1171148 -> CVE-2020-12641 bsc#1171040 -> CVE-2020-12625 bsc#1171149 -> CVE-2020-12640)
  * Enigma: Fix compatibility with Mail_Mime >= 1.10.5
  * Fix permissions on some folders created by bin/install-jsdeps.sh script (#6930)
  * Fix bug where inline images could have been ignored if Content-Id header contained redundant spaces (#6980)
  * Fix PHP Warning: Use of undefined constant LOG_EMERGE (#6991)
  * Fix PHP warning: "array_merge(): Expected parameter 2 to be an array, null given in sendmail.inc (#7003)
  * Security: Fix XSS issue in handling of CDATA in HTML messages
  * Security: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings
  * Security: Fix local file inclusion (and code execution) via crafted 'plugins' option
  * Security: Fix CSRF bypass that could be used to log out an authenticated user (#7302)
  From 1.3.10 (bsc#1146286)
  * Managesieve: Fix so "Create filter" option does not show up when Filters menu is disabled (#6723)
  * Enigma: Fix bug where revoked users/keys were not greyed out in key info
  * Enigma: Fix error message when trying to encrypt with a revoked key (#6607)
  * Enigma: Fix "decryption oracle" bug [CVE-2019-10740] (#6638)
  * Fix compatibility with kolab/net_ldap3 > 1.0.7 (#6785)
  * Fix bug where bmp images couldn't be displayed on some systems (#6728)
  * Fix bug in parsing vCard data using PHP 7.3 due to an invalid regexp (#6744)
  * Fix bug where bold/strong text was converted to upper-case on html-to-text conversion (6758)
  * Fix bug in rcube_utils::parse_hosts() where %t, %d, %z could return only tld (#6746)
  * Fix bug where Next/Prev button in mail view didn't work with multi-folder search result (#6793)
  * Fix bug where selection of columns on messages list wasn't working
  * Fix bug in converting multi-page Tiff images to Jpeg (#6824)
  * Fix wrong messages order after returning to a multi-folder search result (#6836)
  * Fix PHP 7.4 deprecation: implode() wrong parameter order (#6866)
  * Fix bug where it was possible to bypass the position:fixed CSS check in received messages (#6898)
  * Fix bug where some strict remote URIs in url() style were unintentionally blocked (#6899)
  * Fix bug where it was possible to bypass the CSS jail in HTML messages using :root pseudo-class (#6897)
  * Fix bug where it was possible to bypass href URI check with data:application/xhtml+xml URIs (#6896)
  From 1.3.9 (bsc#1115718)
  * Fix TinyMCE download location (#6694)
  * Fix bug where a message/rfc822 part without a filename wasn't listed on the attachments list (#6494)
  * Fix handling of empty entries in vCard import (#6564)
  * Fix bug in parsing some IMAP command responses that include unsolicited replies (#6577)
  * Fix PHP 7.2 compatibility in debug_logger plugin (#6586)
  * Fix so ANY record is not used for email domain validation, use A, MX, CNAME, AAAA instead (#6581)
  * Fix so mime_content_type check in Installer uses files that should always
    be available (i.e. from program/resources) (#6599)
  * Fix missing CSRF token on a link to download too-big message part (#6621)
  * Fix bug when aborting dragging with ESC key didn't stop the move action (#6623)
  * Fix bug where next row wasn't selected after deleting a collapsed thread (#6655)
  From 1.3.8
  * Fix PHP warnings on dummy QUOTA responses in Courier-IMAP 4.17.1 (#6374)
  * Fix so fallback from BINARY to BODY FETCH is used also on [PARSE] errors in dovecot 2.3 (#6383)
  * Enigma: Fix deleting keys with authentication subkeys (#6381)
  * Fix invalid regular expressions that throw warnings on PHP 7.3 (#6398)
  * Fix so Classic skin splitter does not escape out of window (#6397)
  * Fix XSS issue in handling invalid style tag content (#6410)
  * Fix compatibility with MySQL 8 - error on 'system' table use
  * Managesieve: Fix bug where show_real_foldernames setting wasn't respected (#6422)
  * New_user_identity: Fix %fu/%u vars substitution in user specific LDAP params (#6419)
  * Fix support for "allow-from <uri>" in "x_frame_options" config option (#6449)
  * Fix bug where valid content between HTML comments could have been skipped in some cases (#6464)
  * Fix multiple VCard field search (#6466)
  * Fix session issue on long running requests (#6470)
  From 1.3.7 (bsc#1115719)
  * Fix PHP Warning: Use of undefined constant IDNA_DEFAULT on systems without php-intl (#6244)
  * Fix bug where some parts of quota information could have been ignored (#6280)
  * Fix bug where some escape sequences in html styles could bypass security checks
  * Fix bug where some forbidden characters on Cyrus-IMAP were not prevented from use in folder names
  * Fix bug where only attachments with the same name would be ignored on zip download (#6301)
  * Fix bug where unicode contact names could have been broken/emptied or caused DB errors (#6299)
  * Fix bug where after "mark all folders as read" action message counters were not reset (#6307)
  * Enigma: [EFAIL] Don't decrypt PGP messages with no MDC protection (#6289)
  * Fix bug where some HTML comments could have been malformed by HTML parser (#6333)
Version: 1.3.16-bp151.4.6.1
* Mon Dec 28 2020 Lars Vogdt <lars@linux-schulserver.de>
- Upgrade to version 1.3.16
  This is a security update to the LTS version 1.3.
  It fixes a recently reported stored cross-site scripting (XSS)
  vulnerability via HTML or plain text messages with malicious content.
  References:
  [CVE-2020-18670]: boo#1187707
  [CVE-2020-18671]: boo#1187706
  [CVE-2020-35730]: boo#1180399
Version: 1.3.16-bp152.4.10.1
* Mon Dec 28 2020 Lars Vogdt <lars@linux-schulserver.de>
- Upgrade to version 1.3.16
  This is a security update to the LTS version 1.3.
  It fixes a recently reported stored cross-site scripting (XSS)
  vulnerability via HTML or plain text messages with malicious content.
  References:
  [CVE-2020-18670]: boo#1187707
  [CVE-2020-18671]: boo#1187706
  [CVE-2020-35730]: boo#1180399