Package Release Info


Update Info: openSUSE-2022-10148
Available in Package Hub : 15 SP4 Update





Change Logs

Version: 1.5.3-bp153.2.3.1
* Sun Jun 26 2022 Michael Ströder <>
- update to 1.5.3
  * Enigma: Fix initial synchronization of private keys
  * Enigma: Fix double quoted-printable encoding of pgp-signed messages with no attachments (#8413)
  * Fix various PHP8 warnings (#8392)
  * Fix mail headers injection via the subject field on mail compose (#8404)
  * Fix bug where small message/rfc822 parts could not be decoded (#8408)
  * Fix setting HTML mode on reply/forward of a signed message (#8405)
  * Fix handling of RFC2231-encoded attachment names inside of a message/rfc822 part (#8418)
  * Fix bug where some mail parts (images) could have not be listed as attachments (#8425)
  * Fix bug where attachment icons were stuck at the top of the messages list in Safari (#8433)
  * Fix handling of message/rfc822 parts that are small and are multipart structures with a single part (#8458)
  * Fix bug where session could time out if DB and PHP timezone were different (#8303)
  * Fix bug where DSN flag state wasn't stored with a draft (#8371)
  * Fix broken encoding of HTML content encapsulated in a RTF attachment (#8444)
  * Fix problem with aria-hidden=true on toolbar menus in the Elastic skin (#8517)
  * Fix bug where title tag content was displayed in the body if it contained HTML tags (#8540)
  * Fix support for DSN specification without host e.g. pgsql:///dbname (#8558)
* Fri Dec 31 2021 Michael Ströder <>
- update to 1.5.2
  * OAuth: pass 'id_token' to 'oauth_login' plugin hook (#8214)
  * OAuth: fix expiration of short-lived oauth tokens (#8147)
  * OAuth: fix relative path to assets if /index.php/foo/bar url is used (#8144)
  * OAuth: no auto-redirect on imap login failures (#8370)
  * OAuth: refresh access token in 'refresh' plugin hook (#8224)
  * Fix so folder search parameters are honored by subscriptions_option plugin (#8312)
  * Fix password change with Directadmin driver (#8322, #8329)
  * Fix so css files in plugins/jqueryui/themes will be minified too (#8337)
  * Fix handling of unicode/special characters in custom From input (#8357)
  * Fix some PHP8 compatibility issues (#8363)
  * Fix helper compatibility with Python 3 (#8324)
  * Fix scrolling and missing Close button in the Select image dialog in Elastic/mobile (#8367)
  * Security: fix cross-site scripting (XSS) via HTML messages with malicious CSS content
- added Suggests: php-sqlite
* Tue Dec 28 2021 Lars Vogdt <>
- use the virtual provides from each PHP module, to allow the installation
  of roundcubemail with various PHP versions.
  The only problem, we are currently facing is the automatic
  enablement of the PHP apache module during post-installation:
  Trying to evaluate the correct PHP module now during post as well,
  which should eleminate the pre-definition of the required
  PHP-Version during build completely.
  See for the initial
Version: 1.5.1-bp154.1.30
* Sun Nov 28 2021 Michael Ströder <>
- update to 1.5.1
  * Fix importing contacts with no email address (#8227)
  * Fix so session's search scope is not used if search is not active (#8199)
  * Fix some PHP8 warnings (#8239)
  * Fix so dark mode state is retained after closing the browser (#8237)
  * Fix bug where new messages were not added to the list on refresh if skip_deleted=true (#8234)
  * Fix colors on "Show source" page in dark mode (#8246)
  * Fix handling of dark_mode_support:false setting in skins meta.json - also when devel_mode=false (#8249)
  * Fix database initialization if db_prefix is a schema prefix (#8221)
  * Fix undefined constant error in Installer on Windows (#8258)
  * Fix installation/upgrade on MySQL 5.5 - Index column size too large (#8231)
  * Fix regression in setting of contact listing name (#8260)
  * Fix bug in Larry skin where headers toggle state was reset on full page preview (#8203)
  * Fix bug where \u200b characters were added into the recipient input preventing mail delivery (#8269)
  * Fix charset conversion errors on PHP < 8 for charsets not supported by mbstring (#8252)
  * Fix bug where adding a contact to trusted senders via "Always allow from..." button didn't work (#8264, #8268)
  * Fix bug with show_images setting where option 1 and 3 were swapped (#8268)
  * Fix PHP fatal error on an undefined constant in contacts import action (#8277)
  * Fix fetching headers of multiple message parts at once in rcube_imap_generic::fetchMIMEHeaders() (#8282)
  * Fix bug where attachment download could sometimes fail with a CSRF check error (#8283)
  * Fix an infinite loop when parsing environment variables with float/integer values (#8293)
  * Fix so 'small-dark' logo has more priority than the 'small' logo (#8298)
* Tue Oct 19 2021 - 1.5.0
- update to 1.5.0
  + full PHP8 support
  + Dark mode for Elastic skin
  + OAuth2/XOauth support (with plugin hooks)
  + Collected recipients and trusted senders
  + Moving recipients between inputs with drag & drop
  + Full unicode support with MySQL database
  + Support of IMAP LITERAL- extension RFC 7888
  + Support of RFC 2231 <>
    encoded names
  + Cache refactoring
  More at
- adjusted some file names to new release
  (_styles.less -> styles.less; _variables.less -> variables.less;
- vendor/roundcube/plugin-installer/src/bin/ does not exist
  any longer
- added to documentation
- mark the whole documentation directory as documentation instead of
  listing some files and others not (avoid duplicate entries in RPM-DB)
- adjust requirements: php-intl is now required
* Mon Feb 08 2021 Michael Ströder <>
- update to 1.4.11 with security fix:
  Fix cross-site scripting (XSS) via HTML messages with malicious CSS content
* Fri Jan 22 2021 Arjen de Korte <>
- add PHP version to Requires: and Recommends: to make sure the same
  version is installed as used during packaging
- drop Requires: http_daemon (fixes boo#1180132) and Suggests: apache2
  (which is already required though mod_php_any)
* Tue Dec 01 2020
- use system apache rpm macros
* Mon Sep 28 2020 Michael Ströder <>
- update to 1.4.9:
  * Fix HTML editor in latest Chrome 85.0.4183.102, update to TinyMCE 4.9.11 (#7615)
  * Add missing localization for some label/legend elements in userinfo plugin (#7478)
  * Fix importing birthday dates from Gmail vCards (BDAY:YYYYMMDD)
  * Fix restoring Cc/Bcc fields from local storage (#7554)
  * Fix jstz.min.js installation, bump version to 1.0.7
  * Fix incorrect PDO::lastInsertId() use in sqlsrv driver (#7564)
  * Fix link to closure compiler in bin/ script (#7567)
  * Fix bug where some parts of a message could have been missing in a reply/forward body (#7568)
  * Fix empty space on mail printouts in Chrome (#7604)
  * Fix empty output from HTML5 parser when content contains XML tag (#7624)
  * Fix scroll jump on key press in plain text mode of the HTML editor (#7622)
  * Fix so autocompletion list does not hide on scroll inside it (#7592)
* Tue Aug 11 2020 Michael Ströder <>
- update to 1.4.8 with security fixes:
  * Fix cross-site scripting (XSS) via HTML messages with malicious svg content (CVE-2020-16145)
  * Fix cross-site scripting (XSS) via HTML messages with malicious math content
* Mon Jul 06 2020 Michael Ströder <>
- update to 1.4.7 with security fix:
  * Security: Fix cross-site scripting (XSS) via HTML messages with malicious svg/namespace
  * Fix bug where subfolders of special folders could have been duplicated on folder list
  * Increase maximum size of contact jobtitle and department fields to 128 characters
  * Fix missing newline after the logged line when writing to stdout (#7418)
  * Elastic: Fix context menu (paste) on the recipient input (#7431)
  * Fix problem with forwarding inline images attached to messages with no HTML part (#7414)
  * Fix problem with handling attached images with same name when using
    database_attachments/redundant_attachments (#7455)
- renamed roundcubemail-1.4.6-config_dir.patch to
* Fri Jul 03 2020
- add file
  * include one file for php5/php7 admin flags/values
* Sun Jun 07 2020 Michael Ströder <>
- update to 1.4.6
  * Installer: Fix regression in SMTP test section (#7417)
- renamed roundcubemail-1.4.5-config_dir.patch to
* Wed Jun 03 2020 Lars Vogdt <>
- update to 1.4.5
  Security fixes
  * Fix XSS issue in template object 'username' (#7406)
  * Fix cross-site scripting (XSS) via malicious XML attachment
  * Fix a couple of XSS issues in Installer (#7406)
  * Better fix for CVE-2020-12641
  Other changes
  * Fix bug in extracting required plugins from composer.json that led
    to spurious error in log (#7364)
  * Fix so the database setup description is compatible with MySQL 8 (#7340)
  * Markasjunk: Fix regression in jsevent driver (#7361)
  * Fix missing flag indication on collapsed thread in Larry and Elastic (#7366)
  * Fix default keyservers (use, add note about CORS (#7373, #7367)
  * Password: Fix issue with Modoboa driver (#7372)
  * Mailvelope: Use sender's address to find pubkeys to check signatures (#7348)
  * Mailvelope: Fix Encrypt button hidden in Elastic (#7353)
  * Fix PHP warning: count(): Parameter must be an array or an object...
    in ID command handler (#7392)
  * Fix error when user-configured skin does not exist anymore (#7271)
  * Elastic: Fix aspect ratio of a contact photo in mail preview (#7339)
  * Fix bug where PDF attachments marked as inline could have not been
    attached on mail forward (#7382)
  * Security: Fix a couple of XSS issues in Installer (#7406)
  * Security: Fix XSS issue in template object 'username' (#7406)
  * Security: Fix cross-site scripting (XSS) via malicious XML attachment
  * Security: Better fix for CVE-2020-12641
- renamed roundcubemail-1.4.4-config_dir.patch to
* Wed Apr 29 2020 Michael Ströder <>
- update to 1.4.4
  * Fix bug where attachments with Content-Id were attached to the message on reply (#7122)
  * Fix identity selection on reply when both sender and recipient addresses are included in identities (#7211)
  * Elastic: Fix text selection with Shift+PageUp and Shift+PageDown in plain text editor when using Chrome (#7230)
  * Elastic: Fix recipient input bug when using click to select a contact from autocomplete list (#7231)
  * Elastic: Fix color of a folder with recent messages (#7281)
  * Elastic: Restrict logo size in print view (#7275)
  * Fix invalid Content-Type for messages with only html part and inline images   * Mail_Mime-1.10.7 (#7261)
  * Fix missing contact display name in QR Code data (#7257)
  * Fix so button label in Select image/media dialogs is "Close" not "Cancel" (#7246)
  * Fix regression in testing database schema on MSSQL (#7227)
  * Fix cursor position after inserting a group to a recipient input using autocompletion (#7267)
  * Fix string literals handling in IMAP STATUS (and various other) responses (#7290)
  * Fix bug where multiple images in a message were replaced by the first one on forward/reply/edit (#7293)
  * Fix handling keyservers configured with protocol prefix (#7295)
  * Markasjunk: Fix marking as spam/ham on moving messages with Move menu (#7189)
  * Markasjunk: Fix bug where moving to Junk was failing on messages selected with Select > All (#7206)
  * Fix so imap error message is displayed to the user on folder create/update (#7245)
  * Fix bug where a special folder couldn't be created if a special-use flag is not supported (#7147)
  * Mailvelope: Fix bug where recipients with name were not handled properly in mail compose (#7312)
  * Fix characters encoding in group rename input after group creation/rename (#7330)
  * Fix bug where some message/rfc822 parts could not be attached on forward (#7323)
  * Make script working without the 'file' program installed (#7325)
  * Fix performance issue of parsing big HTML messages by disabling HTML5 parser for these (#7331)
  * Fix so Print button for PDF attachments works on Firefox >= 75 (#5125)
  * Security: Fix XSS issue in handling of CDATA in HTML messages
  * Security: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings
  * Security: Fix local file inclusion (and code execution) via crafted 'plugins' option
  * Security: Fix CSRF bypass that could be used to log out an authenticated user (#7302)
- adjusted/renamed roundcubemail-1.4.3-config_dir.patch to
* Thu Feb 20 2020 Michael Ströder <>
- update to 1.4.3
  * Enigma: Fix so key list selection is reset when opening key creation form (#7154)
  * Enigma: Fix so using list checkbox selection does not load the key preview frame
  * Enigma: Fix generation of key pairs for identities with IDN domains (#7181)
  * Enigma: Display IDN domains of key users and identities in UTF8
  * Enigma: Fix bug where "Send unencrypted" button didn't work in Elastic skin (#7205)
  * Managesieve: Fix bug where it wasn't possible to save flag actions (#7188)
  * Markasjunk: Fix bug where marking as spam/ham didn't work on moving messages with drag-and-drop (#7137)
  * Password: Make Python 3 compatible (#7135)
  * Elastic: Fix disappearing sidebar in mail compose after clicking Mail button
  * Elastic: Fix incorrect aria-disabled attribute on Mail taskmenu button in mail compose
  * Elastic: Fix bug where it was possible to switch editor mode when 'htmleditor' was in 'dont_override' (#7143)
  * Elastic: Fix text selection in recipient inputs (#7129)
  * Elastic: Fix missing Close button in "more recipients" dialog
  * Elastic: Fix non-working folder subscription checkbox for newly added folders (#7174)
  * Fix regression where "Open in new window" action didn't work (#7155)
  * Fix PHP Warning: array_filter() expects parameter 1 to be array, null given in subscriptions_option plugin (#7165)
  * Fix unexpected error message when mail refresh involves folder auto-unsubscribe (#6923)
  * Fix recipient duplicates in print-view when the recipient list has been expanded (#7169)
  * Fix bug where files in skins/ directory were listed on skins list (#7180)
  * Fix bug where message parts with no Content-Disposition header and no name were not listed on attachments list (#7117)
  * Fix display issues with mail subject that contains line-breaks (#7191)
  * Fix invalid Content-Transfer-Encoding on multipart messages - Mail_Mime fix (#7170)
  * Fix regression where using an absolute path to SQLite database file on Windows didn't work (#7196)
  * Fix using unix:///path/to/socket.file in memcached driver (#7210)
- adjusted/renamed roundcubemail-1.4.2-config_dir.patch to
* Tue Feb 18 2020 Lars Vogdt <>
- prefer brotli over gzip if brotli is available:
  + enable mod_brotli in roundcubemail-httpd.conf (after deflate)
  + enable brotli via a2enmod for new installations
* Thu Jan 02 2020 Lars Vogdt <>
- update to 1.4.2:
  * Plugin API: Make actionbefore, before, actionafter and after
    events working with plugin actions (#7106)
  * Managesieve: Replace "Filter disabled" with "Filter enabled" (#7028)
  * Managesieve: Fix so modifier type select wasn't hidden after hiding
    modifier select on header change
  * Managesieve: Fix filter selection after removing a first filter (#7079)
  * Markasjunk: Fix marking more than one message as spam/ham with
    email_learn driver (#7121)
  * Password: Fix kpasswd and smb drivers' double-escaping bug (#7092)
  * Enigma: Add script to import keys from filesystem to the db
    storage (for multihost)
  * Installer: Fix DB Write test on SQLite database
    ("database is locked" error) (#7064)
  * Installer: Fix so SQLite DSN with a relative path to the database
    file works in Installer
  * Elastic: Fix contrast of warning toasts (#7058)
  * Elastic: Simple search in pretty selects (#7072)
  * Elastic: Fix hidden list widget on mobile/tablet when selecting
    folder while search menu is open (#7120)
  * Fix so type attribute on script tags is not used on HTML5 pages (#6975)
  * Fix unread count after purge on a folder that is not currently selected (#7051)
  * Fix bug where Enter key didn't work on messages list in "List" layout (#7052)
  * Fix bug where deleting a saved search in addressbook caused
    display issue on sources/groups list (#7061)
  * Fix bug where a new saved search added after removing all searches
    wasn't added to the list (#7061)
  * Fix bug where a new contact group added after removing all groups
    from addressbook wasn't added to the list
  * Fix so removes Bootstrap's sourceMappingURL (#7035)
  * Fix so use of Ctrl+A does not scroll the list (#7020)
  * Fix/remove useless keyup event handler on username input in logon form (#6970)
  * Fix bug where cancelling switching from HTML to plain text didn't
    set the flag properly (#7077)
  * Fix bug where HTML reply could add an empty line with extra indentation
    above the original message (#7088)
  * Fix matching multiple X-Forwarded-For addresses with 'proxy_whitelist' (#7107)
  * Fix so displayed maximum attachment size depends also on 'max_message_size' (#7105)
  * Fix bug where 'skins_allowed' option didn't enforce user skin
    preference (#7080)
  * Fix so contact's organization field accepts up to 128 characters
    (it was 50)
  * Fix bug where listing tables in PostgreSQL database with db_prefix
    didn't work (#7093)
  * Fix bug where 'text' attribute on body tag was ignored when
    displaying HTML message (#7109)
  * Fix bug where next message wasn't displayed after delete in List mode (#7096)
  * Fix so number of contacts in a group is not limited to 200 when
    redirecting to mail composer from Contacts (#6972)
  * Fix malformed characters in HTML message with charset meta tag
  not in head (#7116)
- renamed patches:
  - roundcubemail-1.1-beta-config_dir.patch
  + roundcubemail-1.4.2-config_dir.patch
* Mon Dec 16 2019 Lars Vogdt <>
- remove more cruft from the source (like .tavis or .gitignore)
- php documentor is not needed on a productive system -> remove
- also fix /usr/bin/env calls for two vendor scripts
- skins now have some configurable files in their directories:
  move those files over to /etc/roundcubemail/skins/
- move other text files (incl. vendor ones) out of the root
  directory (and handle the LICENSE file a bit different)
- enable mod_filter and add AddOutputFilterByType for common media
  types like html, javascript or xml
- enable php7 on newer openSUSE versions
- enable deflate, expires, filter, headers and setenvif on a new
  installation - do not enable any module in case of an update
- recommend php-imagick for additional features
* Fri Dec 06 2019 Johannes Weberhofer <>
- Updated dependencies
- Moved LICENCE file to proper directory
- removed travis files
- fixed most of the shell scripts to contain /usr/bin/php
* Fri Nov 22 2019 Michael Ströder <>
- Upgrade to version 1.4.1:
  * new defaults for smtp_* config options
  * changed default password_charset to UTF-8
  * login page returning 401 Unauthorized status
Version: 1.3.6-bp150.2.4
* Fri Apr 13 2018
- Upgrade to version 1.3.6
  * Fix parsing date strings (e.g. from a Date: mail header) with comments
  * Fix PHP 7.2: count(): Parameter must be an array in enchant-based spellchecker
  * Fix possible IMAP command injection and type juggling vulnerabilities
  * Enigma: Fix key selection for signing
  * Enigma: Enable keypair generation on Internet Explorer 11
  * Fix check_request() bypass in places using get_uids() (CVE-2018-9846 boo#1067574)
  * Fix bug where usernames without domain part could be malformed or converted to lower-case on logon
* Fri Mar 16 2018
- Upgrade to version 1.3.5
  * Added new skin with mobile support - the Elastic
  * Support Redis cache
  * Improved Mailvelope integration
  - Added private key listing and generating to identity settings
  - Enable encrypt & sign option if Mailvelope supports it
  * Update to jQuery-3.3.1
  * vcard_attachments: Add possibility to send contact vCard from Contacts toolbar (#6080)
  * Add More actions button in Contacts toolbar with Copy/Move actions (#6081)
  * Display an error when clicking disabled link to register protocol handler (#6079)
  * Add option trusted_host_patterns (#6009, #5752)
  * Support SMTPUTF8 and relax email address validation to support unicode in local part (#5120)
  * Support additional connect parameters in PostgreSQL database wrapper
  * Use UI dialogs instead of confirm() and alert() where possible
  * Display value of the SMTP message size limit in the error message (#6032)
  * Skip redundant INSERT query on successful logon when using PHP7
  * Replace display_version with display_product_version (#5904)
  * Extend disabled_actions config so it accepts also button names (#5903)
  * Handle remote stylesheets the same as remote images, ask the user to allow them (#5994)
  * Add Message-ID to the sendmail log (#5871)
  * Managesieve: Add ability to disable filter sets and other actions (#5496, #5898)
  * Managesieve: Add option managesieve_forward to enable settings dialog for simple forwarding (#6021)
  * Managesieve: Support filter action with custom IMAP flags (#6011)
  * Managesieve: Support 'mime' extension tests - RFC5703 (#5832)
  * Managesieve: Support GSSAPI authentication with krb_authentication plugin (#5779)
  * Changed defaults for smtp_user (%u), smtp_pass (%p) and smtp_port (587)
  * Composer: Fix certificate validation errors by using packagist only (#5148)
  * Enigma: Add button to send mail unencrypted if no key was found (#5913)
  * Enigma: Add options to set PGP cipher/digest algorithms (#5645)
  * Enigma: Multi-host support
  * Add --get and --extract arguments and CACHEDIR env-variable support to (#5882)
  * Update to jquery-minicolors 2.2.6
  * Support _filter and _scope as GET arguments for opening mail UI (#5825)
  * Support for IMAP folders that cannot contain both folders and messages (#5057)
  * Added .user.ini file for php-fpm (#5846)
  * Email Resent (Bounce) feature (#4985)
  * Various improvements for templating engine and skin behaviours
  - Support conditional include
  - Support for 'link' objects
  - Support including files with path relative to templates directory
  - Use <button> instead of <input> for submit button on logon screen
  * Reset onerror on images if placeholder does not exist to prevent from requests storm
  * Unified and simplified code for loading content frame for responses and identities
  * Display contact import and advanced search in popup dialogs
  * Make possible to set (some) config options from a skin
  * Added optional checkbox selection for the list widget
  * Make 'compose' command always enabled
  * Add .log suffix to all log file names, add option log_file_ext to control this (#313)
  * Archive: Fix archiving by sender address on cyrus-imap
  * Archive: Style Archive folder also on folder selector and folder manager lists
  * Archive: Add Thunderbird compatible Month option (#5623)
  * Return "401 Unauthorized" status when login fails (#5663)
  * Support both comma and semicolon as recipient separator, drop recipients_separator option (#5092)
  * Plugin API: Added 'show_bytes' hook (#5001)
  * subscriptions_option: show \\Noselect folders greyed out (#5621)
  * Add option to not indent quoted text on top-posting reply (#5105)
  * Removed global $CONFIG variable
  * Password: Support host variables in password_db_dsn option (#5955)
  * Password: Automatic virtualmin domain setting, removed password_virtualmin_format option (#5759)
  * Support AUTHENTICATE LOGIN for IMAP connections (#5563)
  * Support LDAP GSSAPI authentication (#5703)
  * Allow contacts without an email address (#5079)
  * Localized timezone selector (#4983)
  * Use 7bit encoding for ISO-2022-* charsets in sent mail (#5640)
  * Handle inline images also inside multipart/mixed messages (#5905)
  * Fix bug where attachment size wasn't visible when the filename was too long (#6033)
  * Fix checking table columns when there's more schemas/databases in postgres/mysql (#6047)
  * Fix css conflicts in user interface and e-mail content (#5891)
  * Fix duplicated signature when using Back button in Chrome (#5809)
  * Fix touch event issue on messages list in IE/Edge (#5781)
  * Fix so links over images are not removed in plain text signatures converted from HTML (#4473)
  * Fix various issues when downloading files with names containing non-ascii chars, use RFC 2231 (#5772)
  * Managesieve: Fix bug where text: syntax was forced for strings longer than 1024 characters (#6143)
  * Managesieve: Fix missing Save button in Edit Filter Set page of Classic skin (#6154)
  * Fix duplicated labels in Test SMTP Config section (#6166)
  * Fix PHP Warning: exif_read_data(...): Illegal IFD size (#6169)
  * Enigma: Fix key generation in Safari by upgrade to OpenPGP 2.6.2 (#6149)
  * Fix security issue in remote content blocking on HTML image and style tags (#6178)
  * Added 9pt and 11pt to the list of font sizes in HTML editor
  * Fix handling encoding of HTML tags in "inline" JSON output (#6207)
  * Fix bug where some unix timestamps were not handled correctly by rcube_utils::anytodatetime() (#6212)
* Fri Feb 16 2018
- fix rights for enigma plugin
* Mon Feb 05 2018
- Trim bias from description.
- Replace %__-type macro indirections.
- Avoid bashisms in build logic.
* Sun Feb 04 2018
- Upgrade to version 1.3.4
- RELEASE 1.3.4
  * Fix bug where contacts search could skip some records (#6130)
  * Fix possible information leak - add more strict sql error check on user creation (#6125)
  * Fix a couple of warnings on PHP 7.2 (#6098)
  * Fix broken long filenames when using imap4d server - workaround server bug (#6048)
  * Fix so temp_dir misconfiguration prints an error to the log (#6045)
  * Fix untagged COPYUID responses handling - again (#5982)
  * Fix PHP warning "idn_to_utf8(): INTL_IDNA_VARIANT_2003 is deprecated" with PHP 7.2 (#6075)
  * Fix bug where Archive folder wasn't auto-created on login with create_default_folders=true
  * Fix performance issue when parsing malformed and long Date header (#6087)
  * Fix syntax error in mssql.initial.sql (#6097)
  * Fix bug where contacts export by selection returned no more than 10 entries (#6103)
  * Fix searching contacts by address in LDAP source (#6084)
  * Fix X-Frame-Options:ALLOW-FROM support, remove custom click-jacking protection (#6057)
- RELEASE 1.3.3
  * Fix decoding of mailto: links with + character in HTML messages (#6020)
  * Fix false reporting of failed upgrade in (#6019)
  * Fix file disclosure vulnerability caused by insufficient input validation [CVE-2017-16651] (#6026)
  * Fix mangled non-ASCII characters in links in HTML messages (#6028)
- RELEASE 1.3.2
  * Fix bug where pink image was used instead of a thumbnail when image resize fails (#5933)
  * Fix so files size/count limit is verified (client-side) also on drag-n-drop uploads (#5940)
  * Fix invalid template loading on a message error in preview frame (#5941)
  * Fix bug where HTML messages could have been rendered empty on some systems (#5957)
  * Fix wording of "Mark previewed messages as read" to "Mark messages as read" (#5952)
  * Enigma: Fix decryption of messages encoded with non-ascii charset (#5962)
  * Fix missing cursor in HTML editor on mail reply (#5969)
  * Fix (again) bug where image data URIs in css style were treated as evil/remote in mail preview (#5580)
  * Fix bug where mail search could return empty result on servers without SORT capability (#5973)
  * Fix bug where assets_path wasn't added to some watermark frames
  * Fix so untagged COPYUID responses are also supported according to RFC6851 (#5982)
  * Fix issue caused by non-default session.cookie_lifetime setting (#5961)
  * Fix Edge encoding bug when pasting text into the HTML editor, update to TinyMCE 4.5.8 (#5885)
  * Fix handling of unknown Content-Disposition type (#6002)
  * Fix truncated folder name on messages list in multi-folder mode, for folders with non-ascii characters (#6004)
  * Fix bug where removing the last subfolder did not hide toggle button on its parent record (#6007)
  * Fix bug where ghost messages could be added to the list after fast delete (#5941)
- RELEASE 1.3.1
  * Add Preferences > Mailbox View > Main Options > Layout (#5829)
  * Password: Fix compatibility with PHP 7+ in cpanel_webmail driver (#5820)
  * Managesieve: Fix parsing dot-staffed lines in multiline text (#5838)
  * Managesieve: Fix AM/PM suffix in vacation time selectors
  * Managesieve: Fix bug where 'exists' operator was reset to 'contains' (#5899)
  * Remove non-printable characters from filenames on download/display (#5880)
  * Fix decoding non-ascii attachment names from TNEF attachments (#5646, #5799)
  * Fix uninitialized string offset in rcube_utils::bin2ascii() and make sure rcube_utils::random_bytes() result has always requested length (#5788)
  * Fix bug where HTML messages with @media styles could moddify style of page body (#5811)
  * Fix style issue on selected and unfocused message that is part of a thread (#5798)
  * Fix bug where a.button style from managesieve plugin could impact other elements (#5800)
  * Fix position of selected icon for (Mailvelope) Encrypt button
  * Fix fatal error when using DMY- or MDY-based date format in PostgreSQL (#5808)
  * Fix bug where errors were not printed when using bin/ (#5834)
  * Fix PHP 7.2 warnings on count() use (#5845)
  * Fix bug where Chrome could not upload the same file that was selected before (#5854)
  * Fix duplicate messages on the list after deleting messages on the next to the last page (#5862)
  * Fix bug where messages count was not updated after delete when imap_cache is set (#5872)
  * Fix potential XSS vulnerability with malformed HTML message markup
  * Fix sending message with "Too many public recipients" dialog buttons (#5924)
  * Bring back double-click behavior on the message list which was removed in 1.3.0 (#5823)
  * Enigma: Fix decrypting an encrypted+signed message when signature verification fails (#5914)
- RELEASE 1.3.0
  * Update to TinyMCE 4.5.7
  * Fix bug where invalid recipients could be silently discarded (#5739)
  * Fix conflict with _gid cookie of Google Analytics (#5748)
  * Print error from CLI scripts when system/exec function is disabled (#5744)
  * Fix bug where comment notation within style tag would cause the whole style to be ignored (#5747)
  * Fix bug where it wasn't possible to scroll folders list in Edge (#5750)
  * Fix folders list sorting on Windows - if php-intl is available (#5732)
  * Fix addressbook searching by gender (#5757)
  * Fix prevention from using % and * characters in folder name (#5762)
  * Fix POST parameter reflection in default_charset selector (#5768)
  * Enigma: Fix compatibility with assets_dir
  * Managesieve: Skip redundant LISTSCRIPTS command
  * Fix SQL syntax error on MariaDB 10.2 (#5774)
  * Fix bug where zipdownload ignored files with the same name (#5777)
  * Fix bug where it wasn't possible to set timezone to auto-detected value (#5782)
- Build roundcube correcty for both php5 and php7
* Fri Nov 10 2017
- Update to 1.2.7:
  + Fix file disclosure vulnerability caused by insufficient
    input validation (CVE-2017-16651; boo#1067574)
* Tue Sep 19 2017
- Update to 1.2.6
  * Don't ignore (global) userlogins/sendmail logging in per_user_logging mode
  * Enigma: Fix compatibility with assets_dir
  * Managesieve: Fix AM/PM suffix in vacation time selectors
  * Fix bug where comment notation within style tag would cause the whole style to be ignored (#5747)
  * Fix bug where it wasn't possible to scroll folders list in Edge (#5750)
  * Fix addressbook searching by gender (#5757)
  * Fix SQL syntax error on MariaDB 10.2 (#5774)
  * Fix bug where it wasn't possible to set timezone to auto-detected value (#5782)
  * Fix uninitialized string offset in rcube_utils::bin2ascii() and make sure rcube_utils::random_bytes() result has always requested length (#5788)
  * Fix potential XSS vulnerability with malformed HTML message markup
* Fri Jul 28 2017
- fix for boo#1050980
  * php-mcrypt will be removed with php >= 7.2
  * anyway not a dependency anymore since roundcube version 1.2
* Wed May 03 2017
- Update to 1.2.5 which fixes vulnerability in the virtualmin and
  sasl drivers of the password plugin (CVE-2017-8114, bsc#1036955)
* Thu Mar 16 2017
- Update to 1.2.4 [boo#1029035]
  - Managesieve: Fix handling of scripts with nested rules (#5540)
  - Managesieve: Fix parser issue with empty lines between comments (#5657)
  - Managesieve: Fix possible defect in handling \r\n in scripts (#5685)
  - Enigma: Fix handling of messages with nested PGP encrypted parts (#5634)
  - Enigma: Fix PHP fatal error when decrypting a message with invalid signature (#5555)
  - Enigma: Fix missing require statement for Crypt_GPG_KeyGenerator (#5641)
  - Fix variable substitution in ldap host for some use-cases, e.g. new_user_identity (#5544)
  - Fix adding images to new identity signatures
  - Fix rsync error handling in script (#5562)
  - Fix some advanced search issues with multiple addressbooks (#5572)
  - Fix so group/addressbook selection is retained on page refresh
  - Fix bug where image data URIs in css style were treated as evil/remote in mail preview (#5580)
  - Fix bug where external content in src attribute of input/video tags was not secured (#5583)
  - Fix PHP error on update of a contact with multiple email addresses when using PHP 7.1 (#5587)
  - Fix bug where mail content frame couldn't be reset in some corner cases (#5608)
  - Fix bug where some classic skin images were not displayed in IE/Edge (#5614)
  - Fix bug where signature couldn't be added above the quote in Firefox 51 (#5628)
  - Fix regression where groups with email address were resolved to its members' addresses
  - Fix update of group name in the contacts list header on group rename (#5648)
  - Add rewrite rule to disable access to /vendor/bin folder in .htaccess (#5630)
  - Fix bug where it was too easy accidentally move a folder when using the subscription checkbox (#5655)
  - Fix XSS issue in handling of a style tag inside of an svg element [CVE-2017-6820]
* Tue Nov 29 2016
- Update to 1.2.3 [boo#1012493]
  - Searching in both contacts and groups when LDAP addressbook with group_filters option is used
  - Fix vulnerability in handling of mail()'s 5th argument [boo#1012493]
  - Fix To: header encoding in mail sent with mail() method (#5475)
  - Fix flickering of header topline in min-mode (#5426)
  - Fix bug where folders list would scroll to top when clicking on subscription checkbox (#5447)
  - Fix decoding of GB2312/GBK text when iconv is not installed (#5448)
  - Fix regression where creation of default folders wasn't functioning without prefix (#5460)
  - Enigma: Fix bug where last records on keys list were hidden (#5461)
  - Enigma: Fix key search with keyword containing non-ascii characters (#5459)
  - Fix bug where deleting folders with subfolders could fail in some cases (#5466)
  - Fix bug where IMAP password could be exposed via error message (#5472)
  - Fix bug where it wasn't possible to store more that 2MB objects in memcache/apc, Added memcache_max_allowed_packet and apc_max_allowed_packet settings (#5452)
  - Fix "Illegal string offset" warning in rcube::log_bug() on PHP 7.1 (#5508)
  - Fix storing "empty" values in rcube_cache/rcube_cache_shared (#5519)
  - Fix missing content check when image resize fails on attachment thumbnail generation (#5485)
  - Fix displaying attached images with wrong Content-Type specified (#5527)
* Wed Oct 05 2016
- verify source signature
* Thu Sep 29 2016
- Update to 1.2.2 [boo#1001856]
  - Enigma: Add possibility to configure gpg-agent binary location (enigma_pgp_agent)
  - Enigma: Fix signature verification with some IMAP servers, e.g. Gmail, DBMail (#5371)
  - Enigma: Make recipient key searches case-insensitive (#5434)
  - Fix regression in resizing JPEG images with Imagick (#5376)
  - Managesieve: Fix parsing of vacation date-time with non-default date_format (#5372)
  - Use SymLinksIfOwnerMatch in .htaccess instead of FollowSymLinks disabled on some hosts for security reasons (#5370)
  - Wash position:fixed style in HTML mail for better security (#5264) [boo#1001856]
  - Fix bug where memcache_debug didn't work for session operations
  - Fix bug where Message-ID domain part was tied to username instead of current identity (#5385)
  - Fix bug where blocked.gif couldn't be attached to reply/forward with insecure content
  - Fix E_DEPRECATED warning when using Auth_SASL::factory() (#5401)
  - Fix bug where names of downloaded files could be malformed when derived from the message subject (#5404)
  - Fix so "All" messages selection is resetted on search reset (#5413)
  - Fix bug where folder creation could fail if personal namespace contained more than one entry (#5403)
  - Fix error causing empty INBOX listing in Firefox when using an URL with user:password specified (#5400)
  - Fix PHP warning when handling shared namespace with empty prefix (#5420)
  - Fix so folders list is scrolled to the selected folder on page load (#5424)
  - Fix so when moving to Trash we make sure the folder exists (#5192)
  - Fix displaying size of attachments with zero size
  - Fix so "Action disabled" error uses more appropriate 404 code (#5440)
* Thu Aug 11 2016
- Update to 1.2.1
  - Update TinyMCE to version 4.3.13 (#5309)
  - Fix bug where errors could have been not logged when per_user_logging=true
  - Fix bug where message list columns could be in wrong order after column drag-n-drop and list sorting
  - Fix so minified publickey.js (with cache-buster) is used when available (#5254)
  - Fix (replace) application/x-tar file extension test as it might not exist in nginx config (#5253)
  - Fix PHP warning when password_hosts is set, but is not an array (#5260)
  - Fix redundant keep-alive requests when session_lifetime is greater than ~20000 (#5273)
  - Fix so subfolders of INBOX can be set as Archive (#5274)
  - Fix bug where multi-folder search could choose a wrong folder in "this and subfolders" scope (#5282)
  - Fix bug where multi-folder search didn't work for unsubscribed INBOX (#5259)
  - Fix bug where "no body" alert could be displayed when sending mailvelope email
  - Enigma: Fix keys import from inside of an encrypted message (#5285)
  - Enigma: Fix malformed signed messages with force_7bit=true (#5292)
  - Enigma: Add possibility to configure gpg binary location (enigma_pgp_binary)
  - Enigma: Add possibility to export private keys (#5321)
  - Fix searching by email address in contacts with multiple addresses (#5291)
  - Fix handling of --delete argument in script (#5296)
  - Workaround PHP issue by calling closelog() on script shutdown when using log_driver=syslog (#5289)
  - Fix so upgrade script makes sure program/lib directory does not contain old libraries (#5287)
  - Fix subscription checkbox state on error in folder subscribe/unsubscribe action (#5243)
  - Fix bug where microsecond format in logged date didn't work in some cases
  - Fix conflict in new_user_dialog and password_force_new_user settings (#5275)
  - Don't create multipart/alternative messages with empty text/plain part (#5283)
  - Use contact_search_name format in popup on results in compose contacts search
  - Fix handling of 'mailto' and 'error' arguments in message_before_send hook (#5347)
  - Fix missing localization of HTML editor when assets_dir != INSTALL_PATH
  - Fix handling of blockquote tags with mixed case on html2text conversion (#5363)
  - Fix javascript errors in IE on page with iframe that points to another domain
* Tue May 24 2016
- update to version 1.2.0 [boo#982003] [CVE-2016-5103]
    PHP7 compatibility
    PGP encryption
    Drag-n-drop attachments from mail preview to compose window
    Mail messages searching with predefined date interval
    Improved security measures to protect from brute-force attacks
    And of course plenty of small improvements and bug fixes.
* Mon Apr 25 2016
- Update to 1.1.5
    Plugin API: Add html2text hook
    Plugin API: Added addressbook_export hook
    Fix missing emoticons on html-to-text conversion
    Fix random "access to this resource is secured against CSRF" message at logout (#4956)
    Fix missing language name in "Add to Dictionary" request in HTML mode (#4951)
    Enable use of TLSv1.1 and TLSv1.2 for IMAP (#4955)
    Fix XSS issue in SVG images handling (#4949)
    Fix (again) security issue in DBMail driver of password plugin CVE-2015-2181
    Fix bug where Archive/Junk buttons were not active after page jump with select=all mode (#4961)
    Fix bug in long recipients list parsing for cases where recipient name contained @-char (#4964)
    Fix additional_message_headers plugin compatibility with Mail_Mime >= 1.9 (#4966)
    Hide DSN option in Preferences when smtp_server is not used (#4967)
    Protect download urls against CSRF using unique request tokens (#4957)
    newmail_notifier: Refactor desktop notifications
    Fix so contactlist_fields option can be set via config file
    Fix so SPECIAL-USE assignments are forced only until user sets special folders (#4782)
    Fix performance in reverting order of THREAD result
    Fix converting mail addresses with @www. into mailto links (#5197)
* Fri Feb 05 2016
- Added "Suggests:" for apache2
* Fri Jan 15 2016
- Changed apache2 config
* Thu Dec 31 2015
- Update to 1.1.4
    Add workaround for ? (#1490582)
    Fix duplicate messages in list and wrong count after delete (#1490572)
    Fix so Installer requires PHP5
    Make brute force attacks harder by re-generating security token on every failed login (#1490549)
    Slow down brute-force attacks by waiting for a second after failed login (#1490549)
    Fix .htaccess rewrite rules to not block .well-known URIs (#1490615)
    Fix mail view scaling on iOS (#1490551)
    Fix so database_attachments::cleanup() does not remove attachments from other sessions (#1490542)
    Fix responses list update issue after response name change (#1490555)
    Fix bug where message preview was unintentionally reset on check-recent action (#1490563)
    Fix bug where HTML messages with invalid/excessive css styles couldn't be displayed (#1490539)
    Fix redundant blank lines when using HTML and top posting (#1490576)
    Fix redundant blank lines on start of text after html to text conversion (#1490577)
    Fix HTML sanitizer to skip <!-- node type X --> in output (#1490583)
    Fix invalid LDAP query in ACL user autocompletion (#1490591)
    Fix regression in displaying contents of message/rfc822 parts (#1490606)
    Fix handling of message/rfc822 attachments on replies and forwards (#1490607)
    Fix PDF support detection in Firefox > 19 (#1490610)
    Fix path traversal vulnerability (CWE-22) in setting a skin (#1490620) [CVE-2015-8770] [bnc#962067]
    Fix so drag-n-drop of text (e.g. recipient addresses) on compose page actually works (#1490619)
- explicitely add required PHP packages (according to INSTALL):
  + php-dom, php-json, php-sockets
- also recommend additional PHP packages:
  + php-zip, php-pear-Crypt_GPG
- use generic php- prefix also for recommended packages (no explicit php5-)
- no Dockerfile readme any more
* Fri Oct 23 2015
- Changed roundcubemail-httpd.conf
- Enable mod_version.c per default [boo#938840]
Version: 1.3.16-bp152.4.10.1
* Mon Dec 28 2020 Lars Vogdt <>
- Upgrade to version 1.3.16
  This is a security update to the LTS version 1.3.
  It fixes a recently reported stored cross-site scripting (XSS)
  vulnerability via HTML or plain text messages with malicious content.
  [CVE-2020-18670]: boo#1187707
  [CVE-2020-18671]: boo#1187706
  [CVE-2020-35730]: boo#1180399
Version: 1.3.16-bp151.4.6.1
* Mon Dec 28 2020 Lars Vogdt <>
- update to 1.4.10:
  * Stored cross-site scripting (XSS) via HTML or plain text messages
    with malicious content ( CVE-2020-35730 boo#1180399 )
  * Fix extra angle brackets in In-Reply-To header derived from mailto: params (#7655)
  * Fix folder list issue when special folder is a subfolder (#7647)
  * Fix Elastic's folder subscription toggle in search result (#7653)
  * Fix state of subscription toggle on folders list after changing
    folder state from the search result (#7653)
  * Security: Fix cross-site scripting (XSS) via HTML or plain text
    messages with malicious content
Version: 1.3.15-bp151.4.3.1
* Thu Aug 13 2020 Lars Vogdt <>
- finally renamed roundcubemail-1.4.8-config_dir.patch to
  roundcubemail-config_dir.patch to avoid additional roundtrip
  times with each submission:
  + removed roundcubemail-1.4.7-config_dir.patch
  + added  roundcubemail-config_dir.patch