Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package roundcubemail for openSUSE:Factory checked in at 2025-06-02 22:00:43
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/roundcubemail (Old)
 and /work/SRC/openSUSE:Factory/.roundcubemail.new.16005 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "roundcubemail" Mon Jun 2 22:00:43 2025 rev:89 rq:1281843 version:1.6.11 Changes: -------- --- /work/SRC/openSUSE:Factory/roundcubemail/roundcubemail.changes 2025-02-09 20:54:38.793767319 +0100 +++ /work/SRC/openSUSE:Factory/.roundcubemail.new.16005/roundcubemail.changes 2025-06-02 22:00:59.514294485 +0200 
@@ -1,0 +2,24 @@ +Sun Jun 1 17:11:22 UTC 2025 - Aeneas Jaißle <a...@ajaissle.de> + +- update to 1.6.11 + This is a security update to the stable version 1.6 of Roundcube Webmail. + It provides fixes to recently reported security vulnerabilities: + * Fix Post-Auth RCE via PHP Object Deserialization reported by firs0v. + +- CHANGELOG + * Managesieve: Fix match-type selector (remove unsupported options) in delete header action (#9610) + * Improve installer to fix confusion about disabling SMTP authentication (#9801) + * Fix PHP warning in index.php (#9813) + * OAuth: Fix/improve token refresh + * Fix dark mode bug where wrong colors were used for blockquotes in HTML mail preview (#9820) + * Fix HTML message preview if it contains floating tables (#9804) + * Fix removing/expiring redis/memcache records when using a key prefix + * Fix bug where a wrong SPECIAL-USE folder could have been detected, if there were more than one per-type (#9781) + * Fix a default value and documentation of password_ldap_encodage option (#9658) + * Remove mobile/floating Create button from the list in Settings > Folders (#9661) + * Fix Delete and Empty buttons state while creating a folder (#9047) + * Fix connecting to LDAP using ldapi:// URI (#8990) + * Fix cursor position on "below the quote" reply in HTML mode (#8700) + * Fix bug where attachments with content type of application/vnd.ms-tnef were not parsed (#7119) + +------------------------------------------------------------------- Old: ---- roundcubemail-1.6.10-complete.tar.gz roundcubemail-1.6.10-complete.tar.gz.asc New: ---- roundcubemail-1.6.11-complete.tar.gz roundcubemail-1.6.11-complete.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ roundcubemail.spec ++++++ --- /var/tmp/diff_new_pack.gtWaA2/_old 2025-06-02 22:01:00.054316881 +0200 +++ /var/tmp/diff_new_pack.gtWaA2/_new 2025-06-02 22:01:00.058317047 +0200 
@@ -20,7 +20,7 @@ %define roundcubeconfigpath %{_sysconfdir}/%{name} Name: roundcubemail -Version: 1.6.10 +Version: 1.6.11 Release: 0 Summary: A browser-based multilingual IMAP client License: BSD-3-Clause AND GPL-2.0-only AND GPL-3.0-or-later ++++++ roundcubemail-1.6.10-complete.tar.gz -> roundcubemail-1.6.11-complete.tar.gz ++++++ ++++ 2317 lines of diff (skipped) ++++++ roundcubemail-httpd.conf ++++++ --- /var/tmp/diff_new_pack.gtWaA2/_old 2025-06-02 22:01:01.010356531 +0200 +++ /var/tmp/diff_new_pack.gtWaA2/_new 2025-06-02 22:01:01.010356531 +0200 @@ -2,10 +2,10 @@ # not a requirement. You can as well reach the server under its # common name under https://yourroundcubeserver.example.com/ # -# NameVirtualHost * -# <VirtualHost *> -# ServerName yourroundcubeserver.example.com -# DocumentRoot __ROUNDCUBEPATH__ +#NameVirtualHost * +#<VirtualHost *> +# ServerName yourroundcubeserver.example.com +# DocumentRoot __ROUNDCUBEPATH__ <IfModule mod_alias.c> 
@@ -17,38 +17,25 @@ AddType text/x-component .htc <Directory "__ROUNDCUBEPATH__/public_html"> - <IfModule mod_version.c> - <IfVersion < 2.4> - Order allow,deny - Allow from all - </IfVersion> - <IfVersion >= 2.4> - <IfModule mod_authz_core.c> - Require all granted - </IfModule> - <IfModule mod_access_compat.c> - Order allow,deny - Allow from all - </IfModule> - </IfVersion> + <IfModule mod_authz_core.c> + Require all granted </IfModule> - <IfModule !mod_version.c> + <IfModule !mod_authz_core.c> Order allow,deny Allow from all </IfModule> - <IfModule mod_php5.c> + <IfModule mod_php7.c> Include @apache_sysconfdir@/conf.d/@name@.inc </IfModule> - - <IfModule mod_php7.c> + <IfModule mod_php8.c> Include @apache_sysconfdir@/conf.d/@name@.inc </IfModule> <IfModule mod_rewrite.c> Options +SymLinksIfOwnerMatch RewriteEngine On - RewriteRule ^favicon\.ico$ skins/larry/images/favicon.ico + RewriteRule ^favicon\.ico$ static.php/skins/elastic/images/favicon.ico # security rules: # - deny access to files not containing a dot or starting with a dot 
@@ -75,48 +62,71 @@ </IfModule> <IfModule mod_filter.c> - AddOutputFilterByType DEFLATE application/javascript - AddOutputFilterByType DEFLATE application/x-javascript - AddOutputFilterByType DEFLATE application/xhtml+xml - AddOutputFilterByType DEFLATE application/xml - AddOutputFilterByType DEFLATE application/json - AddOutputFilterByType DEFLATE text/css - AddOutputFilterByType DEFLATE text/html - AddOutputFilterByType DEFLATE text/plain - AddOutputFilterByType DEFLATE text/x-component - AddOutputFilterByType DEFLATE text/xml + AddOutputFilterByType DEFLATE application/javascript + AddOutputFilterByType DEFLATE application/x-javascript + AddOutputFilterByType DEFLATE application/xhtml+xml + AddOutputFilterByType DEFLATE application/xml + AddOutputFilterByType DEFLATE application/json + AddOutputFilterByType DEFLATE text/css + AddOutputFilterByType DEFLATE text/html + AddOutputFilterByType DEFLATE text/plain + AddOutputFilterByType DEFLATE text/x-component + AddOutputFilterByType DEFLATE text/xml <IfModule mod_setenvif.c> - SetEnvIfNoCase Request_URI .(?:gif|jpe?g|png)$ no-gzip dont-vary - BrowserMatch ^Mozilla/4 gzip-only-text/html - BrowserMatch ^Mozilla/4.0[678] no-gzip - BrowserMatch bMSIE !no-gzip !gzip-only-text/html + SetEnvIfNoCase Request_URI .(?:gif|jpe?g|png)$ no-gzip dont-vary + BrowserMatch ^Mozilla/4 gzip-only-text/html + BrowserMatch ^Mozilla/4.0[678] no-gzip + BrowserMatch bMSIE !no-gzip !gzip-only-text/html </IfModule> </IfModule> + <IfModule mod_expires.c> + ExpiresActive On + ExpiresDefault "access plus 1 month" + </IfModule> + + FileETag MTime Size + + <IfModule mod_autoindex.c> + Options -Indexes + </ifModule> + <IfModule mod_headers.c> + # Disable page indexing + Header set X-Robots-Tag "noindex, nofollow" + # for better privacy/security ask browsers to not set the Referer Header set Content-Security-Policy "referrer no-referrer" + # don't cache, please Header merge Cache-Control public env=!NO_CACHE + + # Optional security headers + # Only 
provides increased security if the browser supports those features + # Be careful! Testing is required! They should be adjusted to your installation / user environment + <IfModule mod_ssl.c> # HSTS - HTTP Strict Transport Security Header always set Strict-Transport-Security "max-age=31536000; preload" env=HTTPS </IfModule> + + # HPKP - HTTP Public Key Pinning + # Only template - fill with your values + #Header always set Public-Key-Pins "max-age=3600; report-uri=\"\"; pin-sha256=\"\"; pin-sha256=\"\"" env=HTTPS + # X-Xss-Protection # This header is used to configure the built in reflective XSS protection found in Internet Explorer, Chrome and Safari (Webkit). Header set X-XSS-Protection "1; mode=block" - </IfModule> - <IfModule mod_expires.c> - ExpiresActive On - ExpiresDefault "access plus 1 month" + # X-Frame-Options + # The X-Frame-Options header (RFC), or XFO header, protects your visitors against clickjacking attacks + # Already set by php code! Do not activate both options + #Header set X-Frame-Options SAMEORIGIN + + # X-Content-Type-Options + # It prevents Google Chrome and Internet Explorer from trying to mime-sniff the content-type of a response away from the one being declared by the server. + #Header set X-Content-Type-Options "nosniff" </IfModule> - - FileETag MTime Size - - <IfModule mod_autoindex.c> - Options -Indexes - </ifModule> </Directory> # @@ -319,6 +329,5 @@ </Directory> # -# </VirtualHost> - +#</VirtualHost>
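Review bot: The new roundcubemail.changes entry (hunk @@ -1,0 +2,24 @@) records only the upstream 1.6.11 changelog and says nothing about the packaging changes to roundcubemail-httpd.conf made in the same commit: the mod_php5 block is dropped, a mod_php8 block is added, the favicon rewrite now points at the elastic skin, and the header section is reworked. Add a changelog line for those, so administrators who carry a locally modified copy of the Apache configuration know they need to re-merge it. The "Fix Post-Auth RCE via PHP Object Deserialization" line also carries no CVE or Bugzilla reference; adding the identifier once one is assigned lets this update be matched against an advisory.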
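Review bot: In the @@ -17,38 +17,25 @@ hunk of roundcubemail-httpd.conf, the added guard `<IfModule mod_php8.c>` should be checked against the name the PHP 8 Apache module actually registers. Upstream PHP 8 dropped the version number from the module (php_module, source file mod_php.c), so unless the distribution build keeps a versioned name this block never matches, and the `Include @apache_sysconfdir@/conf.d/@name@.inc` inside it is skipped without any error. The PHP settings in that include would then silently not apply. Either confirm the identifier against the packaged module or add a third guard for `mod_php.c`.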
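Review bot: In the mod_headers block of the @@ -75,48 +62,71 @@ hunk, the line `Header set Content-Security-Policy "referrer no-referrer"` relies on the CSP `referrer` directive, which was removed from the specification and is ignored by current browsers, so the privacy goal stated in the comment above it is not met. Replace it with `Header set Referrer-Policy "no-referrer"`. The newly added HPKP template (`#Header always set Public-Key-Pins ...`) documents a mechanism that browsers have removed; it is better left out than offered as something to fill in. Of the optional headers, `X-Content-Type-Options "nosniff"` is added commented out, while the legacy `X-XSS-Protection` is active; nosniff is the one that is safe to enable by default for a webmail application that serves user-supplied attachments.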