roundcube (0.3.1-6+deb6u1) squeeze-lts; urgency=high * Non-maintainer upload by the Squeeze LTS Team. * CVE-2015-8770 patch for remote code execution / path traversal -- Thorsten Alteholz Sun, 31 Aug 2014 14:03:02 +0200 roundcube (0.3.1-6) unstable; urgency=low * Update Arabic debconf translation, thanks to Ossama Khayat. Closes: #596181. * Update Portuguese debconf translation, thanks to Christian Perrier. Closes: #599575. * Add a patch to avoid duplicate boundaries in headers when adding an attachment. Closes: #599586. -- Vincent Bernat Mon, 18 Oct 2010 23:14:37 +0200 roundcube (0.3.1-5) unstable; urgency=low * Depends on php-mail-mime 1.7.0 or more recent to handle correctly 'mime_param_folding' directive. Closes: #588295. * Add Danish debconf translation, thanks to Joe Dalton. Closes: #593271. * Add a patch to fix Received header to behave better with Spam Assassin. Closes: #595204. -- Vincent Bernat Thu, 02 Sep 2010 07:54:58 +0200 roundcube (0.3.1-4) unstable; urgency=low * Update README.Debian to state that the variable to modify is 'htmleditor' instead of 'enable_htmleditor'. Thanks to Hans Spaans. Closes: #575556. * Add Brazilian Portuguese debconf translation, thanks to Eder L. Marques. Closes: #581745. * Switch default encoding to UTF-8 instead of ISO-8859-1. Closes: #588084. * Add more explanations on how to install roundcube in a Debian system in README.Debian. Closes: #584458, #582894. * Bump Standards-Version. No changes required. * Switch to 3.0 (quilt) format. * Use Breaks instead of Conflicts to move files from older roundcube installations. -- Vincent Bernat Sat, 17 Jul 2010 17:23:30 +0200 roundcube (0.3.1-3) unstable; urgency=high * RFC 5321, section 4.5.3.1, asks to not impose any limits on length if possible. We respect this by dropping limitation of the local-part of an email address. Closes: #568360, #568537. * Suggests php-auth-sasl to enable use of SASL mechanisms for mail servers. Closes: #567550. * Disable DNS prefetching to avoid information leakage through links embedded in messages. This fixes CVE-2010-0464. Closes: #569660. * Bump Standards-Version. No changes required. -- Vincent Bernat Sat, 13 Feb 2010 10:21:49 +0100 roundcube (0.3.1-2) unstable; urgency=low * Fix VCS links in debian/control, thanks to Torsten Landschoff. Closes: #555900. * Really ship NEWS.Debian. * Add changesets 3170 and 3202 from upstream to handle gracefully jQuery 1.4. Thanks to Volker Gropp for the report. Closes: #565715. -- Vincent Bernat Mon, 18 Jan 2010 23:11:01 +0100 roundcube (0.3.1-1) unstable; urgency=low * New upstream release. * Add a notice in NEWS.Debian about php.ini options that should be set to get Roundcube working properly. Closes: #549428, #552508. -- Vincent Bernat Sat, 07 Nov 2009 17:41:37 +0100 roundcube (0.3-2) unstable; urgency=low * Really fix #544579 since the default value is null without quotes. This really Closes: #544579. * Enlarge login box to accommodate sk_SK locale. Closes: #542933. -- Vincent Bernat Sun, 27 Sep 2009 11:26:56 +0200 roundcube (0.3-1) unstable; urgency=low * New upstream release. Closes: #545498. * Update debconf translations: + Italian, thanks to Luca Monducci. Closes: #544199. + Czech, thanks to Miroslav Kure. Closes: #546413. * Roundcube configuration now uses 'language' instead of 'locale_string' to specify the default language. Update postinst to reflect this change. Thanks to Richard van den Berg for noticing this. Closes: #544579. * Depends on libjs-jquery (>= 1.3) since this is now used by roundcube. * Don't ship any plugins for now but ship an empty plugins directory. * Ship main .htaccess since it is needed to setup correctly PHP (for example, to disable PHP Suhosin cookie encryption). * Bump Standards-Version. No changes required. -- Vincent Bernat Sun, 27 Sep 2009 11:00:30 +0200 roundcube (0.2.2-1) unstable; urgency=low * New upstream release * Bump Standards-Version. No changes required. * Remove *.js.src which are not needed at runtime. * Don't send email contents to Google by default by using php5-pspell instead. Thanks to Anand Kumria. Closes: #529563. * Update debconf translations: + Basque, thanks to Piarres Beobide. Closes: #534282. -- Vincent Bernat Sun, 05 Jul 2009 09:53:17 +0200 roundcube (0.2.1-2) unstable; urgency=low * Update debconf translations: + German, thanks to Helge Kreutzmann. Closes: #520004. + Japanese, thanks to Hideki Yamane. Closes: #520024. + Spanish, thanks to Francisco Javier. Closes: #526696. + Russian, thanks to Yuri Kozlov. Closes: #528796. * Depend on php-mdb2-* (>= 1.5.0b2) since it is needed to fix some bugs. Closes: #519104, #519293. Remove not needed any more patch from debian/patches/series. Keep it in debian/patches to help backports. -- Vincent Bernat Sat, 16 May 2009 15:30:17 +0200 roundcube (0.2.1-1) unstable; urgency=low * New upstream release: + Fix use_packaged_tinymce.patch to apply to this new version + Remove cve-2009-0413.patch which has been applied upstream -- Vincent Bernat Sat, 14 Mar 2009 17:42:07 +0100 roundcube (0.2~stable-2) unstable; urgency=low * Update debconf translations: + French, thanks to Christian Perrier. Closes: #515806. + Swedish, thanks to Martin Bagge. Closes: #516683. * Drop virtual package roundcube-db and add dependencies on real package instead: this way, we can have versioned dependencies on those to avoid version mismatch between packages. * Add a patch to not use a MDB2 feature not present in the Debian package. Thanks to Grzegorz Sobański for the patch. Closes: #519104. -- Vincent Bernat Wed, 11 Mar 2009 18:49:32 +0100 roundcube (0.2~stable-1) unstable; urgency=low * New upstream version. Closes: #503573, #504570. + Add SQL update scripts for this new release and for 0.2~alpha. Remove copy of SQL upgrade script from debian/rules. + Remove patch for CVE-2008-5620 which is now fixed upstream. + Remove patch correcting a vulnerability in html2text.php. + Remove patch fixing login issue. This is fixed upstream. + Remove patch setting the default backend to db instead of mdb2: this is not possible any more. We depend on php-mdb2 now. + Update patch to use packaged tinymce. * Upload to unstable since Lenny is out. * Apply fix for XSS issue (CVE-2009-0413). Closes: #514179. * Remove hack to update a SQLite table for an upgrade from a quite old version of roundcube. * Fix pending l10n issues: + Update English debconf template. Closes: #473794. + Add Swedish translation thanks to Martin Bagge. Closes: #508752. * Fix debian/copyright to make lintian happy. -- Vincent Bernat Sun, 15 Feb 2009 16:18:58 +0100 roundcube (0.2~alpha-4) experimental; urgency=low * Add missing ${misc:Depends} to make Lintian happy. * Add description to each patch. * Execute cron job only if the directory to clean exists. * Reload web server configuration instead of restart, thanks to a patch from Tiago Bortoletto Vaz. Closes: #508633. * Fix a vulnerability in quota image generation. This fixes CVE-2008-5620. Thanks to Nico Golde for reporting it. Closes: #509596. * Add missing dependency on php5-gd, used for quota bar. * For roundcube-pgsql, depends on postgresql-client only. This package is provided by the currently supported real package. -- Vincent Bernat Thu, 25 Dec 2008 11:38:13 +0100 roundcube (0.2~alpha-3) experimental; urgency=high [ Vincent Bernat ] * Fix a vulnerability in the use of preg_replace (Closes: #508628). * Adapt descriptions of roundcube-database packages to refer them as metapackages instead of virtual package (Closes: #495434). * Add robots.txt from upstream, even if in some configuration, it will not be considered (Closes: #499108). * Do not ship .htaccess files. Restrictions are set in Apache or Lighttpd configuration files (Closes: #500202). [ Romain Beauxis ] * Changed versioned dependency of rouncube from binary:Version to source:Version since these are all architecture independent packages. -- Vincent Bernat Sat, 13 Dec 2008 14:36:02 +0100 roundcube (0.2~alpha-2) experimental; urgency=low [ Vincent Bernat ] * Fix lintian warnings introduced by previous upload * Fix lighttpd.conf to make it work with latest versions (Closes: #494044) * Do not prepend path to lighty util in postinst and postrm, as per Policy Manual section 6.1 * Ship a bug/control file to have all bugs submitted against roundcube metapackage * Fix debian/roundcube-core.cron.daily to use /etc/default/roundcube-core instead of /etc/default/roundcube which should not exist any more [ Romain Beauxis ] * Versioned roundcube-core dependency for roundcube -- Vincent Bernat Sat, 16 Aug 2008 13:22:08 +0200 roundcube (0.2~alpha-1) experimental; urgency=low * New upstream release * Update debian/watch file to correctly consider those new releases * Remove the following patches: + messageid-headers-ordering + mysql-update-fix + disable-tinymce-spellchecker * Update the following patches: + correct_install_path + use_packaged_tinymce * Add a new patch to fix a login problem * Depends on tinymce >= 3 -- Vincent Bernat Sun, 22 Jun 2008 14:10:44 +0200 roundcube (0.1.1-7) unstable; urgency=low * Another fix for incorrect tinymce path. This should be the last one! -- Vincent Bernat Sun, 22 Jun 2008 12:36:59 +0200 roundcube (0.1.1-6) unstable; urgency=low * Fix use_packaged_tinymce patch which was incorrect after switch to tinymce2 package. -- Vincent Bernat Sun, 22 Jun 2008 12:19:16 +0200 roundcube (0.1.1-5) unstable; urgency=low * Fix ordering of message-id in message headers, thanks to Reinhard Tartler (Closes: #486493) * Update Standards-Version to 3.8.0 -- Vincent Bernat Tue, 17 Jun 2008 00:33:40 +0200 roundcube (0.1.1-4) unstable; urgency=low * Add Slovak debconf translation, thanks to Ivan Masár (Closes: #481376) * Fix debian/copyright: + RoundCube is GPL-2 licensed, not GPL-2+ + Add an explanation on the BSD license present at the top of index.php (Closes: #477119) * We do not support tinymce 3, yet. Depends on tinymce2 | tinymce (<< 3). Closes: #481145, #483053, #482295 -- Vincent Bernat Tue, 20 May 2008 20:51:52 +0200 roundcube (0.1.1-3) unstable; urgency=low * Fix an error introduced when fixing bug #476803. Thanks to Micah Anderson for spotting it (Closes: #479775). * Avoid to pop language question at every upgrade. Thanks to Ivan Vucica for spotting this. The problem lied in the use of db_metaget to get the value of a key set by db_subst in a previous invocation. It seems this is not possible any more (Closes: #480043). The fix implies that we won't ask the question again if more languages are available since last upgrade. -- Vincent Bernat Thu, 08 May 2008 09:50:24 +0200 roundcube (0.1.1-2) unstable; urgency=low * Comment by default Alias directive for tinymce in Apache configuration file (Closes: #476162). * Allow to preseed language value (Closes: #476803). -- Vincent Bernat Sat, 19 Apr 2008 16:50:28 +0200 roundcube (0.1.1-1) unstable; urgency=low * New upstream release - Copy old SQL upgrade scripts into debian/sql to allow upgrade from versions older than 0.1 - Patch new MySQL upgrade script to fix a typo * Debconf translation updates: - Spanish. Closes: #473788 * Depends on php-mail-mime (>= 1.5.0) and drop compatibility patch * Install upstream changelog in /usr/share/doc/roundcube* -- Vincent Bernat Sat, 05 Apr 2008 18:16:33 +0200 roundcube (0.1-4) unstable; urgency=low * Debconf translation updates: - French. Closes: #469802 - Russian. Closes: #469847 - Galician. Closes: #469866 - German. Closes: #469875 - Finnish. Closes: #469922 - Italian. Closes: #469987 - Czech. Closes: #470150 - Portuguese. Closes: #470156 - Spanish. Closes: #470732 - Basque. Closes: #470871 - Arabic. Closes: #471470 -- Vincent Bernat Sat, 08 Mar 2008 11:15:00 +0100 roundcube (0.1-3) unstable; urgency=low * Fix problem with too old php-mail-mime package (Closes: #469814) -- Vincent Bernat Fri, 07 Mar 2008 11:06:49 +0100 roundcube (0.1-2) unstable; urgency=low * Ship bin/ directory as well. This fix conversion from HTML to text in composition. * Disable spellchecker for tinymce since it is not shipped with Debian package of tinymce. -- Vincent Bernat Fri, 07 Mar 2008 09:42:39 +0100 roundcube (0.1-1) unstable; urgency=low * New upstream release (Closes: #469487). - This release seems to fix failure to set some fields when replying, with bincimap as IMAP server (Closes: #443562) - It also fixes the deletion of multiple messages, still with bincimap (Closes: #451404) * Remove 'ob_gzhandler.patch' and 'xss-fix.patch'. They have been merged upstream. * Upstream has switched to MDB2 database backend which is not packaged in Debian yet. We switch back to old backend. * Fix debian/watch to handle correctly detection of new versions. * Add support for lighttpd and remove support for older version of Apache. The debconf question about webserver autoconfiguration is reworded (Closes: #462961). * Do not depend on a specific revision of cdbs. * Move po-debconf from Build-Depends-Indep to Build-Depends since it is needed for clean target. * Correct path to /usr/share/file/magic, provided by libmagic1. Provide license information about this file in debian/copyright. -- Vincent Bernat Wed, 05 Mar 2008 20:49:03 +0100 roundcube (0.1~rc2-6) unstable; urgency=high * Bug fix: "CVE-2007-6321: Cross-site scripting (XSS) vulnerability", thanks to Micah Anderson (Closes: #455840). The patch is from http://lists.roundcube.net/mail-archive/dev/2007-12/0000038.html and provided by Robin Elfrink. It has been modified with some functions stolen from Squirrelmail. * Finnish debconf template, thanks to Esko Arajärvi (Closes: #458244). -- Vincent Bernat Sat, 29 Dec 2007 21:55:17 +0100 roundcube (0.1~rc2-5) unstable; urgency=low * Deal with old /etc/logrotate.d/roundcube by removing it if left untouched (Closes: #456546). Also deal with /etc/default/roundcube and /etc/cron.daily/roundcube. -- Vincent Bernat Tue, 18 Dec 2007 23:02:46 +0100 roundcube (0.1~rc2-4) unstable; urgency=low * Thightened dependencies for a safe upgrade * Finally removed any circular dependency, -db packages no longer pull a full roundcube install -- Romain Beauxis Sun, 09 Dec 2007 14:24:24 +0100 roundcube (0.1~rc2-3) unstable; urgency=low * Upload to unstable * Bumped standard version to 3.7.3 (no changes) -- Romain Beauxis Sun, 09 Dec 2007 14:19:28 +0100 roundcube (0.1~rc2-2) experimental; urgency=low [ Vincent Bernat ] * Fix a conflict between ob_gzhandler and zlib output compression, thanks to kaouete (Closes: #450482). [ Romain Beauxis ] * Fix tinymce patch and inclusion Closes: #452016 * Splitted virtual packages to avoid circular dependencies. Uploading to experimental, as this is an important change and we may expect issues.. -- Romain Beauxis Mon, 26 Nov 2007 11:54:21 +0100 roundcube (0.1~rc2-1) unstable; urgency=low * New upstream, thanks to Nicolas Stransky (Closes: #447503). This release support tinymce as HTML editor. Look at README.Debian for more information. * Update Galician debconf template, thanks to Jacobo Tarrio (Closes: #447943). -- Vincent Bernat Mon, 29 Oct 2007 22:08:43 +0100 roundcube (0.1~rc1-3) unstable; urgency=low * In respect to policy 12.3, do not put main.inc.php.dist in /usr/share/doc, thanks to Jonas Smedegaard (Closes: #446502). * Update German and French debconf templates, thanks to Christian Perrier (Closes: #446458) and Helge Kreutzmann (Closes: #446532). -- Vincent Bernat Sun, 14 Oct 2007 08:41:24 +0200 roundcube (0.1~rc1-2) unstable; urgency=low * Fix dependencies by creating virtual packages for each database backend, thanks to Joey Hess (Closes: #444925). -- Vincent Bernat Tue, 02 Oct 2007 20:09:19 +0200 roundcube (0.1~rc1-1) unstable; urgency=low * New upstream release * Removed non gpl file des.inc -- Romain Beauxis Tue, 24 Jul 2007 13:36:20 +0200 roundcube (0.1~rc1~dfsg-3) unstable; urgency=low * Add php5-mcrypt dependency (Closes: #431177) -- Vincent Bernat Sat, 30 Jun 2007 19:36:21 +0200 roundcube (0.1~rc1~dfsg-2) unstable; urgency=low * Removed custom unix_timestamp for sqlite: solved upstream * Debconf templates and debian/control reviewed by the debian-l10n- english team as part of the Smith review project. Closes: #426086, #427546, #427546 * Debconf translation updates: - Galician. Closes: #426140 - Basque. Closes: #426150 - Czech. Closes: #426428 - Portuguese. Closes: #426451 - Arabic. Closes: #427110 - Italian. Closes: #427206 - German. Closes: #427536 - French. Closes: #427736 - Tamil. Closes: #428254 - Russian. Closes: #428364 - Spanish. Closes: #428573 -- Romain Beauxis Tue, 05 Jun 2007 15:22:36 +0200 roundcube (0.1~rc1~dfsg-1) unstable; urgency=low [ Vincent Bernat ] * New upstream release * Update script for sqlite in postinst [ Romain Beauxis ] * Fixed dh_link calls Closes: #423824 * Added custom patch to use php unix timestamp support with sqlite since UNIX_TIMESTAMP is not supported by sqlite. * Dropped php4 dependencies -- Vincent Bernat Sun, 20 May 2007 13:59:44 +0200 roundcube (0.1~beta2.2~dfsg-2) unstable; urgency=low * Fix a security issue by disallowing access to logs. * First upload to unstable. -- Vincent Bernat Sat, 5 May 2007 00:23:40 +0200 roundcube (0.1~beta2.2~dfsg-1) experimental; urgency=low * Initial release. (Closes: #333756, #344949) -- Romain Beauxis Tue, 13 Mar 2007 13:28:05 +0100