author | bsiegert <bsiegert> | 2016-06-04 19:39:34 +0000 |
---|---|---|
committer | bsiegert <bsiegert> | 2016-06-04 19:39:34 +0000 |
commit | 42b937fba8a29951d8633c1f76097f4076e196b1 (patch) | |
tree | c3f64a5e812179a1f430c92493f12927863ad5a4 | |
parent | e4e247c3257ca19b86cefffb8c73156ed340bed2 (diff) | |
download | pkgsrc-42b937fba8a29951d8633c1f76097f4076e196b1.tar.gz |
Pullup ticket #5033 - requested by taca
mail/roundcube: security fix
Revisions pulled up:
- mail/roundcube/Makefile 1.81-1.83
- mail/roundcube/PLIST 1.40-1.41
- mail/roundcube/distinfo 1.49-1.51
- mail/roundcube/patches/patch-config.inc.php deleted
- mail/roundcube/patches/patch-plugins_password_helpers_passwd-expect 1.1
- mail/roundcube/patches/patch-program_lib_Roundcube_rcube__washtml.php 1.3
---
Module Name: pkgsrc
Committed By: taca
Date: Thu May 26 03:20:37 UTC 2016
Modified Files:
pkgsrc/mail/roundcube: Makefile PLIST distinfo
Removed Files:
pkgsrc/mail/roundcube/patches: patch-config.inc.php
Log Message:
Update roundcube to 1.1.5, including security fix.
RELEASE 1.1.5
-------------
- Plugin API: Add html2text hook
- Plugin API: Added addressbook_export hook
- Fix missing emoticons on html-to-text conversion
- Fix random "access to this resource is secured against CSRF" message at logout (#4956)
- Fix missing language name in "Add to Dictionary" request in HTML mode (#4951)
- Enable use of TLSv1.1 and TLSv1.2 for IMAP (#4955)
- Fix XSS issue in SVG images handling (#4949)
- Fix (again) security issue in DBMail driver of password plugin [CVE-2015-2181] (#4958)
- Fix bug where Archive/Junk buttons were not active after page jump with select=all mode (#4961)
- Fix bug in long recipients list parsing for cases where recipient name contained @-char (#4964)
- Fix additional_message_headers plugin compatibility with Mail_Mime >= 1.9 (#4966)
- Hide DSN option in Preferences when smtp_server is not used (#4967)
- Protect download urls against CSRF using unique request tokens (#4957)
- newmail_notifier: Refactor desktop notifications
- Fix so contactlist_fields option can be set via config file
- Fix so SPECIAL-USE assignments are forced only until user sets special folders (#4782)
- Fix performance in reverting order of THREAD result
- Fix converting mail addresses with @www. into mailto links (#5197)
---
Module Name: pkgsrc
Committed By: taca
Date: Thu May 26 03:23:39 UTC 2016
Added Files:
pkgsrc/mail/roundcube/patches:
patch-plugins_password_helpers_passwd-expect
Log Message:
Oops, forgot to add a patch file for NetBSD (and perhaps for *BSD) to
make password plugin work.
---
Module Name: pkgsrc
Committed By: taca
Date: Thu May 26 23:22:17 UTC 2016
Modified Files:
pkgsrc/mail/roundcube: Makefile distinfo
Added Files:
pkgsrc/mail/roundcube/patches:
patch-program_lib_Roundcube_rcube__washtml.php
Log Message:
Update security patch for CVE-2016-5103 (XSS) from upstream.
Bump PKGREVISION.
---
Module Name: pkgsrc
Committed By: taca
Date: Sun May 29 15:46:59 UTC 2016
Modified Files:
pkgsrc/mail/roundcube: Makefile PLIST distinfo
Log Message:
Switch to get distfiles from GitHub, noted by David Brownlee via private
e-mail.
And some installed files are changed, bump PKGREVISION.
-rw-r--r-- | mail/roundcube/Makefile | 11 | ||||
-rw-r--r-- | mail/roundcube/distinfo | 13 | ||||
-rw-r--r-- | mail/roundcube/patches/patch-config.inc.php | 17 | ||||
-rw-r--r-- | mail/roundcube/patches/patch-plugins_password_helpers_passwd-expect | 24 | ||||
-rw-r--r-- | mail/roundcube/patches/patch-program_lib_Roundcube_rcube__washtml.php | 15 |
5 files changed, 54 insertions, 26 deletions
diff --git a/mail/roundcube/Makefile b/mail/roundcube/Makefile
index 5b02a2a824c..a82de28c1b0 100644
--- a/mail/roundcube/Makefile
+++ b/mail/roundcube/Makefile
@@ -1,9 +1,14 @@
-# $NetBSD: Makefile,v 1.80 2016/03/16 13:36:52 taca Exp $
+# $NetBSD: Makefile,v 1.80.2.1 2016/06/04 19:39:34 bsiegert Exp $
 
-DISTNAME= roundcubemail-1.1.4
+DISTNAME= roundcubemail-1.1.5
 PKGNAME= ${PHP_PKG_PREFIX}-${DISTNAME:S/mail-/-/}
+PKGREVISION= 2
 CATEGORIES= mail
-MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=roundcubemail/}
+MASTER_SITES= ${MASTER_SITE_GITHUB:=roundcube/}
+GITHUB_PROJECT= roundcubemail
+GITHUB_RELEASE= 1.1.5
+GITHUB_TYPE= release
+DIST_SUBDIR= roundcubemail-1.1.5
 
 MAINTAINER= taca@NetBSD.org
 HOMEPAGE= http://roundcube.net/
diff --git a/mail/roundcube/distinfo b/mail/roundcube/distinfo
index 50dd2f3def4..844201c63e9 100644
--- a/mail/roundcube/distinfo
+++ b/mail/roundcube/distinfo
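Review bot: The version `1.1.5` is now written three times in this hunk (`DISTNAME`, `GITHUB_RELEASE`, `DIST_SUBDIR`), so the next update has to change all three or the fetch path and the `distinfo` entries drift apart. `DIST_SUBDIR= ${DISTNAME}` would remove one copy, and `GITHUB_RELEASE` could be derived from the package version in the same way. A one-line comment above `DIST_SUBDIR` stating why the subdirectory is needed (presumably because the GitHub tarball differs from the earlier distfile of the same name) would help the next maintainer decide when it can be dropped.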
@@ -1,10 +1,11 @@
-$NetBSD: distinfo,v 1.48 2015/12/26 14:24:48 taca Exp $
+$NetBSD: distinfo,v 1.48.4.1 2016/06/04 19:39:34 bsiegert Exp $
 
-SHA1 (roundcubemail-1.1.4.tar.gz) = 4883c8bb39fadf8af94ffb09ee426cba9f8ef2e3
-RMD160 (roundcubemail-1.1.4.tar.gz) = 24f4bd093db74183132eba7ff610fcff9840541a
-SHA512 (roundcubemail-1.1.4.tar.gz) = 18c2422d65292cd13bc4ce592e8490cc0a9d3e9551ac4d188db93eb989525af7ccf519642dd2e68a7380ab0d0d4ad4f999af2b7e99da75d88274743949b42f8a
-Size (roundcubemail-1.1.4.tar.gz) = 3209549 bytes
+SHA1 (roundcubemail-1.1.5/roundcubemail-1.1.5.tar.gz) = 8a59d196ef0aa6d9c717b00699215135abcb99cf
+RMD160 (roundcubemail-1.1.5/roundcubemail-1.1.5.tar.gz) = 33cc523ccbc7a4437a2f1a9d67783ba4cfc3bd5d
+SHA512 (roundcubemail-1.1.5/roundcubemail-1.1.5.tar.gz) = 0202dfa5ae6bbc121bc07ccfe4fc5d5b3bc2ef84956c1ed1d5f0dac9290f945c0f09b6086484ff83eaec286b8083f0ce07c758ba76a13d0b1cb4571400140b1d
+Size (roundcubemail-1.1.5/roundcubemail-1.1.5.tar.gz) = 3212432 bytes
 SHA1 (patch-ac) = 235116580665d5d58edc218c063b41171a2d9227
 SHA1 (patch-af) = 1f95a7005569207469563aa37ff48da0383b7668
-SHA1 (patch-config.inc.php) = 6652bd2aaba06e1d1dd4a02d2390aa523f54e613
+SHA1 (patch-plugins_password_helpers_passwd-expect) = 9e0082f23e37bbab26e8bb1439668132d5aacca2
+SHA1 (patch-program_lib_Roundcube_rcube__washtml.php) = 3a38804d81ead4cd0271befaacc370e78c103b7a
 SHA1 (patch-rcube_mime_default) = fe6ff1bea0a2c4223b34e44a6d0ca76e6476d2aa
diff --git a/mail/roundcube/patches/patch-config.inc.php b/mail/roundcube/patches/patch-config.inc.php
deleted file mode 100644
index 0e0edab5184..00000000000
--- a/mail/roundcube/patches/patch-config.inc.php
+++ /dev/null
@@ -1,17 +0,0 @@
-$NetBSD: patch-config.inc.php,v 1.2 2015/12/26 14:24:48 taca Exp $
-
-Add default paths for log, tmp and MIME types.
-
---- config/config.inc.php.sample 2015-03-16 20:54:49.000000000 +0000
-+++ config/config.inc.php.sample.18555.sample
-@@ -83,3 +83,10 @@ $config['plugins'] = array(
- 
- // skin name: folder from skins/
- $config['skin'] = 'larry';
-+
-+// use this folder to store log files (must be writeable for apache user)
-+// This is used by the 'file' log driver.
-+$config['log_dir'] = '@VARBASE@/log/roundcube/';
-+
-+// use this folder to store temp files (must be writeable for apache user)
-+$config['temp_dir'] = '@VARBASE@/tmp/roundcube/';
diff --git a/mail/roundcube/patches/patch-plugins_password_helpers_passwd-expect b/mail/roundcube/patches/patch-plugins_password_helpers_passwd-expect
new file mode 100644
index 00000000000..6d7bb7054b5
--- /dev/null
+++ b/mail/roundcube/patches/patch-plugins_password_helpers_passwd-expect
@@ -0,0 +1,24 @@
+$NetBSD: patch-plugins_password_helpers_passwd-expect,v 1.1.2.2 2016/06/04 19:39:34 bsiegert Exp $
+
+Make password plugin work on NetBSD (and maybe other *BSD).
+
+--- plugins/password/helpers/passwd-expect.orig 2016-04-17 16:22:20.000000000 +0000
++++ plugins/password/helpers/passwd-expect
+@@ -49,7 +49,7 @@ set oldpassword_string "((O|o)ld|login|\
+ set newpassword_string "(N|n)ew.* (P|p)assword.*"
+ set badoldpassword_string "(Authentication token manipulation error).*"
+ set badpassword_string "((passwd|BAD PASSWORD).*|(passwd|Bad:).*\r)"
+-set verify_string "((R|r)e-*enter.*(P|p)assword|Retype new( UNIX)? password|(V|v)erification|(V|v)erify|(A|a)gain).*"
++set verify_string "((R|r)e-*enter.*(P|p)assword|Retype (N|n)ew( UNIX)? (P|p)assword|(V|v)erification|(V|v)erify|(A|a)gain).*"
+ set success_string "((P|p)assword.* changed|successfully)"
+ set login_string "(((L|l)ogin|(U|u)sername).*)"
+ set timeout 20
+@@ -251,6 +251,8 @@ expect {
+ expect {
+ -re $success_string {sleep .5
+ send exit\r}
++ -re $prompt_string { sleep .5
++ send exit\r}
+ -re $badpassword_string {puts $err "$expect_out(0,string)"
+ close $err
+ exit 1}
diff --git a/mail/roundcube/patches/patch-program_lib_Roundcube_rcube__washtml.php b/mail/roundcube/patches/patch-program_lib_Roundcube_rcube__washtml.php
new file mode 100644
index 00000000000..dbf8f6fdece
--- /dev/null
+++ b/mail/roundcube/patches/patch-program_lib_Roundcube_rcube__washtml.php
@@ -0,0 +1,15 @@
+$NetBSD: patch-program_lib_Roundcube_rcube__washtml.php,v 1.3.2.2 2016/06/04 19:39:34 bsiegert Exp $
+
+Fix CVE-2016-5103, XSS from upstream.
+
+--- program/lib/Roundcube/rcube_washtml.php.orig 2016-04-17 16:22:20.000000000 +0000
++++ program/lib/Roundcube/rcube_washtml.php
+@@ -370,7 +370,7 @@ class rcube_washtml
+ */
+ private function is_link_attribute($tag, $attr)
+ {
+- return $tag == 'a' && $attr == 'href';
++ return ($tag == 'a' || $tag == 'area') && $attr == 'href';
+ }
+ 
+ /** |
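Review bot: In the second inner hunk the new `-re $prompt_string` branch is listed before `-re $badpassword_string` and performs the same `send exit\r` as the `$success_string` branch, so a shell prompt seen after the verify step is handled like a successful change. If passwd rejects the new password with wording that `$badpassword_string` does not cover, or the error text and the prompt arrive in the same read, the helper would likely report success although nothing was changed; this is hedged, because `$prompt_string` and the rest of the `expect` block lie outside the hunk. Moving the branch below the `$badpassword_string` one would let a recognised error win, and a comment such as `# no success message is printed before the prompt here; the prompt alone is taken as success` would record why the branch exists.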
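Review bot: `is_link_attribute()` compares `$tag` and `$attr` with case-sensitive `==` against lowercase literals, so the added `area` case only takes effect if the caller has already lowercased element and attribute names; that normalisation is not visible in this hunk and should be confirmed. The check also remains a per-tag list, so any other element whose `href` reaches this function would need its own entry. The docblock starts outside the hunk; a line in it such as `Expects lowercase $tag and $attr; true for a[href] and area[href]` would record the contract. The patch header could also name the upstream commit it was taken from (`<upstream commit id>`), so the patch can be dropped at the next update.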