pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[pkgsrc/pkgsrc-2016Q1]: pkgsrc/mail/roundcube Pullup ticket #5033 - requested...

details:   https://anonhg.NetBSD.org/pkgsrc/rev/a23aa0357185
branches:  pkgsrc-2016Q1
changeset: 408908:a23aa0357185
user:      bsiegert <bsiegert%pkgsrc.org@localhost>
date:      Sat Jun 04 19:39:34 2016 +0000

description:
Pullup ticket #5033 - requested by taca
mail/roundcube: security fix

Revisions pulled up:
- mail/roundcube/Makefile                                       1.81-1.83
- mail/roundcube/PLIST                                          1.40-1.41
- mail/roundcube/distinfo                                       1.49-1.51
- mail/roundcube/patches/patch-config.inc.php                   deleted
- mail/roundcube/patches/patch-plugins_password_helpers_passwd-expect 1.1
- mail/roundcube/patches/patch-program_lib_Roundcube_rcube__washtml.php 1.3

---
   Module Name: pkgsrc
   Committed By:        taca
   Date:                Thu May 26 03:20:37 UTC 2016

   Modified Files:
        pkgsrc/mail/roundcube: Makefile PLIST distinfo
   Removed Files:
        pkgsrc/mail/roundcube/patches: patch-config.inc.php

   Log Message:
   Update roundcube to 1.1.5, including security fix.

   RELEASE 1.1.5
   -------------
   - Plugin API: Add html2text hook
   - Plugin API: Added addressbook_export hook
   - Fix missing emoticons on html-to-text conversion
   - Fix random "access to this resource is secured against CSRF" message at logout (#4956)
   - Fix missing language name in "Add to Dictionary" request in HTML mode (#4951)
   - Enable use of TLSv1.1 and TLSv1.2 for IMAP (#4955)
   - Fix XSS issue in SVG images handling (#4949)
   - Fix (again) security issue in DBMail driver of password plugin [CVE-2015-2181] (#4958)
   - Fix bug where Archive/Junk buttons were not active after page jump with select=all mode (#4961)
   - Fix bug in long recipients list parsing for cases where recipient name contained @-char (#4964)
   - Fix additional_message_headers plugin compatibility with Mail_Mime >= 1.9 (#4966)
   - Hide DSN option in Preferences when smtp_server is not used (#4967)
   - Protect download urls against CSRF using unique request tokens (#4957)
   - newmail_notifier: Refactor desktop notifications
   - Fix so contactlist_fields option can be set via config file
   - Fix so SPECIAL-USE assignments are forced only until user sets special folders (#4782)
   - Fix performance in reverting order of THREAD result
   - Fix converting mail addresses with @www. into mailto links (#5197)

---
   Module Name: pkgsrc
   Committed By:        taca
   Date:                Thu May 26 03:23:39 UTC 2016

   Added Files:
        pkgsrc/mail/roundcube/patches:
            patch-plugins_password_helpers_passwd-expect

   Log Message:
   Oops, forgot to add a patch file for NetBSD (and perhaps for *BSD) to
   make password plugin work.

---
   Module Name: pkgsrc
   Committed By:        taca
   Date:                Thu May 26 23:22:17 UTC 2016

   Modified Files:
        pkgsrc/mail/roundcube: Makefile distinfo
   Added Files:
        pkgsrc/mail/roundcube/patches:
            patch-program_lib_Roundcube_rcube__washtml.php

   Log Message:
   Update security path for CVE-2016-5103 (XSS) from upstream.

   Bump PKGREVISION.

---
   Module Name: pkgsrc
   Committed By:        taca
   Date:                Sun May 29 15:46:59 UTC 2016

   Modified Files:
        pkgsrc/mail/roundcube: Makefile PLIST distinfo

   Log Message:
   Switch to get distfiles from GitHub, noted by David Brownlee via private
   e-mail.

   And some installed files are changed, bump PKGREVISION.

diffstat:

 mail/roundcube/Makefile                                               |  11 +++-
 mail/roundcube/distinfo                                               |  13 ++--
 mail/roundcube/patches/patch-config.inc.php                           |  17 -------
 mail/roundcube/patches/patch-plugins_password_helpers_passwd-expect   |  24 ++++++++++
 mail/roundcube/patches/patch-program_lib_Roundcube_rcube__washtml.php |  15 ++++++
 5 files changed, 54 insertions(+), 26 deletions(-)

diffs (110 lines):

diff -r 393c93839af6 -r a23aa0357185 mail/roundcube/Makefile
--- a/mail/roundcube/Makefile   Sat Jun 04 19:39:09 2016 +0000
+++ b/mail/roundcube/Makefile   Sat Jun 04 19:39:34 2016 +0000
@@ -1,9 +1,14 @@
-# $NetBSD: Makefile,v 1.80 2016/03/16 13:36:52 taca Exp $
+# $NetBSD: Makefile,v 1.80.2.1 2016/06/04 19:39:34 bsiegert Exp $
 
-DISTNAME=      roundcubemail-1.1.4
+DISTNAME=      roundcubemail-1.1.5
 PKGNAME=       ${PHP_PKG_PREFIX}-${DISTNAME:S/mail-/-/}
+PKGREVISION=   2
 CATEGORIES=    mail
-MASTER_SITES=  ${MASTER_SITE_SOURCEFORGE:=roundcubemail/}
+MASTER_SITES=   ${MASTER_SITE_GITHUB:=roundcube/}
+GITHUB_PROJECT= roundcubemail
+GITHUB_RELEASE= 1.1.5
+GITHUB_TYPE=    release
+DIST_SUBDIR=   roundcubemail-1.1.5
 
 MAINTAINER=    taca%NetBSD.org@localhost
 HOMEPAGE=      http://roundcube.net/
diff -r 393c93839af6 -r a23aa0357185 mail/roundcube/distinfo
--- a/mail/roundcube/distinfo   Sat Jun 04 19:39:09 2016 +0000
+++ b/mail/roundcube/distinfo   Sat Jun 04 19:39:34 2016 +0000
@@ -1,10 +1,11 @@
-$NetBSD: distinfo,v 1.48 2015/12/26 14:24:48 taca Exp $
+$NetBSD: distinfo,v 1.48.4.1 2016/06/04 19:39:34 bsiegert Exp $
 
-SHA1 (roundcubemail-1.1.4.tar.gz) = 4883c8bb39fadf8af94ffb09ee426cba9f8ef2e3
-RMD160 (roundcubemail-1.1.4.tar.gz) = 24f4bd093db74183132eba7ff610fcff9840541a
-SHA512 (roundcubemail-1.1.4.tar.gz) = 18c2422d65292cd13bc4ce592e8490cc0a9d3e9551ac4d188db93eb989525af7ccf519642dd2e68a7380ab0d0d4ad4f999af2b7e99da75d88274743949b42f8a
-Size (roundcubemail-1.1.4.tar.gz) = 3209549 bytes
+SHA1 (roundcubemail-1.1.5/roundcubemail-1.1.5.tar.gz) = 8a59d196ef0aa6d9c717b00699215135abcb99cf
+RMD160 (roundcubemail-1.1.5/roundcubemail-1.1.5.tar.gz) = 33cc523ccbc7a4437a2f1a9d67783ba4cfc3bd5d
+SHA512 (roundcubemail-1.1.5/roundcubemail-1.1.5.tar.gz) = 0202dfa5ae6bbc121bc07ccfe4fc5d5b3bc2ef84956c1ed1d5f0dac9290f945c0f09b6086484ff83eaec286b8083f0ce07c758ba76a13d0b1cb4571400140b1d
+Size (roundcubemail-1.1.5/roundcubemail-1.1.5.tar.gz) = 3212432 bytes
 SHA1 (patch-ac) = 235116580665d5d58edc218c063b41171a2d9227
 SHA1 (patch-af) = 1f95a7005569207469563aa37ff48da0383b7668
-SHA1 (patch-config.inc.php) = 6652bd2aaba06e1d1dd4a02d2390aa523f54e613
+SHA1 (patch-plugins_password_helpers_passwd-expect) = 9e0082f23e37bbab26e8bb1439668132d5aacca2
+SHA1 (patch-program_lib_Roundcube_rcube__washtml.php) = 3a38804d81ead4cd0271befaacc370e78c103b7a
 SHA1 (patch-rcube_mime_default) = fe6ff1bea0a2c4223b34e44a6d0ca76e6476d2aa
diff -r 393c93839af6 -r a23aa0357185 mail/roundcube/patches/patch-config.inc.php
--- a/mail/roundcube/patches/patch-config.inc.php       Sat Jun 04 19:39:09 2016 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,17 +0,0 @@
-$NetBSD: patch-config.inc.php,v 1.2 2015/12/26 14:24:48 taca Exp $
-
-Add default paths for log, tmp and MIME types.
-
---- config/config.inc.php.sample       2015-03-16 20:54:49.000000000 +0000
-+++ config/config.inc.php.sample.18555.sample
-@@ -83,3 +83,10 @@ $config['plugins'] = array(
- 
- // skin name: folder from skins/
- $config['skin'] = 'larry';
-+
-+// use this folder to store log files (must be writeable for apache user)
-+// This is used by the 'file' log driver.
-+$config['log_dir'] = '@VARBASE@/log/roundcube/';
-+
-+// use this folder to store temp files (must be writeable for apache user)
-+$config['temp_dir'] = '@VARBASE@/tmp/roundcube/';
diff -r 393c93839af6 -r a23aa0357185 mail/roundcube/patches/patch-plugins_password_helpers_passwd-expect
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/mail/roundcube/patches/patch-plugins_password_helpers_passwd-expect       Sat Jun 04 19:39:34 2016 +0000
@@ -0,0 +1,24 @@
+$NetBSD: patch-plugins_password_helpers_passwd-expect,v 1.1.2.2 2016/06/04 19:39:34 bsiegert Exp $
+
+Make password plugin work on NetBSD (and maybe other *BSD).
+
+--- plugins/password/helpers/passwd-expect.orig        2016-04-17 16:22:20.000000000 +0000
++++ plugins/password/helpers/passwd-expect
+@@ -49,7 +49,7 @@ set oldpassword_string "((O|o)ld|login|\
+ set newpassword_string "(N|n)ew.* (P|p)assword.*"
+ set badoldpassword_string "(Authentication token manipulation error).*"
+ set badpassword_string "((passwd|BAD PASSWORD).*|(passwd|Bad:).*\r)"
+-set verify_string      "((R|r)e-*enter.*(P|p)assword|Retype new( UNIX)? password|(V|v)erification|(V|v)erify|(A|a)gain).*"
++set verify_string      "((R|r)e-*enter.*(P|p)assword|Retype (N|n)ew( UNIX)? (P|p)assword|(V|v)erification|(V|v)erify|(A|a)gain).*"
+ set success_string     "((P|p)assword.* changed|successfully)"
+ set login_string       "(((L|l)ogin|(U|u)sername).*)"
+ set timeout            20
+@@ -251,6 +251,8 @@ expect {
+ expect {
+   -re $success_string {sleep .5
+                        send exit\r}
++  -re $prompt_string { sleep .5
++                       send exit\r}
+   -re $badpassword_string {puts $err "$expect_out(0,string)"
+                            close $err
+                            exit 1}
diff -r 393c93839af6 -r a23aa0357185 mail/roundcube/patches/patch-program_lib_Roundcube_rcube__washtml.php
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/mail/roundcube/patches/patch-program_lib_Roundcube_rcube__washtml.php     Sat Jun 04 19:39:34 2016 +0000
@@ -0,0 +1,15 @@
+$NetBSD: patch-program_lib_Roundcube_rcube__washtml.php,v 1.3.2.2 2016/06/04 19:39:34 bsiegert Exp $
+
+Fix CVE-2016-5103, XSS from upstream.
+
+--- program/lib/Roundcube/rcube_washtml.php.orig       2016-04-17 16:22:20.000000000 +0000
++++ program/lib/Roundcube/rcube_washtml.php
+@@ -370,7 +370,7 @@ class rcube_washtml
+      */
+     private function is_link_attribute($tag, $attr)
+     {
+-        return $tag == 'a' && $attr == 'href';
++        return ($tag == 'a' || $tag == 'area') && $attr == 'href';
+     }
+ 
+     /**
Home | Main Index | Thread Index | Old Index