CVS commit: pkgsrc/mail

To: pkgsrc-changes%NetBSD.org@localhost
Subject: CVS commit: pkgsrc/mail
From: "Takahiro Kambe" <taca%netbsd.org@localhost>
Date: Wed, 18 Mar 2026 14:58:17 +0000

Module Name:    pkgsrc
Committed By:   taca
Date:           Wed Mar 18 14:58:17 UTC 2026

Modified Files:
        pkgsrc/mail/roundcube: Makefile.common PLIST distinfo
        pkgsrc/mail/roundcube-plugin-password: distinfo

Log Message:
mail/roundcube: update to 1.6.14

This is security release.

1.6.14 (2026-03-18)

* Fix Postgres connection using IPv6 address (#10104)
* Security: Fix pre-auth arbitrary file write via unsafe deserialization in
  redis/memcache session handler
* Security: Fix bug where a password could get changed without providing the
  old password
* Security: Fix IMAP Injection + CSRF bypass in mail search
* Security: Fix remote image blocking bypass via various SVG animate attributes
* Security: Fix remote image blocking bypass via a crafted body background
  attribute
* Security: Fix fixed position mitigation bypass via use of !important
* Security: Fix XSS issue in a HTML attachment preview
* Security: Fix SSRF + Information Disclosure via stylesheet links to a
  local network hosts


To generate a diff of this commit:
cvs rdiff -u -r1.41 -r1.42 pkgsrc/mail/roundcube/Makefile.common
cvs rdiff -u -r1.58 -r1.59 pkgsrc/mail/roundcube/PLIST
cvs rdiff -u -r1.96 -r1.97 pkgsrc/mail/roundcube/distinfo
cvs rdiff -u -r1.43 -r1.44 pkgsrc/mail/roundcube-plugin-password/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/mail/roundcube/Makefile.common
diff -u pkgsrc/mail/roundcube/Makefile.common:1.41 pkgsrc/mail/roundcube/Makefile.common:1.42
--- pkgsrc/mail/roundcube/Makefile.common:1.41  Sun Feb  8 15:27:25 2026
+++ pkgsrc/mail/roundcube/Makefile.common       Wed Mar 18 14:58:17 2026
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile.common,v 1.41 2026/02/08 15:27:25 taca Exp $
+# $NetBSD: Makefile.common,v 1.42 2026/03/18 14:58:17 taca Exp $
 #
 # used by mail/roundcube/Makefile
 # used by mail/roundcube/plugins.mk
@@ -10,7 +10,7 @@ GITHUB_PROJECT=       roundcubemail
 GITHUB_RELEASE=        ${RC_VERS}
 HOMEPAGE=      https://roundcube.net/
 
-RC_VERS=       1.6.13
+RC_VERS=       1.6.14
 
 USE_LANGUAGES=         # none
 USE_TOOLS+=            pax

Index: pkgsrc/mail/roundcube/PLIST
diff -u pkgsrc/mail/roundcube/PLIST:1.58 pkgsrc/mail/roundcube/PLIST:1.59
--- pkgsrc/mail/roundcube/PLIST:1.58    Mon Dec 15 14:30:13 2025
+++ pkgsrc/mail/roundcube/PLIST Wed Mar 18 14:58:17 2026
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.58 2025/12/15 14:30:13 taca Exp $
+@comment $NetBSD: PLIST,v 1.59 2026/03/18 14:58:17 taca Exp $
 share/doc/roundcube/CHANGELOG.md
 share/doc/roundcube/INSTALL
 share/doc/roundcube/LICENSE
@@ -2220,6 +2220,27 @@ share/roundcube/vendor/masterminds/html5
 share/roundcube/vendor/masterminds/html5/src/HTML5/Serializer/README.md
 share/roundcube/vendor/masterminds/html5/src/HTML5/Serializer/RulesInterface.php
 share/roundcube/vendor/masterminds/html5/src/HTML5/Serializer/Traverser.php
+share/roundcube/vendor/mlocati/ip-lib/LICENSE.txt
+share/roundcube/vendor/mlocati/ip-lib/README.md
+share/roundcube/vendor/mlocati/ip-lib/composer.json
+share/roundcube/vendor/mlocati/ip-lib/ip-lib.php
+share/roundcube/vendor/mlocati/ip-lib/src/Address/AddressInterface.php
+share/roundcube/vendor/mlocati/ip-lib/src/Address/AssignedRange.php
+share/roundcube/vendor/mlocati/ip-lib/src/Address/IPv4.php
+share/roundcube/vendor/mlocati/ip-lib/src/Address/IPv6.php
+share/roundcube/vendor/mlocati/ip-lib/src/Address/Type.php
+share/roundcube/vendor/mlocati/ip-lib/src/Factory.php
+share/roundcube/vendor/mlocati/ip-lib/src/ParseStringFlag.php
+share/roundcube/vendor/mlocati/ip-lib/src/Range/AbstractRange.php
+share/roundcube/vendor/mlocati/ip-lib/src/Range/Pattern.php
+share/roundcube/vendor/mlocati/ip-lib/src/Range/RangeInterface.php
+share/roundcube/vendor/mlocati/ip-lib/src/Range/Single.php
+share/roundcube/vendor/mlocati/ip-lib/src/Range/Subnet.php
+share/roundcube/vendor/mlocati/ip-lib/src/Range/Type.php
+share/roundcube/vendor/mlocati/ip-lib/src/Service/BinaryMath.php
+share/roundcube/vendor/mlocati/ip-lib/src/Service/NumberInChunks.php
+share/roundcube/vendor/mlocati/ip-lib/src/Service/RangesFromBoundaryCalculator.php
+share/roundcube/vendor/mlocati/ip-lib/src/Service/UnsignedIntegerMath.php
 share/roundcube/vendor/pear/auth_sasl/Auth/SASL.php
 share/roundcube/vendor/pear/auth_sasl/Auth/SASL/Anonymous.php
 share/roundcube/vendor/pear/auth_sasl/Auth/SASL/Common.php

Index: pkgsrc/mail/roundcube/distinfo
diff -u pkgsrc/mail/roundcube/distinfo:1.96 pkgsrc/mail/roundcube/distinfo:1.97
--- pkgsrc/mail/roundcube/distinfo:1.96 Sun Feb  8 15:27:25 2026
+++ pkgsrc/mail/roundcube/distinfo      Wed Mar 18 14:58:17 2026
@@ -1,8 +1,5 @@
-$NetBSD: distinfo,v 1.96 2026/02/08 15:27:25 taca Exp $
+$NetBSD: distinfo,v 1.97 2026/03/18 14:58:17 taca Exp $
 
-BLAKE2s (roundcubemail-1.6.13-complete.tar.gz) = f2b229f19a576b1ac31136ecca2cb197e4af77d81e9ff7f93f7ae2fa8745ade7
-SHA512 (roundcubemail-1.6.13-complete.tar.gz) = 876b1e40aa481cb88bda1540e44fa1e3466e9a16b7e9bfd98040fdea0e2cb3902f4bc95b6cc22401bb25d62c2342b8ba8999218addaa95a682e130877aa3aac5
-Size (roundcubemail-1.6.13-complete.tar.gz) = 5841171 bytes
-SHA1 (patch-config_config.inc.php.sample) = 92a48a97b16fe3f5f4b9441fce762a559d8daca7
-SHA1 (patch-program_include_iniset.php) = 8a6c13c0c87d583ed60e43c01a4173d9d802a6a1
-SHA1 (patch-program_lib_Roundcube_rcube__mime.php) = bfefc6850d3db230dd4224491e895fe25a32e87a
+BLAKE2s (roundcubemail-1.6.14-complete.tar.gz) = 311e2076bd3343acb18c1f5c93378c3580625f45a6db0a683cfa6d3e0a2f2b76
+SHA512 (roundcubemail-1.6.14-complete.tar.gz) = 55e3ee4674ac6257a80577b98295b972609b3a6bbb2d929841101132aa960ccbed56c3ddd127a417eb301433215fe8917c373df19da768b57844e1fadcbda525
+Size (roundcubemail-1.6.14-complete.tar.gz) = 5873247 bytes

Index: pkgsrc/mail/roundcube-plugin-password/distinfo
diff -u pkgsrc/mail/roundcube-plugin-password/distinfo:1.43 pkgsrc/mail/roundcube-plugin-password/distinfo:1.44
--- pkgsrc/mail/roundcube-plugin-password/distinfo:1.43 Sun Feb  8 15:27:25 2026
+++ pkgsrc/mail/roundcube-plugin-password/distinfo      Wed Mar 18 14:58:17 2026
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.43 2026/02/08 15:27:25 taca Exp $
+$NetBSD: distinfo,v 1.44 2026/03/18 14:58:17 taca Exp $
 
-BLAKE2s (roundcubemail-1.6.13-complete.tar.gz) = f2b229f19a576b1ac31136ecca2cb197e4af77d81e9ff7f93f7ae2fa8745ade7
-SHA512 (roundcubemail-1.6.13-complete.tar.gz) = 876b1e40aa481cb88bda1540e44fa1e3466e9a16b7e9bfd98040fdea0e2cb3902f4bc95b6cc22401bb25d62c2342b8ba8999218addaa95a682e130877aa3aac5
-Size (roundcubemail-1.6.13-complete.tar.gz) = 5841171 bytes
+BLAKE2s (roundcubemail-1.6.14-complete.tar.gz) = 311e2076bd3343acb18c1f5c93378c3580625f45a6db0a683cfa6d3e0a2f2b76
+SHA512 (roundcubemail-1.6.14-complete.tar.gz) = 55e3ee4674ac6257a80577b98295b972609b3a6bbb2d929841101132aa960ccbed56c3ddd127a417eb301433215fe8917c373df19da768b57844e1fadcbda525
+Size (roundcubemail-1.6.14-complete.tar.gz) = 5873247 bytes
 SHA1 (patch-plugins_password_helpers_passwd-expect) = 15e427a3c90bf7c0437a023b3f099abb5a139165

Prev by Date: CVS commit: pkgsrc/graphics/xbmbrowser
Next by Date: CVS commit: pkgsrc/doc
Previous by Thread: CVS commit: pkgsrc/graphics/xbmbrowser
Next by Thread: CVS commit: pkgsrc/doc
Indexes:

Home | Main Index | Thread Index | Old Index