Debian Patches

Status for roundcube/1.4.15+dfsg.1-1+deb11u4

Patch Description Author Forwarded Bugs Origin Last update
dbconfig-common-support.patch Adapt db.inc.php to the use of dbconfig-common package Romain Beauxis <toots@rastageeks.org> not-needed 2007-03-13
debianize-config.patch Debianize sample config file
* By default we do not have any plugins available (these are in
roundcube-plugins).

* Disable spellchecking, because it needs recommended packages.
Sandro Knauß <bugs@sandroknauss.de> not-needed 2016-05-09
fix-install-path.patch Fix INSTALL_PATH for bin/*.sh and tests/bootstrap.php
These scripts get installed to /usr/share/roundcube/bin, but
INSTALL_PATH should be /var/lib/roundcube/. Fixed/updated with

sed -ri "s#(\\s*define\\s*\\(\\s*(['\"])INSTALL_PATH\\2)\\s*,.*#\\1, '/var/lib/roundcube/');#" \
bin/*.sh program/include/iniset.php

Excluding bin/install*.sh and bin/update*.sh. For bin/updatecss.sh we
use the current directory.

We also edit tests/bootstrap.php to use the RCUBE_INSTALL_PATH
environment variable.
Guilhem Moulin <guilhem@debian.org> not-needed 2019-06-08
update-script.patch Patch update scripts to work with the Debian package Sandro Knauß <bugs@sandroknauss.de> not-needed 2015-03-13
use-pspell.patch Use pspell by default to avoid sending each mail to Google… Vincent Bernat <bernat@debian.org> not-needed 2009-07-05
loginbox-size.patch 'classic' skin: Fix login box size to accommodate sk_SK locale Vincent Bernat <bernat@debian.org> no 2009-09-27
default-charset-utf8.patch Switch to UTF-8 as default charset Vincent Bernat <bernat@debian.org> not-needed 2010-07-17
debianize-password-plugin.patch specify Debian path and group names in password plugin Jérémy Bobbio <lunar@debian.org> not-needed 2011-06-20
map-sqlite3-to-sqlite.patch map dbconfig-common's "sqlite3" driver to "sqlite" Vincent Bernat <bernat@luffy.cx> not-needed debian 2013-07-12
use-embedded-jquery-for-http-authentication.patch avoid fetching jQuery from Google, use the embedded one
This page is also just an example. The user is expected to provide their
own page.
Vincent Bernat <vincent@bernat.im> not-needed 2015-08-22
update-composer.patch Update PHP pear dependencies
The current dependencies that are published by upstream are too
conservative, so:
* replace ~ (which only allows minor version changes) with >= as
documented in the INSTALL file;
* delete the dependency on net_idna2, which is only needed for PHP < 5.3
(idn_to_utf8 and idn_to_ascii); and
* replace pear/ with pear-pear.php.net/ to create current Debian
package names.
Sandro Knauß <bugs@sandroknauss.de> not-needed debian Debian 2019-12-18
update-jsdeps.patch Make it possible to download/install unminified sourcefiles
We remove system libraries from this file so we easily notice updates
(either of the version, or of the map).
Sandro Knauß <hefee@debian.org> not-needed Debian 2020-10-01
use-system-JQueryUI.patch Use system JQueryUI
We source jquery-ui-accessible-datepicker.min.js after libjs-jquery-ui's
jquery-ui.min.js to avoid concatenating these files (see the former's
headers).

Also libjs-jquery-ui's datepicker-* files don't have the ‘jquery.ui.’
prefix.
Guilhem Moulin <guilhem@debian.org> not-needed 2019-06-07
rename-python-to-python3.patch Rename `python` to `python3` Guilhem Moulin <guilhem@debian.org> not-needed 2021-01-10
fix-FTBFS-with-phpunit-8.5.13-1.patch Fix FTBFS with phpunit 8.5.13-1
Changes:

1. Rename PHPUnit_Framework_TestCase class to \PHPUnit\Framework\TestCase
2. Set setUp() output type to void
3. Source ‘INSTALL_PATH . 'plugins/…’ rather than ‘__DIR__ . '/../…’ in
setUp(). This doesn't cause FTBFS but we want to check installed
code in DEP-8 tests.
Guilhem Moulin <guilhem@debian.org> not-needed 2021-01-10
fix-file-list-in-phpunit-configuration.patch Fix file list in phpunit configuration
Remove <file/> that don't exist (this causes phpunit 9.5 to fail), and
fix typos in those which do.
Guilhem Moulin <guilhem@debian.org> no 2021-01-11
fix-FTBFS-with-phpunit-9.5.0-1.patch Fix FTBFS with phpunit 9.5.0-1
Changes:

1. Rename assertContains() to assertStringContainsString()
2. Rename assertNotContains() to assertStringNotContainsString()
Guilhem Moulin <guilhem@debian.org> not-needed 2021-01-11
fix-FTBFS-with-phpunit-10.patch Fix FTBFS with phpunit 10
Changes:

1. Migrate XML schema
2. Rename assertRegExp() to assertMatchesRegularExpression()
3. Rename assertNotRegExp() to assertDoesNotMatchRegularExpression()
Guilhem Moulin <guilhem@debian.org> not-needed 2021-01-11
hint-at-which-packages-needs-installing-under-PHP8.patch Hint at which packages need installing under PHP8.
An upgraded php-* doesn't necessarily mean a broken Roundcube as long
as phpX.Y-* are still available for X.Y < 8.0.

See https://alioth-lists.debian.net/pipermail/pkg-php-pear/2021-February/016060.html .

This patch should be removed when the PHP 8.0 transition completes.
Guilhem Moulin <guilhem@debian.org> not-needed 2021-02-26
fix-Framework_Washtml-test_wash_xss_tests.patch Fix Framework_Washtml::test_wash_xss_tests().
This merely prepends a comment to the expected HTML (in line with the other test vectors).
Regression from b2400a4b592e3094b6c84e6000d512f99ae0eed8 and c998034d312ef04f1801c7df6ba649d51d749436.
Guilhem Moulin <guilhem@debian.org> no 2022-01-03
bump-upstream-version.patch Bump upstream version
Unfortunately upstream left the old version number in the tagged
release… It's harmless in comments, but RCMAIL_VERSION shows in the
about dialog, so it's best to patch it.
Guilhem Moulin <guilhem@debian.org> no 2023-10-18
CVE-2023-47272.patch Fix cross-site scripting (XSS) vulnerability in setting Content-Type/Content-Disposition for attachment preview/download

Thanks to rehme.infosec for reporting the issues.
Aleksander Machniak <alec@alec.pl> no debian https://github.com/roundcube/roundcubemail/commit/bf599fe1cfbb9a6a13681524fd27e85aeb1f549a 2023-11-04
CVE-2024-37384.patch Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences

Reported by Huy Nguyễn Phạm Nhật.
Aleksander Machniak <alec@alec.pl> no debian https://github.com/roundcube/roundcubemail/commit/0d0bc61b139d6ca321d5923d769d03a3253596ed 2024-05-19
CVE-2024-37383.patch Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes

Reported by Valentin T. and Lutz Wolf of CrowdStrike.
Aleksander Machniak <alec@alec.pl> no debian https://github.com/roundcube/roundcubemail/commit/43aaaa528646877789ec028d87924ba1accf5242 2024-05-19
CVE-2024-42009.patch Fix XSS vulnerability in post-processing of sanitized HTML content
Credits to Oskar Zeino-Mahmalat (https://www.sonarsource.com)
Aleksander Machniak <alec@alec.pl> no debian https://github.com/roundcube/roundcubemail/commit/a25e48e2daec522432fea3c37f3917366e2948d1 2024-08-03
CVE-2024-42008.patch Fix XSS vulnerability in serving of attachments other than HTML or SVG

Credits to Oskar Zeino-Mahmalat (Sonar) https://www.sonarsource.com
Aleksander Machniak <alec@alec.pl> no debian https://github.com/roundcube/roundcubemail/commit/c222ea8b99448ead20ab3864fcc29c84ed17403a 2024-08-03
Fix-regression-where-printing-scaling-rotating-image-atta.patch Fix regression where printing/scaling/rotating image attachments was broken Aleksander Machniak <alec@alec.pl> yes debian upstream https://github.com/roundcube/roundcubemail/commit/44cec17e8f1b9a03af75f97a9cb6a77724586c47 2024-08-08
CVE-2024-42010.patch Fix information leak (access to remote content) via insufficient CSS filtering

Credits to Oskar Zeino-Mahmalat (Sonar) https://www.sonarsource.com
Aleksander Machniak <alec@alec.pl> no debian https://github.com/roundcube/roundcubemail/commit/9f19b931e3b89c2fa577e2bf719f7db84492eb66 2024-08-03
Fix-infinite-loop-when-parsing-malformed-Sieve-script.patch Fix infinite loop when parsing malformed Sieve script Aleksander Machniak <alec@alec.pl> yes upstream https://github.com/roundcube/roundcubemail/commit/3567090a997e95aac6bb052bfb48bb301d0c03c3 2024-07-31