Debian Patches

Status for roundcube/1.6.5+dfsg-1+deb12u4

Patch Description Author Forwarded Bugs Origin Last update
dbconfig-common-support.patch Adapt db.inc.php to the use of dbconfig-common package Romain Beauxis <toots@rastageeks.org> not-needed 2007-03-13
debianize-config.patch Debianize sample config file
* By default we do not have any plugins available (these are in
roundcube-plugins).
* Disable spellchecking, because it needs recommended packages.
Sandro Knauß <bugs@sandroknauss.de> not-needed 2016-05-09
fix-install-path.patch Fix INSTALL_PATH for bin/*.sh and tests/bootstrap.php
These scripts get installed to /usr/share/roundcube/bin, but
INSTALL_PATH should be /var/lib/roundcube/. Fixed/updated with

sed -ri "s#(\\s*define\\s*\\(\\s*(['\"])INSTALL_PATH\\2)\\s*,.*#\\1, '/var/lib/roundcube/');#" \
bin/*.sh installer/index.php program/include/iniset.php

Except:

- bin/install-jsdeps.sh, where we keep define('INSTALL_PATH', realpath(__DIR__ . '/..') . '/' ); and
- bin/updatecss.sh, where we use define('INSTALL_PATH', './');

We also edit tests/bootstrap.php to use the RCUBE_INSTALL_PATH environment variable.
Guilhem Moulin <guilhem@debian.org> not-needed 2019-06-08
update-script.patch Patch update scripts to work with Debian package Sandro Knauß <bugs@sandroknauss.de> not-needed 2015-03-13
use-enchant.patch Use enchant spellchecker engine by default.
We don't want to send messages to a 3rd party…
Vincent Bernat <bernat@debian.org> not-needed 2009-07-05
default-charset-utf8.patch Switch to UTF-8 as default charset Vincent Bernat <bernat@debian.org> not-needed 2010-07-17
debianize-password-plugin.patch Specify Debian path and group names in password plugin Jérémy Bobbio <lunar@debian.org> not-needed 2011-06-20
map-sqlite3-to-sqlite.patch Map dbconfig-common's "sqlite3" driver to "sqlite" Vincent Bernat <bernat@luffy.cx> not-needed debian 2013-07-12
use-embedded-jquery-for-http-authentication.patch Avoid fetching jQuery from Google, use the embedded one
This page is also just an example. The user is expected to provide their
own page.
Vincent Bernat <vincent@bernat.im> not-needed 2015-08-22
update-composer.patch Update PHP pear dependencies
The current dependencies that are published by upstream are too
conservative, so:
* replace ~ and ^ (that only allow minor version changes) with >= as
documented in the INSTALL file;
* replace pear/ with pear-pear.php.net/ to create current Debian
package names.
Sandro Knauß <bugs@sandroknauss.de> not-needed debian Debian 2021-07-06
update-jsdeps.patch Make it possible to download/install unminified sourcefiles
We remove system libraries from this file so we easily notice updates
(either of the version, or of the map).
Sandro Knauß <hefee@debian.org> not-needed Debian 2021-07-06
use-system-JQueryUI.patch Use system JQueryUI
We source jquery-ui-accessible-datepicker.min.js after libjs-jquery-ui's
jquery-ui.min.js to avoid concatenating these files (see the former's
headers).

Also libjs-jquery-ui's datepicker-* files don't have the ‘jquery.ui.’
prefix.
Guilhem Moulin <guilhem@debian.org> not-needed 2019-06-07
rename-python-to-python3.patch Rename `python` to `python3` Guilhem Moulin <guilhem@debian.org> not-needed 2021-01-10
adjust-test-environment-for-dep8.patch Adjust test environment for DEP-8 tests
Changes:

1. Source ‘INSTALL_PATH . 'plugins/…’ rather than ‘__DIR__ . '/../…’ in
setUp(). This doesn't cause FTBFS but we want to check installed
code in DEP-8 tests.
2. Source ‘TESTS_DIR . '../SQL/…’ rather than ‘INSTALL_PATH . '/SQL/…’
in tests/ActionTestCase.php. Again, this doesn't cause FTBFS but we
want to run DEP-8 tests too and the binary packages ship the SQL
scripts under dbconfig-common not INSTALL_PATH.
Guilhem Moulin <guilhem@debian.org> not-needed 2021-01-10
fix-autoload-locations.patch Fix autoload locations
Snippets generated with `phpabtpl --suggest bacon/bacon-qr-code` and
`phpabtpl --suggest GuzzleHttp`.
Guilhem Moulin <guilhem@debian.org> not-needed debian 2022-03-13
mark-flaky-tests-as-such.patch Mark flaky tests as such.
That way we can run phpunit with `--exclude-group=flaky
--fail-on-skipped --verbose` and avoid missing unintentionally skipped
tests.
Guilhem Moulin <guilhem@debian.org> no 2022-03-13
dont-force-set-session.gc_probability=1.patch Don't force set session.gc_probability=1
We don't have to rely on probabilistic synchronous garbage collection
since we're running bin/gc.sh periodically.

If desired the local admin can manually set session.gc_probability > 0
in the PHP configuration (on Debian systems the default value is 0 which
disables probability based GC). They may then want to disable the
cronjob or systemd.timer(5) unit.

This reverts upstream commit 32a0ad6778cde495e30f3447e5220136f0528cee.
Guilhem Moulin <guilhem@debian.org> no 2022-06-29
fix-upstream-test-suite.patch Fix upstream's test suite
Also, in our environment phpunit(1) resides in /usr/bin not vendor/bin.
Guilhem Moulin <guilhem@debian.org> no 2022-12-20
CVE-2024-37384.patch Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences

Reported by Huy Nguyễn Phạm Nhật.
Aleksander Machniak <alec@alec.pl> no debian https://github.com/roundcube/roundcubemail/commit/cde4522c5c95f13c6aeeb1600ab17e5067a536f7 2024-05-19
CVE-2024-37383.patch Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes

Reported by Valentin T. and Lutz Wolf of CrowdStrike.
Aleksander Machniak <alec@alec.pl> no debian https://github.com/roundcube/roundcubemail/commit/43aaaa528646877789ec028d87924ba1accf5242 2024-05-19
Fix-fatal-error-when-parsing-some-TNEF-attachments.patch Fix fatal error when parsing some TNEF attachments Aleksander Machniak <alec@alec.pl> yes upstream https://github.com/roundcube/roundcubemail/commit/22d403d5fdea1846319389d3d65ef60726434712 2024-06-02
Fix-bug-where-an-unhandled-exception-was-caused-by-an-inv.patch Fix bug where an unhandled exception was caused by an invalid image attachment

GD functions may throw ValueError in some cases since PHP 8.0.
We wrap them in try/catch blocks.
Aleksander Machniak <alec@alec.pl> yes upstream https://github.com/roundcube/roundcubemail/commit/9d9f4d6926e16e9acd46231ee6d03695d058565a 2024-07-21
Fix-infinite-loop-when-parsing-malformed-Sieve-script.patch Fix infinite loop when parsing malformed Sieve script Aleksander Machniak <alec@alec.pl> yes upstream https://github.com/roundcube/roundcubemail/commit/3567090a997e95aac6bb052bfb48bb301d0c03c3 2024-07-31
Fix-bug-where-imap_conn_option-s-socket-was-ignored.patch Fix bug where imap_conn_option's 'socket' was ignored Aleksander Machniak <alec@alec.pl> yes upstream https://github.com/roundcube/roundcubemail/commit/b5ed0e49464ecee70756ad6d1b96d38279b3916e 2024-08-02
CVE-2024-42009.patch Fix XSS vulnerability in post-processing of sanitized HTML content
Credits to Oskar Zeino-Mahmalat (https://www.sonarsource.com)
Aleksander Machniak <alec@alec.pl> no debian https://github.com/roundcube/roundcubemail/commit/68af7c864a36e1941764238dac440ab0d99a8d26 2024-08-03
CVE-2024-42008.patch Fix XSS vulnerability in serving of attachments other than HTML or SVG

Credits to Oskar Zeino-Mahmalat (Sonar) https://www.sonarsource.com
Aleksander Machniak <alec@alec.pl> no debian https://github.com/roundcube/roundcubemail/commit/89c8fe9ae9318c015807fbcbf7e39555fb30885d 2024-08-03
Fix-regression-where-printing-scaling-rotating-image-atta.patch Fix regression where printing/scaling/rotating image attachments was broken Aleksander Machniak <alec@alec.pl> yes debian upstream https://github.com/roundcube/roundcubemail/commit/32fed15346e5b842042e5dd1001d6878225c5367 2024-08-08
CVE-2024-42010.patch Fix information leak (access to remote content) via insufficient CSS filtering

Credits to Oskar Zeino-Mahmalat (Sonar) https://www.sonarsource.com
Aleksander Machniak <alec@alec.pl> no debian https://github.com/roundcube/roundcubemail/commit/602d0f566eb39b6dcb739ad78323ec434a3b92ce 2024-08-03
