From cc39562d435d67a1d9ba6655928e9e5c061c59fd Mon Sep 17 00:00:00 2001
From: Vincent Bernat <bernat@debian.org>
Date: Sun, 15 Feb 2009 15:57:20 +0000
Subject: [PATCH 1/1] Prepare a new release for unstable

---
 debian/changelog                            |  15 +++
 debian/control                              |  10 +-
 debian/control.in                           |   8 +-
 debian/patches/cve-2008-5620.patch          |  45 -------
 debian/patches/cve-2009-0413.patch          |  45 +++++++
 debian/patches/dont-use-preg-e-option.patch | 123 --------------------
 debian/patches/fix_login.patch              |  13 ---
 debian/patches/series                       |   5 +-
 debian/patches/use-db-backend.patch         |  13 ---
 debian/rules                                |   4 -
 debian/sql/mysql/0.1.1-1                    |  17 +++
 debian/sql/mysql/0.2~alpha-5                |  10 ++
 debian/sql/mysql/0.2~stable-1               |  18 +++
 debian/sql/pgsql/0.1.1-1                    |  20 ++++
 debian/sql/pgsql/0.2~stable-1               |  18 +++
 debian/sql/sqlite/0.1.1-1                   |  28 +++++
 debian/sql/sqlite/0.2~stable-1              |   8 ++
 17 files changed, 189 insertions(+), 211 deletions(-)
 delete mode 100644 debian/patches/cve-2008-5620.patch
 create mode 100644 debian/patches/cve-2009-0413.patch
 delete mode 100644 debian/patches/dont-use-preg-e-option.patch
 delete mode 100644 debian/patches/fix_login.patch
 delete mode 100644 debian/patches/use-db-backend.patch
 create mode 100644 debian/sql/mysql/0.1.1-1
 create mode 100644 debian/sql/mysql/0.2~alpha-5
 create mode 100644 debian/sql/mysql/0.2~stable-1
 create mode 100644 debian/sql/pgsql/0.1.1-1
 create mode 100644 debian/sql/pgsql/0.2~stable-1
 create mode 100644 debian/sql/sqlite/0.1.1-1
 create mode 100644 debian/sql/sqlite/0.2~stable-1

diff --git a/debian/changelog b/debian/changelog
index b97f2f8..63ac70a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+roundcube (0.2~stable-1) unstable; urgency=low
+
+  * New upstream version. Closes: #503573.
+      + Add SQL update scripts for this new release and for
+        0.2~alpha. Remove copy of SQL upgrade script from debian/rules.
+      + Remove patch for CVE-2008-5620 which is now fixed upstream.
+      + Remove patch correcting a vulnerability in html2text.php.
+      + Remove patch fixing login issue. This is fixed upstream.
+      + Remove patch setting the default backend to db instead of mdb2:
+        this is not possible any more. We depend on php-mdb2 now.
+  * Upload to unstable since Lenny is out.
+  * Apply fix for XSS issue (CVE-2009-0413). Closes: #514179.
+
+ -- Vincent Bernat <bernat@debian.org>  Sun, 15 Feb 2009 16:18:58 +0100
+
 roundcube (0.2~alpha-4) experimental; urgency=low
 
   * Add missing ${misc:Depends} to make Lintian happy.
diff --git a/debian/control b/debian/control
index a510c79..b40f1f4 100644
--- a/debian/control
+++ b/debian/control
@@ -3,7 +3,7 @@ Section: web
 Priority: extra
 Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
 Uploaders: Vincent Bernat <bernat@debian.org>, Romain Beauxis <toots@rastageeks.org>
-Build-Depends: debhelper (>= 5), quilt, patchutils (>= 0.2.25), cdbs (>= 0.4.27), po-debconf
+Build-Depends: cdbs (>= 0.4.23-1.1), debhelper (>= 5), quilt, patchutils (>= 0.2.25), cdbs (>= 0.4.27), po-debconf
 Homepage: http://www.roundcube.net/
 Standards-Version: 3.8.0
 Vcs-Svn: svn://svn.debian.org/svn/pkg-roundcube/roundcube
@@ -11,7 +11,7 @@ Vcs-Browser: http://svn.debian.org/wsvn/pkg-roundcube/roundcube
 
 Package: roundcube-core
 Architecture: all
-Depends: dbconfig-common, debconf | debconf-2.0, apache2 | lighttpd | httpd, php5, php5-mcrypt, php5-gd, roundcube-db, php-db, php-auth, php-net-smtp, php-net-socket, php-mail-mime (>= 1.5.0), ucf, tinymce (>= 3), ${misc:Depends}, libmagic1
+Depends: dbconfig-common, debconf | debconf-2.0, apache2 | lighttpd | httpd, php5, php5-mcrypt, php5-gd, roundcube-db, php-mdb2, php-auth, php-net-smtp, php-net-socket, php-mail-mime (>= 1.5.0), ucf, tinymce (>= 3), ${misc:Depends}, libmagic1
 Replaces: roundcube
 Conflicts: roundcube (<< 0.1~rc2-2)
 Description: skinnable AJAX based webmail solution for IMAP servers
@@ -40,7 +40,7 @@ Description: skinnable AJAX based webmail solution for IMAP servers
 
 Package: roundcube-mysql
 Architecture: all
-Depends: php5-mysql, mysql-client | virtual-mysql-client, ${misc:Depends}
+Depends: php-mdb2-driver-mysql, mysql-client | virtual-mysql-client, ${misc:Depends}
 Suggests: mysql-server
 Provides: roundcube-db
 Description: metapackage providing MySQL dependencies for RoundCube
@@ -50,7 +50,7 @@ Description: metapackage providing MySQL dependencies for RoundCube
 
 Package: roundcube-pgsql
 Architecture: all
-Depends: php5-pgsql, postgresql-client, ${misc:Depends}
+Depends: php-mdb2-driver-pgsql, postgresql-client-8.1 | postgresql-client, ${misc:Depends}
 Suggests: postgresql-server
 Provides: roundcube-db
 Description: metapackage providing PostgreSQL dependencies for RoundCube
@@ -60,7 +60,7 @@ Description: metapackage providing PostgreSQL dependencies for RoundCube
 
 Package: roundcube-sqlite
 Architecture: all
-Depends: php5-sqlite, sqlite, ${misc:Depends}
+Depends: php-mdb2-driver-sqlite, sqlite, ${misc:Depends}
 Provides: roundcube-db
 Description: metapackage providing sqlite dependencies for RoundCube
  This package provides sqlite dependencies for RoundCube Webmail, a
diff --git a/debian/control.in b/debian/control.in
index 22c0cfc..c583a16 100644
--- a/debian/control.in
+++ b/debian/control.in
@@ -11,7 +11,7 @@ Vcs-Browser: http://svn.debian.org/wsvn/pkg-roundcube/roundcube
 
 Package: roundcube-core
 Architecture: all
-Depends: dbconfig-common, debconf | debconf-2.0, apache2 | lighttpd | httpd, php5, php5-mcrypt, php5-gd, roundcube-db, php-db, php-auth, php-net-smtp, php-net-socket, php-mail-mime (>= 1.5.0), ucf, tinymce (>= 3), ${misc:Depends}, libmagic1
+Depends: dbconfig-common, debconf | debconf-2.0, apache2 | lighttpd | httpd, php5, php5-mcrypt, php5-gd, roundcube-db, php-mdb2, php-auth, php-net-smtp, php-net-socket, php-mail-mime (>= 1.5.0), ucf, tinymce (>= 3), ${misc:Depends}, libmagic1
 Replaces: roundcube
 Conflicts: roundcube (<< 0.1~rc2-2)
 Description: skinnable AJAX based webmail solution for IMAP servers
@@ -40,7 +40,7 @@ Description: skinnable AJAX based webmail solution for IMAP servers
 
 Package: roundcube-mysql
 Architecture: all
-Depends: php5-mysql, mysql-client | virtual-mysql-client, ${misc:Depends}
+Depends: php-mdb2-driver-mysql, mysql-client | virtual-mysql-client, ${misc:Depends}
 Suggests: mysql-server
 Provides: roundcube-db
 Description: metapackage providing MySQL dependencies for RoundCube
@@ -50,7 +50,7 @@ Description: metapackage providing MySQL dependencies for RoundCube
 
 Package: roundcube-pgsql
 Architecture: all
-Depends: php5-pgsql, postgresql-client-8.1 | postgresql-client, ${misc:Depends}
+Depends: php-mdb2-driver-pgsql, postgresql-client-8.1 | postgresql-client, ${misc:Depends}
 Suggests: postgresql-server
 Provides: roundcube-db
 Description: metapackage providing PostgreSQL dependencies for RoundCube
@@ -60,7 +60,7 @@ Description: metapackage providing PostgreSQL dependencies for RoundCube
 
 Package: roundcube-sqlite
 Architecture: all
-Depends: php5-sqlite, sqlite, ${misc:Depends}
+Depends: php-mdb2-driver-sqlite, sqlite, ${misc:Depends}
 Provides: roundcube-db
 Description: metapackage providing sqlite dependencies for RoundCube
  This package provides sqlite dependencies for RoundCube Webmail, a
diff --git a/debian/patches/cve-2008-5620.patch b/debian/patches/cve-2008-5620.patch
deleted file mode 100644
index c1fdd23..0000000
--- a/debian/patches/cve-2008-5620.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-Fix CVE-2008-5620 which was caused by insufficient input sanitizing for quota bar.
-
-diff --git a/bin/quotaimg.php b/bin/quotaimg.php
-index 354f4eb..4e73c21 100644
---- a/bin/quotaimg.php
-+++ b/bin/quotaimg.php
-@@ -18,10 +18,10 @@
- 
- */
- 
--$used   = ((isset($_GET['u']) && !empty($_GET['u'])) || $_GET['u']=='0')?(int)$_GET['u']:'??';
--$quota  = ((isset($_GET['q']) && !empty($_GET['q'])) || $_GET['q']=='0')?(int)$_GET['q']:'??';
--$width  = empty($_GET['w']) ? 100 : (int)$_GET['w'];
--$height = empty($_GET['h']) ? 14 : (int)$_GET['h'];
-+$used   = isset($_GET['u']) ? intval($_GET['u']) : '??';
-+$quota  = isset($_GET['q']) ? intval($_GET['q']) : '??';
-+$width  = empty($_GET['w']) ? 100 : min(300, intval($_GET['w']));
-+$height = empty($_GET['h']) ? 14  : min(50,  intval($_GET['h']));
- 
- /**
-  * Quota display
-@@ -159,7 +159,7 @@ function genQuota($used, $total, $width, $height)
- 		}
- 
- 		$quota_width = $quota / 100 * $width;
--		imagefilledrectangle($im, $border, 0, $quota, $height-2*$border, $fill);
-+		imagefilledrectangle($im, $border, 0, $quota_width, $height-2*$border, $fill);
- 
- 		$string = $quota . '%';
- 		$mid    = floor(($width-(strlen($string)*imagefontwidth($font)))/2)+1;
-@@ -178,6 +178,12 @@ function genQuota($used, $total, $width, $height)
- 	imagedestroy($im);
- }
- 
--genQuota($used, $quota, $width, $height);
-+if ($width > 1 && $height > 1) {
-+	genQuota($used, $quota, $width, $height);
-+}
-+else {
-+	header("HTTP/1.0 404 Not Found");
-+}
-+
- exit;
- ?>
-\ No newline at end of file
diff --git a/debian/patches/cve-2009-0413.patch b/debian/patches/cve-2009-0413.patch
new file mode 100644
index 0000000..8b4349b
--- /dev/null
+++ b/debian/patches/cve-2009-0413.patch
@@ -0,0 +1,45 @@
+Fix CVE-2009-0413 by handling carefully background attribute.
+--- roundcubemail/CHANGELOG (revision 2242)
++++ roundcubemail/CHANGELOG (revision 2245)
+@@ -1,4 +1,8 @@
+ CHANGELOG RoundCube Webmail
+ ---------------------------
++
++2009/01/20 (thomasb)
++----------
++- Fix XSS vulnerability through background attributes as reported by Julien Cayssol
+ 
+ 2009/01/18 (alec)
+--- roundcubemail/program/lib/washtml.php (revision 1811)
++++ roundcubemail/program/lib/washtml.php (revision 2245)
+@@ -81,5 +81,5 @@
+   
+   /* Allowed HTML attributes */
+-  static $html_attribs = array('name', 'class', 'title', 'alt', 'width', 'height', 'align', 'nowrap', 'col', 'row', 'id', 'rowspan', 'colspan', 'cellspacing', 'cellpadding', 'valign', 'bgcolor', 'color', 'border', 'bordercolorlight', 'bordercolordark', 'face', 'marginwidth', 'marginheight', 'axis', 'border', 'abbr', 'char', 'charoff', 'clear', 'compact', 'coords', 'vspace', 'hspace', 'cellborder', 'size', 'lang', 'dir', 'background');  
++  static $html_attribs = array('name', 'class', 'title', 'alt', 'width', 'height', 'align', 'nowrap', 'col', 'row', 'id', 'rowspan', 'colspan', 'cellspacing', 'cellpadding', 'valign', 'bgcolor', 'color', 'border', 'bordercolorlight', 'bordercolordark', 'face', 'marginwidth', 'marginheight', 'axis', 'border', 'abbr', 'char', 'charoff', 'clear', 'compact', 'coords', 'vspace', 'hspace', 'cellborder', 'size', 'lang', 'dir');  
+   
+   /* State for linked objects in HTML */
+@@ -161,13 +161,13 @@
+       $value = $node->getAttribute($key);
+       if(isset($this->_html_attribs[$key]) ||
+-         ($key == 'href' && preg_match('/^(http|https|ftp|mailto):.*/i', $value)))
++         ($key == 'href' && preg_match('/^(http|https|ftp|mailto):.+/i', $value)))
+         $t .= ' ' . $key . '="' . htmlspecialchars($value, ENT_QUOTES) . '"';
+       else if($key == 'style' && ($style = $this->wash_style($value)))
+         $t .= ' style="' . $style . '"';
+-      else if($key == 'src' && strtolower($node->tagName) == 'img') { //check tagName anyway
++      else if($key == 'background' || ($key == 'src' && strtolower($node->tagName) == 'img')) { //check tagName anyway
+         if($src = $this->config['cid_map'][$value]) {
+           $t .= ' ' . $key . '="' . htmlspecialchars($src, ENT_QUOTES) . '"';
+         }
+-        else if(preg_match('/^(http|https|ftp):.*/i', $value)) {
++        else if(preg_match('/^(http|https|ftp):.+/i', $value)) {
+           if($this->config['allow_remote'])
+             $t .= ' ' . $key . '="' . htmlspecialchars($value, ENT_QUOTES) . '"';
+@@ -175,5 +175,5 @@
+             $this->extlinks = true;
+             if ($this->config['blocked_src'])
+-              $t .= ' src="' . htmlspecialchars($this->config['blocked_src'], ENT_QUOTES) . '"';
++              $t .= ' ' . $key . '="' . htmlspecialchars($this->config['blocked_src'], ENT_QUOTES) . '"';
+           }
+         }
diff --git a/debian/patches/dont-use-preg-e-option.patch b/debian/patches/dont-use-preg-e-option.patch
deleted file mode 100644
index 718526b..0000000
--- a/debian/patches/dont-use-preg-e-option.patch
+++ /dev/null
@@ -1,123 +0,0 @@
-Fix a vulnerability due to the use of "e" option of preg_replace.
-
---- roundcube-0.2~alpha/program/lib/html2text.php	2008-04-12 15:54:45.000000000 +0200
-+++ roundcube-0.2~alpha/program/lib/html2text.php	2008-12-13 14:21:44.000000000 +0100
-@@ -99,6 +99,22 @@
-      */
-     var $width = 70;
- 
-+    /** 
-+	 *  List of preg* regular expression patterns to search for 
-+	 *  and replace using callback function. 
-+	 * 
-+	 *  @var array $callback_search 
-+	 *  @access public 
-+	 */ 
-+     var $callback_search = array( 
-+        '/<(h)[123456][^>]*>(.*?)<\/h[123456]>/i', // H1 - H3 
-+        '/<(b)[^>]*>(.*?)<\/b>/i',                 // <b> 
-+        '/<(strong)[^>]*>(.*?)<\/strong>/i',       // <strong> 
-+        '/<(a) [^>]*href=("|\')([^"\']+)\2[^>]*>(.*?)<\/a>/i', 
-+                                                   // <a href=""> 
-+        '/<(th)[^>]*>(.*?)<\/th>/i',               // <th> and </th> 
-+    ); 
-+
-     /**
-      *  List of preg* regular expression patterns to search for,
-      *  used in conjunction with $replace.
-@@ -112,12 +128,8 @@
-         "/[\n\t]+/",                             // Newlines and tabs
-         '/<script[^>]*>.*?<\/script>/i',         // <script>s -- which strip_tags supposedly has problems with
-         //'/<!-- .* -->/',                         // Comments -- which strip_tags might have problem a with
--        '/<a [^>]*href=("|\')([^"\']+)\1[^>]*>(.+?)<\/a>/ie', // <a href="">
--        '/<h[123][^>]*>(.+?)<\/h[123]>/ie',      // H1 - H3
--        '/<h[456][^>]*>(.+?)<\/h[456]>/ie',      // H4 - H6
-         '/<p[^>]*>/i',                           // <P>
-         '/<br[^>]*>/i',                          // <br>
--        '/<b[^>]*>(.+?)<\/b>/ie',                // <b>
-         '/<i[^>]*>(.+?)<\/i>/i',                 // <i>
-         '/(<ul[^>]*>|<\/ul>)/i',                 // <ul> and </ul>
-         '/(<ol[^>]*>|<\/ol>)/i',                 // <ol> and </ol>
-@@ -126,7 +138,6 @@
-         '/(<table[^>]*>|<\/table>)/i',           // <table> and </table>
-         '/(<tr[^>]*>|<\/tr>)/i',                 // <tr> and </tr>
-         '/<td[^>]*>(.+?)<\/td>/i',               // <td> and </td>
--        '/<th[^>]*>(.+?)<\/th>/ie',              // <th> and </th>
-         '/&nbsp;/i',
-         '/&quot;/i',
-         '/&gt;/i',
-@@ -161,12 +172,8 @@
-         ' ',                                    // Newlines and tabs
-         '',                                     // <script>s -- which strip_tags supposedly has problems with
-         //'',                                  // Comments -- which strip_tags might have problem a with
--        '$this->_build_link_list("\\2", "\\3")', // <a href="">
--        "strtoupper(\"\n\n\\1\n\n\")",          // H1 - H3
--        "ucwords(\"\n\n\\1\n\")",               // H4 - H6
-         "\n\n",                                 // <P>
-         "\n",                                   // <br>
--        'strtoupper("\\1")',                    // <b>
-         '_\\1_',                                // <i>
-         "\n\n",                                 // <ul> and </ul>
-         "\n\n",                                 // <ol> and </ol>
-@@ -175,7 +182,6 @@
-         "\n\n",                                 // <table> and </table>
-         "\n",                                   // <tr> and </tr>
-         "\t\t\\1\n",                            // <td> and </td>
--        "strtoupper(\"\t\t\\1\n\")",            // <th> and </th>
-         ' ',
-         '"',
-         '>',
-@@ -379,6 +385,7 @@
- 
-         // Run our defined search-and-replace
-         $text = preg_replace($this->search, $this->replace, $text);
-+        $text = preg_replace_callback($this->callback_search, array('html2text', '_preg_callback'), $text);
- 
-         // Strip any other HTML tags
-         $text = strip_tags($text, $this->allowed_tags);
-@@ -446,6 +453,44 @@
-               
-       return $display . ' [' . ($index+1) . ']';
-       }
-+
-+    /**
-+     *  Callback function for preg_replace_callback use.
-+     *
-+     *  @param  array PREG matches
-+     *  @return string
-+     *  @access private
-+     */
-+    function _preg_callback($matches)
-+    {
-+		switch($matches[1])
-+		{
-+	    case 'b':
-+	    case 'strong':
-+			return $this->_strtoupper($matches[2]);
-+	    case 'hr':
-+		return $this->_strtoupper("\t\t". $matches[2] ."\n");
-+	    case 'h':
-+			return $this->_strtoupper("\n\n". $matches[2] ."\n\n");
-+	    case 'a':
-+			return $this->_build_link_list($matches[3], $matches[4]);
-+        }
-+    }
-+    
-+    /**
-+     *  Strtoupper multibyte wrapper function
-+     *
-+     *  @param  string
-+     *  @return string
-+     *  @access private
-+     */
-+    function _strtoupper($str)
-+    {
-+		if (function_exists('mb_strtoupper'))
-+    	    return mb_strtoupper($str);
-+    	else
-+			return strtoupper($str);
-+    }
- }
- 
- ?>
-\ Pas de fin de ligne à la fin du fichier.
diff --git a/debian/patches/fix_login.patch b/debian/patches/fix_login.patch
deleted file mode 100644
index 581deaf..0000000
--- a/debian/patches/fix_login.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-Fix login redirection.
-
---- a/program/include/rcmail.php~	2008-06-07 21:33:07.000000000 +0200
-+++ a/program/include/rcmail.php	2008-06-22 13:36:57.000000000 +0200
-@@ -474,7 +474,7 @@
-   public function autoselect_host()
-   {
-     $default_host = $this->config->get('default_host');
--    $host = !empty($default_host) ? get_input_value('_host', RCUBE_INPUT_POST) : $default_host;
-+    $host = isset($_POST['_host']) ? get_input_value('_host', RCUBE_INPUT_POST) : $default_host;
-     
-     if (is_array($host)) {
-       list($user, $domain) = explode('@', get_input_value('_user', RCUBE_INPUT_POST));
diff --git a/debian/patches/series b/debian/patches/series
index 07f681f..9753d88 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,8 +1,5 @@
 dbconfig-common_support.patch
 correct_install_path.patch
 use_packaged_tinymce.patch
-use-db-backend.patch
 correct-magic-path.patch
-fix_login.patch
-dont-use-preg-e-option.patch
-cve-2008-5620.patch
+cve-2009-0413.patch
diff --git a/debian/patches/use-db-backend.patch b/debian/patches/use-db-backend.patch
deleted file mode 100644
index d76df6d..0000000
--- a/debian/patches/use-db-backend.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-Use db backend since mdb2 is not yet available in Debian.
-
---- roundcubemail-0.1-dep/config/db.inc.php.dist~	2008-03-03 22:32:15.000000000 +0100
-+++ roundcubemail-0.1-dep/config/db.inc.php.dist	2008-03-05 21:07:28.000000000 +0100
-@@ -27,7 +27,7 @@
- $rcmail_config['db_dsnr'] = '';
- 
- // database backend to use (only db or mdb2 are supported)
--$rcmail_config['db_backend'] = 'mdb2';
-+$rcmail_config['db_backend'] = 'db';
- 
- // maximum length of a query in bytes
- $rcmail_config['db_max_length'] = 512000;  // 500K
diff --git a/debian/rules b/debian/rules
index 0b48aa1..17cb182 100755
--- a/debian/rules
+++ b/debian/rules
@@ -27,10 +27,6 @@ binary-install/roundcube-core::
 	install -m 0644 $(CURDIR)/SQL/mysql.initial.sql $(CURDIR)/debian/roundcube-core/usr/share/dbconfig-common/data/roundcube/install/mysql
 	install -m 0644 $(CURDIR)/SQL/postgres.initial.sql $(CURDIR)/debian/roundcube-core/usr/share/dbconfig-common/data/roundcube/install/pgsql
 	install -m 0644 $(CURDIR)/SQL/sqlite.initial.sql $(CURDIR)/debian/roundcube-core/usr/share/dbconfig-common/data/roundcube/install/sqlite
-	# Database upgrade from latest versions
-	install -m 0644 $(CURDIR)/SQL/postgres.update.sql $(CURDIR)/debian/roundcube-core/usr/share/dbconfig-common/data/roundcube/upgrade/pgsql/0.1.1-1
-	install -m 0644 $(CURDIR)/SQL/mysql.update.sql $(CURDIR)/debian/roundcube-core/usr/share/dbconfig-common/data/roundcube/upgrade/mysql/0.1.1-1
-	install -m 0644 $(CURDIR)/SQL/sqlite.update.sql $(CURDIR)/debian/roundcube-core/usr/share/dbconfig-common/data/roundcube/upgrade/sqlite/0.1.1-1
 
 	# Old database upgrades
 	cp -r $(CURDIR)/debian/sql/* $(CURDIR)/debian/roundcube-core/usr/share/dbconfig-common/data/roundcube/upgrade/.
diff --git a/debian/sql/mysql/0.1.1-1 b/debian/sql/mysql/0.1.1-1
new file mode 100644
index 0000000..103cb61
--- /dev/null
+++ b/debian/sql/mysql/0.1.1-1
@@ -0,0 +1,17 @@
+-- RoundCube Webmail update script for MySQL databases
+-- Updates from version 0.1-stable to 0.1.1
+
+TRUNCATE TABLE `messages`;
+
+ALTER TABLE `messages`
+  DROP INDEX `idx`,
+  DROP INDEX `uid`;
+
+ALTER TABLE `cache`
+  DROP INDEX `cache_key`,
+  DROP INDEX `session_id`,
+  ADD INDEX `user_cache_index` (`user_id`,`cache_key`);
+
+ALTER TABLE `users`
+    ADD INDEX `username_index` (`username`),
+    ADD INDEX `alias_index` (`alias`);
diff --git a/debian/sql/mysql/0.2~alpha-5 b/debian/sql/mysql/0.2~alpha-5
new file mode 100644
index 0000000..38b9631
--- /dev/null
+++ b/debian/sql/mysql/0.2~alpha-5
@@ -0,0 +1,10 @@
+-- Updates from version 0.1.1
+
+ALTER TABLE `identities`
+    MODIFY `signature` text, 
+    MODIFY `bcc` varchar(128) NOT NULL DEFAULT '', 
+    MODIFY `reply-to` varchar(128) NOT NULL DEFAULT '', 
+    MODIFY `organization` varchar(128) NOT NULL DEFAULT '',
+    MODIFY `name` varchar(128) NOT NULL, 
+    MODIFY `email` varchar(128) NOT NULL; 
+
diff --git a/debian/sql/mysql/0.2~stable-1 b/debian/sql/mysql/0.2~stable-1
new file mode 100644
index 0000000..67f7fb3
--- /dev/null
+++ b/debian/sql/mysql/0.2~stable-1
@@ -0,0 +1,18 @@
+-- Updates from version 0.2-alpha
+
+ALTER TABLE `messages`
+    ADD INDEX `created_index` (`created`);
+
+-- Updates from version 0.2-beta (InnoDB only)
+
+ALTER TABLE `cache`
+    DROP `session_id`;
+    
+ALTER TABLE `session`
+    ADD INDEX `changed_index` (`changed`);
+
+ALTER TABLE `cache`
+    ADD INDEX `created_index` (`created`);
+
+ALTER TABLE `users`
+    CHANGE `language` `language` varchar(5);
diff --git a/debian/sql/pgsql/0.1.1-1 b/debian/sql/pgsql/0.1.1-1
new file mode 100644
index 0000000..fb28a7a
--- /dev/null
+++ b/debian/sql/pgsql/0.1.1-1
@@ -0,0 +1,20 @@
+-- RoundCube Webmail update script for Postgres databases
+-- Updates from version 0.1-stable to 0.1.1
+
+CREATE INDEX cache_user_id_idx ON cache (user_id, cache_key);
+CREATE INDEX contacts_user_id_idx ON contacts (user_id);
+CREATE INDEX identities_user_id_idx ON identities (user_id);
+
+CREATE INDEX users_username_id_idx ON users (username);
+CREATE INDEX users_alias_id_idx ON users (alias);
+
+-- added ON DELETE/UPDATE actions
+ALTER TABLE messages DROP CONSTRAINT messages_user_id_fkey;
+ALTER TABLE messages ADD FOREIGN KEY (user_id) REFERENCES users(user_id) ON DELETE CASCADE ON UPDATE CASCADE;
+ALTER TABLE identities DROP CONSTRAINT identities_user_id_fkey;
+ALTER TABLE identities ADD FOREIGN KEY (user_id) REFERENCES users(user_id) ON DELETE CASCADE ON UPDATE CASCADE;
+ALTER TABLE contacts DROP CONSTRAINT contacts_user_id_fkey;
+ALTER TABLE contacts ADD FOREIGN KEY (user_id) REFERENCES users(user_id) ON DELETE CASCADE ON UPDATE CASCADE;
+ALTER TABLE cache DROP CONSTRAINT cache_user_id_fkey;
+ALTER TABLE cache ADD FOREIGN KEY (user_id) REFERENCES users(user_id) ON DELETE CASCADE ON UPDATE CASCADE;
+
diff --git a/debian/sql/pgsql/0.2~stable-1 b/debian/sql/pgsql/0.2~stable-1
new file mode 100644
index 0000000..102843e
--- /dev/null
+++ b/debian/sql/pgsql/0.2~stable-1
@@ -0,0 +1,18 @@
+-- Updates from version 0.2-alpha
+
+CREATE INDEX messages_created_idx ON messages (created);
+
+-- Updates from version 0.2-beta
+
+ALTER TABLE cache DROP session_id;
+
+CREATE INDEX session_changed_idx ON session (changed);
+CREATE INDEX cache_created_idx ON "cache" (created);
+
+ALTER TABLE users ALTER "language" DROP NOT NULL;
+ALTER TABLE users ALTER "language" DROP DEFAULT;
+
+ALTER TABLE identities ALTER del TYPE smallint;
+ALTER TABLE identities ALTER standard TYPE smallint;
+ALTER TABLE contacts ALTER del TYPE smallint;
+ALTER TABLE messages ALTER del TYPE smallint;
diff --git a/debian/sql/sqlite/0.1.1-1 b/debian/sql/sqlite/0.1.1-1
new file mode 100644
index 0000000..1857890
--- /dev/null
+++ b/debian/sql/sqlite/0.1.1-1
@@ -0,0 +1,28 @@
+-- RoundCube Webmail update script for SQLite databases
+-- Updates from version 0.1-stable to 0.1.1
+
+DROP TABLE messages;
+
+CREATE TABLE messages (
+  message_id integer NOT NULL PRIMARY KEY,
+  user_id integer NOT NULL default '0',
+  del tinyint NOT NULL default '0',
+  cache_key varchar(128) NOT NULL default '',
+  created datetime NOT NULL default '0000-00-00 00:00:00',
+  idx integer NOT NULL default '0',
+  uid integer NOT NULL default '0',
+  subject varchar(255) NOT NULL default '',
+  "from" varchar(255) NOT NULL default '',
+  "to" varchar(255) NOT NULL default '',
+  "cc" varchar(255) NOT NULL default '',
+  "date" datetime NOT NULL default '0000-00-00 00:00:00',
+  size integer NOT NULL default '0',
+  headers text NOT NULL,
+  structure text
+);
+
+CREATE INDEX ix_messages_user_cache_uid ON messages(user_id,cache_key,uid);
+
+CREATE INDEX ix_users_username ON users(username);
+CREATE INDEX ix_users_alias ON users(alias);
+
diff --git a/debian/sql/sqlite/0.2~stable-1 b/debian/sql/sqlite/0.2~stable-1
new file mode 100644
index 0000000..4005727
--- /dev/null
+++ b/debian/sql/sqlite/0.2~stable-1
@@ -0,0 +1,8 @@
+-- Updates from version 0.2-alpha
+
+CREATE INDEX ix_messages_created ON messages (created);
+
+-- Updates from version 0.2-beta
+
+CREATE INDEX ix_session_changed ON session (changed);
+CREATE INDEX ix_cache_created ON cache (created);
-- 
2.39.2