Don't let www-data overwrite debian-db.php. Closes: #608976.

[roundcube.git] / debian / changelog

roundcube (0.5~rc-1) UNRELEASED; urgency=low

  * New upstream release. Closes: #592312.
     + Drop patches included upstream (DNS prefetching, jQuery 1.4
       handling, email address validation, duplicate headers, incorrectly
       formatted received headers). Adapt other patches.
     + Update SQL commands to use to upgrade database.
       That also closes: #602922.
     + Update dependencies to match INSTALL file. Only exception is the
       use of Mail_Mime 1.8.0 in place of 1.8.1 which is not available in
       Debian. We depends on jQuery 1.4.2 because 1.4.4 is not available in
       Debian.
  * Move .htaccess to /etc/roundcube and use a symlink (Closes: #591369).
  * Don't let www-data overwrite debian-db.php. Closes: #608976.
  * Bump Standards-Version. No changes required.

 -- Vincent Bernat <bernat@debian.org>  Sat, 08 Jan 2011 15:15:56 +0100

roundcube (0.3.1-6) unstable; urgency=low

  * Update Arabic debconf translation, thanks to Ossama Khayat.
    Closes: #596181.
  * Update Portuguese debconf translation, thanks to Christian Perrier.
    Closes: #599575.
  * Add a patch to avoid duplicate boundaries in headers when adding an
    attachment. Closes: #599586.

 -- Vincent Bernat <bernat@debian.org>  Mon, 18 Oct 2010 23:14:37 +0200

roundcube (0.3.1-5) unstable; urgency=low

  * Depends on php-mail-mime 1.7.0 or more recent to handle correctly
    'mime_param_folding' directive. Closes: #588295.
  * Add Danish debconf translation, thanks to Joe Dalton.
    Closes: #593271.
  * Add a patch to fix Received header to behave better with Spam
    Assassin. Closes: #595204.

 -- Vincent Bernat <bernat@debian.org>  Thu, 02 Sep 2010 07:54:58 +0200

roundcube (0.3.1-4) unstable; urgency=low

  * Update README.Debian to state that the variable to modify is
    'htmleditor' instead of 'enable_htmleditor'. Thanks to Hans
    Spaans. Closes: #575556.
  * Add Brazilian Portuguese debconf translation, thanks to Eder
    L. Marques. Closes: #581745.
  * Switch default encoding to UTF-8 instead of ISO-8859-1.
    Closes: #588084.
  * Add more explanations on how to install roundcube in a Debian system
    in README.Debian. Closes: #584458, #582894.
  * Bump Standards-Version. No changes required.
  * Switch to 3.0 (quilt) format.
  * Use Breaks instead of Conflicts to move files from older roundcube
    installations.

 -- Vincent Bernat <bernat@debian.org>  Sat, 17 Jul 2010 17:23:30 +0200

roundcube (0.3.1-3) unstable; urgency=high

  * RFC 5321, section 4.5.3.1, asks to not impose any limits on length if
    possible. We respect this by dropping limitation of the local-part of
    an email address. Closes: #568360, #568537.
  * Suggests php-auth-sasl to enable use of SASL mechanisms for mail
    servers. Closes: #567550.
  * Disable DNS prefetching to avoid information leakage through links
    embedded in messages. This fixes CVE-2010-0464. Closes: #569660.
  * Bump Standards-Version. No changes required.

 -- Vincent Bernat <bernat@debian.org>  Sat, 13 Feb 2010 10:21:49 +0100

roundcube (0.3.1-2) unstable; urgency=low

  * Fix VCS links in debian/control, thanks to Torsten Landschoff.
    Closes: #555900.
  * Really ship NEWS.Debian.
  * Add changesets 3170 and 3202 from upstream to handle gracefully jQuery
    1.4. Thanks to Volker Gropp for the report. Closes: #565715.

 -- Vincent Bernat <bernat@debian.org>  Mon, 18 Jan 2010 23:11:01 +0100

roundcube (0.3.1-1) unstable; urgency=low

  * New upstream release.
  * Add a notice in NEWS.Debian about php.ini options that should be set
    to get Roundcube working properly. Closes: #549428, #552508.

 -- Vincent Bernat <bernat@debian.org>  Sat, 07 Nov 2009 17:41:37 +0100

roundcube (0.3-2) unstable; urgency=low

  * Really fix #544579 since the default value is null without
    quotes. This really Closes: #544579.
  * Enlarge login box to accommodate sk_SK locale. Closes: #542933.

 -- Vincent Bernat <bernat@debian.org>  Sun, 27 Sep 2009 11:26:56 +0200

roundcube (0.3-1) unstable; urgency=low

  * New upstream release. Closes: #545498.
  * Update debconf translations:
      + Italian, thanks to Luca Monducci. Closes: #544199.
      + Czech, thanks to Miroslav Kure. Closes: #546413.
  * Roundcube configuration now uses 'language' instead of 'locale_string'
    to specify the default language. Update postinst to reflect this
    change. Thanks to Richard van den Berg for noticing this. Closes: #544579.
  * Depends on libjs-jquery (>= 1.3) since this is now used by roundcube.
  * Don't ship any plugins for now but ship an empty plugins directory.
  * Ship main .htaccess since it is needed to setup correctly PHP (for
    example, to disable PHP Suhosin cookie encryption).
  * Bump Standards-Version. No changes required.

 -- Vincent Bernat <bernat@debian.org>  Sun, 27 Sep 2009 11:00:30 +0200

roundcube (0.2.2-1) unstable; urgency=low

  * New upstream release
  * Bump Standards-Version. No changes required.
  * Remove *.js.src which are not needed at runtime.
  * Don't send email contents to Google by default by using php5-pspell
    instead. Thanks to Anand Kumria. Closes: #529563.
  * Update debconf translations:
      + Basque, thanks to Piarres Beobide. Closes: #534282.

 -- Vincent Bernat <bernat@debian.org>  Sun, 05 Jul 2009 09:53:17 +0200

roundcube (0.2.1-2) unstable; urgency=low

  * Update debconf translations:
      + German, thanks to Helge Kreutzmann. Closes: #520004.
      + Japanese, thanks to Hideki Yamane. Closes: #520024.
      + Spanish, thanks to Francisco Javier. Closes: #526696.
      + Russian, thanks to Yuri Kozlov. Closes: #528796.
  * Depend on php-mdb2-* (>= 1.5.0b2) since it is needed to fix some
    bugs. Closes: #519104, #519293. Remove not needed any more patch from
    debian/patches/series. Keep it in debian/patches to help backports.

 -- Vincent Bernat <bernat@debian.org>  Sat, 16 May 2009 15:30:17 +0200

roundcube (0.2.1-1) unstable; urgency=low

  * New upstream release:
      + Fix use_packaged_tinymce.patch to apply to this new version
      + Remove cve-2009-0413.patch which has been applied upstream

 -- Vincent Bernat <bernat@debian.org>  Sat, 14 Mar 2009 17:42:07 +0100

roundcube (0.2~stable-2) unstable; urgency=low

  * Update debconf translations:
      + French, thanks to Christian Perrier. Closes: #515806.
      + Swedish, thanks to Martin Bagge. Closes: #516683.
  * Drop virtual package roundcube-db and add dependencies on real package
    instead: this way, we can have versioned dependencies on those to avoid
    version mismatch between packages.
  * Add a patch to not use a MDB2 feature not present in the Debian
    package. Thanks to Grzegorz Sobański for the patch. Closes: #519104.

 -- Vincent Bernat <bernat@debian.org>  Wed, 11 Mar 2009 18:49:32 +0100

roundcube (0.2~stable-1) unstable; urgency=low

  * New upstream version. Closes: #503573, #504570.
      + Add SQL update scripts for this new release and for
        0.2~alpha. Remove copy of SQL upgrade script from debian/rules.
      + Remove patch for CVE-2008-5620 which is now fixed upstream.
      + Remove patch correcting a vulnerability in html2text.php.
      + Remove patch fixing login issue. This is fixed upstream.
      + Remove patch setting the default backend to db instead of mdb2:
        this is not possible any more. We depend on php-mdb2 now.
      + Update patch to use packaged tinymce.
  * Upload to unstable since Lenny is out.
  * Apply fix for XSS issue (CVE-2009-0413). Closes: #514179.
  * Remove hack to update a SQLite table for an upgrade from a quite old
    version of roundcube.
  * Fix pending l10n issues:
      + Update English debconf template. Closes: #473794.
      + Add Swedish translation thanks to Martin Bagge. Closes: #508752.
  * Fix debian/copyright to make lintian happy.

 -- Vincent Bernat <bernat@debian.org>  Sun, 15 Feb 2009 16:18:58 +0100

roundcube (0.2~alpha-4) experimental; urgency=low

  * Add missing ${misc:Depends} to make Lintian happy.
  * Add description to each patch.
  * Execute cron job only if the directory to clean exists.
  * Reload web server configuration instead of restart, thanks to a patch
    from Tiago Bortoletto Vaz. Closes: #508633.
  * Fix a vulnerability in quota image generation. This fixes
    CVE-2008-5620. Thanks to Nico Golde for reporting it. Closes: #509596.
  * Add missing dependency on php5-gd, used for quota bar.
  * For roundcube-pgsql, depends on postgresql-client only. This package
    is provided by the currently supported real package.

 -- Vincent Bernat <bernat@debian.org>  Thu, 25 Dec 2008 11:38:13 +0100

roundcube (0.2~alpha-3) experimental; urgency=high

  [ Vincent Bernat ]
  * Fix a vulnerability in the use of preg_replace (Closes: #508628).
  * Adapt descriptions of roundcube-database packages to refer them as
    metapackages instead of virtual package (Closes: #495434).
  * Add robots.txt from upstream, even if in some configuration, it will
    not be considered (Closes: #499108).
  * Do not ship .htaccess files. Restrictions are set in Apache or
    Lighttpd configuration files (Closes: #500202).

  [ Romain Beauxis ]
  * Changed versioned dependency of rouncube from binary:Version to
    source:Version since these are all architecture independent packages.  

 -- Vincent Bernat <bernat@debian.org>  Sat, 13 Dec 2008 14:36:02 +0100

roundcube (0.2~alpha-2) experimental; urgency=low

  [ Vincent Bernat ]
  * Fix lintian warnings introduced by previous upload
  * Fix lighttpd.conf to make it work with latest versions (Closes: #494044)
  * Do not prepend path to lighty util in postinst and postrm, as per
    Policy Manual section 6.1
  * Ship a bug/control file to have all bugs submitted against roundcube
    metapackage
  * Fix debian/roundcube-core.cron.daily to use
    /etc/default/roundcube-core instead of /etc/default/roundcube which
    should not exist any more

  [ Romain Beauxis ]
  * Versioned roundcube-core dependency for roundcube 

 -- Vincent Bernat <bernat@debian.org>  Sat, 16 Aug 2008 13:22:08 +0200

roundcube (0.2~alpha-1) experimental; urgency=low

  * New upstream release
  * Update debian/watch file to correctly consider those new releases
  * Remove the following patches:
      + messageid-headers-ordering
      + mysql-update-fix
      + disable-tinymce-spellchecker
  * Update the following patches:
      + correct_install_path
      + use_packaged_tinymce
  * Add a new patch to fix a login problem
  * Depends on tinymce >= 3

 -- Vincent Bernat <bernat@debian.org>  Sun, 22 Jun 2008 14:10:44 +0200

roundcube (0.1.1-7) unstable; urgency=low

  * Another fix for incorrect tinymce path. This should be the last one!

 -- Vincent Bernat <bernat@debian.org>  Sun, 22 Jun 2008 12:36:59 +0200

roundcube (0.1.1-6) unstable; urgency=low

  * Fix use_packaged_tinymce patch which was incorrect after switch to
    tinymce2 package.

 -- Vincent Bernat <bernat@debian.org>  Sun, 22 Jun 2008 12:19:16 +0200

roundcube (0.1.1-5) unstable; urgency=low

  * Fix ordering of message-id in message headers, thanks to Reinhard
    Tartler (Closes: #486493)
  * Update Standards-Version to 3.8.0

 -- Vincent Bernat <bernat@debian.org>  Tue, 17 Jun 2008 00:33:40 +0200

roundcube (0.1.1-4) unstable; urgency=low

  * Add Slovak debconf translation, thanks to Ivan Masár (Closes: #481376)
  * Fix debian/copyright:
     + RoundCube is GPL-2 licensed, not GPL-2+
     + Add an explanation on the BSD license present at the top of
       index.php (Closes: #477119)
  * We do not support tinymce 3, yet. Depends on tinymce2 | tinymce (<<
    3). Closes: #481145, #483053, #482295

 -- Vincent Bernat <bernat@debian.org>  Tue, 20 May 2008 20:51:52 +0200

roundcube (0.1.1-3) unstable; urgency=low

  * Fix an error introduced when fixing bug #476803. Thanks to Micah
    Anderson for spotting it (Closes: #479775).
  * Avoid to pop language question at every upgrade. Thanks to Ivan Vucica
    for spotting this. The problem lied in the use of db_metaget to get
    the value of a key set by db_subst in a previous invocation. It seems
    this is not possible any more (Closes: #480043). The fix implies that
    we won't ask the question again if more languages are available since
    last upgrade.

 -- Vincent Bernat <bernat@debian.org>  Thu, 08 May 2008 09:50:24 +0200

roundcube (0.1.1-2) unstable; urgency=low

  * Comment by default Alias directive for tinymce in Apache configuration
    file (Closes: #476162).
  * Allow to preseed language value (Closes: #476803).

 -- Vincent Bernat <bernat@luffy.cx>  Sat, 19 Apr 2008 16:50:28 +0200

roundcube (0.1.1-1) unstable; urgency=low

  * New upstream release
    - Copy old SQL upgrade scripts into debian/sql to allow upgrade from
      versions older than 0.1
    - Patch new MySQL upgrade script to fix a typo
  * Debconf translation updates:
    - Spanish. Closes: #473788
  * Depends on php-mail-mime (>= 1.5.0) and drop compatibility patch
  * Install upstream changelog in /usr/share/doc/roundcube*

 -- Vincent Bernat <bernat@luffy.cx>  Sat, 05 Apr 2008 18:16:33 +0200

roundcube (0.1-4) unstable; urgency=low

  * Debconf translation updates:
    - French. Closes: #469802
    - Russian. Closes: #469847
    - Galician. Closes: #469866
    - German. Closes: #469875
    - Finnish. Closes: #469922
    - Italian. Closes: #469987
    - Czech. Closes: #470150
    - Portuguese. Closes: #470156
    - Spanish. Closes: #470732
    - Basque. Closes: #470871
    - Arabic. Closes: #471470

 -- Vincent Bernat <bernat@luffy.cx>  Sat, 08 Mar 2008 11:15:00 +0100

roundcube (0.1-3) unstable; urgency=low

  * Fix problem with too old php-mail-mime package (Closes: #469814)

 -- Vincent Bernat <bernat@luffy.cx>  Fri, 07 Mar 2008 11:06:49 +0100

roundcube (0.1-2) unstable; urgency=low

  * Ship bin/ directory as well. This fix conversion from HTML to text in
    composition.
  * Disable spellchecker for tinymce since it is not shipped with Debian
    package of tinymce.

 -- Vincent Bernat <bernat@luffy.cx>  Fri, 07 Mar 2008 09:42:39 +0100

roundcube (0.1-1) unstable; urgency=low

  * New upstream release (Closes: #469487).
     - This release seems to fix failure to set some fields when replying,
       with bincimap as IMAP server (Closes: #443562)
     - It also fixes the deletion of multiple messages, still with
       bincimap (Closes: #451404)
  * Remove 'ob_gzhandler.patch' and 'xss-fix.patch'. They have been
    merged upstream.
  * Upstream has switched to MDB2 database backend which is not packaged
    in Debian yet. We switch back to old backend.
  * Fix debian/watch to handle correctly detection of new versions.
  * Add support for lighttpd and remove support for older version of
    Apache. The debconf question about webserver autoconfiguration is
    reworded (Closes: #462961).
  * Do not depend on a specific revision of cdbs.
  * Move po-debconf from Build-Depends-Indep to Build-Depends since it is
    needed for clean target.
  * Correct path to /usr/share/file/magic, provided by libmagic1. Provide
    license information about this file in debian/copyright.

 -- Vincent Bernat <bernat@luffy.cx>  Wed, 05 Mar 2008 20:49:03 +0100

roundcube (0.1~rc2-6) unstable; urgency=high

  * Bug fix: "CVE-2007-6321: Cross-site scripting (XSS) vulnerability",
    thanks to Micah Anderson (Closes: #455840). The patch is from
    http://lists.roundcube.net/mail-archive/dev/2007-12/0000038.html and
    provided by Robin Elfrink. It has been modified with some functions
    stolen from Squirrelmail.
  * Finnish debconf template, thanks to Esko Arajärvi (Closes: #458244).

 -- Vincent Bernat <bernat@luffy.cx>  Sat, 29 Dec 2007 21:55:17 +0100

roundcube (0.1~rc2-5) unstable; urgency=low

  * Deal with old /etc/logrotate.d/roundcube by removing it if left
    untouched (Closes: #456546). Also deal with /etc/default/roundcube and
    /etc/cron.daily/roundcube.

 -- Vincent Bernat <bernat@luffy.cx>  Tue, 18 Dec 2007 23:02:46 +0100

roundcube (0.1~rc2-4) unstable; urgency=low

  * Thightened dependencies for a safe upgrade
  * Finally removed any circular dependency, -db packages no longer pull
    a full roundcube install

 -- Romain Beauxis <toots@rastageeks.org>  Sun, 09 Dec 2007 14:24:24 +0100

roundcube (0.1~rc2-3) unstable; urgency=low

  * Upload to unstable
  * Bumped standard version to 3.7.3 (no changes) 

 -- Romain Beauxis <toots@rastageeks.org>  Sun, 09 Dec 2007 14:19:28 +0100

roundcube (0.1~rc2-2) experimental; urgency=low

  [ Vincent Bernat ]
  * Fix a conflict between ob_gzhandler and zlib output compression,
    thanks to kaouete (Closes: #450482).

  [ Romain Beauxis ]
  * Fix tinymce patch and inclusion
    Closes: #452016
  * Splitted virtual packages to avoid circular dependencies.
    Uploading to experimental, as this is an important change and we may
    expect issues..

 -- Romain Beauxis <toots@rastageeks.org>  Mon, 26 Nov 2007 11:54:21 +0100

roundcube (0.1~rc2-1) unstable; urgency=low

  * New upstream, thanks to Nicolas Stransky (Closes: #447503). This
    release support tinymce as HTML editor. Look at README.Debian for more
    information.
  * Update Galician debconf template, thanks to Jacobo Tarrio (Closes: #447943).

 -- Vincent Bernat <bernat@luffy.cx>  Mon, 29 Oct 2007 22:08:43 +0100

roundcube (0.1~rc1-3) unstable; urgency=low

  * In respect to policy 12.3, do not put main.inc.php.dist in
    /usr/share/doc, thanks to Jonas Smedegaard (Closes: #446502).
  * Update German and French debconf templates, thanks to Christian
    Perrier (Closes: #446458) and Helge Kreutzmann (Closes: #446532).

 -- Vincent Bernat <bernat@luffy.cx>  Sun, 14 Oct 2007 08:41:24 +0200

roundcube (0.1~rc1-2) unstable; urgency=low

  * Fix dependencies by creating virtual packages for each database
    backend, thanks to Joey Hess (Closes: #444925).

 -- Vincent Bernat <bernat@luffy.cx>  Tue, 02 Oct 2007 20:09:19 +0200

roundcube (0.1~rc1-1) unstable; urgency=low

  * New upstream release
  * Removed non gpl file des.inc

 -- Romain Beauxis <toots@rastageeks.org>  Tue, 24 Jul 2007 13:36:20 +0200

roundcube (0.1~rc1~dfsg-3) unstable; urgency=low

  * Add php5-mcrypt dependency (Closes: #431177)

 -- Vincent Bernat <bernat@luffy.cx>  Sat, 30 Jun 2007 19:36:21 +0200

roundcube (0.1~rc1~dfsg-2) unstable; urgency=low

  * Removed custom unix_timestamp for sqlite: solved upstream
  * Debconf templates and debian/control reviewed by the debian-l10n-
    english team as part of the Smith review project.
    Closes: #426086, #427546, #427546
  * Debconf translation updates:
    - Galician. Closes: #426140
    - Basque. Closes: #426150
    - Czech. Closes: #426428
    - Portuguese. Closes: #426451
    - Arabic. Closes: #427110
    - Italian. Closes: #427206
    - German. Closes: #427536
    - French. Closes: #427736
    - Tamil. Closes: #428254
    - Russian. Closes: #428364
    - Spanish. Closes: #428573

 -- Romain Beauxis <toots@rastageeks.org>  Tue, 05 Jun 2007 15:22:36 +0200

roundcube (0.1~rc1~dfsg-1) unstable; urgency=low

  [ Vincent Bernat ]
  * New upstream release
  * Update script for sqlite in postinst
  [ Romain Beauxis ]
  * Fixed dh_link calls
    Closes: #423824
  * Added custom patch to use php unix timestamp support
    with sqlite since UNIX_TIMESTAMP is not supported by sqlite.
  * Dropped php4 dependencies

 -- Vincent Bernat <bernat@luffy.cx>  Sun, 20 May 2007 13:59:44 +0200

roundcube (0.1~beta2.2~dfsg-2) unstable; urgency=low

  * Fix a security issue by disallowing access to logs.
  * First upload to unstable.

 -- Vincent Bernat <bernat@luffy.cx>  Sat,  5 May 2007 00:23:40 +0200

roundcube (0.1~beta2.2~dfsg-1) experimental; urgency=low

  * Initial release. (Closes: #333756, #344949)

 -- Romain Beauxis <toots@rastageeks.org>  Tue, 13 Mar 2007 13:28:05 +0100