+roundcube (0.3.1-3) unstable; urgency=high
+
+ * RFC 5321, section 4.5.3.1, asks to not impose any limits on length if
+ possible. We respect this by dropping limitation of the local-part of
+ an email address. Closes: #568360, #568537.
+ * Suggests php-auth-sasl to enable use of SASL mechanisms for mail
+ servers. Closes: #567550.
+ * Disable DNS prefetching to avoid information leakage through links
+ embedded in messages. This fixes CVE-2010-0464. Closes: #569660.
+ * Bump Standards-Version. No changes required.
+
+ -- Vincent Bernat <bernat@debian.org> Sat, 13 Feb 2010 10:21:49 +0100
+
roundcube (0.3.1-2) unstable; urgency=low
- * Fix VCS links in debian/control, thanks to Torsten Landschoff. Closes: #555900.
+ * Fix VCS links in debian/control, thanks to Torsten Landschoff.
+ Closes: #555900.
* Really ship NEWS.Debian.
* Add changesets 3170 and 3202 from upstream to handle gracefully jQuery
1.4. Thanks to Volker Gropp for the report. Closes: #565715.
Priority: extra
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
Uploaders: Vincent Bernat <bernat@debian.org>, Romain Beauxis <toots@rastageeks.org>
-Build-Depends: cdbs, debhelper, quilt, patchutils (>= 0.2.25), cdbs (>= 0.4.27), po-debconf
+Build-Depends: cdbs, debhelper (>= 5), quilt, patchutils (>= 0.2.25), cdbs (>= 0.4.27), po-debconf
Homepage: http://www.roundcube.net/
-Standards-Version: 3.8.3
+Standards-Version: 3.8.4
Vcs-Svn: svn://svn.debian.org/svn/pkg-roundcube/trunk
Vcs-Browser: http://svn.debian.org/wsvn/pkg-roundcube/trunk/
Package: roundcube-core
Architecture: all
Depends: dbconfig-common, debconf | debconf-2.0, apache2 | lighttpd | httpd, php5, php5-mcrypt, php5-gd, roundcube-sqlite (= ${source:Version}) | roundcube-mysql (= ${source:Version}) | roundcube-pgsql (= ${source:Version}), php-mdb2, php-auth, php-net-smtp, php-net-socket, php-mail-mime (>= 1.5.0), ucf, tinymce (>= 3), ${misc:Depends}, libmagic1, php5-pspell, libjs-jquery (>= 1.3.3)
+Suggests: php-auth-sasl
Replaces: roundcube
Conflicts: roundcube (<< 0.1~rc2-2)
Description: skinnable AJAX based webmail solution for IMAP servers
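Review bot: Suggests is the weakest relationship for php-auth-sasl, so a default install still lacks it; if the intent stated in the changelog is that SASL mechanisms work against mail servers that require them, consider Recommends, or confirm that Roundcube degrades cleanly to the mechanisms it can do without Auth_SASL. The new debhelper (>= 5) floor on Build-Depends is not mentioned in the changelog entry and deserves a line there.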
Uploaders: Vincent Bernat <bernat@debian.org>, Romain Beauxis <toots@rastageeks.org>
Build-Depends: @cdbs@, po-debconf
Homepage: http://www.roundcube.net/
-Standards-Version: 3.8.3
+Standards-Version: 3.8.4
Vcs-Svn: svn://svn.debian.org/svn/pkg-roundcube/trunk
Vcs-Browser: http://svn.debian.org/wsvn/pkg-roundcube/trunk/
Package: roundcube-core
Architecture: all
Depends: dbconfig-common, debconf | debconf-2.0, apache2 | lighttpd | httpd, php5, php5-mcrypt, php5-gd, roundcube-sqlite (= ${source:Version}) | roundcube-mysql (= ${source:Version}) | roundcube-pgsql (= ${source:Version}), php-mdb2, php-auth, php-net-smtp, php-net-socket, php-mail-mime (>= 1.5.0), ucf, tinymce (>= 3), ${misc:Depends}, libmagic1, php5-pspell, libjs-jquery (>= 1.3.3)
+Suggests: php-auth-sasl
Replaces: roundcube
Conflicts: roundcube (<< 0.1~rc2-2)
Description: skinnable AJAX based webmail solution for IMAP servers
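Review bot: this mirrors the debian/control change for Suggests and Standards-Version but not the debhelper (>= 5) floor, because Build-Depends here is the @cdbs@ placeholder; confirm that the placeholder expands to at least debhelper (>= 5), otherwise the next regeneration of debian/control from this file silently drops the versioned dependency that was just added by hand.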
--- /dev/null
+Disable DNS prefetching to solve CVE-2010-0464.
+
+Index: program/include/rcube_html_page.php
+===================================================================
+--- rcube/program/include/rcube_html_page.php (revision 3214)
++++ rcube/program/include/rcube_html_page.php (working copy)
+@@ -165,6 +165,13 @@
+ $__page_header.= $this->charset . '" />'."\n";
+ }
+
++ // add hint to disable DNS prefetching
++ if (!headers_sent()) {
++ header('X-DNS-Prefetch-Control: off');
++ } else {
++ $__page_header.= '<meta http-equiv="x-dns-prefetch-control" content="off" />'."\n";
++ }
++
+ // definition of the code to be placed in the document header and footer
+ if (is_array($this->script_files['head'])) {
+ foreach ($this->script_files['head'] as $file) {
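Review bot: both the header and the meta fallback are advisory hints that only browsers implementing X-DNS-Prefetch-Control (Firefox from 3.5 on, for example) act upon, so this mitigates CVE-2010-0464 for those clients only and the changelog's "fixes" overstates it slightly. Because of the headers_sent() branch, a page whose headers already went out gets only the meta form; appending the meta tag in both branches (and sending the header whenever it still can be sent) costs nothing and covers clients that honour only one of the two. The patch also cites an upstream working copy at revision 3214 but carries no DEP-3 header; add Origin:, Bug-Debian: (#569660) and Forwarded: lines so the upstream status stays traceable.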
--- /dev/null
+To fix #568360 and #568537, don't limit local part size.
+--- roundcube-0.3.1/program/include/main.inc~ 2009-10-31 14:44:19.751802878 +0100
++++ roundcube-0.3.1/program/include/main.inc 2010-02-05 19:46:12.000000000 +0100
+@@ -1427,7 +1427,7 @@
+ return false;
+
+ // Check that there's one @ symbol, and that the lengths are right
+- if (!preg_match('/^([^@]{1,64})@([^@]{1,255})$/', $email, $email_array))
++ if (!preg_match('/^([^@]+)@([^@]{1,255})$/', $email, $email_array))
+ return false;
+
+ // Check local part
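Review bot: dropping {1,64} makes the local-part check [^@]+, which is what the changelog describes, but RFC 5321 section 4.5.3.1.1 still names 64 octets as the maximum a receiving server must accept, so an address that now passes this check may be rejected at SMTP time; make sure that server error is surfaced to the user rather than swallowed. The unbounded quantifier itself is harmless: a single negated character class cannot backtrack catastrophically, so there is no ReDoS concern. Two pre-existing points worth a follow-up: `$` without the D modifier also matches before a trailing newline, so "user@host\n" passes the check, and the patch file has no DEP-3 header (Bug-Debian: for #568360 and #568537, Forwarded: status).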
loginbox-size.patch
changeset_r3170.patch
changeset_r3202.patch
+dont-limit-email-local-part.patch
+disable-dns-prefetch.patch
roundcube (0.3.1-2) unstable; urgency=low
- * Starting from Roundcube 0.3, an incompatibility with Suhosin session
+ Starting from Roundcube 0.3, an incompatibility with Suhosin session
encryption is present. This can be resolved by tuning php.ini for
Roundcube with the "suhosin.session.encrypt" set to "Off".
-
+
We ship a .htaccess in /var/lib/roundcube to disable this
option. However, this only works with a webserver like Apache with
- mod_php. If you are using a webserver with PHP configured as a *CGI
- process, you need to tune the php.ini for this process: either turn of
- globally Suhosin session encryption in /etc/php5/conf.d/suhosin or you
- can provide your own php.ini to php5-cgi with "-c" option.
+ mod_php. If you are using a webserver with PHP configured as a
+ *CGI process, you need to tune the php.ini for this process:
+ either turn of globally Suhosin session encryption in
+ /etc/php5/conf.d/suhosin or you can provide your own php.ini to
+ php5-cgi with "-c" option.
-- Vincent Bernat <bernat@debian.org> Mon, 02 Nov 2009 19:48:22 +0100
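Review bot: since this hunk only rewraps the paragraph, fix the wording it carries over at the same time: "either turn of globally Suhosin session encryption" should read "either turn off Suhosin session encryption globally", and "*CGI" reads like a wildcard for CGI/FastCGI and is clearer spelled out. Dropping the " * " bullet marker is fine for NEWS.Debian, where entries are plain paragraphs rather than changelog items.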