Version in base suite: 1.4.12+dfsg.1-1~deb11u1 Base version: roundcube_1.4.12+dfsg.1-1~deb11u1 Target version: roundcube_1.4.13+dfsg.1-1~deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/r/roundcube/roundcube_1.4.12+dfsg.1-1~deb11u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/r/roundcube/roundcube_1.4.13+dfsg.1-1~deb11u1.dsc CHANGELOG | 4 + debian/changelog | 10 ++++ debian/patches/fix-FTBFS-with-phpunit-10.patch | 2 debian/patches/fix-FTBFS-with-phpunit-8.5.13-1.patch | 2 debian/patches/fix-FTBFS-with-phpunit-9.5.0-1.patch | 12 ++--- debian/patches/fix-Framework_Washtml-test_wash_xss_tests.patch | 23 ++++++++++ debian/patches/fix-install-path.patch | 4 - debian/patches/hint-at-which-packages-needs-installing-under-PHP8.patch | 2 debian/patches/series | 1 debian/patches/update-script.patch | 2 index.php | 2 installer/index.php | 2 program/include/iniset.php | 2 program/lib/Roundcube/bootstrap.php | 2 program/lib/Roundcube/rcube_washtml.php | 2 public_html/index.php | 2 tests/Framework/Washtml.php | 4 + 17 files changed, 60 insertions(+), 18 deletions(-)
diff -Nru roundcube-1.4.12+dfsg.1/CHANGELOG roundcube-1.4.13+dfsg.1/CHANGELOG
--- roundcube-1.4.12+dfsg.1/CHANGELOG 2021-11-12 21:35:37.000000000 +0000
+++ roundcube-1.4.13+dfsg.1/CHANGELOG 2021-12-29 22:45:05.000000000 +0000
@@ -1,6 +1,10 @@
 CHANGELOG Roundcube Webmail
 ===========================
+RELEASE 1.4.13
+--------------
+- Security: Fix cross-site scripting (XSS) via HTML messages with malicious CSS content
+
 RELEASE 1.4.12
 --------------
 - Enigma: Fix bug where signature verification could fail for non-ascii bodies (#7919)
diff -Nru roundcube-1.4.12+dfsg.1/debian/changelog roundcube-1.4.13+dfsg.1/debian/changelog
--- roundcube-1.4.12+dfsg.1/debian/changelog 2021-11-18 19:07:03.000000000 +0000
+++ roundcube-1.4.13+dfsg.1/debian/changelog 2022-01-06 07:51:41.000000000 +0000
@@ -1,3 +1,13 @@
+roundcube (1.4.13+dfsg.1-1~deb11u1) bullseye-security; urgency=high
+
+ * New security upstream release, with fix for CVE-2021-46144: XSS
+ vulnerability via HTML messages with malicious CSS content
+ (closes: #1003027).
+ * Prepend '' to the test vector of the above.
+ * Refresh d/patches.
+
+ -- Guilhem Moulin Thu, 06 Jan 2022 08:51:41 +0100
+
 roundcube (1.4.12+dfsg.1-1~deb11u1) bullseye-security; urgency=high
 * New bugfix/security upstream release (closes: #1000156), with fixes for:
diff -Nru roundcube-1.4.12+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-10.patch roundcube-1.4.13+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-10.patch
--- roundcube-1.4.12+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-10.patch 2021-11-18 19:07:03.000000000 +0000
+++ roundcube-1.4.13+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-10.patch 2022-01-06 07:51:41.000000000 +0000
@@ -112,7 +112,7 @@
 /**
 diff --git a/tests/Framework/Washtml.php b/tests/Framework/Washtml.php
-index 230941c..318e092 100644
+index a643f4c..767273e 100644
 --- a/tests/Framework/Washtml.php
 +++ b/tests/Framework/Washtml.php
 @@ -31,9 +31,9 @@ class Framework_Washtml extends \PHPUnit\Framework\TestCase
diff -Nru roundcube-1.4.12+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-8.5.13-1.patch roundcube-1.4.13+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-8.5.13-1.patch
--- roundcube-1.4.12+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-8.5.13-1.patch 2021-11-18 19:07:03.000000000 +0000
+++ roundcube-1.4.13+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-8.5.13-1.patch 2022-01-06 07:51:41.000000000 +0000
@@ -1400,7 +1400,7 @@
 function _srcpath($fn)
 diff --git a/tests/Framework/Washtml.php b/tests/Framework/Washtml.php
-index 5d62890..1ab0554 100644
+index ec4f4a3..1831b14 100644
 --- a/tests/Framework/Washtml.php
 +++ b/tests/Framework/Washtml.php
@@ -5,7 +5,7 @@
diff -Nru roundcube-1.4.12+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-9.5.0-1.patch roundcube-1.4.13+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-9.5.0-1.patch
--- roundcube-1.4.12+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-9.5.0-1.patch 2021-11-18 19:07:03.000000000 +0000
+++ roundcube-1.4.13+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-9.5.0-1.patch 2022-01-06 07:51:41.000000000 +0000
@@ -153,10 +153,10 @@
 /**
 diff --git a/tests/Framework/Washtml.php b/tests/Framework/Washtml.php
-index 1ab0554..230941c 100644
+index 1831b14..a643f4c 100644
 --- a/tests/Framework/Washtml.php
 +++ b/tests/Framework/Washtml.php
-@@ -552,7 +552,7 @@ class Framework_Washtml extends \PHPUnit\Framework\TestCase
+@@ -556,7 +556,7 @@ class Framework_Washtml extends \PHPUnit\Framework\TestCase
 $washed = $washer->wash($html);
 $this->assertTrue($washer->extlinks);
@@ -165,7 +165,7 @@
 $html = "