cdo (2.6.1-1) unstable; urgency=medium . * New upstream release * Simplify with dh-fortran 0.81 * patch: Don't use ENABLE_CF_INTERFACE in pc files; not defined debian-edu-install (2.13.0) unstable; urgency=medium . [ Philip Hands ] * Change install paths, to make package usrmerge-compliant. * Bump standards version to 4.7.2, no changes needed. * salsa-CI: enable default pipeline. . [ Mike Gabriel ] * debian/control: Bump Standards-Version: to 4.7.4. * debian/control: Drop Priority: field from global header. exim4 (4.99.3-1) unstable; urgency=medium . * Use new upstream tarball with CVE-2026-45185 fix included, drop separate patch. * Switch b-d from default-libmysqlclient-dev to libmariadb-dev. (Closes: #1137452). Also mention MariaDB in package descriptions. expeyes (5.3.5+repack-1) unstable; urgency=medium . * New upstream version 5.3.5+repack firebuild (0.8.6.1-2) unstable; urgency=medium . [ Balint Reczey ] * Fix FTBFS on LoongArch (Closes: #1129924) . [ Remus-Gabriel Chelu ] * Romanian translation of firebuild debconf template (Closes: #1137379) gettext (0.26-1) unstable; urgency=medium . * New upstream release. * Apply patch from Bruno Haible to allow building with glibc 2.43. * Skip test-pr_xid_continue and test-pr_xid_start (libunistring 1.4). * Refresh signing key. * Update standards-version. gettext (0.26-1~exp0) experimental; urgency=medium . * Test release for experimental. golang-github-go-openapi-loads (0.23.3-1) unstable; urgency=medium . * New upstream release. * Update Build-Depends for new upstream release. * Add lintian-overrides files. golang-github-go-openapi-loads (0.23.1-3) unstable; urgency=medium . * Remove «Priority: optional», which is now the default. * Bump Standards-Version to 4.7.4. * Fix debian/watch file. * Remove Tim from Uploaders, email bounces. * Remove --buildsystem=golang implicit since dh 13.4. * Change wrap-and-sort arguments in salsa-ci to -sat. golang-github-mdlayher-genetlink (1.4.0-2) unstable; urgency=medium . * Bump Standards-Version to 4.7.4. * Switch to debian/watch format version 5. * Run wrap-and-sort -ast. * Remove --buildsystem=golang implicit since dh 13.4. * Add myself to Uploaders. golang-github-prometheus-common (0.67.5-1) unstable; urgency=medium . * New upstream release. * Remove «Rules-Requires-Root: no», which is now the default. * Remove «Priority: optional», which is now the default. * Bump Standards-Version to 4.7.4. * Switch to debian/watch format version 5. * Run wrap-and-sort -ast. * Add myself to Uploaders. golang-github-prometheus-otlptranslator (1.0.0-2) unstable; urgency=medium . * Team upload. * Source only upload. golang-github-prometheus-otlptranslator (1.0.0-1) unstable; urgency=medium . * Initial release (Closes: #1136685) lava (2026.04-7) unstable; urgency=medium . * d/tests: restrict lava-dispatcher-host test architectures lava (2026.04-6) unstable; urgency=medium . * Revert "d/py3dist-overrides: remove hard dependency on python3-guestfs" * Revert "d/control: move python3-bpfcc to Recommends" * Revert "d/py3dist-overrides: remove hard dependency on python3-guestfs" * Revert "d/control: use versioned ranges for cross arch package deps" * Revert "d/control: mark dispatcher and dev packages Architecture: any" * d/control: make lava-dev arch-dependent * d/control: restrict lava-dev dep python3-guestfs to supported arches * d/control: switch lava-dispatcher to Architecture: any * d/control: restrict lava-dispatcher dep python3-guestfs to supported arches * d/control: move python3-guestfs to lava-dispatcher Depends * d/control: drop Multi-Arch: foreign from lava-dispatcher * d/control: restrict lava-dispatcher-host to bpfcc-supported arches * d/control: relax lava-dispatcher-host deps and add per-arch kernel headers * d/control: drop Multi-Arch: foreign from lava-dispatcher-host * d/control: update lava-dispatcher dep bmap-tools to bmaptool * d/control: relax lava-server gunicorn dep * d/t/control: add missing arches to python3-guestfs * d/t/control: relax deps * d/t/control: update comment about upstream test suite * d/py3dist-overrides: ignore guestfs * d/py3dist-overrides: ignore fakeroot mdit-py-plugins (0.6.1-1) unstable; urgency=medium . * New upstream version * Standards-Version: 4.7.4 (routine-update) * Update watch file format version to 5. * Use GitHub template in watch file instead of explicit Source/Matching-Pattern. * debputy lint --auto-fix (routine-update) morph-browser (1.99.4+dfsg-3) unstable; urgency=medium . * debian/control: + Add D: (morph-browser-qt6): qml6-module-qtcore. mypy (2.1.0-2) unstable; urgency=medium . * d/README.Debian: explain that the native parser & parallel parser is not currently available in Debian. * Release to unstable. mypy (2.1.0-1) experimental; urgency=medium . * New upstream version * d/control: needs librt 0.11+ * Refreshed patches mypy (2.0.0-1) experimental; urgency=medium . * New upstream version * Removed mypyc regression patch applied upstream. * d/control: needs the newer librt. * d/rules: re-enable testAllBase64Features_librt, upstream fixed it. * Added patch to remove the native parser as the ast_serialize Python package is not yet available in Debian. * d/changelog & d/README.source: fix typos * debputy lint --auto-fix (routine-update) * Refreshed the ast_serialize removal patch. * d/control: needs newer librt. pcp (7.1.5-1) unstable; urgency=high . * New release (full details in CHANGELOG). pcs (0.12.2-2) unstable; urgency=medium . * d/control: require newer version of ruby-json * d/control: update Standards-Version to 4.7.4 podman (5.8.2+ds1-2) unstable; urgency=medium . * Relax Build-Conflicts with golang-opentelemetry-contrib-dev (Closes: #1137229) proftpd-mod-geoip2 (0.1.1-1) unstable; urgency=medium . * New upstream version. . [ Debian Janitor ] * Set upstream metadata fields: Bug-Database, Bug-Submit, Repository-Browse. * Update standards version to 4.6.1, no changes needed. . * Enable Reprotest on Salsa CI. * Stop building the module twice. * Update d/watch file to version 5. * SALSA_CI_DISABLE_USCAN: 1 * Lintian overrides + fixes * Bump Standards version. * gbp.conf: handle pristine-tar upon pull / pull / import-orig rebar (2.6.4-10) unstable; urgency=medium . * Team upload. * Use the SOURCE_DATE_EPOCH environment variable instead of the current timestamp to embed into the rebar binary if available for reproducibility. * Temporarily disable one test clause which outcome differs for Erlang 27 and Erlang 29. rebar3 (3.27.0-3) unstable; urgency=medium . * Team upload * Fix unused variable which makes one test fail. rebar3 (3.27.0-2) unstable; urgency=medium . * Team upload * Add a patch which helps with running tests on Erlang 29. * Temporarily disable one test clause which outcome differs for Erlang 27 and Erlang 29. * Cleanup debian/copyright. * Bump standards version to 4.7.4. roundcube (1.6.16+dfsg-1) unstable; urgency=medium . * New upstream security and bugfix release (closes: #1137507). + Fix stored XSS/HTML/CSS injection in subject field of the draft restore dialog. + Fix CSS injection bypass in HTML sanitizer via SVG . + Fix pre-auth SQL injection in `virtuser_query plugin` via `preg_replace()` backslash escape bypass. + Fix SSRF bypass via specific local address URLs. + Fix local/private URL fetch bypass when remote resources were not allowed. + Fix bypass of remote image blocking via CSS `var()`. + Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass. + Code injection vulnerability via code evaluation support in LDAP autovalues option. Code evaluation support has been removed. * Refresh d/patches. * d/p/Avoid-dependency-on-new-package-mlocati-ip-lib.patch: Add support for non quad-dotted IPs and non-decimal fields to match the upstream behavior. * Update Standards-Version to 4.7.4 (no changes necessary). roundcube (1.6.15+dfsg-1) unstable; urgency=high . * New upstream security and bugfix release (closes: #1132268). + Fix SVG animate FUNCIRI attribute bypass (remote image loading via fill/filter/stroke). + Fix regression where mail search would fail on non-ascii search criteria. + Fix regression where some data url images could get ignored/lost. * Refresh d/patches and remove those applied upstream. * d/control: Add Build-Depends: node-source-map. * Improve custom patch to avoid dependency on mlocati/ip-lib: + Trim leading zeros from the decimal representation of IPv4 octets to match GuzzleHTTP's mangling of invalid IP addresses. + Treat IPv4-mapped and IPv4-compatible addresses as belonging to the local range when the v4 address is also local. roundcube (1.6.14+dfsg-1) unstable; urgency=high . * New upstream security and bugfix release (closes: #1131182). + Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler. + Fix bug where a password could get changed without providing the old password. + Fix IMAP Injection + CSRF bypass in mail search. + Fix remote image blocking bypass via various SVG animate attributes. + Fix remote image blocking bypass via a crafted background attribute. + Fix fixed position mitigation bypass via use of `!important`. + Fix XSS vulnerability in HTML attachment preview. + Fix SSRF and information disclosure vulnerability via stylesheet links pointing to a local network hosts. * Refresh d/patches. * Cherry-pick upstream changes from 1.7 to fix PHP 8.2 deprecation warning on utf8_{encode,decode}() uses. * Cherry-pick upstream change from 1.7 to fix PHP 8.4 deprecation warning on str_getcsv() use. * Cherry-pick upstream regression fix where mail search would fail on non-ascii search criteria. * Add custom patch to avoid dependency on mlocati/ip-lib, which as of today is not present in Debian. * phpunit: Pass `--display-deprecations` and `--display-phpunit-deprecations` flags. roundcube (1.6.13+dfsg-1) unstable; urgency=high . * New upstream security and bugfix release (closes: #1127447). + Fix CSS injection vulnerability. + Fix remote image blocking bypass via SVG content. * Remove an obsolete maintscript entry. * Refresh d/patches. * d/control: Remove `Rules-Requires-Root: no`. * Update Standards-Version to 4.7.3. + Remove "Priority: optional" which is the current default and spelling it out is no longer recommended per Policy. roundcube (1.6.12+dfsg-1) unstable; urgency=high . * New upstream security and bugfix release (closes: #1122899). + Fix Cross-Site-Scripting vulnerability via SVG's animate tag. + Fix Information Disclosure vulnerability in the HTML style sanitizer. * d/watch: + Port to Version 5. + Simplify [UD]version-Mangle. + Use @STABLE_VERSION@ not @ANY_VERSION@ as tag matching pattern. * Refresh d/patches. roundcube (1.6.11+dfsg-1) unstable; urgency=high . * New upstream security and bugfix release. + Fix Post-Auth RCE via PHP Object Deserialization (closes: #1107073). * Refresh d/patches. roundcube (1.6.10+dfsg-2) unstable; urgency=medium . * d/t/control: Replace nginx-light dependency with nginx (closes: #1095638). * Update Standards-Version to 4.7.2 (no changes necessary). * d/copyright: Replace FSF's old postal address with an URL. roundcube (1.6.10+dfsg-1) unstable; urgency=medium . * New upstream release. Highlight includes: + IMAP: Partial support for ANNOTATE-EXPERIMENT-1 extension (RFC 5257) + OAuth: Support standard authentication with short-living password received with OIDC token + Fix PHP deprecation warnings + Fix whitespace handling in vCard line continuation + Fix regression causing inline SVG images to be missing in mail preview + Fix PHP fatal error when parsing some malformed BODYSTRUCTURE responses + Fix Oauth issues with use_secure_urls=true + Fix handling of binary mail parts (e.g. PDF) encoded with quoted-printable + Fix decoding of attachment names encoded using both RFC2231 and RFC2047 standards . [ наб ] * d/control: Build-Depends: remove dh-buildinfo (see #1068809). . [ Carles Pina i Estany ] * Added po-debconf Catalan translation. . [ Guilhem Moulin ] * Refresh d/patches. roundcube (1.6.9+dfsg-2) unstable; urgency=medium . * Fix FTBFS and DEP-8 tests with PHP8.4 (closes: #1089732): + Backport upstream commit to fix broken/flaky unit test. + Add ‘allow-stderr’ restriction to some autopkgtests to workaround #1090887. roundcube (1.6.9+dfsg-1) unstable; urgency=medium . * New upstream bugfix release. * d/patches: Add missing ‘Forwarded: not-needed’. * d/copyright: Change Upstream-Name to match composer.json-dist. * d/copyright: Bump copyright years. * Refresh d/patches and remove patches applied upstream. roundcube (1.6.8+dfsg-2) unstable; urgency=medium . * Regression fix: The fix for CVE-2024-42008 breaks printing and other handling of image attachments. (Closes: #1078456) * Fix FTBFS with phpunit 11. (Closes: #1039853, #1070637) roundcube (1.6.8+dfsg-1) unstable; urgency=medium . * New upstream bugfix and security release (closes: #1077969): + Fix fatal error when parsing some TNEF attachments. + Fix decoding mail parts with multiple base64-encoded text blocks. + Fix infinite loop when parsing malformed Sieve script. + Fix bug where imap_conn_option's 'socket' was ignored. + Fix CVE-2024-42008: XSS vulnerability in serving of attachments other than HTML or SVG. + Fix CVE-2024-42009: XSS vulnerability in post-processing of sanitized HTML content. + Fix CVE-2024-42010: Fix information leak (access to remote content) via insufficient CSS filtering. * Refresh d/patches. roundcube (1.6.7+dfsg-1) unstable; urgency=high . * New upstream bugfix and security release (closes: #1071474): + Fix command injection via crafted im_convert_path/im_identify_path on Windows. + Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences. + Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes. + Fix PHP8 warnings. * Update Standards-Version to 4.7.0 (no changes necessary). * Refresh d/patches. roundcube (1.6.6+dfsg-2) unstable; urgency=medium . * d/control: Drop ‘libmagic1’ from roundcube-core's Depends. (Closes: #1066853) roundcube (1.6.6+dfsg-1) unstable; urgency=medium . * New upstream bugfix release: + Fix regression in handling LDAP search_fields configuration parameter. + Fix PHP8 warnings. + Fix rcube::decrypt(). + Enigma: Fix finding of a private key when decrypting a message using GnuPG v2.3. + Fix page jump menu flickering on click. + Fix Sieve scripts comment parse with CRLF. + Fix bug where trailing non-ascii characters in email addresses could have been removed in recipient input. + Fix IMAP GETMETADATA command with options [RFC5464]. + Support (DEPTH 0) in GETMETADATA command. + Clear IMAP capabilities on connection close. * Add ‘logs/errors.log’ to d/clean. (Closes: #1046449) * Move version mangling from build to install targets. * d/roundcube-core.*.timer: Set Persistent=false. (Closes: #1057061) * d/roundcube-core.roundcube-cleandb.timer: Adjust OnCalendar= to match cronjob specification. * Refresh d/patches. * d/control: Add php-guzzlehttp-guzzle to Build-Depends (unless under ‘nocheck’ profile) as Actions_Utils_Modcss::test_run() requires it. * Backport upstream change from master branch to fix Actions_Utils_Modcss:: test_run(). * d/p/mark-flaky-tests-as-such.patch: Unmark test_encrypt_and_decrypt() as flaky. * d/origtargz-diff.sh: Drop query string in destination filename. roundcube (1.6.5+dfsg-1) unstable; urgency=high . * New upstream security and bugfix release: + Fix cross-site scripting (XSS) vulnerability in setting Content-Type/Content-Disposition for attachment preview/download. (Closes: #1055421) + Fix PHP8 fatal error when parsing a malformed BODYSTRUCTURE. + Fix UI issue when dealing with an invalid managesieve_default_headers value. + Fix bug where images attached to application/smil messages weren't displayed. + Fix PHP8 warnings. + Fix regression where ‘smtp_user’ did not allow pre/post strings before/after ‘%u’ placeholder. * d/control: Drop 10 year old Breaks+Replaces constraints. * d/rules: Update to reflect upstream Makefile. * roundcube-plugins: Remove obsolete maintscript. * roundcube-core: Suggests some potentially useful roundcube-plugin-*. * Refresh d/patches. roundcube (1.6.4+dfsg-1) unstable; urgency=high . * New upstream security and bugfix release: + Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages. (Closes: #1054079) + Managesieve plugin: Fix javascript error when relational or spamtest extension is not enabled. + Fix PHP8 warnings. * Add DEP-8 test to check RCMAIL_VERSION against d/changelog. * roundcube-core.postinst: Don't choke on non-existing symlink targets. (Closes: #1053709) roundcube (1.6.3+dfsg-2) unstable; urgency=low . * Replace upstream release “version” 1.6-git with the actual tagged version (currently 1.6.3). roundcube (1.6.3+dfsg-1) unstable; urgency=medium . * New upstream security and bugfix release: + Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages. (Closes: #1052059) + Fix regression that broke use_secure_urls feature hence OAuth2 authentication. (Closes: #1050317) + Fix regression where LDAP addressbook 'filter' option was ignored. + Fix regression in decoding mail parts FETCHed from IMAP. + Fix PHP8 warnings. * roundcube-core.cron: Trigger gc twice every hour. (Closes: #1043395) * Fix GuzzleHttp autoload location. (Closes: #1040705) * d/p/fix-autoload-location.patch: Set ‘Forwarded: not-needed’ DEP-3 header. * Refresh d/patches. roundcube (1.6.2+dfsg-1) unstable; urgency=medium . [ Amin Bandali ] * Test suite: Adjust short date test to make it work with all ICUs. (Closes: #1030161) . [ Remus-Gabriel Chelu ] * Add Romanian debconf templates translation. (Closes: #1033468) . [ Guilhem Moulin ] * New upstream bugfix release. * d/gbp.conf, d/README.source: Remove obsolete comment. * d/sql/mysql/1.3.0-1: Move inline comment. * d/p/fix-short-date-test-icu72.patch: Remove patch applied upstream. * Refresh patches. roundcube (1.6.1+dfsg-1) unstable; urgency=medium . * New upstream bugfix release. * Update d/sql for 1.6.1+dfsg-1. * Fix d/README.source order. * Refresh d/patches. * d/roundcube-core.postinst: Add $config['imap_host'] to $CONFFILE.ucftmp if needs be. This fixes d/t/config-ownership-perms. * d/t/config-ownership-perms: Use HOST:PORT in roundcube/hosts string. roundcube (1.6.0+dfsg-2) unstable; urgency=medium . * Salsa CI: Restore piuparts job. * Salsa CI: Install suitable RDBMS before running piuparts. * Salsa CI: Include recipes/debian.yml. * d/control: Build-Depends: Drop versioned constraint on uglifyjs. * Update standards version to 4.6.2, no changes needed. * Fix FTBFS (closes: #1026528). * d/s/lintian-overrides: Remove mismatched overrides. roundcube (1.6.0+dfsg-1.1) unstable; urgency=medium . * Non-maintainer upload. * No source change upload to rebuild with debhelper 13.10. roundcube (1.6.0+dfsg-1) unstable; urgency=low . * New upstream release. * d/p/fix-install-path.patch: Also adjust installer/index.php. * d/t/control: Factor stanzas with same dependencies and restrictions. * /etc/roundcube/*.php: Don't include files only once. * DEP-8: Run upstream installer checks in a dedicated autopkgtest. * d/t/cleanup: Sort sessions by changed date on error. * d/t/installer-checks: And also run 3rd step of installation checks. * DEP-8: Add ‘Restrictions: breaks-testbed’ when suitable. * DEP-8: Name inline tests. * debian/control: Replace 'Depends: libapache2-mod-php | php' with 'Depends: php'. * Add d/README.source to document the package workflow. roundcube (1.6~rc+dfsg-2) experimental; urgency=medium . * Adjust d/origtargz-diff.sh for 1.6~rc+dfsg. * Refresh lintian overrides to accommodate lintian v2.115. * Bump Standards-Version to 4.6.1 (no changes needed). * Promote GuzzleHttp\Client back to "require" from "suggest". * Revert "Don't install the installer into /usr/share/roundcube." * Run upstream installer checks for apache2 and lighttpd DEP-8 tests. * Add roundcube-cleandb.{service,timer} which replaces the cronjob on systems where PID1 is systemd. * Add roundcube-gc.{service,timer} to purge expired sessions, caches and tempfiles in the background in a scheduled fashion. * Don't force set session.gc_probability=1 since we don't have to rely on probabilistic synchronous garbage collection anymore. * Remove obsolete /etc/default/roundcube and /etc/cron.daily/roundcube-core files since removing temporary files is part of the normal garbage collection routine. * DEP-8: Create tempfiles in $AUTOPKGTEST_TMP not /tmp. * DEP-8: Test roundcube-{cleandb,gc}.service (cleanup and garbage collection routines). roundcube (1.6~rc+dfsg-1) experimental; urgency=medium . * New upstream release candidate 1.6. * d/u/signing-key.asc: Add Alec's key BEE674A019359DC1. * Refresh d/patches. roundcube (1.6~beta+dfsg-2) experimental; urgency=medium . * d/roundcube-core.NEWS: Mention roundcube-skin-* packages by name now that they cleared the NEW queue. * d/control: roundcube-core: Add 'Recommends: roundcube-skin-classic, roundcube-skin-larry'. * Update d/copyright. * d/watch: Add uversionmangle for /-(alpha|beta|rc)\d*$/. * d/watch: Improve dversionmangle. * d/sql/*.sql: Escape identifiers to fix compatibility with MySQL 8 (LP: #1970428). * New script d/sqlupdate replacing d/addsqlupdate.sh. * Update d/sql for 1.6~beta+dfsg-1 (remove 2020122900 which is in d/sql/*/1.5.0+dfsg.1-1 already). * Run wrap-and-sort(1). * Remove d/t/fix-format_date-x.patch and generate an en_US.utf8 locale for the upstream test suite instead. This adds Build-Depends: locales. roundcube (1.6~beta+dfsg-1) experimental; urgency=medium . * New beta upstream release. Highlights for major version 1.6 include: - Full PHP 8.1 support (closes: #1000642) - Unified and simplified services connection options: . renamed `default_host` resp. `smtp_server` to `imap_host` resp. `smtp_host` . removed `default_port`, `smtp_port`, `managesieve_port` and `managesieve_usetls` options - The classic and larry skins are no longer included in the upstream repository hence are excluded from this source package; we will ship in separate packages. * Add d/roundcube-core.NEWS to highlight the above. * Update default value for roundcube/hosts template to "localhost:143" to match the upstream default. * Update d/copyright. * Update d/sql. * Refresh d/patches. Remove the following patches (now obsolete or applied upstream): - fix-FTBFS-with-phpunit-8.patch - fix-file-list-in-phpunit-configuration.patch - fix-FTBFS-with-phpunit-9.patch * Add patch to fix `$rcmail->format_date(.., 'x')` calls. * Remove mismatched Lintian override. * Add 'Restrictions: rw-build-tree' to the phpunit DEP-8 test as it writes into tests/.phpunit.result.cache. * Add aspell-en and php-pspell to Build-Depends (unless under 'nocheck' build profile) and DEP-8 test to test Framework_SpellcheckerPspell. * Add hunspell-en-us and php-enchant to Build-Depends (unless under 'nocheck' build profile) and DEP-8 test to test Framework_SpellcheckerEnchant. * Add php-roundcube-rtf-html-php to Build-Depends (unless under 'nocheck' build profile) and DEP-8 test to test Framework_TnefDecoder. * Add php-bacon-qr-code to Build-Depends (unless under 'nocheck' build profile) and DEP-8 test to test Actions_Contacts_Qrcode. * d/rules, d/t/control: Mark flaky tests as such and run phpunit with `--exclude-group=flaky --fail-on-skipped` in build-time and DEP-8 tests. * CI: Disable piuparts which is bound to fail due to the schema upgrade. * d/rules: Replace '$(dir $@)' with '$(@D)'. . roundcube (1.5.2+dfsg-1) unstable; urgency=medium . * New upstream bugfix & security release (closes: #1003027). roundcube (1.5.1+dfsg-1) unstable; urgency=medium . * New upstream bugfix release. * Change repacking suffix to +dfsg from +dfsg.1. roundcube (1.5.0+dfsg.1-2) unstable; urgency=medium . * CI: Restore piuparts job. * DEP-8: config-ownership-perms: Add Restrictions: allow-stderr. roundcube (1.5.0+dfsg.1-1) unstable; urgency=low . * New upstream release. Highlights for major version 1.5 include: - full PHP 8.0 support (closes: #977687) - dark mode for Elastic skin - collected recipients and trusted senders - moving recipients between inputs with drag & drop - full unicode support with MySQL database - support of IMAP LITERAL [RFC7888] - support of [RFC2231] encoded names - cache refactoring * Ship upstream's bin/updatedb.sh to roundcube-core. * d/t/dbconfig-no-thanks: Also run bin/updatedb.sh. * d/t/dbconfig-no-thanks: Check DB ownership and permissions. * Exclude spellchecker from build-time and DEP8 tests, as dictionary mismatch makes it too brittle. * d/pkg-php-tools-overrides: Remove useless roundcube/net_sieve builtin. . roundcube (1.5~rc+dfsg.1-3) experimental; urgency=medium . * DEP-8: Add test for dbconfig-no-thanks (set custom $config['db_dsnw']). * Create symlink var/lib/roundcube/SQL pointing to usr/share/roundcube/SQL. This is required for dbconfig-no-thanks deployments (closes: #996613). * Refresh lintian overrides to accommodate lintian v2.109. * Retroactively update d/roundcube-core.NEWS to advertise the 1.4 smtp_* default settings (closes: #994446). . roundcube (1.5~rc+dfsg.1-2) experimental; urgency=medium . * Replace `which` with `command -v` in maint scripts. * Refresh lintian overrides to accommodate lintian v2.107. * Bump Standards-Version to 4.6.0 (no changes needed). * Remove 4 obsolete maintscript entries in 2 files. * Set upstream metadata fields: Security-Contact. . roundcube (1.5~rc+dfsg.1-1) experimental; urgency=medium . * New upstream release candidate 1.5 (closes: #949629). * d/rules: Exclude tinymce/js/tinymce/tinymce.d.ts in accordance with jsdeps.json. . roundcube (1.5~beta+dfsg.1-4) experimental; urgency=medium . * d/roundcube-core.cron.daily, d/addsqlupdate.sh: `set -ue` and improve quoting. * d/*: Fix space damage. * bin/update.sh: Hardcode define('INSTALL_PATH', '/var/lib/roundcube/'); (closes: #989140). * d/roundcube-core.postinst: Set DEBIAN_PKG=[0|1] for symmetry. * d/p/debianize-config.patch: Comment out sample plugins, see #884992. . roundcube (1.5~beta+dfsg.1-3) experimental; urgency=medium . * d/*.post*, d/*.config: Improve style consistency. * d/*.post*: pathfind(): Keep IFS null (instead of setting it to the empty string) if it was null before. * d/roundcube-core.postinst: Set ln(1)'s '-T' to flag protect against undesired semantics should the target be an existing directory. * d/roundcube-core.postinst, d/roundcube-core.config: Replace useless calls to sed. * d/*.pre*, d/*.post*, d/*.config: Fix space damage. * d/roundcube-core.postinst: Make configuration sample parsing and reading roundcube/hosts more robust. * d/roundcube-core.postinst: 3DES key generation: Use a random 18-bytes long string base64 encoded (the key needs to be 24 bytes long). * d/roundcube-core.postinst: lighttpd: Prefer the more efficient fastcgi-php-fpm over fastcgi-php on lighttpd 1.4.55-2 and later. * d/copyright: Add self. * DEP-8: Add basic Apache2 and lighttpd tests. * DEP-8: Add configuration file and log/temp directory ownership and mode checks. * DEP-8: Add an hardened deployment, with a dedicated PHP-FPM pool and dedicated user/group (so the HTTPd can't read sensitive roundcube data). * d/roundcube-core.post*: Reload webserver with deb-systemd-invoke(1) when possible. * d/roundcube-core.postinst: Avoid running bin/update.sh with root privileges, depending on /etc/roundcube/config.inc.php's ownership and mode: if the file is word-readable then issue a warning and run as www-data; otherwise, if the file not root-owned then run as its owner; otherwise, if the file is group readable and is not group owned by root, and the group is used as a primary group for a single user, then use that user. Should all that fail root privileges are preserved and a warning is issued. * d/roundcube-core.postinst: Issue a warning if a .dpkg-new leak is dedected. roundcube (1.5~rc+dfsg.1-3) experimental; urgency=medium . * DEP-8: Add test for dbconfig-no-thanks (set custom $config['db_dsnw']). * Create symlink var/lib/roundcube/SQL pointing to usr/share/roundcube/SQL. This is required for dbconfig-no-thanks deployments (closes: #996613). * Refresh lintian overrides to accommodate lintian v2.109. * Retroactively update d/roundcube-core.NEWS to advertise the 1.4 smtp_* default settings (closes: #994446). roundcube (1.5~rc+dfsg.1-2) experimental; urgency=medium . * Replace `which` with `command -v` in maint scripts. * Refresh lintian overrides to accommodate lintian v2.107. * Bump Standards-Version to 4.6.0 (no changes needed). * Remove 4 obsolete maintscript entries in 2 files. * Set upstream metadata fields: Security-Contact. roundcube (1.5~rc+dfsg.1-1) experimental; urgency=medium . * New upstream release candidate 1.5 (closes: #949629). * d/rules: Exclude tinymce/js/tinymce/tinymce.d.ts in accordance with jsdeps.json. roundcube (1.5~beta+dfsg.1-4) experimental; urgency=medium . * d/roundcube-core.cron.daily, d/addsqlupdate.sh: `set -ue` and improve quoting. * d/*: Fix space damage. * bin/update.sh: hardcode define('INSTALL_PATH', '/var/lib/roundcube/'); (closes: #989140). * d/roundcube-core.postinst: Set DEBIAN_PKG=[0|1] for symmetry. * d/p/debianize-config.patch: Comment out sample plugins, see #884992. roundcube (1.5~beta+dfsg.1-3) experimental; urgency=medium . * d/*.post*, d/*.config: Improve style consistency. * d/*.post*: pathfind(): Keep IFS null (instead of setting it to the empty string) if it was null before. * d/roundcube-core.postinst: Set ln(1)'s '-T' to flag protect against undesired semantics should the target be an existing directory. * d/roundcube-core.postinst, d/roundcube-core.config: Replace useless calls to sed. * d/*.pre*, d/*.post*, d/*.config: Fix space damage. * d/roundcube-core.postinst: Make configuration sample parsing and reading roundcube/hosts more robust. * d/roundcube-core.postinst: 3DES key generation: Use a random 18-bytes long string base64 encoded (the key needs to be 24 bytes long). * d/roundcube-core.postinst: lighttpd: Prefer the more efficient fastcgi-php-fpm over fastcgi-php on lighttpd 1.4.55-2 and later. * d/copyright: Add self. * DEP-8: Add basic Apache2 and lighttpd tests. * DEP-8: Add configuration file and log/temp directory ownership and mode checks. * DEP-8: Add an hardened deployment, with a dedicated PHP-FPM pool and dedicated user/group (so the HTTPd can't read sensitive roundcube data). * d/roundcube-core.post*: Reload webserver with deb-systemd-invoke(1) when possible. * d/roundcube-core.postinst: Avoid running bin/update.sh with root privileges, depending on /etc/roundcube/config.inc.php's ownership and mode: if the file is word-readable then issue a warning and run as www-data; otherwise, if the file not root-owned then run as its owner; otherwise, if the file is group readable and is not group owned by root, and the group is used as a primary group for a single user, then use that user. Should all that fail root privileges are preserved and a warning is issued. * d/roundcube-core.postinst: Issue a warning if a .dpkg-new leak is dedected. . roundcube (1.4.11+dfsg.1-4) unstable; urgency=medium . * d/roundcube-core.postinst: Remove the roundcube lighttpd module after it has been disabled, not before (closes: #988282). * d/roundcube-core.postinst: lighttpd: Don't enable fastcgi-php if there is already an enabled fastcgi .php handler (closes: #988236). * d/uupdate: Fix comment. roundcube (1.5~beta+dfsg.1-2) experimental; urgency=medium . * Add hunspell-en-us to Build-Depends and DEP-8 tests dependencies as spellcheck tests rely on that dictionary. roundcube (1.5~beta+dfsg.1-1) experimental; urgency=medium . * New upstream beta release. * Change default spellchecker engine from pspell to enchant as the latter is better supported and more flexible. * d/copyright: Update Files-Excluded stanza for tinymce component. * d/uupdate: Fix tinymce-langs URL. * d/control: Bump dependencies to match jsdeps.json and composer.json-dist. * d/control: Update build dependencies for the improved test suite. * Update d/copyright. * Fix DEP-8 tests: The test suite now requires reads the configuration file, so we need to run it as www-data. We test with SQLite3 backend, and also the default backend (MySQL) on testbeds providing container-level isolation. * d/rules: Treat plugins/*/readme* (not only plugins/*/README*) as documentation. * CI: Disable piuparts which is bound to fail due to the schema upgrade. roundcube (1.4.11+dfsg.1-4) unstable; urgency=medium . * d/roundcube-core.postinst: Remove the roundcube lighttpd module after it has been disabled, not before (closes: #988282). * d/roundcube-core.postinst: lighttpd: Don't enable fastcgi-php if there is already an enabled fastcgi .php handler (closes: #988236). * d/uupdate: Fix comment. roundcube (1.4.11+dfsg.1-3) unstable; urgency=medium . * Remove versioned dependency (php* <<8.0) as it prevents users from upgrading php-common (e.g. via 3rd-party repositories). Instead we give a hint which phpX.Y-* packages needs to be manually installed. Thanks to the Debian PHP PEAR Maintainers for their input! roundcube (1.4.11+dfsg.1-2) unstable; urgency=medium . * d/rules: Reorder targets based on the dh sequencer execution order. * d/roundcube-core.README.Debian: Add instructions for running Roundcube code as a user:group other than the default www-data:www-data. roundcube (1.4.11+dfsg.1-1) unstable; urgency=high . * New upstream bugfix/security release. * d/rules: Remove duplicate dh_link call. * d/rules: Fix sourcemap URLs in minified CSS. roundcube (1.4.10+dfsg.2-2) unstable; urgency=medium . [ Sandro Knauß ] * Remove retry-to-reach-imap-server.patch (Closes: #960302) It triggered too many issues for other users. . [ Guilhem Moulin ] * Update d/missing-sources/README. * Remove useless duplicate d/install-jsdeps.sh. * d/rules: Use execute_after_dh_* from Debhelper compatibility level 13 when relevant. * d/control: Require php* <8.0 in dependencies. roundcube (1.4.10+dfsg.2-1) unstable; urgency=low . * Retroactively update roundcube-plugins.NEWS as enigma is currently usable in Bullseye and sid. * d/rules: Complete refactoring. * Ship skin README files to /usr/share/doc/PACKAGE/skins. * Run bin/updatecss.sh at build time to (re-)stamp background images. * Exclude irrelevant scripts from binary packages: cssshrink.sh, initdb.sh, install-jsdeps.sh, installto.sh, jsshrink.sh, makedoc.sh, updatecss.sh, and updatedb.sh. * Don't install .htaccess into /usr/share/roundcube. The root directory for the HTTPd is /var/lib/roundcube and already ship the htaccess there. * Don't install the installer into /usr/share/roundcube. * Lintian overrides: Remove package annotations. * Remove upstream installation instructions from /usr/share/doc/roundcube-core * Lintian: Override false positive package-contains-documentation-outside-usr-share-doc and package-contains-empty-directory. * Install managesieve helpdocs to /usr/share/doc/roundcube-plugins. * Install password helpers into /usr/share/roundcube/plugins/password/helpers not into /usr/share/doc/roundcube-core/examples. * plugins/password/helpers/chpass-wrapper.py: use python3 as interpreter and add to roundcube-plugins' Suggests. * d/watch: Monitor git tags rather than release tarballs. * d/gbp.conf: Add upstream VCS tag as additional parent to upstream/$VERSION. * d/gbp.conf: Rename upstream branch to upstream/release-1.4. * Recommend using new directory /var/lib/roundcube/public_html as document root. * Update d/*.README.Debian with current instructions. * Run the upstream test suite (excluding Selenium-based web tests) at build time (unless under 'nocheck' build profile). This adds phpunit, php-masterminds-html5 and php-intl to Build-Depends. * Add DEP-8 tests. For now this only consists of the upstream test suite (excluding Selenium-based web tests). * Replace Build-Depends: closure-compiler, yui-compressor with cleancss, uglifyjs (>=3), used respectively for CSS and Javascript minification. Build also source maps alongside the minified code. (Closes: #978073) * Elastic skin: Ship non-minified CSS and sourcemap alongside Less source files. (Closes: #978070) * New Build-Depends: pigz. Ship gzipped (minified) JS and CSS files along side the non-compressed versions. Compatible HTTPds can send these files as is in order to avoid on-the-fly compression overhead. (Closes: #978075) roundcube (1.4.10+dfsg.1-1) unstable; urgency=high . * New upstream bugfix release, including security fix for: CVE-2020-35730: Cross-site scripting (XSS) vulnerability via HTML or Plain text messages with malicious content svg/namespace. (Closes: #978491) * d/rules: Make sure to fail the build when an error is raised in a for loop. (Closes: #978069) * d/rules: Refactor and move CSS/JS generation and minification from override_dh_auto_install to override_dh_auto_build. Thanks to Jonas Smedegaard pointing this out. * Bump Standards-Version to 4.5.1 (no changes needed). * Upgrade watch file to version 4. * Rename Debian branch to debian/latest for DEP-14 compliance. * d/gbp.conf: Remove custom setting compression=xz. roundcube (1.4.9+dfsg.1-1) unstable; urgency=medium . * New upstream bugfix release. roundcube (1.4.8+dfsg.1-1) unstable; urgency=high . * New upstream bugfix release, including security fix for CVE-2020-16145: Cross-site scripting (XSS) vulnerability via HTML messages with malicious svg or math content. (Closes: #968216) roundcube (1.4.7+dfsg.2-1) unstable; urgency=low . * d/rules: Exclude TinyMCE language Javascript packs from minification as Roundcube and TinyMCE load $code.js files not $code.min.js. * d/patches: Rename Use-system-JQueryUI.patch to use-system-JQueryUI.patch. * Bundle TinyCME as secondary orig tarballs (downloaded automatically using custom uscan(1) script) rather than in d/missing-sources. The TinyCME zip archive we used to ship in d/missing-sources violates DFSG (since 1.3.0+dfsg.1-1), because upstream's jsdeps.json links to the so-called "production package" which doesn't include preferred sources of modification. This remained unnoticed because lintian doesn't inspect the content of archives in d/missing-sources. Unfortunately Roundcube is still too dependent on the TinyCME version for us to switch to the packaged version (see #784351), so we use secondary tarballs (repacked to exclude generated files such as minified JS and CSS files) for now. * d/control: Bump minimum node-less version to 3.0.0 as for later versions evaluation of JavaScript inline is disabled by default unless the new --js flag is set. * d/patches: Add Forwarded: DEP-3 headers. roundcube (1.4.7+dfsg.1-1) unstable; urgency=high . * New upstream bugfix release, including security fixes for: Cross-Site Scripting (XSS) vulnerability via HTML messages with malicious svg/namespace (closes: #964355) roundcube (1.4.6+dfsg.1-3) unstable; urgency=low . * d/upstream/metadata: Add upstream's screenshot URL. * d/po/de.po: Convert from ISO-8859-15 to TDF-8. * Remove bundled OpenPGP.js as the bundled source is not the preferred form of modification hence violates DFSG. This breaks key generation in the enigma plugin (server-side OpenPGP support), but other key operations (incl. import of private keys) still work. That being said enigma is already broken in Buster (and Bullseye too right now) due to the missing dependency 'php-crypt-gpg'. Admins wanting enigma already need to manually install the dependency; they'll now need to also copy . https://raw.githubusercontent.com/openpgpjs/openpgpjs/v4.4.6/dist/openpgp.min.js . (or a later version) to /usr/share/roundcube/plugins/enigma/openpgp.min.js for key generation to keep working. roundcube (1.4.6+dfsg.1-2) unstable; urgency=medium . * d/rules: Fix FTBFS on systems where lessc(1) 1.6.3 uses node 12.18.0. * d/roundcube-core.preinst: Remove script as the dbconfig logic is a no-op. roundcube (1.4.6+dfsg.1-1) unstable; urgency=low . * New upstream bugfix release. * d/copyright: Add generated CSS (minified or compiled from LESS sources) to Files-Excluded:. We don't want these in our (repacked) orig tarball nor in our git tree. d/origtargz-diff.sh can be used to verify that all upstream-generated CSS/JS files are re-generated at build time and that none is missing from our .debs. roundcube (1.4.5+dfsg.1-2) unstable; urgency=low . * d/copyright: Upgrade URLs to secure HTTP. * d/copyright: Simplify Files-Excluded: pattern for generated JS files. Add new helper script d/origtargz-diff.sh to make sure we ship all files: generated files from the upstream tarball (before repacking) are excluded from the repacked .orig tarball, so we need to generate them back at build time and install them somewhere. * d/rules: Replace `find -print0 | xargs -r0` calls and loops with `find -exec`. * d/rules: Minify CSS files ourselves (like for .js files we minify all files, even the ones for which there is no .min.css in the upstream tree). * d/rules: Add yui-compressor to Build-Depends: for CSS minification. * d/patches/debianize-config.patch: typofix (closes: #931909). * d/rules: Also (re-)minify CSS/JS in roundcube-plugins, not only in roundcube-core. The upstream tarball contains multiple plugins/*/*.min.js files before repacking, and while Roundcube seems to manage without, there are no reasons not to re-minify these in additions to the files in -core. * d/roundcube-core.preinst: Drop logic to remove old symlinks with file targets (.js, .txt etc.) as dpkg is able to handle these on its own. * d/roundcube-core.{pre,post}inst: Drop logic to handle upgrade path from ancient versions ( directive. Thanks to Peter Nowee for the report and patch. (Closes: #880194.) * debian/roundcube-core.preinst: Add "#DEBHELPER#" placeholder. * debian/roundcube-core.links: Remove robots.txt, which is no longer shipped by the package since 1.3.0+dfsg.1-1. (Closes: #877275.) roundcube (1.3.1+dfsg.1-1) unstable; urgency=medium . * New upstream release. * resort copyright file. * update upstream-Add-get-and-extract-arguments-and-CACHEDIR-env-varia.patch. * Bump Standards-Version to 4.1.0 (no changes needed). * use dbc_go the propper way and use "$@". roundcube (1.3.0+dfsg.1-1) unstable; urgency=medium . * New upstream release. * Update patches: - remove patches that are not needed anymore - hunks - update_composer.patch to match new upstream release * robots.txt is not shipped anymore in the package * Get rid of unused overrides * Bump Standards-Version to 4.0.0 (no changes needed) * Bump compat level to 10 (no changes needed). * Update copyright file * Add SQL updates to Debian package * 3rdparty handling: - switch to install-jsdeps.sh - install unminified version whwn possible, too - modify jsdeps.json to be able to use sources - update all missing-sourcecs * create-jquery-ui-custom.sh don't handle input arguments * Update source.lintian-overrides roundcube (1.2.3+dfsg.1-4) unstable; urgency=high . * Backport fix for CVE-2017-8114: Roundcube Webmail allows arbitrary password resets by authenticated users. This affects versions before 1.0.11, 1.1.x before 1.1.9, and 1.2.x before 1.2.5. The problem is caused by an improperly restricted exec call in the virtualmin and sasl drivers of the password plugin. (Closes: #861388). roundcube (1.2.3+dfsg.1-3) unstable; urgency=high . * Backport fix for CVE-2015-5381: rcube_utils.php in Roundcube before 1.1.8 and 1.2.x before 1.2.4 is susceptible to a cross-site scripting vulnerability via a crafted Cascading Style Sheets (CSS) token sequence within an SVG element. (Closes: #857473). In 1.2.3+dfsg.1-2 the patch wasn't added to debian/patches/series. roundcube (1.2.3+dfsg.1-2) unstable; urgency=high . * Backport fix for CVE-2015-5381: rcube_utils.php in Roundcube before 1.1.8 and 1.2.x before 1.2.4 is susceptible to a cross-site scripting vulnerability via a crafted Cascading Style Sheets (CSS) token sequence within an SVG element. (Closes: #857473). roundcube (1.2.3+dfsg.1-1) unstable; urgency=high . [ Guilhem Moulin ] * New upstream release (closes: #847287). roundcube (1.2.2+dfsg.1-1) unstable; urgency=medium . [ Sandro Knauß ] * Change own mailadress to new debian one * Update Copyright years for myself . [ Guilhem Moulin ] * New upstream release. * debian/control: + Remove php-pspell from roundcube-plugins' Depends: field, as pspell is not used by any plugin. However we keep it in roundcube-core's Recommends: field as $config['spellcheck_engine'] defaults to 'pspell'. (Closes: #825500). + Add php-crypt-gpg, php-net-sieve and php-zip to roundcube-plugins' Suggests: field, respectively for the enigma, managesieve, and zipdownload plugins. Thanks, Jan Gerber. (Closes: #836909). + Upgrade Homepage: field from http:// to https://. * debian/watch: fix syntax error due to missing comment markers. roundcube (1.2.1+dfsg.1-2) unstable; urgency=medium . * Update B-D according to composer.json-dist (Closes: #833461) * Move gpg_crypt from depends to suggests roundcube (1.2.1+dfsg.1-1) unstable; urgency=medium . [ Guilhem Moulin ] * d/roundcube-core.cron.d: install new cronjob (executed as www-data) to finally remove all records that are marked as deleted (closes: #824676). . [ Sandro Knauß ] * New upstream release. * update update_composer.patch with upstream dependencies. * Use secured links roundcube (1.2.0+dfsg.1-1) unstable; urgency=medium . * New upstream release. * update patches (only file hunks updates) * add sql updates for 1.2.0 * make roundcube ready for PHP 7 (Closes: #821646) - replace dependencies from php5-* to php-* packages * Update default config file to match debian default installation - Disable spellchecking by default (needs pspell, that is only recommended) - Remove plugins from default config file (needs roundcube-plugins) * Update the internal copies of external libraries roundcube (1.1.5+dfsg.1-1) unstable; urgency=medium . [ Guilhem Moulin ] * New upstream release (Closes: #822333). * debian/watch: + Increase uscan version from 3 to 4. + Change release URL from http://sf.net to https://github.com . * debian/control: + Bump Standards-Version to 3.9.8 (no changes necessary). . [ Sandro Knauß ] * Use and check signed tarballs * update patch hunks roundcube (1.1.4+dfsg.1-3) unstable; urgency=medium . * No dependency to packages that are part of roundcube itself * Updated composer.json so it matches debian available versions. (Closes: 817792) roundcube (1.1.4+dfsg.1-2) unstable; urgency=medium . [ Vincent Bernat ] * Use an empty array for plugin configuration templates to ensure Roundcube knows the configuration file is valid. Closes: #809769. * Pre-Depends on appriopriate dpkg version for dir_to_symlink. Related to #810980. . [ Sandro Knauß ] * Use dh_phpcomposer to track php dependencies. (Closes: #814664) * Use safe urls for VCS fields * Bumped compat level to 9 * Updated lintian overrides * Added php-pear to depends for roundcube-core. (Closes: #801973) * Bump Standards-Version to 3.9.7 roundcube (1.1.4+dfsg.1-1) unstable; urgency=medium . * New upstream release. roundcube (1.1.3+dfsg.1-1) unstable; urgency=medium . [ Guilhem Moulin ] * New upstream release. * Add self to Uploaders. * debian/copyright: Add program/js/tinymce/plugins/media/moxieplayer.swf to Files-Excluded. * Remove unused lintian overide: package-contains-broken-symlink var/lib/roundcube/config/config.inc.php etc/roundcube/config.inc.php . roundcube (1.1.2+dfsg.1-5) unstable; urgency=medium . [ Vincent Bernat ] * Demote php-net-ldap3 to Recommends. . [ Guilhem Moulin ] * Roundcube: Add 'Breaks: roundcube-core (<< 1.1.1+dfsg.1-1)' to enable smooth upgrade from Wheezy and its backports. Closes: #800659. roundcube (1.1.2+dfsg.1-4) unstable; urgency=medium . * Also recommends php5-fpm and spawn-fcgi since they don't provide httpd-cgi. Closes: #731705. * Replace /var/lib/roundcube/config with a symlink. Closes: #629032. * Require php-net-ldap3 for LDAP. Closes: #785056. * Recommends php-net-sieve. Closes: #798307. roundcube (1.1.2+dfsg.1-3) unstable; urgency=medium . * Handle dir to symlink migration for /usr/share/doc/roundcube{,-plugins}. Closes: #788448 * Put a warning about access rights in empty configuration files for plugins. Closes: #739592 * Depends on php5-pspell for roundcube-plugins. Closes: #793857 * Remove /etc/roundcube/config.inc.php on purge. Closes: #793858 * Add back Enigma plugin. Closes: #771659 * Redact logout.html to not use a remote jquery.js. * Don't ship license.txt with TinyMCE. roundcube (1.1.2+dfsg.1-2) unstable; urgency=medium . * Remove old symlinks for TinyMCE and jQuery on preinst. Closes: #796318. roundcube (1.1.2+dfsg.1-1) unstable; urgency=medium . [ Vincent Bernat ] * Fix quotes in last SQL request for upgrades. Closes: #784573. * Update Apache/Lighttpd configuration files to not use out-of-tree TinyMCE. * Fix postrm for Lighttpd. * Use pathfind to check for a tool existence. * Add lintian overrides for embedded stuff. . [ Sandro Knauß ] * Use internal tinymce and jquery copy. Closes: #784351. Closes: #785333. * New upstream release. * Fixes for CVE-2015-5381 are included in upstream. * Fixes for CVE-2015-5382 are included in upstream. * Added missing sources * Updated copyright file roundcube (1.1.1+dfsg.1-2) unstable; urgency=medium . [ Sandro Knauß ] * Release to unstable (freeze is over) * Updated lintian-overrides + Config is created by postinst, so it is missing for lintian * Move from cdbs -> debhelper + Install & rename htaccess in /usr/share + Added link to external jquery.min.js + Make tinymce link to exp repo the right way around + Correct links from /var/lib -> /etc + Only minify js for own javascript and not linked ones + Create config.inc.php also for plugins in roundcube-core + Create /usr/share/bug/$(package)/control for every package * Link all docs dirs to roundcube-core instead of coping doc files + Move examples from roundcube-plugins -> roundcube-core * d/watch file: be able to match rc, alpha, beta tarballs . [ Vincent Bernat ] * d/watch: don't match "-complete" tarball roundcube (1.1.1+dfsg.1-1) experimental; urgency=medium . [ Vincent Bernat ] * Depends on php-mail-mimedecode. Closes: #740242. * Update jstz.js with the version specified in the header. * Build jquery-ui.custom.js from libjs-jquery-ui. . [ Ben Finney ] * debian/watch: + Handle a “+dfsg.N” suffix for the Debian upstream version string. . [ Richard Laager ] * Add a debian/.gitignore file * Refresh patch offsets * Refresh use_packaged_tinymce.patch to apply . [ Sandro Knauß ] * New upstream release. Closes: #752479. * Updated patches to use config.inc.php. * Updated: copyright file * Added patch to handle the upgrade from 0.9.5 -> 1.X.X * Use update script from upstream. * Cleanup debian/rules. * Added current version system table. * Move deletion of configfile to maintscript. * Added SQL and installer to be install. * Added NEWS entry about changing configuration. * Updated links to other packages. * Added jstz source zip to debian/source/include-binaries. * Relicensing all work of dedian mantainers with GPL-2+. * Bump Standards-Version to 3.9.6 (no changes needed). * Removed patch for CVE-2015-1433 (is part of upstream). * Ship bin and installer in package. * Added php-cli as dep, to rund the scripts in bin. roundcube (0.9.5+dfsg1-4.2) unstable; urgency=medium . * NMU. * Add a patch to fix XSS vulnerability. CVE-2015-1433. Closes: #776700. roundcube (0.9.5+dfsg1-4.1) unstable; urgency=low . * NMU - rc bug preventing roundcube from being included in jessie. * Changed debian/watch & debian/copyright so uscan repackage upstream tarball to remove files without source. Closes: #736782. * Added sources for jquery-ui and jstz.js to debian/missing-sources. * Modified debian/copyright to acknowledge copyrights of files in debian/missing-sources. * Added debian/create-jquery-ui-custom.sh that creates the jquery-ui-1.9.1.custom.min.js from upstream source. * Modified debian/rules to create jstz.min.js and jquery-ui-1.9.1.custom.min.js form the versions we have sources for. roundcube (0.9.5-4) unstable; urgency=low . * Depends directly on postgresql-client instead of a particular (and sometimes outdated) version. Closes: #732369. * Add mariadb-client/mariadb-server as possible alternatives for mysql-client/mysql-server. Closes: #732909. * Bump Standards-Version. roundcube (0.9.5-3) unstable; urgency=low . * Remove jquery-ui symlinks in preinst to avoid jquery-ui files to be modified. Thanks Andreas Beckman for raising the issue. Closes: #731499. roundcube (0.9.5-2) unstable; urgency=low . * Add Polish debconf translation, thanks to Magdalena Zofia Kubot (Closes: #728929). * Use embedded jquery-ui has it contains some modifications. Closes: #719781. roundcube (0.9.5-1) unstable; urgency=low . * Acknowledge NMU from Salvatore. Thanks! * New upstream release. Drop CVE patch since this is fixed upstream. roundcube (0.9.4-1.1) unstable; urgency=high . * Non-maintainer upload. * Add CVE-2013-6172.patch patch. CVE-2013-6172: An attacker can overwrite configuration settings using user preferences. This can result in random file access and manipulated SQL queries. (Closes: #727668) roundcube (0.9.4-1) unstable; urgency=low . * New upstream version. + Fix CVE-2013-5645 (Closes: #721592) + "Enigma" plugin has been removed. roundcube (0.9.2-2) unstable; urgency=low . * Depends on php5-sqlite instead of php5-sqlite3. Closes: #714727. * Add a patch to map "sqlite3" driver to "sqlite". * Breaks/replaces older versions of roundcube-plugins-extra (zipdownload plugin is now part of roundcube-plugins). Closes: #714135. * Downgrade php5-gd and php5-pspell to Recommends. Closes: #714448. * Depends on libapache2-mod-php5 | php5 to allow support of PHP FPM. roundcube (0.9.2-1) unstable; urgency=low . * New upstream version. roundcube (0.9.1-1) unstable; urgency=low . * New upstream version. Closes: #707809. + Add new zipdownload plugin. + Switch from MDB2 to PDO for database handling. + Add support for SQLite 3. * Bumps Standards-Version. * Depends on php5 but only recommends a web server. The web server can be installed on another host. * Transition towards Apache 2.4. Closes: #669804. + Also drop some old cruft (Apache configuration). roundcube (0.8.6-1) experimental; urgency=low . * New upstream version. Closes: #684769. roundcube (0.7.2-9) unstable; urgency=high . * Fix a vulnerability allowing logged users to override any variable which may be used to steal credentials of other users or read arbitrary files. roundcube (0.7.2-8) unstable; urgency=low . * In roundcube-core postinst, set appropriate rights on directory created when fixing symlinks. roundcube (0.7.2-7) unstable; urgency=low . * Fix dependencies to postgresql and postgresql-client. Closes: #699604. * Drop roundcube-sqlite transition package since we don't provide an automatic upgrade path. The user will have to remove the package by herself. Move the related NEWS entry from roundcube-sqlite to roundcube-core and explain how to continue upgrade. Closes: #688634. roundcube (0.7.2-6) unstable; urgency=low . * Fix the symlink mess in postinst when upgrading from 0.5 to a more recent version. Closes: #680917, #656886. roundcube (0.7.2-5) unstable; urgency=low . * Fix problem with some uuencoded attachments. Patch from Michał Mirosław. Closes: #686857. * Don't handle old configuration files from legacy roundcube package. roundcube package is an empty metapackage since Squeeze. Closes: #688230. roundcube (0.7.2-4) unstable; urgency=high . * Fix self XSS with plain signatures. CVE-2012-3508. Closes: #685475. roundcube (0.7.2-3) unstable; urgency=low * Remove old Replaces/Breaks for roundcube-core since it is not needed since Squeeze. * Add back roundcube-sqlite package as a transitional package, thanks to a suggestion by Andreas Beckmann. This enables one to upgrade from Squeeze. Closes: #677803. * Move the actual NEWS entry about dropping SQLite to the transitional package. And be more verbose about it. roundcube (0.7.2-2) unstable; urgency=low * Rotate /var/log/roundcube/session. Closes: #671472. * Fix rights of files generated by UCF. Closes: #671474. * Update Slovak debconf translation, thanks to Ivan Masár (Closes: #677907). roundcube (0.7.2-1) unstable; urgency=low * New upstream version. * Bump Standards-Version. No changes required. * Depends on php-mail-mime (>= 1.8.2). Closes: #656243. roundcube (0.7.1-2) unstable; urgency=high * Remove roundcube-sqlite package since php5 package does not ship SQLite 2.x support anymore. Roundcube is incompatible with SQLite 3.x. Closes: #657092. * Urgency set to high for php5 migration into testing. roundcube (0.7.1-1) unstable; urgency=low * New upstream version. Closes: #656093. * Add Dutch debconf translation, thanks to Jeroen Schot. Closes: #656082. roundcube (0.7-3) unstable; urgency=low * Ship jqueryui plugin. Closes: #653274. + Depend on libjs-jquery-ui package (instead of builtin copy). + Conflict with versions of roundcube-plugins-extra providing this plugin. * More SQL fixes on update. Closes: #654297. roundcube (0.7-2) unstable; urgency=low * Fix SQLite upgrade file. Closes: #653217. * Also fixes MySQL upgrade file and SQLite regular file. roundcube (0.7-1) unstable; urgency=low * New upstream version. Closes: #652564. + Does not ship SWF with TinyMCE anymore. roundcube (0.6+dfsg-1) unstable; urgency=low * New upstream version. Closes: #643707. + Repack to remove SWF file without source from TinyMCE. + Add SQL upgrade procedures. + Add new plugins: acl, enigma and newmail_notifier. + Update jQuery dependency to jQuery 1.6.4. roundcube (0.5.4+dfsg-1) unstable; urgency=high [ Vincent Bernat ] * New upstream version. + Fix XSS vulnerability in UI messages (Closes: #641996). * Switch to Git for version control thanks to Jérémy Bobbio. debian/control updated. * Ship INSTALL. Closes: #633698. [ Jérémy Bobbio ] * Re-add 'password' plugin to roundcube-plugins. roundcube (0.5.3+dfsg-1) unstable; urgency=low * New upstream release. + Fix identities "reply-to" and "bcc" fields have a bogus value when left empty (Closes: #628553). roundcube (0.5.2+dfsg-1) unstable; urgency=low * New upstream release * Update logrotate configuration. Closes: #619410. * Make debian-db.php owned by root. This really closes: #608976. * Bump Standards-Version. No changes required. roundcube (0.5.1+dfsg-7) unstable; urgency=low * Make dbconfig-common use sqlite by default to ensure that the package can be configured non-interactively in most cases. Closes: #617754. roundcube (0.5.1+dfsg-6) unstable; urgency=low * Handle incorrect upgrade from 0.3.1-6 when "changed" column already exists for table "identities". Closes: #617312. roundcube (0.5.1+dfsg-5) unstable; urgency=low * Don't use awk. Use plain shell to modify main.inc.php. Closes: #616074. roundcube (0.5.1+dfsg-4) unstable; urgency=low * Fix debian/watch to remove "+dfsg" suffix. * Use awk instead of sed to modify main.inc.php. Closes: #615277. roundcube (0.5.1+dfsg-3) unstable; urgency=low * Install show_additional_headers plugin in roundcube-plugins package. * Use dbconfig-common to force some upgrade commands using some ugly hacks. This should fix any remaining problems with MySQL upgrade. Closes: #613586. roundcube (0.5.1+dfsg-2) unstable; urgency=low * Remove all "ADD INDEX" from MySQL 0.5-1 upgrade file and put them in postinst script. If you have a problem during the upgrade, please, let me know. This upload is only done to prevent users who did not upgrade to 0.5 yet to have a problem during their upgrade. If you already upgraded to 0.5 and if the upgrade failed (or if some feature are missing like identities management), please look at bug #613586. roundcube (0.5.1+dfsg-1) unstable; urgency=low * Add plugins. Closes: #550454. * Rewrite (and update) of debian/copyright. * Use of yui-compressor to re-minify Javascript files. * Drop correct-magic-path.patch: libmagic1 now provides a symlink to the correct location since 4.24-4. * Repack orig.tar.gz to remove swf file shipped with TinyMCE with no sources available. roundcube (0.5.1-1) unstable; urgency=low * New upstream version. Some bugs are corrected in this release or in a previous release: + when switching to HTML mode, content type is now correctly set. Closes: #611321. + header delimiters handling has been fixed in 0.5. Closes: #603489. * Don't assign "skins" directory to www-data. Closes: #612552. * Add instructions on how to install and upgrade when not using dbconfig-common. We do not ship UPGRADING file any more since it is misleading. Closes: #612511. * Fix MySQL indexes if upgrading from 0.5-2 or lesser. Closes: #610725. * Rework how symlinks work. The only directory to use is /var/lib/roundcube. We use symlink from /usr/share/roundcube to /var/lib/roundcube and not the other way. Moreover, plugins and skins are also symlinked. A user should be able to add plugins and skins in /var/lib/roundcube while default ones are in /usr/share/roundcube. Closes: #612553. roundcube (0.5-2) experimental; urgency=low * If 0.3.1 was installed from scratch, upgrade does not work on MySQL and PostgreSQL because we try to create an index which already exists. With SQLite, the error is ignored, no fix needed. When using PostgreSQL, fix this by dropping the index if it already exists. Nothing similar seems to exist with MySQL. Therefore, just don't create the index. We need to handle this later. See bug #610725. Not closing. roundcube (0.5-1) experimental; urgency=low * New upstream release. Closes: #592312. + Drop patches included upstream (DNS prefetching, jQuery 1.4 handling, email address validation, duplicate headers, incorrectly formatted received headers). Adapt other patches. One of the patch now correctly states to use dpkg-reconfigure roundcube-core. Closes: #608977. + Update SQL commands to use to upgrade database. That also closes: #602922. Unfortunately, the user may get some harmless error messages because there is no way to know if 0.3.1 was installed from scratch or upgraded from 0.3. + Update dependencies to match INSTALL file. Only exception is the use of Mail_Mime 1.8.0 in place of 1.8.1 which is not available in Debian. We depends on jQuery 1.4.2 because 1.4.4 is not available in Debian. + All folders are correctly checked since 0.4. Closes: #552430. + Also, closes: #553194 since it seems to have been fixed too. + There is also the possibility to not top-quote since 0.4. Closes: #491063. + Closes: #602144. Also fixed. * Move .htaccess to /etc/roundcube and use a symlink (Closes: #591369). * Don't let www-data overwrite debian-db.php. Closes: #608976. * Bump Standards-Version. No changes required. roundcube (0.3.1-6) unstable; urgency=low * Update Arabic debconf translation, thanks to Ossama Khayat. Closes: #596181. * Update Portuguese debconf translation, thanks to Christian Perrier. Closes: #599575. * Add a patch to avoid duplicate boundaries in headers when adding an attachment. Closes: #599586. roundcube (0.3.1-5) unstable; urgency=low * Depends on php-mail-mime 1.7.0 or more recent to handle correctly 'mime_param_folding' directive. Closes: #588295. * Add Danish debconf translation, thanks to Joe Dalton. Closes: #593271. * Add a patch to fix Received header to behave better with Spam Assassin. Closes: #595204. roundcube (0.3.1-4) unstable; urgency=low * Update README.Debian to state that the variable to modify is 'htmleditor' instead of 'enable_htmleditor'. Thanks to Hans Spaans. Closes: #575556. * Add Brazilian Portuguese debconf translation, thanks to Eder L. Marques. Closes: #581745. * Switch default encoding to UTF-8 instead of ISO-8859-1. Closes: #588084. * Add more explanations on how to install roundcube in a Debian system in README.Debian. Closes: #584458, #582894. * Bump Standards-Version. No changes required. * Switch to 3.0 (quilt) format. * Use Breaks instead of Conflicts to move files from older roundcube installations. roundcube (0.3.1-3) unstable; urgency=high * RFC 5321, section 4.5.3.1, asks to not impose any limits on length if possible. We respect this by dropping limitation of the local-part of an email address. Closes: #568360, #568537. * Suggests php-auth-sasl to enable use of SASL mechanisms for mail servers. Closes: #567550. * Disable DNS prefetching to avoid information leakage through links embedded in messages. This fixes CVE-2010-0464. Closes: #569660. * Bump Standards-Version. No changes required. roundcube (0.3.1-2) unstable; urgency=low * Fix VCS links in debian/control, thanks to Torsten Landschoff. Closes: #555900. * Really ship NEWS.Debian. * Add changesets 3170 and 3202 from upstream to handle gracefully jQuery 1.4. Thanks to Volker Gropp for the report. Closes: #565715. roundcube (0.3.1-1) unstable; urgency=low * New upstream release. * Add a notice in NEWS.Debian about php.ini options that should be set to get Roundcube working properly. Closes: #549428, #552508. roundcube (0.3-2) unstable; urgency=low * Really fix #544579 since the default value is null without quotes. This really Closes: #544579. * Enlarge login box to accommodate sk_SK locale. Closes: #542933. roundcube (0.3-1) unstable; urgency=low * New upstream release. Closes: #545498. * Update debconf translations: + Italian, thanks to Luca Monducci. Closes: #544199. + Czech, thanks to Miroslav Kure. Closes: #546413. * Roundcube configuration now uses 'language' instead of 'locale_string' to specify the default language. Update postinst to reflect this change. Thanks to Richard van den Berg for noticing this. Closes: #544579. * Depends on libjs-jquery (>= 1.3) since this is now used by roundcube. * Don't ship any plugins for now but ship an empty plugins directory. * Ship main .htaccess since it is needed to setup correctly PHP (for example, to disable PHP Suhosin cookie encryption). * Bump Standards-Version. No changes required. roundcube (0.2.2-1) unstable; urgency=low * New upstream release * Bump Standards-Version. No changes required. * Remove *.js.src which are not needed at runtime. * Don't send email contents to Google by default by using php5-pspell instead. Thanks to Anand Kumria. Closes: #529563. * Update debconf translations: + Basque, thanks to Piarres Beobide. Closes: #534282. roundcube (0.1~rc2-5) unstable; urgency=low * Deal with old /etc/logrotate.d/roundcube by removing it if left untouched (Closes: #456546). Also deal with /etc/default/roundcube and /etc/cron.daily/roundcube. roundcube (0.1~rc2-4) unstable; urgency=low * Thightened dependencies for a safe upgrade * Finally removed any circular dependency, -db packages no longer pull a full roundcube install roundcube (0.1~rc2-3) unstable; urgency=low * Upload to unstable * Bumped standard version to 3.7.3 (no changes) roundcube (0.1~rc2-2) experimental; urgency=low [ Vincent Bernat ] * Fix a conflict between ob_gzhandler and zlib output compression, thanks to kaouete (Closes: #450482). [ Romain Beauxis ] * Fix tinymce patch and inclusion Closes: #452016 * Splitted virtual packages to avoid circular dependencies. Uploading to experimental, as this is an important change and we may expect issues.. roundcube (0.1~rc1-1) unstable; urgency=low * New upstream release * Removed non gpl file des.inc roundcube (0.1~rc1~dfsg-3) unstable; urgency=low * Add php5-mcrypt dependency (Closes: #431177) roundcube (0.1~rc1~dfsg-2) unstable; urgency=low * Removed custom unix_timestamp for sqlite: solved upstream * Debconf templates and debian/control reviewed by the debian-l10n- english team as part of the Smith review project. Closes: #426086, #427546, #427546 * Debconf translation updates: - Galician. Closes: #426140 - Basque. Closes: #426150 - Czech. Closes: #426428 - Portuguese. Closes: #426451 - Arabic. Closes: #427110 - Italian. Closes: #427206 - German. Closes: #427536 - French. Closes: #427736 - Tamil. Closes: #428254 - Russian. Closes: #428364 - Spanish. Closes: #428573 roundcube (0.1~rc1~dfsg-1) unstable; urgency=low [ Vincent Bernat ] * New upstream release * Update script for sqlite in postinst [ Romain Beauxis ] * Fixed dh_link calls Closes: #423824 * Added custom patch to use php unix timestamp support with sqlite since UNIX_TIMESTAMP is not supported by sqlite. * Dropped php4 dependencies roundcube (0.1~beta2.2~dfsg-2) unstable; urgency=low * Fix a security issue by disallowing access to logs. * First upload to unstable. roundcube (0.1~beta2.2~dfsg-1) experimental; urgency=low * Initial release. (Closes: #333756, #344949) roundcube-plugin-compose-addressbook (8.0.4-1) unstable; urgency=medium . * Upload to unstable. * d/copyright: Fix Upstream-Name. * Add d/README.Debian for instructions how to enable and configure this plugin. roundcube-plugin-compose-addressbook (8.0.4-1~exp) experimental; urgency=medium . * Initial release, split from roundcube-plugins-extra=1.4.10+1-4. roundcube-plugin-contextmenu (3.3.1+ds-2) unstable; urgency=medium . * d/copyright: Fix Upstream-Name. * d/control: Add Build-Depends: node-source-map. * d/control: Update Standards-Version to 4.7.4. * d/control: Remove "Rules-Requires-Root: no". * d/watch: Port to Version 5. + Remove "Priority: optional" which is the current default and spelling it out is no longer recommended per Policy. roundcube-plugin-contextmenu (3.3.1+ds-1) unstable; urgency=medium . * Upload to unstable. * New upstream release: + Support Dark Mode in Elastic. + Add placeholder for undeleted icon. * d/copyright: Also exclude skins/elastic/*.css when repacking. * Add d/README.Debian for instructions how to enable this plugin. * d/gbp.conf: Set ‘compression = xz’. * d/control: Bump minimum Roundcube (Build-)Depends version to 1.5. roundcube-plugin-contextmenu (3.2.1+ds-1~exp) experimental; urgency=medium . * Initial release, split from roundcube-plugins-extra=1.4.10+1-4. roundcube-plugin-dovecot-impersonate (2.1-1) unstable; urgency=medium . * Upload to unstable. * Remove php-curl dependency in composer.json. * Relicense debian/* under GPL-2+. * Add d/README.Debian for instructions how to enable and configure this plugin. roundcube-plugin-dovecot-impersonate (2.1-1~exp) experimental; urgency=medium . * Initial release, split from roundcube-plugins-extra=1.4.10+1-4. roundcube-plugin-fail2ban (1.3-1) unstable; urgency=medium . * Upload to unstable. * Add d/README.Debian for instructions how to enable this plugin. roundcube-plugin-fail2ban (1.3-1~exp) experimental; urgency=medium . * Initial release, split from roundcube-plugins-extra=1.4.10+1-4. roundcube-plugin-html5-notifier (0.6.4-1) unstable; urgency=medium . * Upload to unstable. * Add d/README.Debian for instructions how to enable and configure this plugin. * d/copyright: Fix Upstream-Name and project license. * d/control: Fix Vcs-Git and Vcs-Browser URLs. roundcube-plugin-html5-notifier (0.6.4-1~exp) experimental; urgency=medium . * Initial release, split from roundcube-plugins-extra=1.4.10+1-4. roundcube-plugin-keyboard-shortcuts (3.1-1) unstable; urgency=medium . * Upload to unstable. * Point upstream at the dapphp/keyboard_shortcuts fork since the original project https://github.com/corbosman/listcommands is abandoned. * New upstream release from Drew Phillips (dapphp): + Add compatibility with Roundcube 1.6 (closes: #1042731, #1053452). + Add ‘m’ shortcut to mark selected message(s) read or unread. + Adding Bulgarian translation. + Add ‘/’ shortcut for search. + Fix for ‘s’ shortcut not working in elastic theme due to incorrect HTML ID of search box set in javascript code. + New keyboard icon with a proper fa-keyboard-o symbol for elastic theme. * d/copyright: Fix Upstream-Name. * Add d/README.Debian for instructions how to enable and configure this plugin. * d/gbp.conf: Set ‘compression = xz’. * Refresh d/patches. roundcube-plugin-keyboard-shortcuts (2.5-1~exp) experimental; urgency=medium . * Initial release, split from roundcube-plugins-extra=1.4.10+1-4. roundcube-plugin-listcommands (2.7.1-1) unstable; urgency=medium . * Upload to unstable. * Point upstream at the Takika/listcommands fork since the original project https://github.com/corbosman/listcommands is abandoned. * New upstream release from Sándor Takács (Takika): + Add compatibility with Roundcube 1.6. + Fix PHP8 warnings. + Add X-Unsubscribe-Web header. * Fix d/gbp.conf. * Relicense debian/* under GPL-2+. * Add d/README.Debian for instructions how to enable this plugin. * d/gbp.conf: Set ‘compression = xz’. roundcube-plugin-listcommands (2.5.2-1~exp) experimental; urgency=medium . * Initial release, split from roundcube-plugins-extra=1.4.10+1-4. roundcube-plugin-message-highlight (4.4-1) unstable; urgency=medium . * Upload to unstable. * Relicense debian/* under GPL-2+. * Add d/README.Debian for instructions how to enable and configure this plugin. * Add patch from Duncan Hill to avoid warnings with PHP8. * d/copyright: Fix Upstream-Name. roundcube-plugin-message-highlight (4.4-1~exp) experimental; urgency=medium . * Initial release, split from roundcube-plugins-extra=1.4.10+1-4. roundcube-plugin-sauserprefs (1.21+ds-2) unstable; urgency=medium . * d/control: Add Build-Depends: node-source-map. * d/control: Update Standards-Version to 4.7.4. + Remove "Priority: optional" which is the current default and spelling it out is no longer recommended per Policy. roundcube-plugin-sauserprefs (1.21+ds-1) unstable; urgency=medium . * New upstream release: + Enable SA v4 support by default. * d/watch: Port to Version 5. * d/control: Remove `Rules-Requires-Root: no`. roundcube-plugin-sauserprefs (1.20.2+ds-1) unstable; urgency=medium . * New bugfix upstream release. * Drop d/patches applied upstream. * Update Standards-Version to 4.7.2 (no changes necessary). roundcube-plugin-sauserprefs (1.20.1+ds-1) unstable; urgency=medium . * Upload to unstable. * New upstream release: + Add compatibility with Roundcube 1.5 and above (closes: #1041862). + Fix miss-matched score_allow/blocklist labels. + Add backwards compatibility for _score_user_black/whitelist. + Add support for SpamAssassin v4. + Support Dark Mode in Elastic. + Replace references to white/blacklist with allow/block list. + Add basic support for TX Rep AWL plugin. + Fix PHP8 warnings. * d/copyright: Fix Upstream-Name. * Add d/README.Debian for instructions how to enable and configure this plugin. * d/gbp.conf: Set ‘compression = xz’. * d/control: Bump minimum Roundcube (Build-)Depends version to 1.5. * Backport upstream patches to silence PHP8 warnings. roundcube-plugin-sauserprefs (1.18.4+ds-1~exp) experimental; urgency=medium . * Initial release, split from roundcube-plugins-extra=1.4.10+1-4. roundcube-plugin-thunderbird-labels (1.6.2-1) unstable; urgency=medium . * New upstream release. * d/copyright: Fix Upstream-Name. * d/patches: Remove patches applied upstream. * d/control: Update Standards-Version to 4.7.2 (no changes necessary). * d/control: Drop redundant rule "Rules-Requires-Root: no". roundcube-plugin-thunderbird-labels (1.6.1-1) unstable; urgency=medium . * Upload to unstable. * New upstream release: + Fix compatibility with Roundcube 1.6.1 and later. + Remove coffeescript source, no longer state of the art. + Security: Fix RCE vulnerability in custom label titles. + Only allow specific values for tb_label_style. + Fix labels position on Larry skin. * Backport upstream patch to fix PHP 8.2 deprecation of dynamic properties (closes: #1043513). * d/gbp.conf: Set ‘compression = xz’. * Drop ‘+ds’ suffix (don't repack source) since tb_label.js is no longer generated from .coffee sources. * d/control: Remove Build-Depends: coffeescript because of the above. * d/rules: Drop tb_label.js generation rules. * Add d/README.Debian for instructions how to enable and configure this plugin. roundcube-plugin-thunderbird-labels (1.4.10+ds-1~exp) experimental; urgency=medium . * Initial release, split from roundcube-plugins-extra=1.4.10+1-4. rust-cargo-toml (0.22.3-2) unstable; urgency=medium . * Team upload. * Package cargo_toml 0.22.3 from crates.io using debcargo 2.8.2 * Bump toml dependency to version 1. rust-gix-trace (0.1.19-1) unstable; urgency=medium . * Package gix-trace 0.1.19 from crates.io using debcargo 2.8.2 rust-gix-utils (0.3.2-1) unstable; urgency=medium . * Package gix-utils 0.3.2 from crates.io using debcargo 2.8.2 rust-mpd-client (1.4.1-1) unstable; urgency=medium . * Package mpd_client 1.4.1 from crates.io using debcargo 2.7.11 rust-slab (0.4.12-1) unstable; urgency=medium . * Team upload. * Package slab 0.4.12 from crates.io using debcargo 2.8.2 universal-pathlib (0.3.10-2) unstable; urgency=medium . [ Bas Couwenberg ] * Bump Standards-Version to 4.7.4, no changes. zope.interface (8.4-1) unstable; urgency=medium . * New upstream release.