This is a bug fix release, and includes a few important security fixes.
It is strongly recommended that IMAP and POP users upgrade as soon as
possible.
Upstream changes:
Version 1.5111:
- Ensure that temp file is created in temp dir
- Fix Makefile.PL warning
- Fix deleting of inc during release process
- Better fix for AutomatedTester warning
Version 1.5110:
- Updating META.yml
Version 1.5109:
- Switch to File::Slurper
Version 1.5108:
- Trying once again to fix the compile test on windows
Version 1.5107:
- Check in standard tests, including one that skips the compile check on Windows
Version 1.5106:
- Add standard tests
- Detect mailboxes that contain a mix of newline types. Complain about it, but
also allow the force option to continue processing. Thanks to Pali Rohár
<pali.rohar@gmail.com> for the bug report.
- Avoid OO interface to File::Temp, which in some versions and on some operating
systems, deletes the file when it is closed. Thanks to Paul Howarth
<paul@city-fan.org> for the bug report.
https://rt.cpan.org/Public/Bug/Display.html?id=103835
- Fix compatibility issue with newer versions of perl, which remove "." from
@INC. https://rt.cpan.org/Ticket/Display.html?id=121466
v0.5.2:
+ Implement plugin for the a vendor-defined IMAP capability called
"FILTER=SIEVE". It adds the ability to manually invoke Sieve filtering
in IMAP. More information can be found in
doc/plugins/imap_filter_sieve.txt.
- The Sieve addess test caused an assertion panic for invalid addresses
with UTF-8 codepoints in the localpart. Fixed by properly detecting
invalid addresses with UTF-8 codepoints in the localpart and skipping
these like other invalid addresses while iterating addresses for the
address test.
- Make the length of the subject header for the vacation response
configurable and enforce the limit in UTF-8 codepoints rather than
bytes. The subject header for a vacation response was statically
truncated to 256 bytes, which is too limited for multi-byte UTF-8
characters.
- Sieve editheader extension: Fix assertion panic occurring when it is
used to manipulate a message header with a very large header field.
- Properly abort execution of the sieve_discard script upon error.
Before, the LDA Sieve plugin attempted to execute the sieve_discard
script when an error occurs. This can lead to the message being lost.
- Fix the interaction between quota and the sieve_discard script. When
quota was used together with a sieve_discard script, the message
delivery did not bounce when the quota was exceeded.
v2.3.2 still had a few unexpected bugs:
- SSL/TLS servers may have crashed during client disconnection
- lmtp: With lmtp_rcpt_check_quota=yes mail deliveries may have
sometimes assert-crashed.
- v2.3.2: "make check" may have crashed with 32bit systems
v2.3.2 is mainly a bugfix release. It contains all the changes in v2.2.36, as well as a bunch of other fixes (mainly for v2.3-only bugs). Binary packages are already in https://repo.dovecot.org/
* old-stats plugin: Don't temporarily enable PR_SET_DUMPABLE while
opening /proc/self/io. This may still cause security problems if the
process is ptrace()d at the same time. Instead, open it while still
running as root.
+ doveadm: Added mailbox cache decision&remove commands. See
doveadm-mailbox(1) man page for details.
+ doveadm: Added rebuild attachments command for rebuilding
$HasAttachment or $HasNoAttachment flags for matching mails. See
doveadm-rebuild(1) man page for details.
+ cassandra: Use fallback_consistency on more types of errors
+ lmtp proxy: Support outgoing SSL/TLS connections
+ lmtp: Add lmtp_rawlog_dir and lmtp_proxy_rawlog_dir settings.
+ submission: Add support for rawlog_dir
+ submission: Add submission_client_workarounds setting.
+ lua auth: Add password_verify() function and additional fields in
auth request.
- doveadm-server: TCP connections are hanging when there is a lot of
network output. This especially caused hangs in dsync-replication.
- Using multiple type=shared mdbox namespaces crashed
- mail_fsync setting was ignored. It was always set to "optimized".
- lua auth: Fix potential crash at deinit
- SSL/TLS servers may have crashed if client disconnected during
handshake.
- SSL/TLS servers: Don't send extraneous certificates to client when
alt certs are used.
- lda, lmtp: Return-Path header without '<' may have assert-crashed.
- lda, lmtp: Unencoded UTF-8 in email address headers may assert-crash
- lda: -f parameter didn't allow empty/null/domainless address
- lmtp, submission: Message size limit was hardcoded to 40 MB.
Exceeding it caused the connection to get dropped during transfer.
- lmtp: Fix potential crash when delivery fails at DATA stage
- lmtp: login_greeting setting was ignored
- Fix to work with OpenSSL v1.0.2f
- systemd unit restrictions were too strict by default
- Fix potential crashes when a lot of log output was produced
- SMTP client may have assert-crashed when sending mail
- IMAP COMPRESS: Send "end of compression" marker when disconnecting.
- cassandra: Fix consistency=quorum to work
- dsync: Lock file generation failed if home directory didn't exist
- Snippet generation for HTML mails didn't ignore &entities inside
blockquotes, producing strange looking snippets.
- imapc: Fix assert-crash if getting disconnected and after
reconnection all mails in the selected mailbox are gone.
- pop3c: Handle unexpected server disconnections without assert-crash
- fts: Fixes to indexing mails via virtual mailboxes.
- fts: If mails contained NUL characters, the text around it wasn't
indexed.
- Obsolete dovecot.index.cache offsets were sometimes used. Trying to
fetch a field that was just added to cache file may not have always
found it.
Performing substitutions during post-patch breaks tools such as mkpatches,
making it very difficult to regenerate correct patches after making changes,
and often leading to substituted string replacements being committed.
2018-06-22 Richard Russon <rich@flatcap.org>
* Features
- Expand variables inside backticks
- Honour SASL-IR IMAP capability in SASL PLAIN
* Bug Fixes
- Fix toggle-read
- Do not truncate shell commands on ; or #
- pager: index must be rebuilt on MUTT_REOPENED
- Handle a BAD response in AUTH PLAIN w/o initial response
- fcc_attach: Don't ask every time
- Enlarge path buffers PATH_MAX (4096)
- Move LSUB call from connection establishment to mailbox SELECTion
* Translations
- Update Chinese (Simplified): 100%
- Update Czech: 100%
- Update German: 100%
- Update Lithuanian: 100%
- Update Portuguese (Brazil): 100%
- Update Slovak: 59%
- Reduce duplication of messages
* Code
- Tidy up the mailbox API
- Tidy up the header cache API
- Tidy up the encryption API
- Add doxygen docs for more functions
- Refactor more structs to use STAILQ
Upstream changes:
-- VERSION 0.53 --
2018-05-27: Marc Bradshaw <marc@marcbradshaw.net>
* Make tests less dependent on local resolver setup
* Add thanks to Valimail
Upstream changes:
1.04 Sat Jun 09 18:20:28 2018
- fix docevot parser to disallow leading dot in dot-atom
- fix generating and validating email addresses with empty user part
- fix generating email address with leading or trailing dot in user part
- try to parse invalid email addresses and mark them as invalid
- when generating address do not escape an apostrophe character
- fix formatting email addresses which contain nul bytes, TAB, LF or CR
- fix formatting comments which contain nul bytes
- Fixed crash bug in STARTTLS handling of loaded DH parameters.
- Added $TLS_COMPAT flag to disable certain TLS (security) features for
maximum compatibility with buggy clients.
Notmuch 0.27 (2018-06-13)
=========================
General
-------
Add support for thread:{} queries
Queries of the form `thread:{foo} and thread:{bar}` match threads
containing (possibly distinct) messages matching foo and bar. See
`notmuch-search-terms(7)` for details.
Command Line Interface
----------------------
Add the --full-scan option to `notmuch new`
This option disables mtime based optimization of scanning for new mail.
Add new --decrypt=stash option for `notmuch show`
This facilitates a workflow for encrypted messages where message
cleartext are indexed on first read, but the user's decryption key
does not have to be available during message receipt.
Documentation
-------------
An initial manual for `notmuch-emacs` is now installed by default (in
`info` format).
Dependencies
------------
As of this release, support for versions of Xapian before 1.4.0 is
deprecated, and may disappear in a future release of notmuch.
Changelog:
* Mew now supports Emacs 24.3 or later only.
* Supporting stunnel 5.
* Supporting GnuPG 2.1.23 or later.
The command name should be "gpg" instead of "gpg2".
Put the following to your "~/.gnupg/gpg.conf".
no-auto-key-retrieve
auto-key-locate local
* Using LibreOffice (soffice) on Unix by default
- Added support for STARTTLS directly in the SMTP protocol.
Adapted from contribution by John R. Levine.
- Added support for "final ok" rules in mailrules plugin.
- Added hook for debugging plugin invocation (set $MSG_DEBUG=1).
Changelog:
#CVE-2018-5183: Backport critical security fixes in Skia
#CVE-2018-5184: Full plaintext recovery in S/MIME via chosen-ciphertext attack
#CVE-2018-5154: Use-after-free with SVG animations and clip paths
#CVE-2018-5155: Use-after-free with SVG animations and text paths
#CVE-2018-5159: Integer overflow and out-of-bounds write in Skia
#CVE-2018-5161: Hang via malformed headers
#CVE-2018-5162: Encrypted mail leaks plaintext through src attribute
#CVE-2018-5170: Filename spoofing for external attachments
#CVE-2018-5168: Lightweight themes can be installed without user interaction
#CVE-2018-5174: Windows Defender SmartScreen UI runs with less secure behavior
for downloaded files in Windows 10 April 2018 Update
#CVE-2018-5178: Buffer overflow during UTF-8 to Unicode string conversion
through legacy extension
#CVE-2018-5185: Leaking plaintext through HTML forms
#CVE-2018-5150: Memory safety bugs fixed in Firefox 60, Firefox ESR 52.8,
and Thunderbird 52.8
2018-05-12 Richard Russon <rich@flatcap.org>
* Features
- echo command
- Add $browser_abbreviate_mailboxes
- Add ~M pattern to match mime Content-Types
- Add support for multipart/multilingual emails
- Jump to a collapsed email
- Add support for idn2 (IDNA2008)
* Bug Fixes
- Let mutt_ch_choose report conversion failure
- minor IMAP string handling fixes
* Translations
- Chinese (Simplified) (100%)
- Czech (100%)
- German (100%)
- Lithuanian (62%)
- Portuguese (Brazil) (100%)
* Coverity defects
- match prototypes to their functions
- make logic clearer
- reduce scope of variables
- fix coverity defects
* Docs
- development: analysis
- development: easy tasks
- development: roadmap
* Code
- start refactoring libconn
- split out progress functions
- split out window functions
- split out terminal setting
- convert MyVars to use TAILQ
- split mutt_file_{lock,unlock}
- Move IDN version string to mutt/idna.c
- refactor: init_locale()
- Eliminate static variable in mutt_file_dirname
* Tidy
- test int functions against 0
- rename lots of constants
- rename lots of functions
- sort lots of fields/definitions
* Upstream
- Increase account.user/login size to 128
- Fix comparison of flags with multiple bits set
- Change mutt_error call in mutt_gpgme_set_sender() to dprint
- Improve the error message when a signature is missing
- pager specific "show incoming mailboxes list" macro
- Improve gss debug printing of status_string
- Remove trailing null count from gss_buffer_desc.length field
- Add a comment in auth_gss about RFCs and null-termination
- Change prompt string for $crypt_verify_sig
Changes:
v0.5.1 28-03-2018 Stephan Bosch <stephan@rename-it.nl>
- Explicitly disallow UTF-8 in localpart in addresses parsed from Sieve
script.
- editheader extension: Corrected the stream position calculations
performed while making the modified message available as a stream.
Pigeonhole Sieve crashed in LMTP with an assertion panic when the
Sieve editheader extension was used before the message was redirected.
Experiments indicate that the problem occurred only with LMTP and that
LDA is not affected.
- fileinto extension: Fix assert panic occurring when fileinto is used
without being listed in the require line, while the copy extension is
listed there. This is a very old bug.
- imapsieve plugin: Do not assert crash or log an error for messages
that disappear concurrently while applying Sieve scripts. This event
is now logged as a debug message.
- Sieve extprograms plugin: Large output from "execute" command crashed
delivery. Fixed buffering issue in code that handles output from the
external program.
Changes:
* Submission server support improvements and bug fixes
- Lots of bug fixes to submission server
* API CHANGE: array_idx_modifiable will no longer allocate space
- Particularly affects how you should check MODULE_CONTEXT result, or use REQUIRE_MODULE_CONTEXT.
+ mail_attachment_detection_options setting controls when
$HasAttachment and $HasNoAttachment keywords are set for mails.
+ imap: Support fetching body snippets using FETCH (SNIPPET) or
(SNIPPET (LAZY=FUZZY))
+ fs-compress: Automatically detect whether input is compressed or not.
Prefix the compression algorithm with "maybe-" to enable the
detection, for example: "compress:maybe-gz:6:..."
+ Added settings to change dovecot.index* files' optimization behavior.
See https://wiki2.dovecot.org/IndexFiles#Settings
+ Auth cache can now utilize auth workers to do password hash
verification by setting auth_cache_verify_password_with_worker=yes.
+ Added charset_alias plugin. See
https://wiki2.dovecot.org/Plugins/CharsetAlias
+ imap_logout_format and pop3_logout_format settings now support all of the generic variables (e.g. %{rip}, %{session}, etc.)
* add licenses
* remove kerberos conditional pre-configure rule (fixed in upstream)
Changes:
fetchmail-6.3.26 (released 2013-04-23, 26180 LoC):
# NOTE THAT FETCHMAIL IS NO LONGER PUBLISHED THROUGH IBIBLIO.
* They have stopped accepting submissions and consider themselves an archive.
# CRITICAL BUG FIX for setups using "mimedecode":
* The mimedecode feature failed to ship the last line of the body if it was
encoded as quoted-printable and had a MIME soft line break in the very last
line. Reported by Lars Hecking in June 2011.
Bug introduced on 1998-03-20 when the mimedecode support was added by ESR
before release 4.4.1 through code contributed by Henrik Storner.
Workaround for older releases: do not use mimedecode feature.
Earlier versions of this NEWS file claimed this bug fixed in fetchmail-6.3.23,
but it was not.
Fixes Launchpad Bug#1171818.
fetchmail-6.3.25 (released 2013-03-18, 26149 LoC):
# NOTE THAT FETCHMAIL IS NO LONGER PUBLISHED THROUGH IBIBLIO.
* They have stopped accepting submissions and consider themselves an archive.
# BUG FIXES
* Fix a memory leak in out-of-memory error condition while handling plugins.
Report and patch by John Beck (found with Parfait static code analyzer).
* Fix a NULL pointer dereference in out-of-memory error condition while handling
plugins.
Report and patch by John Beck (found with Parfait static code analyzer).
# CHANGES
* Improved reporting when SSL/TLS X.509 certificate validation has failed,
working around a not-so-recent swapping of two OpenSSL error codes, and
a practical impossibility to distinguish broken certification chains from
missing trust anchors (root certificates).
* OpenSSL decoded errors are now reported through report(), rather than dumped
to stderr, so that they should show up in logfiles and/or syslog.
* The fetchmail manual page no longer claims that MD5 were the default OpenSSL
hash format (for use with --sslfingerprint). Reported by Jakob Wilk,
PARTIAL fix for Debian Bug#700266.
* The fetchmail manual page now refers the user to --softbounce from the
SMTP/ESMTP ERROR HANDLING section. Reported by Anton Shterenlikht.
# WORKAROUNDS
* Older systems that provide the older RFC-2553 implementation of getaddrinfo,
rather than the current RFC-3493, and systems that do not provide this
getaddrinfo() interface at all and thus use the replacement functions from
libesmtp/getaddrinfo.?, might return EAI_NODATA when a host is registered in
DNS as MX or similar, but without A or AAAA records. Handle this situation
when checking for multidrop aliases and treat EAI_NODATA the same as
EAI_NONAME, i. e. name cannot be resolved.
The proper fix, however, is to upgrade the operating system.
# TRANSLATION UPDATES
[cs] Czech, by Petr Pisar
[da] Danish, by Joe Hansen
[de] German
[eo] Esperanto, by Sian Mountbatten and Felipe Castro
[fr] French, by Frédéric Marchal
[ja] Japanese, by Takeshi Hamasaki
[pl] Polish, by Jakub Bogusz
[sv] Swedish, by Göran Uddeborg
[vi] Vietnamese, by Trần Ngọc Quân
[An on-line version of this announcement will be available at
http://www.postfix.org/announcements/postfix-3.3.1.html]
Fixed in Postfix 3.3:
* Postfix did not support running as a PID=1 process, which
complicated Postfix deployment in containers. The "postfix
start-fg" command will now run the Postfix master daemon as a
PID=1 process if possible. Thanks for inputs from Andreas
Schulze, Eray Aslan, and Viktor Dukhovni.
* Segfault in the postconf(1) command after it could not open a
Postfix database configuration file due to a file permission
error (dereferencing a null pointer). Reported by Andreas
Hasenack, fixed by Viktor Dukhovni.
Fixed in Postfix 3.3, 3.2, 3.1, 3.0:
* The luser_relay feature became a black hole, when the luser_relay
parameter was set to a non-existent local address (i.e. mail
disappeared silently). Reported by J?rgen Thomsen.
* Missing error propagation in the tlsproxy(8) daemon could result
in a segfault after TLS handshake error (dereferencing a
0xffff...ffff pointer). This daemon handles the TLS protocol
when a non-whitelisted client sends a STARTTLS command to
postscreen(8).
This is a feature release. Changes since version 1.9.5:
! $reply_self is now respected for group-reply, even with $metoo unset.
! Enabled $imap_poll_timeout when $imap_idle is set.
! Added %R (number of read messages) expando for $status_format.
+ When $change_folder_next is set, the <change-folder> function
mailbox suggestion will start at the next folder in your
"mailboxes" list, instead of starting at the first folder in the
list.
+ $new_mail_command specifies a command to run after a new message is
received.
+ $pgp_default_key specifies the default key-pair to use for PGP
operations. It will be used for both encryption and signing
(unless $pgp_sign_as is set). See contrib/gpg.rc.
! $smime_default_key now specifies the default key-pair to use for
both encryption and signing S/MIME operations. See
contrib/smime.rc.
+ $smime_sign_as can be used to specify a sign-only key-pair for
S/MIME operations.
- $pgp_self_encrypt_as is now deprecated, and is an alias for
$pgp_default_key. $smime_self_encrypt_as is also deprecated, and
is an alias for $smime_default_key.
! $pgp_self_encrypt and $smime_self_encrypt now default to set.
This makes setting $pgp_default_key or $smime_default_key all that
is required to enable self-encryption (for both classic and GPGME
mode).
+ The <history-search> function (default: ^R) will search history based
on the text currently typed in. That is, type the search string first,
then hit ^R.
+ The $abort_noattach quadoption controls whether to abort sending a
message that matches $abort_noattach_regexp and has no attachments.
+ Mutt can now be configured --with-idn2. This requires the libidn1
compatibility layer present in libidn2 v2.0.0 or greater.
+ Unsetting $browser_abbreviate_mailboxes turns off '=' and '~'
shortcuts for mailbox names in the browser mailbox list.
! $sort_browser now has 'count' and 'unread' options.
+ <error-history> will display the last $error_history count of
error/informational messages generated.
+ The ~M pattern matches content-type headers. Note that this
pattern may be slow because it reads each message in.
+ The "echo" command can be used to display a message, for instance
when running a macro or sourcing a file.
changed, and a new environment variable can be set so that users who
haven't configured pymsgauth can have their messages passed through
(unchanged). Bump PKGREVISION.
- Added support for "and" lines to mailrules plugin.
- Modified rbl plugin to log all responses in a single line.
- Fixed minor memory leak in the rbl plugin.
* [Conf] Major stock config updates:
- Workers are now specified in a new format worker "type" { ... }
- Enable fuzzy worker to simplify local fuzzy storages configuration
- Bind all workers to localhost by default to avoid security flaws
* [Conf] Make more sane fuzzy_check default settings
* [CritFix] Fix ucl escape for bad symbols
* [Feature] Add failure symbol for AV module
* [Feature] Add lazy expiration mode for new classifier schema
* [Feature] Add preliminary version of maps stats plugin
* [Feature] Allow to block fuzzy requests from specific networks
* [Feature] Allow to change `expire` of live statistics
* [Feature] Distinguish AV failure from clean result
* [Feature] Further improvements of language detector by using khash
* [Feature] Further optimization of the lang_detection
* [Feature] Implement cluster-aware bayes expiry
* [Feature] Implement exclude patterns in rspamc
* [Feature] Implement glob maps in addition to regexp maps
* [Feature] Implement map statistics function for lua API
* [Feature] Implement stop symbols for Clickhouse collection
* [Feature] Support recipients separated by commas
* [Feature] Try harder to upload scripts to the Redis server
* [Feature] Upgrade t1ha distribution
* [Feature] use_domain_sign_inbound
* [Feature] Use scores from maps if `symbols_set` is not defined
* [Fix] Add resolving version of radix map helper
* [Fix] Check URL before adding implicit prefix
* [Fix] Do not check pid/state when using PRNG
* [Fix] Fix CentOS logrotate script for systemd
* [Fix] Fix slash + dot in urls
* [Fix] Fix systemd version of the logrotate script
* [Fix] Propagate key when import implicit array from Lua
* [Fix] Strip spaces from map keys and values
* [Fix] Try to fix a specific case when processing milter protocol
* [Fix] Try to fix crash when a tcp connection cannot be set
* [Fix] Typo use_domain_local --> use_domain_sign_local
* [Fix] Various fixes to once_received module
* [Project] Store hits counters for map elements
* add JavaScript dependencies listed in jsdeps.json
* put them on /pub/pkgsrc/distfiles/roundcube to avoid checksum error due
to archive automatic generation (e.g. tinymce_languages.zip)
* remove patch-ac
* add example configuration fragment for www/lighttpd
CHANGELOG Roundcube Webmail
===========================
RELEASE 1.3.6
-------------
- Fix parsing date strings (e.g. from a Date: mail header) with comments (#6216)
- Fix PHP 7.2: count(): Parameter must be an array in enchant-based spellchecker (#6234)
- Fix possible IMAP command injection and type juggling vulnerabilities (#6229)
- Enigma: Fix key selection for signing
- Enigma: Enable keypair generation on Internet Explorer 11
- Fix check_request() bypass in places using get_uids() [CVE-2018-9846] (#6238)
- Fix bug where usernames without domain part could be malformed or converted to lower-case on logon (#6224)
RELEASE 1.3.5
-------------
- Managesieve: Fix bug where text: syntax was forced for strings longer than 1024 characters (#6143)
- Managesieve: Fix missing Save button in Edit Filter Set page of Classic skin (#6154)
- Fix duplicated labels in Test SMTP Config section (#6166)
- Fix PHP Warning: exif_read_data(...): Illegal IFD size (#6169)
- Enigma: Fix key generation in Safari by upgrade to OpenPGP 2.6.2 (#6149)
- Fix security issue in remote content blocking on HTML image and style tags (#6178)
- Added 9pt and 11pt to the list of font sizes in HTML editor
- Fix handling encoding of HTML tags in "inline" JSON output (#6207)
- Fix bug where some unix timestamps were not handled correctly by rcube_utils::anytodatetime() (#6212)
RELEASE 1.3.4
-------------
- Fix bug where contacts search could skip some records (#6130)
- Fix possible information leak - add more strict sql error check on user creation (#6125)
- Fix a couple of warnings on PHP 7.2 (#6098)
- Fix broken long filenames when using imap4d server - workaround server bug (#6048)
- Fix so temp_dir misconfiguration prints an error to the log (#6045)
- Fix untagged COPYUID responses handling - again (#5982)
- Fix PHP warning "idn_to_utf8(): INTL_IDNA_VARIANT_2003 is deprecated" with PHP 7.2 (#6075)
- Fix bug where Archive folder wasn't auto-created on login with create_default_folders=true
- Fix performance issue when parsing malformed and long Date header (#6087)
- Fix syntax error in mssql.initial.sql (#6097)
- Fix bug where contacts export by selection returned no more than 10 entries (#6103)
- Fix searching contacts by address in LDAP source (#6084)
- Fix X-Frame-Options:ALLOW-FROM support, remove custom click-jacking protection (#6057)
RELEASE 1.3.3
-------------
- Fix decoding of mailto: links with + character in HTML messages (#6020)
- Fix false reporting of failed upgrade in installto.sh (#6019)
- Fix file disclosure vulnerability caused by insufficient input validation [CVE-2017-16651] (#6026)
- Fix mangled non-ASCII characters in links in HTML messages (#6028)
RELEASE 1.3.2
-------------
- Improve detection for Egde browser and add pointer event support (#5922)
- Fix bug where pink image was used instead of a thumbnail when image resize fails (#5933)
- Fix so files size/count limit is verified (client-side) also on drag-n-drop uploads (#5940)
- Fix invalid template loading on a message error in preview frame (#5941)
- Fix bug where HTML messages could have been rendered empty on some systems (#5957)
- Fix wording of "Mark previewed messages as read" to "Mark messages as read" (#5952)
- Enigma: Fix decryption of messages encoded with non-ascii charset (#5962)
- Fix missing cursor in HTML editor on mail reply (#5969)
- Fix (again) bug where image data URIs in css style were treated as evil/remote in mail preview (#5580)
- Fix bug where mail search could return empty result on servers without SORT capability (#5973)
- Fix bug where assets_path wasn't added to some watermark frames
- Fix so untagged COPYUID responses are also supported according to RFC6851 (#5982)
- Fix issue caused by non-default session.cookie_lifetime setting (#5961)
- Fix Edge encoding bug when pasting text into the HTML editor, update to TinyMCE 4.5.8 (#5885)
- Fix handling of unknown Content-Disposition type (#6002)
- Fix truncated folder name on messages list in multi-folder mode, for folders with non-ascii characters (#6004)
- Fix bug where removing the last subfolder did not hide toggle button on its parent record (#6007)
- Fix bug where ghost messages could be added to the list after fast delete (#5941)
RELEASE 1.3.1
-------------
- Don't ignore (global) userlogins/sendmail logs in per_user_logging mode
- Add Preferences > Mailbox View > Main Options > Layout (#5829)
- Password: Fix compatibility with PHP 7+ in cpanel_webmail driver (#5820)
- Managesieve: Fix parsing dot-staffed lines in multiline text (#5838)
- Managesieve: Fix AM/PM suffix in vacation time selectors
- Managesieve: Fix bug where 'exists' operator was reset to 'contains' (#5899)
- Remove non-printable characters from filenames on download/display (#5880)
- Fix decoding non-ascii attachment names from TNEF attachments (#5646, #5799)
- Fix uninitialized string offset in rcube_utils::bin2ascii() and make sure rcube_utils::random_bytes() result has always requested length (#5788)
- Fix bug where HTML messages with @media styles could moddify style of page body (#5811)
- Fix style issue on selected and unfocused message that is part of a thread (#5798)
- Fix bug where a.button style from managesieve plugin could impact other elements (#5800)
- Fix position of selected icon for (Mailvelope) Encrypt button
- Fix fatal error when using DMY- or MDY-based date format in PostgreSQL (#5808)
- Fix bug where errors were not printed when using bin/update.sh (#5834)
- Fix PHP 7.2 warnings on count() use (#5845)
- Fix bug where Chrome could not upload the same file that was selected before (#5854)
- Fix duplicate messages on the list after deleting messages on the next to the last page (#5862)
- Fix bug where messages count was not updated after delete when imap_cache is set (#5872)
- Fix potential XSS vulnerability with malformed HTML message markup
- Fix sending message with "Too many public recipients" dialog buttons (#5924)
- Bring back double-click behavior on the message list which was removed in 1.3.0 (#5823)
- Enigma: Fix decrypting an encrypted+signed message when signature verification fails (#5914)
RELEASE 1.3.0
-------------
- Update to TinyMCE 4.5.7
- Fix bug where invalid recipients could be silently discarded (#5739)
- Fix conflict with _gid cookie of Google Analytics (#5748)
- Print error from CLI scripts when system/exec function is disabled (#5744)
- Fix bug where comment notation within style tag would cause the whole style to be ignored (#5747)
- Fix bug where it wasn't possible to scroll folders list in Edge (#5750)
- Fix folders list sorting on Windows - if php-intl is available (#5732)
- Fix addressbook searching by gender (#5757)
- Fix prevention from using % and * characters in folder name (#5762)
- Fix POST parameter reflection in default_charset selector (#5768)
- Enigma: Fix compatibility with assets_dir
- Managesieve: Skip redundant LISTSCRIPTS command
- Fix SQL syntax error on MariaDB 10.2 (#5774)
- Fix bug where zipdownload ignored files with the same name (#5777)
- Fix bug where it wasn't possible to set timezone to auto-detected value (#5782)
RELEASE 1.3-rc
--------------
- "Flattened" the larry theme: fresher look by removing shadows and gradients
- Support logging to php://stdout (#5721)
- Add support for DelSp=Yes in format=flowed messages (#5702)
- Update to jQuery 3.2.1
- Update to TinyMCE 4.5.6
- Plugin API: Call message_part_structure hook for sub-parts of multipart/alternative message (#5678)
- Enigma: Always use detached signatures (#5624)
- Enigma: Fix handling of messages with nested PGP encrypted parts (#5634)
- Minimize unwanted message loading in preview frame on drag (#5616)
- Fix failing database schema check in all engines except mysql (#5730)
- Fix autocomplete popup closing with click outside the input, don't handle Tab key as Enter (#5606)
- Fix jsdeps.json synchronization on update, warn about missing requirements of install-jsdeps.sh (#5598)
- Fix missing thread expand icon on search result in widescreen mode (#5613)
- Fix bug where image data URIs in css style were treated as evil/remote in mail preview (#5580)
- Fix bug where external content in src attribute of input/video tags was not secured (#5583)
- Fix PHP error on update of a contact with multiple email addresses when using PHP 7.1 (#5587)
- Fix bug where mail content frame couldn't be reset in some corner cases (#5608)
- Fix bug where some classic skin images were not displayed in IE/Edge (#5614)
- Fix bug where signature couldn't be added above the quote in Firefox 51 (#5628)
- Fix regression where groups with email address were resolved to its members' addresses
- Fix update of group name in the contacts list header on group rename (#5648)
- Add rewrite rule to disable access to /vendor/bin folder in .htaccess (#5630)
- Fix bug where it was too easy accidentally move a folder when using the subscription checkbox (#5655)
- Managesieve: Fix parser issue with empty lines between comments (#5657)
- Managesieve: Fix possible defect in handling \r\n in scripts (#5685)
- Fix/rephrase "unsaved changes" warning when cancelling a draft (#5610)
- Fix XSS issue in handling of a style tag inside of an svg element [CVE-2017-6820]
- Fix bug where settings/upload.inc could not be used by plugins (#5694)
- Fix regression in LDAP fuzzy search where it always used prefix search instead (#5713)
- Fix bug where namespace prefix could not be truncated on folders list if show_real_foldernames=true (#5695)
- Fix undesired effects when postgres database uses different timezone than PHP host (#5708)
- Installer: Fix DB schema initialization on MS SQL Server
- Fix bug where base_dn setting was ignored inside group_filters (#5720)
- Password: Fix security issue in virtualmin and sasl drivers [CVE-2017-8114]
RELEASE 1.3-beta
----------------
- Nicely handle contact deletion on contact edit (#5522)
- vcard_attachments: Add possibility to attach contact vCard to composed message (#4997)
- Preserve message internal/received date on import in mbox format (#5559)
- Zipdownload: Fix date format in mbox "From line"
- Possibility to display QR code for contacts data (#5030)
- Added identicon plugin
- Widescreen layout aka three column view (#5093)
- Unify automatic marking as \Seen in preview pane, full-page and extwin views (#5071)
- Disable double-click on the list when preview pane is on (#5199)
- Support hostname and hostname:port in force_https option (#5511)
- Support ALLOW-FROM in x_frame_options (#5122)
- Allow to omit a subject when sending an email (#5068)
- Warn about too many disclosed recipients in composed email [max_disclosed_recipients] (#5132)
- identity_select: Support Received header (#5085)
- Plugin API: Added get_compose_responses hook (#5457)
- Display error when trying to upload more files than specified in max_file_uploads (#5483)
- Add missing sql upgrade file for 'ip' column resize in session table (#5465)
- Do not show inline images of unsupported mimetype (#5463)
- Password: Added replacement variables support in password_pop_host (#5539)
- Password: Don't store passwords in temp files when using dovecotpw (#5531)
- Password: Added LDAP PPolicy driver (#5364)
- Password: Added cpanel_webmail driver (#5549)
- Password: Added possibility to nicely redirect from other plugins on password expiration (#5468)
- Implement separate action to mark all messages in a folder as \Seen (#5006)
- Implement marking as \Seen in all folders or in a folder and its subfolders (#5076)
- Archive: Don't reload messages list when it's not needed (#5225)
- Archive: Add option to automatically mark archived messages as \Seen (#5142)
- Improve randomness of password salts and random hashes (#5266)
- Password/cPanel: Add support for hash authentication and reseller accounts (#5252)
- Support host-specific imap_conn_options/smtp_conn_options/managesieve_conn_options (#5136)
- Center and scale images in attachment preview frame (#5421)
- Added max_message_size option enforced when attaching files to a composed message (#4993)
- Added Search button in quick search menus (#5312)
- Implement "one click" attachment/messages/photo upload (#5024)
- Squirrelmail_usercopy: Add option to define character set of data files
- Removed useless 'created' column from 'session' table (#5389)
- Dropped legacy browsers support (#5167)
- Removed legacy_browser plugin
- Removed hacks for IE < 10
- Update to jQuery 3.1.1 and jQuery-UI 1.12.0
- compile .min.js files with ECMASCRIPT5 option
- Require PHP >= 5.4
- Add possibility to preview and download attachments in mail compose (#5053)
- Add possibility to rename attachments in mail compose (#4996)
- Remove backward compatibility "layer" of bc.php (#4902)
- Support WEBP images in mail messages (#5362)
- Support MathML in HTML message preview (#5182)
- Rename Addressbook to Contacts (#5233)
- Remove PHP mail() support, smtp_server is required now (#5340)
- Display full message subject in onmouseover on truncated subject in mail view (#5346)
- Enigma: Support GnuPG 2.1 (#5313)
- Enigma: Support key generation for multiple identities (#5383)
- Enigma: Import keys from key-server(s) (#5286)
- Enigma: Search missing public keys on a key-server in mail compose (#5286)
- Enigma: Delete user keys when using deluser.sh script
- Enigma: Fix redundant list-secret-keys/list-public-keys calls on signing/encryption
- Enigma: Implement PGP encryption and signing in one go (#5302)
- Enigma: Display signature verification status for encrypted+signed messages (#5302)
- Display different attachment icon on encrypted messages
- Display different confirmation text when moving messages to Trash (#5220)
- Indicate that a collapsed thread has flagged children (#5013)
- Implemented message/rfc822 attachment preview
- Update to jsTimezoneDetect 1.0.6
- Managesieve: Add (optional) RAW script editor (#5414)
- Managesieve: Add option to automatically set vacation :from address (#5428)
- Managesieve: Support 'string' test from variables extension [RFC 5229] (#5248)
- Managesieve: Support 'duplicate' extension [RFC 7352]
- Managesieve: Unhide advanced rule controls if there are inputs with errors
- Managesieve: Display warning message when filter form contains errors
- Control search engine crawlers via X-Robots-Tag header instead of <meta> and robots.txt (#5098)
- Fixed redundancy in sql caching system and compatibility with Galera Cluster (#5439)
- Removed redundant 'created' column from cache and cache_shared tables
- Removed use of redundant data records
- Added missing primary keys (dictionary, cache, cache_shared tables)
- Fix so templating system does not mess with external (e.g. email) content (#5499)
- Fix redundant keep-alive/refresh after session error on compose page (#5500)
- Managesieve: Fix handling of scripts with nested rules (#5540)
- Fix variable substitution in ldap host for some use-cases, e.g. new_user_identity (#5544)
- Enigma: Fix PHP fatal error when decrypting a message with invalid signature (#5555)
- Fix adding images to new identity signatures
- Fix rsync error handling in installto.sh script (#5562)
- Fix some advanced search issues with multiple addressbooks (#5572)
- Fix so group/addressbook selection is retained on page refresh
- Fix the build with OpenSSL 1.1.0 backporting a patch from upstream.
- Minor mostly cosmetic changes (pointed out by pkglint)
- Take MAINTAINERship
Bump PKGREVISION
