Features: Cleaned up the configuration into a single file Importing email messages and contact group assignments Advanced LDAP address book functionality Toggle to switch between HTML and plaintext view Save Drafts to local storage for recovery Canned responses to save and recall boilerplate texts Improved keyboard navigation in messages list Optimized UI to work on tablet and mobile devices Attachment reminder plugin With the announcement, they have also introduced the Roundcube Plugin Repository. http://plugins.roundcube.net/ Reproducible: Always Steps to Reproduce: 1. emerge roundcube Actual Results: it emerges the old version Expected Results: it emerges 1.0.0
done in ::ixit overlay, feel free to use it. BEWARE: you should move configuration into defaults.inc.php but it will work with old config anyway, so no need to rush.
There are three new bundled libs that should be removed from program/lib and added as dependencies: * dev-php/PEAR-Crypt_GPG (program/lib/Crypt) * dev-php/PEAR-Net_Sieve (program/lib/Sieve) * dev-php/PEAR-Net_Socket (program/lib/Net/Socket.php) Please also address bug #489970 during the bump.
Note: 1.0.1 has been released, so we might just want to jump to that. See bug #510264.
*** Bug 510264 has been marked as a duplicate of this bug. ***
Created attachment 378270 [details] roundcube-1.0.1.ebuild I made the changes requested in comment #2 above to okias's earlier mentioned ebuild, he's accepted the changes on github @ https://github.com/okias/ixit/tree/master/mail-client/roundcube -- I've attached the file for ease-of-use.
1.0-beta fixed an XSS issue in the addressbook group name field. The release notes at http://trac.roundcube.net/wiki/Changelog further add a fix, released in 1.0.0 for an unspecified "security issue in DomainFactory? driver of Password plugin". Furthermore, a security issue was found in 1.0-beta with a "wrong rule in .htaccess". Furthermore, 1.0.1 fixed an "XSS issue in plain text spellchecker"[2] that was apparently found in 1.0.0, and was later demoted to a "Mail composing" issue because "[y]ou can only XSS yourself with this". I stopped looking for more vulnerabilities after this. [1] http://trac.roundcube.net/ticket/1489477 [2] http://trac.roundcube.net/ticket/1489806
Roundcube 1.0.2 was released: http://roundcube.net/news/2014/07/20/update-1.0.2-released/
News?
Arch teams, please test and mark stable: =mail-client/roundcube-1.0.2 =dev-php/PEAR-Crypt_GPG-1.3.2 Targeted stable KEYWORDS : amd64 arm ppc x86 Arch teams, please test and keyword: =mail-client/roundcube-1.0.2 =dev-php/PEAR-Crypt_GPG-1.3.2 Targeted unstable KEYWORDS : ppc64 sparc
amd64 stable
x86 stable
arm stable, and ~sparc done
ppc64 done. Maintainer(s), please cleanup. Security, please vote.
No GLSA for Cross Site Scripting
As per Jer's STABLEREQ add Please correct me if I am wrong but based on comment 9 PPC stabilization was missed for : =mail-client/roundcube-1.0.2 =dev-php/PEAR-Crypt_GPG-1.3.2 Setting back to stable from (noglsa/cleanup), adding ppc arch.
ppc stable. Maintainer(s), please cleanup. Security, please vote.
(In reply to Agostino Sarubbo from comment #16) > ppc stable. > > Maintainer(s), please cleanup. > Security, please vote. Still no GLSA for XSS. Maintainer(s), please cleanup.
*** Bug 508202 has been marked as a duplicate of this bug. ***
It looks like we're still missing hppa and ppc64 stabilizations on both, =mail-client/roundcube-1.0.2 =dev-php/PEAR-Crypt_GPG-1.3.2 Is ppc64 a stable arch? The "Add arches" box in Bugzilla suggests that it is, but if not, feel free to ignore. HPPA however I'm pretty sure is a stable arch.
(In reply to Michael Orlitzky from comment #19) > It looks like we're still missing hppa and ppc64 stabilizations on both, > > =mail-client/roundcube-1.0.2 http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/mail-client/roundcube/roundcube-0.9.5.ebuild?hideattic=0&view=markup KEYWORDS="amd64 arm ~hppa ppc ~ppc64 ~sparc x86" They were never stable to begin with. > =dev-php/PEAR-Crypt_GPG-1.3.2 Maybe that's for another stabilisation bug.
Ah I see, sorry for the noise. Just wanted to be sure.
This is cleaned up now.