
Bug#1052611: marked as done (bullseye-pu: package roundcube/1.4.14+dfsg.1-1~deb11u1)



Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id <84bb5ff8312f749ebe536897993782bf35aa1977.camel@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1052611,
regarding bullseye-pu: package roundcube/1.4.14+dfsg.1-1~deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1052611: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1052611
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: roundcube@packages.debian.org
Control: affects -1 + src:roundcube

[ Reason ]

roundcube 1.4.13+dfsg.1-1~deb11u1 is vulnerable to CVE-2023-43770:
cross-site scripting (XSS) vulnerability in handling of linkrefs in
plain text messages.

The Security Team decided not to issue a DSA for that CVE, but it's now
fixed in buster-security (1.3.17+dfsg.1-1~deb10u3) as well as
testing/sid (1.6.3+dfsg-1), so it makes sense to fix it via (o)s-pu
too.

[ Impact ]

Roundcube users will remain vulnerable to the XSS issue.  For users
upgrading from buster-security to bullseye, that would be a security
regression.

[ Tests ]

The XSS fix is covered by automated tests (phpunit) at build time, and I
also manually tested the fix.

[ Risks ]

I believe the regression risk is very low, given the diff is fairly
simple, and this is not a backport but an official upstream release from
the LTS branch.

[ Checklist ]

  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in oldstable
  [x] the issue is verified as fixed in unstable

[ Changes ]

  * New security/bugfix upstream release:
    + Fix CVE-2023-43770: cross-site scripting (XSS) vulnerability in handling
      of linkrefs in plain text messages. (Closes: #1052059)
    + Enigma: Fix initial synchronization of private keys.
  * d/u/signing-key.asc: Add Alec's key BEE674A019359DC1.
  * Refresh d/patches.

[ Other info ]

bullseye(-security) has been following the upstream 1.4 branch, so I
propose to upload 1.4.14+dfsg.1-1~deb11u1 rather than cherry-pick the
CVE-2023-43770 fix on top of 1.4.13+dfsg.1-1~deb11u1.

-- 
Guilhem.
diffstat for roundcube-1.4.13+dfsg.1 roundcube-1.4.14+dfsg.1

 CHANGELOG                                                               |    8 
 composer.json-dist                                                      |    5 
 debian/changelog                                                        |   11 
 debian/patches/fix-FTBFS-with-phpunit-8.5.13-1.patch                    |    4 
 debian/patches/fix-FTBFS-with-phpunit-9.5.0-1.patch                     |    8 
 debian/patches/fix-install-path.patch                                   |    4 
 debian/patches/hint-at-which-packages-needs-installing-under-PHP8.patch |    2 
 debian/patches/update-composer.patch                                    |    9 
 debian/patches/update-script.patch                                      |    2 
 debian/upstream/signing-key.asc                                         |  199 +++++++---
 index.php                                                               |    2 
 installer/index.php                                                     |    2 
 plugins/enigma/lib/enigma_driver_gnupg.php                              |    7 
 program/include/iniset.php                                              |    2 
 program/lib/Roundcube/bootstrap.php                                     |    2 
 program/lib/Roundcube/rcube_string_replacer.php                         |    4 
 public_html/index.php                                                   |    2 
 public_html/plugins/enigma/lib/enigma_driver_gnupg.php                  |    7 
 tests/Framework/StringReplacer.php                                      |   12 
 tests/Framework/Text2Html.php                                           |   17 
 20 files changed, 223 insertions(+), 86 deletions(-)

diff -Nru roundcube-1.4.13+dfsg.1/CHANGELOG roundcube-1.4.14+dfsg.1/CHANGELOG
--- roundcube-1.4.13+dfsg.1/CHANGELOG	2021-12-29 23:45:05.000000000 +0100
+++ roundcube-1.4.14+dfsg.1/CHANGELOG	2023-09-16 22:01:19.000000000 +0200
@@ -1,5 +1,9 @@
-CHANGELOG Roundcube Webmail
-===========================
+# Changelog Roundcube Webmail
+
+RELEASE 1.4.14
+--------------
+- Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages
+- Enigma: Fix initial synchronization of private keys
 
 RELEASE 1.4.13
 --------------
diff -Nru roundcube-1.4.13+dfsg.1/composer.json-dist roundcube-1.4.14+dfsg.1/composer.json-dist
--- roundcube-1.4.13+dfsg.1/composer.json-dist	2021-12-29 23:45:05.000000000 +0100
+++ roundcube-1.4.14+dfsg.1/composer.json-dist	2023-09-16 22:01:19.000000000 +0200
@@ -27,5 +27,10 @@
     "suggest": {
         "kolab/net_ldap3": "~1.1.1 required for connecting to LDAP",
         "mkopinsky/zxcvbn-php": "^4.4.2 required for Zxcvbn password strength driver"
+    },
+    "config": {
+        "allow-plugins": {
+            "roundcube/plugin-installer": true
+        }
     }
 }
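Review bot: The new "config" block enabling allow-plugins for roundcube/plugin-installer is not mentioned in either changelog in this diff: the CHANGELOG hunk lists only the XSS and Enigma fixes, and d/changelog lists the same two plus packaging items. Since this setting lets a Composer plugin run during install and update, a one-line changelog entry saying why it is needed would make the change auditable.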
diff -Nru roundcube-1.4.13+dfsg.1/debian/changelog roundcube-1.4.14+dfsg.1/debian/changelog
--- roundcube-1.4.13+dfsg.1/debian/changelog	2022-01-06 08:51:41.000000000 +0100
+++ roundcube-1.4.14+dfsg.1/debian/changelog	2023-09-25 11:32:59.000000000 +0200
@@ -1,3 +1,14 @@
+roundcube (1.4.14+dfsg.1-1~deb11u1) bullseye; urgency=high
+
+  * New security/bugfix upstream release:
+    + Fix CVE-2023-43770: cross-site scripting (XSS) vulnerability in handling
+      of linkrefs in plain text messages. (Closes: #1052059)
+    + Enigma: Fix initial synchronization of private keys.
+  * d/u/signing-key.asc: Add Alec's key BEE674A019359DC1.
+  * Refresh d/patches.
+
+ -- Guilhem Moulin <guilhem@debian.org>  Mon, 25 Sep 2023 11:32:59 +0200
+
 roundcube (1.4.13+dfsg.1-1~deb11u1) bullseye-security; urgency=high
 
   * New security upstream release, with fix for CVE-2021-46144: XSS
diff -Nru roundcube-1.4.13+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-8.5.13-1.patch roundcube-1.4.14+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-8.5.13-1.patch
--- roundcube-1.4.13+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-8.5.13-1.patch	2022-01-06 08:51:41.000000000 +0100
+++ roundcube-1.4.14+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-8.5.13-1.patch	2023-09-25 11:32:59.000000000 +0200
@@ -1335,7 +1335,7 @@
  
      /**
 diff --git a/tests/Framework/StringReplacer.php b/tests/Framework/StringReplacer.php
-index ace8bf6..9d56fe2 100644
+index 16dff6a..756eddd 100644
 --- a/tests/Framework/StringReplacer.php
 +++ b/tests/Framework/StringReplacer.php
 @@ -5,7 +5,7 @@
@@ -1348,7 +1348,7 @@
  
      /**
 diff --git a/tests/Framework/Text2Html.php b/tests/Framework/Text2Html.php
-index db2dbac..273eeed 100644
+index 1d6ffd2..8f86b86 100644
 --- a/tests/Framework/Text2Html.php
 +++ b/tests/Framework/Text2Html.php
 @@ -5,7 +5,7 @@
diff -Nru roundcube-1.4.13+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-9.5.0-1.patch roundcube-1.4.14+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-9.5.0-1.patch
--- roundcube-1.4.13+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-9.5.0-1.patch	2022-01-06 08:51:41.000000000 +0100
+++ roundcube-1.4.14+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-9.5.0-1.patch	2023-09-25 11:32:59.000000000 +0200
@@ -52,19 +52,19 @@
  
      function test_links()
 diff --git a/tests/Framework/StringReplacer.php b/tests/Framework/StringReplacer.php
-index 9d56fe2..d60cbd0 100644
+index 756eddd..32ce877 100644
 --- a/tests/Framework/StringReplacer.php
 +++ b/tests/Framework/StringReplacer.php
-@@ -75,8 +75,8 @@ class Framework_StringReplacer extends \PHPUnit\Framework\TestCase
+@@ -77,8 +77,8 @@ class Framework_StringReplacer extends \PHPUnit\Framework\TestCase
          $result = $replacer->replace($input);
          $result = $replacer->resolve($result);
  
 -        $this->assertContains('[<a href="http://en.wikipedia.org/wiki/Email";>1</a>] to', $result, "Numeric linkref replacements");
 -        $this->assertContains('[<a href="http://www.link-ref.com";>ref0</a>] repl', $result, "Alphanum linkref replacements");
--        $this->assertContains('of [Roundcube].', $result, "Don't touch strings wihtout an index entry");
+-        $this->assertContains('of [Roundcube].[ref<0]', $result, "Don't touch strings wihtout an index entry");
 +        $this->assertStringContainsString('[<a href="http://en.wikipedia.org/wiki/Email";>1</a>] to', $result, "Numeric linkref replacements");
 +        $this->assertStringContainsString('[<a href="http://www.link-ref.com";>ref0</a>] repl', $result, "Alphanum linkref replacements");
-+        $this->assertStringContainsString('of [Roundcube].', $result, "Don't touch strings wihtout an index entry");
++        $this->assertStringContainsString('of [Roundcube].[ref<0]', $result, "Don't touch strings wihtout an index entry");
      }
  }
 diff --git a/tests/Framework/Utils.php b/tests/Framework/Utils.php
diff -Nru roundcube-1.4.13+dfsg.1/debian/patches/fix-install-path.patch roundcube-1.4.14+dfsg.1/debian/patches/fix-install-path.patch
--- roundcube-1.4.13+dfsg.1/debian/patches/fix-install-path.patch	2022-01-06 08:51:41.000000000 +0100
+++ roundcube-1.4.14+dfsg.1/debian/patches/fix-install-path.patch	2023-09-25 11:32:59.000000000 +0200
@@ -161,10 +161,10 @@
  require_once INSTALL_PATH . 'program/include/clisetup.php';
  
 diff --git a/program/include/iniset.php b/program/include/iniset.php
-index 1f8bfd7..a26900e 100644
+index d9388db..11142d2 100644
 --- a/program/include/iniset.php
 +++ b/program/include/iniset.php
-@@ -28,7 +28,7 @@ define('RCMAIL_VERSION', '1.4.13');
+@@ -28,7 +28,7 @@ define('RCMAIL_VERSION', '1.4.14');
  define('RCMAIL_START', microtime(true));
  
  if (!defined('INSTALL_PATH')) {
diff -Nru roundcube-1.4.13+dfsg.1/debian/patches/hint-at-which-packages-needs-installing-under-PHP8.patch roundcube-1.4.14+dfsg.1/debian/patches/hint-at-which-packages-needs-installing-under-PHP8.patch
--- roundcube-1.4.13+dfsg.1/debian/patches/hint-at-which-packages-needs-installing-under-PHP8.patch	2022-01-06 08:51:41.000000000 +0100
+++ roundcube-1.4.14+dfsg.1/debian/patches/hint-at-which-packages-needs-installing-under-PHP8.patch	2023-09-25 11:32:59.000000000 +0200
@@ -15,7 +15,7 @@
  1 file changed, 3 insertions(+), 1 deletion(-)
 
 diff --git a/program/include/iniset.php b/program/include/iniset.php
-index 3919f74..cb6636b 100644
+index 9c4c773..956750d 100644
 --- a/program/include/iniset.php
 +++ b/program/include/iniset.php
 @@ -20,7 +20,9 @@
diff -Nru roundcube-1.4.13+dfsg.1/debian/patches/update-composer.patch roundcube-1.4.14+dfsg.1/debian/patches/update-composer.patch
--- roundcube-1.4.13+dfsg.1/debian/patches/update-composer.patch	2022-01-06 08:51:41.000000000 +0100
+++ roundcube-1.4.14+dfsg.1/debian/patches/update-composer.patch	2023-09-25 11:32:59.000000000 +0200
@@ -20,10 +20,10 @@
  1 file changed, 10 insertions(+), 12 deletions(-)
 
 diff --git a/composer.json-dist b/composer.json-dist
-index 192551a..2307894 100644
+index 13064ce..a73e69d 100644
 --- a/composer.json-dist
 +++ b/composer.json-dist
-@@ -10,22 +10,20 @@
+@@ -10,23 +10,21 @@
      ],
      "require": {
          "php": ">=5.4.0 <8",
@@ -54,5 +54,6 @@
 +        "kolab/net_ldap3": ">=1.1.1",
 +        "pear-pear.php.net/crypt_gpg": ">=1.6.0",
 +        "mkopinsky/zxcvbn-php": ">=4.4.2 required for Zxcvbn password strength driver"
-     }
- }
+     },
+     "config": {
+         "allow-plugins": {
diff -Nru roundcube-1.4.13+dfsg.1/debian/patches/update-script.patch roundcube-1.4.14+dfsg.1/debian/patches/update-script.patch
--- roundcube-1.4.13+dfsg.1/debian/patches/update-script.patch	2022-01-06 08:51:41.000000000 +0100
+++ roundcube-1.4.14+dfsg.1/debian/patches/update-script.patch	2023-09-25 11:32:59.000000000 +0200
@@ -88,7 +88,7 @@
  
      // update composer dependencies
 diff --git a/program/include/iniset.php b/program/include/iniset.php
-index a26900e..3919f74 100644
+index 11142d2..9c4c773 100644
 --- a/program/include/iniset.php
 +++ b/program/include/iniset.php
 @@ -39,6 +39,10 @@ if (!defined('RCUBE_LOCALIZATION_DIR')) {
diff -Nru roundcube-1.4.13+dfsg.1/debian/upstream/signing-key.asc roundcube-1.4.14+dfsg.1/debian/upstream/signing-key.asc
--- roundcube-1.4.13+dfsg.1/debian/upstream/signing-key.asc	2022-01-06 08:51:41.000000000 +0100
+++ roundcube-1.4.14+dfsg.1/debian/upstream/signing-key.asc	2023-09-25 11:32:59.000000000 +0200
@@ -116,62 +116,145 @@
 -----END PGP PUBLIC KEY BLOCK-----
diff -Nru roundcube-1.4.13+dfsg.1/index.php roundcube-1.4.14+dfsg.1/index.php
--- roundcube-1.4.13+dfsg.1/index.php	2021-12-29 23:45:05.000000000 +0100
+++ roundcube-1.4.14+dfsg.1/index.php	2023-09-16 22:01:19.000000000 +0200
@@ -2,7 +2,7 @@
 /**
  +-------------------------------------------------------------------------+
  | Roundcube Webmail IMAP Client                                           |
- | Version 1.4.13                                                          |
+ | Version 1.4.14                                                          |
  |                                                                         |
  | Copyright (C) The Roundcube Dev Team                                    |
  |                                                                         |
diff -Nru roundcube-1.4.13+dfsg.1/installer/index.php roundcube-1.4.14+dfsg.1/installer/index.php
--- roundcube-1.4.13+dfsg.1/installer/index.php	2021-12-29 23:45:05.000000000 +0100
+++ roundcube-1.4.14+dfsg.1/installer/index.php	2023-09-16 22:01:19.000000000 +0200
@@ -3,7 +3,7 @@
 /**
  +-------------------------------------------------------------------------+
  | Roundcube Webmail setup tool                                            |
- | Version 1.4.13                                                          |
+ | Version 1.4.14                                                          |
  |                                                                         |
  | Copyright (C) The Roundcube Dev Team                                    |
  |                                                                         |
diff -Nru roundcube-1.4.13+dfsg.1/plugins/enigma/lib/enigma_driver_gnupg.php roundcube-1.4.14+dfsg.1/plugins/enigma/lib/enigma_driver_gnupg.php
--- roundcube-1.4.13+dfsg.1/plugins/enigma/lib/enigma_driver_gnupg.php	2021-12-29 23:45:05.000000000 +0100
+++ roundcube-1.4.14+dfsg.1/plugins/enigma/lib/enigma_driver_gnupg.php	2023-09-16 22:01:19.000000000 +0200
@@ -586,6 +586,13 @@
                     continue;
                 }
 
+                // Private keys might be located in 'private-keys-v1.d' subdirectory. Make sure it exists.
+                if (strpos($file, '/private-keys-v1.d/')) {
+                    if (!file_exists($this->homedir . '/private-keys-v1.d')) {
+                        mkdir($this->homedir . '/private-keys-v1.d', 0700);
+                    }
+                }
+
                 $tmpfile = $file . '.tmp';
 
                 if (file_put_contents($tmpfile, $data, LOCK_EX) === strlen($data)) {
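Review bot: The condition if (strpos($file, '/private-keys-v1.d/')) in the added block treats the strpos() result as a boolean, so a match at offset 0 evaluates as false; compare with !== false to make the intent explicit. The mkdir() return value is also unchecked and the file_exists()/mkdir() pair is not atomic, so a failed or raced creation only surfaces later at file_put_contents(); checking is_dir() after mkdir() and bailing out with an error would make the failure visible where it happens. The 0700 mode is appropriate for a private key directory.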
diff -Nru roundcube-1.4.13+dfsg.1/program/include/iniset.php roundcube-1.4.14+dfsg.1/program/include/iniset.php
--- roundcube-1.4.13+dfsg.1/program/include/iniset.php	2021-12-29 23:45:05.000000000 +0100
+++ roundcube-1.4.14+dfsg.1/program/include/iniset.php	2023-09-16 22:01:19.000000000 +0200
@@ -24,7 +24,7 @@
 }
 
 // application constants
-define('RCMAIL_VERSION', '1.4.13');
+define('RCMAIL_VERSION', '1.4.14');
 define('RCMAIL_START', microtime(true));
 
 if (!defined('INSTALL_PATH')) {
diff -Nru roundcube-1.4.13+dfsg.1/program/lib/Roundcube/bootstrap.php roundcube-1.4.14+dfsg.1/program/lib/Roundcube/bootstrap.php
--- roundcube-1.4.13+dfsg.1/program/lib/Roundcube/bootstrap.php	2021-12-29 23:45:05.000000000 +0100
+++ roundcube-1.4.14+dfsg.1/program/lib/Roundcube/bootstrap.php	2023-09-16 22:01:19.000000000 +0200
@@ -58,7 +58,7 @@
 }
 
 // framework constants
-define('RCUBE_VERSION', '1.4.13');
+define('RCUBE_VERSION', '1.4.14');
 define('RCUBE_CHARSET', 'UTF-8');
 define('RCUBE_TEMP_FILE_PREFIX', 'RCMTEMP');
 
diff -Nru roundcube-1.4.13+dfsg.1/program/lib/Roundcube/rcube_string_replacer.php roundcube-1.4.14+dfsg.1/program/lib/Roundcube/rcube_string_replacer.php
--- roundcube-1.4.13+dfsg.1/program/lib/Roundcube/rcube_string_replacer.php	2021-12-29 23:45:05.000000000 +0100
+++ roundcube-1.4.14+dfsg.1/program/lib/Roundcube/rcube_string_replacer.php	2023-09-16 22:01:19.000000000 +0200
@@ -59,8 +59,8 @@
         $link_prefix = "([\w]+:\/\/|{$this->noword}[Ww][Ww][Ww]\.|^[Ww][Ww][Ww]\.)";
 
         $this->options         = $options;
-        $this->linkref_index   = '/\[([^\]#]+)\](:?\s*' . substr($this->pattern, 1, -1) . ')/';
-        $this->linkref_pattern = '/\[([^\]#]+)\]/';
+        $this->linkref_index   = '/\[([^<>\]#]+)\](:?\s*' . substr($this->pattern, 1, -1) . ')/';
+        $this->linkref_pattern = '/\[([^<>\]#]+)\]/';
         $this->link_pattern    = "/$link_prefix($utf_domain([$url1]*[$url2]+)*)/";
         $this->mailto_pattern  = "/("
             . "[-\w!\#\$%&*+~\/^`|{}=]+(?:\.[-\w!\#\$%&*+~\/^`|{}=]+)*"  // local-part
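Review bot: The new character class [^<>\]#] in linkref_index and linkref_pattern excludes only angle brackets, so quote characters and & are still accepted in a linkref key, and this hunk does not show where the captured key is written into the output. If the key ends up inside markup, encoding it at the point of output would be more robust than excluding characters in the pattern; at minimum, add a comment above the two assignments explaining why < and > are rejected so the class is not loosened later.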
diff -Nru roundcube-1.4.13+dfsg.1/public_html/index.php roundcube-1.4.14+dfsg.1/public_html/index.php
--- roundcube-1.4.13+dfsg.1/public_html/index.php	2021-12-29 23:45:05.000000000 +0100
+++ roundcube-1.4.14+dfsg.1/public_html/index.php	2023-09-16 22:01:19.000000000 +0200
@@ -3,7 +3,7 @@
 /*
  +-----------------------------------------------------------------------+
  | Roundcube Webmail IMAP Client                                         |
- | Version 1.4.13                                                        |
+ | Version 1.4.14                                                        |
  |                                                                       |
  | Copyright (C) The Roundcube Dev Team                                  |
  |                                                                       |
diff -Nru roundcube-1.4.13+dfsg.1/public_html/plugins/enigma/lib/enigma_driver_gnupg.php roundcube-1.4.14+dfsg.1/public_html/plugins/enigma/lib/enigma_driver_gnupg.php
--- roundcube-1.4.13+dfsg.1/public_html/plugins/enigma/lib/enigma_driver_gnupg.php	2021-12-29 23:45:05.000000000 +0100
+++ roundcube-1.4.14+dfsg.1/public_html/plugins/enigma/lib/enigma_driver_gnupg.php	2023-09-16 22:01:19.000000000 +0200
@@ -586,6 +586,13 @@
                     continue;
                 }
 
+                // Private keys might be located in 'private-keys-v1.d' subdirectory. Make sure it exists.
+                if (strpos($file, '/private-keys-v1.d/')) {
+                    if (!file_exists($this->homedir . '/private-keys-v1.d')) {
+                        mkdir($this->homedir . '/private-keys-v1.d', 0700);
+                    }
+                }
+
                 $tmpfile = $file . '.tmp';
 
                 if (file_put_contents($tmpfile, $data, LOCK_EX) === strlen($data)) {
diff -Nru roundcube-1.4.13+dfsg.1/tests/Framework/StringReplacer.php roundcube-1.4.14+dfsg.1/tests/Framework/StringReplacer.php
--- roundcube-1.4.13+dfsg.1/tests/Framework/StringReplacer.php	2021-12-29 23:45:05.000000000 +0100
+++ roundcube-1.4.14+dfsg.1/tests/Framework/StringReplacer.php	2023-09-16 22:01:19.000000000 +0200
@@ -64,12 +64,14 @@
         $this->assertEquals($output, $result);
     }
 
+    /**
+     * Test link references
+     */
     function test_linkrefs()
     {
-        $input = "This is a sample message [1] to test the new linkref [ref0] replacement feature of [Roundcube].\n";
-        $input.= "\n";
-        $input.= "[1] http://en.wikipedia.org/wiki/Email\n";;
-        $input.= "[ref0] www.link-ref.com\n";
+        $input = "This is a sample message [1] to test the linkref [ref0] replacement feature of [Roundcube].[ref<0]\n"
+            . "[1] http://en.wikipedia.org/wiki/Email\n";
+            . "[ref0] www.link-ref.com\n";
 
         $replacer = new rcube_string_replacer;
         $result = $replacer->replace($input);
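Review bot: As rendered here, the second added $input line ends with \n"; and is followed by a continuation line starting with . "[ref0] ..., which would be a PHP parse error because the statement is already terminated. The same trailing ; follows other quoted URLs on this page (for example href="http://www.link-ref.com";> in the assertions), so it may come from the archive rendering rather than the file; confirm the shipped test has no ; on the [1] http://en.wikipedia.org/wiki/Email line.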
@@ -77,6 +79,6 @@
 
         $this->assertContains('[<a href="http://en.wikipedia.org/wiki/Email";>1</a>] to', $result, "Numeric linkref replacements");
         $this->assertContains('[<a href="http://www.link-ref.com";>ref0</a>] repl', $result, "Alphanum linkref replacements");
-        $this->assertContains('of [Roundcube].', $result, "Don't touch strings wihtout an index entry");
+        $this->assertContains('of [Roundcube].[ref<0]', $result, "Don't touch strings wihtout an index entry");
     }
 }
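Review bot: The [ref<0] added to the last assertion has no index line in $input (only [1] and [ref0] are defined), so this check passes for any bracketed string without an index entry and does not by itself show that a key containing < is rejected. Add a case where a key containing < or > does have an index line, as test_text2html_xss2 does, and fix the "wihtout" typo in the assertion message while the line is being changed.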
diff -Nru roundcube-1.4.13+dfsg.1/tests/Framework/Text2Html.php roundcube-1.4.14+dfsg.1/tests/Framework/Text2Html.php
--- roundcube-1.4.13+dfsg.1/tests/Framework/Text2Html.php	2021-12-29 23:45:05.000000000 +0100
+++ roundcube-1.4.14+dfsg.1/tests/Framework/Text2Html.php	2023-09-16 22:01:19.000000000 +0200
@@ -137,4 +137,21 @@
 
         $this->assertEquals($expected, $html);
     }
+
+    /**
+     * Test XSS issue
+     */
+    function test_text2html_xss2()
+    {
+        $input = "\n[<script>evil</script>] https://google.com\n";;
+        $t2h = new rcube_text2html($input);
+
+        $html = $t2h->get_html();
+
+        $expected = "<div class=\"pre\"><br>\n[&lt;script&gt;evil&lt;/script&gt;] "
+            . "<a rel=\"noreferrer\" target=\"_blank\" href=\"https://google.com\";>https://google.com</a><br>\n"
+            . "</div>";
+
+        $this->assertEquals($expected, $html);
+    }
 }
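Review bot: The docblock on test_text2html_xss2 says only "Test XSS issue"; state what the case covers (markup in a linkref key followed by a URL, the CVE-2023-43770 fix named in the changelog) so the regression test stays traceable to the advisory. The input exercises a single key containing <script>; a second input with a key containing only > or only < would pin down both characters added to the pattern.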



--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.8

Hi,

The updates referred to by each of these requests were included in
today's 11.8 bullseye point release.

Regards,

Adam

--- End Message ---
