Security fixes:
- Cross-Site Scripting (XSS) via malicious HTML content
- CSRF attack can cause an authenticated user to be logged out
- Remote code execution via crafted config options
- Path traversal vulnerability allowing local file inclusion via crafted
'plugins' option
The latter two vulnerabilities are classified as minor because they only
affect Roundcube installations with public access to the Roundcube
installer. That's generally a high-risk situation and is expected to be
rare or practically non-existent in productive Roundcube deployments.
However, the fixes are done in core in order to also prevent future
and yet unknown attack vectors.
Changelog at https://github.com/roundcube/roundcubemail/releases/tag/1.4.4
sthen@ reported that clisp sometimes fails to build, with an error at
MAP_ANON. Some tests, including MAP_ANON, might give a random 'no' when
their fixed addresses conflict with ASLR. Override to 'yes'.
ok sthen@
Alexei dot Malinin at mail dot ru reported a compiler warning that,
in my opinion, probably indicates a security vulnerability, but due
to an incomplete description of the affected feature in the
documentation, it is unclear how it should be fixed. The program
appears to be sloppily written, sloppily documented, and abandoned
upstream 15 years ago.
OK ajacoutot@ for deleting it.
more available.
Also backport an upstream commit so all archs use clock_gettime(2) to
get ticks, instead of architecture/implementation dependent code.
This fixes the build on powerpc.
OK bentley@ (maintainer) and jca@
clang defines __ppc__, unlike ports-gcc that was used previously, and
tries to make use of obsoleted Darwin (Mac OS X) flavored assembly code.
Use the C code instead, until upstream decides what to do about this.
Thanks a lot to gkoehler@ for further precisions!
While here, move HOMEPAGE to https.
OK bcallah@
Do not use the integrated assembler because it breaks the build.
jca@ proposed to include arm in the fix to give this arch a chance
to build it.
While here, move HOMEPAGE to https.
OK jca@
Just use /var/spool/mpd as the home dir but tweak the perms to prevent
group write access and avoid security(8) warnings. If you already have
mpd installed you might want to update the home dir by hand as
documented in the README.
Prompted by questions and diffs from chrisz@ and a report from Moises
Simon, input from ratchov@ and sthen@, ok sthen@
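The home directory check behind this change, as an added example that is not part of the mpd port, its README or OpenBSD's security(8): a small POSIX sh script that flags a home directory writable by group or others and strips those write bits. The directory path and the use of a temporary directory for demonstration are assumptions; on a real system you would point it at the mpd home directory instead.

```sh
#!/bin/sh
# Added example (not from the mpd port or from security(8)):
# detect a group- or world-writable home directory and harden it.

# Print the 10-character symbolic mode string of a path, e.g. drwxrwxr-x.
# Uses ls -ld rather than stat(1), whose flags differ between BSD and GNU.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Return 0 (true) if the group write bit (char 6) or the other write bit
# (char 9) is set, which is the condition a periodic security check flags.
is_group_or_world_writable() {
    m=$(mode_of "$1")
    case "$m" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# Remove write permission for group and others, leaving owner bits and
# the execute/search bits untouched (drwxrwxr-x becomes drwxr-xr-x).
harden_homedir() {
    chmod go-w "$1"
}

# Demonstration on a constructed directory (assumption: a scratch dir
# stands in for the daemon's home directory).
demo() {
    d=$(mktemp -d) || return 1
    chmod 775 "$d"
    if is_group_or_world_writable "$d"; then
        echo "$d is group/world writable ($(mode_of "$d")), fixing"
        harden_homedir "$d"
    fi
    echo "now: $(mode_of "$d")"
    rmdir "$d"
}
```

Run it as `sh check-homedir.sh` after defining `demo`, or source the file and call `is_group_or_world_writable /var/spool/mpd` directly; the check is read-only and `harden_homedir` is the only function that changes anything.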
cpplint.py was only installed for leatherman developers' purposes:
4af4e296f5
No need to attract people's attention towards this 10-year-old python2
script with a MESSAGE.
ok kn@ sthen@
Leatherman is a dependency of facter which is a dependency of puppet.
Assuming that leatherman is most prominently installed for its C++ and
CMake libs, suggest the optional Python 2 dependency in a message rather
than installing it by default.
OK sthen
in spice-client-gtk-3.0.pc. We have seen intermittent failures in bulk builds for
remmina which depends on spice-gtk which it turns out is due to pkg-config not
seeing that spice-client-gtk exists, jasper@ figured out the missing dep.
OK jasper@ aja@
of git conversions of the tree. suggested by f.holop, ok jca@
as pointed out by semarie@, got doesn't support this syntax, but it parses
.cvsignore as well anyway so that's not important.
Some powerpc-specific assembly code uses '.stabs', which clang does not
understand; remove them. Thanks to jca@ and Brad for their help!
OK jca@ and Brad (maintainer)