Opened 3 years ago

Closed 3 years ago

#10391 closed Task/To do item (fixed)

Roundcube Webmail 1.1.0 released

Reported by: https://id.mayfirst.org/srevilak Owned by: https://id.mayfirst.org/srevilak
Priority: Medium Component: Tech
Keywords: roundcube, stallman.mayfirst.org Cc:
Sensitive: no

Description

There's a new version of Roundcube -- time to upgrade.

Date: Mon, 9 Feb 2015 21:05:48 +0100
From: Thomas Bruederli <thomas@roundcube.net>
To: Roundcube Announce List <announce@lists.roundcube.net>
Cc: Roundcube Users List <users@lists.roundcube.net>, Roundcube Dev List
        <dev@lists.roundcube.net>
Subject: [Roundcube Announce] Roundcube Webmail 1.1.0 released
Message-ID: <CAO3naw6cn5_n406px=9Yj6nca90B4XKZV4KjUQqu=kDQtAQz1Q@mail.gmail.com>

Dear subscribers

We’re proud to announce the arrival of the next major version 1.1.0 of
Roundcube webmail which is now available for download. With this
milestone we introduce new features since version 1.0 as well as some
clean-up with the 3rd party libraries:

- Allow searching across multiple folders
- Improved support for screen readers and assistive technology using
WCAG 2.0 and WAI ARIA standards
- Update to TinyMCE 4.1 to support images in HTML signatures (copy & paste)
- Added namespace filter and folder searching in folder manager
- New config option to disable UI elements/actions
- Stronger password encryption using OpenSSL
- Support for the IMAP SPECIAL-USE extension
- Support for Oracle as database backend
- Manage 3rd party libs with Composer

In addition to that, we added some new features to improve protection
against possible but yet unknown CSRF attacks - thanks to the help of
Kolab Systems who supplied the concept and development resources for
this.

Although the new security features are yet experimental and disabled
by default, our wiki describes how to enable the Secure URLs [1] and
give it a try.

And of course, this new version also includes all patches for reported
CSRF and XSS vulnerabilities previously released in the 1.0.x series.

IMPORTANT: with the 1.1.x series, we drop support for PHP < 5.3.7 and
Internet Explorer < 9.
IE7/IE8 support can be restored by enabling the ‘legacy_browser’
plugin which is part of the default package.

See the complete changelog at http://trac.roundcube.net/wiki/Changelog
and download the new packages from http://roundcube.net/download.

The download packages come in two flavors: "dependent", which requires
the manual installation of 3rd party libs using Composer and
"complete", with all the required libraries already packed into the
vendor directory and ready to run.

Best,
Thomas

[1] http://trac.roundcube.net/wiki/Howto_Config/Secure_URLs

Change History (9)

comment:1 Changed 3 years ago by https://id.mayfirst.org/srevilak

  • Owner set to https://id.mayfirst.org/srevilak
  • Status changed from new to assigned

comment:2 Changed 3 years ago by https://id.mayfirst.org/dkg

Cool, looking forward to trying this out on https://roundcube.dev.mayfirst.org/. Thanks, srevilak!

comment:3 Changed 3 years ago by https://id.mayfirst.org/srevilak

Code Prep

0 sunny:roundcube$ git remote update
Fetching gmo
Fetching origin
remote: Counting objects: 578, done.
remote: Compressing objects: 100% (384/384), done.
remote: Total 578 (delta 289), reused 361 (delta 191)
Receiving objects: 100% (578/578), 639.59 KiB | 0 bytes/s, done.
Resolving deltas: 100% (289/289), done.
From https://github.com/roundcube/roundcubemail
   b7c35d5..4e3de10  master     -> origin/master
   bd3e202..5321cbd  release-1.0 -> origin/release-1.0
 * [new branch]      release-1.1 -> origin/release-1.1
 * [new tag]         1.1.0      -> 1.1.0

0 sunny:roundcube$ git branch -r --contains 1.1.0
  origin/master
  origin/release-1.1

The 1.1.0 tag lives on the upstream release-1.1 branch. So, let's cut a new local tracking branch.

0 sunny:roundcube$ git checkout -b mfpl-release-1.1 1.1.0
Switched to a new branch 'mfpl-release-1.1'
0 sunny:roundcube$ 

0 sunny:roundcube$ git log --oneline 1.0.5..roundcube-1.0.5-mfpl1
796f603 Merge tag '1.0.5' into mfpl-release-1.0
a0daf9a Merge tag '1.0.4' into mfpl-release-1.0
5def02c Merge branch 'mfpl-release-1.0' of git://git.mayfirst.org/mfpl/roundcube into mfpl-release-1.0
4c14f9a (fetch_identity_objects): avoid redundant call to unserialize
dabb303 Adding two plugins: import_horde_contacts, import_horde_identities
4a8aac8 (fetch_identity_objects): avoid redundant call to unserialize
96c2a16 Adding two plugins: import_horde_contacts, import_horde_identities


0 sunny:roundcube$ git cherry-pick 96c2a16
[mfpl-release-1.1 cd41b88] Adding two plugins: import_horde_contacts, import_horde_identities
 Date: Sat Dec 1 21:11:29 2012 -0500
 2 files changed, 212 insertions(+)
 create mode 100644 plugins/import_horde_contacts/import_horde_contacts.php
 create mode 100644 plugins/import_horde_identities/import_horde_identities.php
0 sunny:roundcube$ git cherry-pick 4a8aac8
[mfpl-release-1.1 52a3d9c] (fetch_identity_objects): avoid redundant call to unserialize
 Date: Sat Dec 1 22:02:41 2012 -0500
 1 file changed, 1 insertion(+), 1 deletion(-)

0 sunny:roundcube$ git log --oneline 1.1.0..HEAD
52a3d9c (fetch_identity_objects): avoid redundant call to unserialize
cd41b88 Adding two plugins: import_horde_contacts, import_horde_identities

That looks good: 1.1.0, plus our two plugins. Cut tag and push.

$ git tag -s roundcube-1.1.0-mfpl1

0 sunny:roundcube$ git push gmo mfpl-release-1.1
Counting objects: 549, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (304/304), done.
Writing objects: 100% (549/549), 159.52 KiB | 0 bytes/s, done.
Total 549 (delta 386), reused 399 (delta 238)
remote: To git-roundcube@moses.mayfirst.org:/srv/git/roundcube
remote:  * [new branch]      mfpl-release-1.1 -> mfpl-release-1.1
To ssh://gitosis@git.mayfirst.org/mfpl/roundcube
 * [new branch]      mfpl-release-1.1 -> mfpl-release-1.1


0 sunny:roundcube$ git push gmo mfpl-release-1.1 --tags
Counting objects: 1, done.
Writing objects: 100% (1/1), 813 bytes | 0 bytes/s, done.
Total 1 (delta 0), reused 0 (delta 0)
remote: To git-roundcube@moses.mayfirst.org:/srv/git/roundcube
remote:  * [new tag]         1.1.0 -> 1.1.0
remote:  * [new tag]         roundcube-1.1.0-mfpl1 -> roundcube-1.1.0-mfpl1
To ssh://gitosis@git.mayfirst.org/mfpl/roundcube
 * [new tag]         1.1.0 -> 1.1.0
 * [new tag]         roundcube-1.1.0-mfpl1 -> roundcube-1.1.0-mfpl1
0 sunny:roundcube$ 

comment:4 Changed 3 years ago by https://id.mayfirst.org/srevilak

roundcube.dev (basic upgrade)

0 roundcube-code@stallman:/srv/roundcube-dev$ git remote update
Fetching gmo
remote: Counting objects: 11088, done.
remote: Compressing objects: 100% (3373/3373), done.
remote: Total 9719 (delta 6735), reused 9086 (delta 6126)
Receiving objects: 100% (9719/9719), 3.70 MiB | 2.07 MiB/s, done.
Resolving deltas: 100% (6735/6735), completed with 497 local objects.
From git://git.mayfirst.org/mfpl/roundcube
 * [new branch]      mfpl-release-1.1 -> gmo/mfpl-release-1.1
 * [new tag]         roundcube-1.1.0-mfpl1 -> roundcube-1.1.0-mfpl1
From git://git.mayfirst.org/mfpl/roundcube
 * [new tag]         1.1-beta   -> 1.1-beta
 * [new tag]         1.1-rc     -> 1.1-rc
 * [new tag]         1.1.0      -> 1.1.0
0 roundcube-code@stallman:/srv/roundcube-dev$


128 roundcube-code@stallman:/srv/roundcube-dev$ git tag -v roundcube-1.1.0-mfpl1
object 52a3d9c4317094ab04e22c7a0b6009d0791f3855
type commit
tag roundcube-1.1.0-mfpl1
tagger Steve Revilak <steve@...> 1424641956 -0500

Taking 1.1.0 from upstream
gpg: Signature made Sun 22 Feb 2015 04:52:58 PM EST
gpg:                using RSA key 0x3EB22DE4E594DCF2
gpg: Good signature from "Steve Revilak <steve@....>"


0 roundcube-code@stallman:/srv/roundcube-dev$ git checkout roundcube-1.1.0-mfpl1
Previous HEAD position was 796f603... Merge tag '1.0.5' into mfpl-release-1.0
HEAD is now at 52a3d9c... (fetch_identity_objects): avoid redundant call to unserialize

Oops, something went wrong:

0 roundcube-dev@stallman:/srv/roundcube-dev$ php bin/update.sh 
ERROR: Failed to load plugin file /srv/roundcube-dev/plugins/filters/filters.phpWhat version are you upgrading from? Type '?' if you don't know.
?
Executing database schema update.
ERROR: Failed to load plugin file /srv/roundcube-dev/plugins/filters/filters.phpThis instance of Roundcube is up-to-date.
Have fun!
0 roundcube-dev@stallman:/srv/roundcube-dev$

Appears that our configuration references a filter that's no longer part of the roundcube distribution.

0 roundcube-code@stallman:/srv/roundcube-dev/config$ grep filters config.inc.php
$config['plugins'] = array ('new_user_dialog', 'import_horde_contacts', 'import_horde_identities', 'filters');

Removed the `filters' plugin, and tried again.

0 roundcube-dev@stallman:/srv/roundcube-dev$ php bin/update.sh 
What version are you upgrading from? Type '?' if you don't know.
?
Executing database schema update.
This instance of Roundcube is up-to-date.
Have fun!
0 roundcube-dev@stallman:/srv/roundcube-dev$ 


0 roundcube-dev@stallman:/srv/roundcube-dev$ php bin/indexcontacts.sh 
Indexing contacts for user 1...done.
Indexing contacts for user 2...done.
  ...
Indexing contacts for user 53...done.
Indexing contacts for user 54...done.
0 roundcube-dev@stallman:/srv/roundcube-dev$

Sigh. Logging in to roundcube.dev gives me a white screen of death :(

[22-Feb-2015 22:05:23 UTC] PHP Fatal error:  Class 'Net_IDNA2' not found in /srv/roundcube-dev/program/lib/Roundcube/bootstrap.php on line 438
[22-Feb-2015 22:05:40 UTC] PHP Fatal error:  Class 'Net_IDNA2' not found in /srv/roundcube-dev/program/lib/Roundcube/bootstrap.php on line 438

According to https://github.com/roundcube/roundcubemail/blob/master/program/lib/Roundcube/bootstrap.php, this class is loaded if the functions idn_to_utf8 and idn_to_ascii don't exist.

http://php.net/manual/en/ref.intl.idn.php tells me that these functions are contained in php5-idn.

127 stallman:~# apt-get install php5-idn
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Note, selecting 'php5-intl' instead of 'php5-idn'
The following extra packages will be installed:
  libapache2-mod-php5 libicu48 php5-cgi php5-cli php5-common php5-imap php5-mcrypt php5-mysql
  php5-pgsql
The following NEW packages will be installed:
  libicu48 php5-intl
The following packages will be upgraded:
  libapache2-mod-php5 php5-cgi php5-cli php5-common php5-imap php5-mcrypt php5-mysql
  php5-pgsql
8 upgraded, 2 newly installed, 0 to remove and 86 not upgraded.
Need to get 4,814 kB/16.1 MB of archives.
After this operation, 24.0 MB of additional disk space will be used.
Do you want to continue [Y/n]? n
Abort.
1 stallman:~#

This doesn't look too bad, but I'd like to get a second opinion before upgrading.

For now, go back to the prior roundcube version.

0 roundcube-code@stallman:/srv/roundcube-dev$ git checkout roundcube-1.0.5-mfpl1
Previous HEAD position was 52a3d9c... (fetch_identity_objects): avoid redundant call to unserialize
HEAD is now at 796f603... Merge tag '1.0.5' into mfpl-release-1.0

comment:5 Changed 3 years ago by https://id.mayfirst.org/srevilak

roundcube.dev upgrade (take 2)

Installed php-intl on stallman. Roundcube 1.1 requires PHP IDN functions.

After installing the new php modules, restarted roundcube-dev.

100 stallman:~# sv stop roundcube-dev
ok: down: roundcube-dev: 0s, normally up
0 stallman:~# sv start roundcube-dev
ok: run: roundcube-dev: (pid 734) 0s
0 stallman:~#
0 roundcube-code@stallman:/srv/roundcube-dev$ git branch -v  | head -1
* (no branch) 796f603 Merge tag '1.0.5' into mfpl-release-1.0


0 roundcube-code@stallman:/srv/roundcube-dev$ git checkout roundcube-1.1.0-mfpl1
Previous HEAD position was 796f603... Merge tag '1.0.5' into mfpl-release-1.0
HEAD is now at 52a3d9c... (fetch_identity_objects): avoid redundant call to unserialize

0 roundcube-dev@stallman:/srv/roundcube-dev$ php bin/update.sh
What version are you upgrading from? Type '?' if you don't know.
?
Executing database schema update.
This instance of Roundcube is up-to-date.
Have fun!
0 roundcube-dev@stallman:/srv/roundcube-dev$

Yay, now I can log in to roundcube.dev!

That's the basic upgrade. Next: have a look at the new CSRF prevention mechanisms that are in v1.1.

comment:6 Changed 3 years ago by https://id.mayfirst.org/srevilak

  • Keywords stallman.mayfirst.org added

comment:7 Changed 3 years ago by https://id.mayfirst.org/srevilak

roundcube.dev CSRF configuration

Here's the basic gist. Added this bit to roundcube-dev's config.inc.php:

// Improve system security by using special URL with security token.
// This can be set to a number defining token length. Default: 16.
// Warning: This requires http server configuration. Sample:
//    RewriteRule ^/roundcubemail/[a-f0-9]{16}/(.*) /roundcubemail/$1 [PT]
//    Alias /roundcubemail /var/www/roundcubemail/
// Note: Use assets_path to not prevent the browser from caching assets
$config['use_secure_urls'] = 16;

Next, modified /etc/apache2/sites-enabled/roundcube.dev.mayfirst.org, so that the RewriteRules section looks like this:

           RewriteEngine On
           # the first rule strips roundcube security tokens.  See
           # http://trac.roundcube.net/wiki/Howto_Config/Secure_URLs
           # `16' must match the length specified by $config['use_secure_urls']
           RewriteRule ^/[a-f0-9]{16}/(.*) /$1
           # the next two rules are for fastcgi
           RewriteRule ^$ /index.php
           RewriteRule ^(.*)/$ $1/index.php

Reloaded apache, restarted roundcube.

Now, roundcube URL accesses look like this:

https://roundcube.dev.mayfirst.org/zzzzzzzzzzzzzzzz/?_task=mail&_mbox=INBOX

where 'zzzzzz...' is a hex string.

Suppose you have an active session. If the leading path token is not 16 (hex) characters long, you'll get a 404.

If you change the 16-character hex token, you'll see "REQUEST CHECK FAILED" ... "click here to try again". Clicking "click here to try again" restores the CSRF session token.
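The two checks described in this comment (the Apache RewriteRule that strips a well-formed token, and Roundcube's comparison of that token against the session) can be modelled in a few lines. The Python below is an added illustration, not Roundcube's own code and not part of the ticket; it assumes the token length of 16 configured above, a hypothetical `session_token` value standing in for whatever Roundcube stores in the session, and paths without a query string (Apache's RewriteRule matches the path only). It mirrors the outcomes the comment reports: no well-formed token means the rewrite does not fire and the request 404s, a well-formed but wrong token is stripped and then rejected as a failed request check, and only the matching token passes.

```python
import re
import secrets

# Must match $config['use_secure_urls'] (16 on this page) and the {16}
# quantifier in the RewriteRule. Assumption: an even length, so that
# secrets.token_hex can produce it directly.
TOKEN_LEN = 16

# Python form of: RewriteRule ^/[a-f0-9]{16}/(.*) /$1
# Note the character class is lowercase hex only, exactly as in the rule.
_TOKEN_RE = re.compile(r"^/([a-f0-9]{%d})/(.*)$" % TOKEN_LEN)


def new_token(length=TOKEN_LEN):
    """Hex token of the configured length drawn from the OS CSPRNG."""
    return secrets.token_hex(length // 2)  # token_hex(n) yields 2n hex chars


def strip_token(path):
    """Mirror the RewriteRule: return (token, rewritten_path).

    If the leading segment is not exactly TOKEN_LEN lowercase hex characters
    the rule does not match, so the path is returned unchanged with no token.
    """
    m = _TOKEN_RE.match(path)
    if not m:
        return None, path
    return m.group(1), "/" + m.group(2)


def check_request(path, session_token):
    """Classify a request the way the comment describes the observed behaviour.

    - no well-formed token: the rewrite never fires, the literal path does not
      exist under the document root, so the server answers 404;
    - well-formed but different token: Roundcube compares it with the session
      token and reports "REQUEST CHECK FAILED";
    - matching token: request proceeds on the rewritten path.
    """
    token, rewritten = strip_token(path)
    if token is None:
        return "404", path
    # Constant-time comparison; the token is a secret bound to the session.
    if not secrets.compare_digest(token, session_token):
        return "REQUEST CHECK FAILED", rewritten
    return "OK", rewritten


if __name__ == "__main__":
    # Constructed sample session token (hypothetical value, not from the page).
    session_token = new_token()
    for p in ("/%s/" % session_token,           # correct token
              "/%s/" % new_token(),             # right shape, wrong token
              "/abc/",                          # too short: rewrite does not fire
              "/%s/" % session_token.upper()):  # uppercase is not [a-f0-9]
        print("%-40s -> %s" % (p, check_request(p, session_token)))
```

The constant-time comparison is not something the page claims Roundcube does; it is simply the right way to compare a per-session secret in code you write yourself. The uppercase case is worth noting when adapting the rule: Roundcube emits lowercase hex, so the stricter class is fine, but a hand-typed uppercase token falls through to the 404 path rather than the request check.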

comment:8 Changed 3 years ago by https://id.mayfirst.org/srevilak

roundcube.mayfirst.org upgrade

# pre-upgrade
0 roundcube-code@stallman:/srv/roundcube$ git branch -v | head -1
* (no branch) 796f603 Merge tag '1.0.5' into mfpl-release-1.0


# fetch new code
0 roundcube-code@stallman:/srv/roundcube$ git remote update
Fetching gmo
remote: Counting objects: 11088, done.
remote: Compressing objects: 100% (3373/3373), done.
remote: Total 9719 (delta 6735), reused 9086 (delta 6126)
Receiving objects: 100% (9719/9719), 3.70 MiB | 5.52 MiB/s, done.
Resolving deltas: 100% (6735/6735), completed with 497 local objects.
From git://git.mayfirst.org/mfpl/roundcube
 * [new branch]      mfpl-release-1.1 -> gmo/mfpl-release-1.1
 * [new tag]         roundcube-1.1.0-mfpl1 -> roundcube-1.1.0-mfpl1
From git://git.mayfirst.org/mfpl/roundcube
 * [new tag]         1.1-beta   -> 1.1-beta
 * [new tag]         1.1-rc     -> 1.1-rc
 * [new tag]         1.1.0      -> 1.1.0


# verify tag
0 roundcube-code@stallman:/srv/roundcube$ git tag --verify roundcube-1.1.0-mfpl1
object 52a3d9c4317094ab04e22c7a0b6009d0791f3855
type commit
tag roundcube-1.1.0-mfpl1
tagger Steve Revilak <steve@...> 1424641956 -0500

Taking 1.1.0 from upstream
gpg: Signature made Sun 22 Feb 2015 04:52:58 PM EST
gpg:                using RSA key 0x3EB22DE4E594DCF2
gpg: Good signature from "Steve Revilak <steve@...>"
0 roundcube-code@stallman:/srv/roundcube$


# checkout new code
0 roundcube-code@stallman:/srv/roundcube$ git checkout roundcube-1.1.0-mfpl1
Previous HEAD position was 796f603... Merge tag '1.0.5' into mfpl-release-1.0
HEAD is now at 52a3d9c... (fetch_identity_objects): avoid redundant call to unserialize
0 roundcube-code@stallman:/srv/roundcube$ 


# check for database updates
0 roundcube@stallman:/srv/roundcube$ php bin/update.sh 
What version are you upgrading from? Type '?' if you don't know.
?
Executing database schema update.
This instance of Roundcube is up-to-date.
Have fun!
0 roundcube@stallman:/srv/roundcube$


# re-index contacts
0 roundcube@stallman:/srv/roundcube$ php bin/indexcontacts.sh 
Indexing contacts for user 1...done.
Indexing contacts for user 2...done.
  ...

Updated apache and roundcube configurations for `secure urls'.

0 stallman:/etc/apache2/sites-available# /etc/init.d/apache2 restart
Restarting web server: apache2 ... waiting .
0 stallman:/etc/apache2/sites-available# sv stop roundcube
ok: down: roundcube: 0s, normally up
0 stallman:/etc/apache2/sites-available# sv start roundcube
ok: run: roundcube: (pid 27458) 0s
0 stallman:/etc/apache2/sites-available# 

Tested. Seems good.

comment:9 Changed 3 years ago by https://id.mayfirst.org/srevilak

  • Resolution set to fixed
  • Status changed from assigned to closed
