Opened 3 years ago

Closed 3 years ago

#10721 closed Task/To do item (fixed)

Roundcube upgrade

Reported by: https://id.mayfirst.org/srevilak
Owned by: https://id.mayfirst.org/srevilak
Priority: Medium
Component: Tech
Keywords: roundcube
Cc:
Sensitive: no

Description

A new version of roundcube is out. We should upgrade.

Date: Sat, 6 Jun 2015 14:19:13 +0200
From: Thomas Bruederli <thomas@...>
To: Roundcube Announce List <announce@...>
Cc: Roundcube Users List <users@...>, Roundcube Dev List
        <dev@....>
Subject: [Roundcube Announce] Updates 1.1.2 and 1.0.6 released
Message-ID: <CAO3naw4HeLxXNmDuh5AC2FSJYw2eZ_pBWb5bMWTVFLYxwhkk9w@mail.gmail.com>

Dear Roundcube users

We just published updates to both stable versions 1.0 and 1.1 after
fixing many minor bugs and adding some security improvements to the
1.1 release branch. Version 1.0.6 comes with cherry-picked fixes from
the more recent version to ensure proper long-term support, especially
with regard to security and compatibility.

The security-related fixes in particular are:

 - XSS vulnerability in _mbox argument
 - security improvement in contact photo handling
 - potential info disclosure from temp directory

See the full changelog here: http://trac.roundcube.net/wiki/Changelog

Both versions are considered stable and we recommend updating all
productive installations of Roundcube with either of these versions.
Download them from https://roundcube.net/download

As usual, don't forget to back up your data before updating.

And there's one more thing:

Our crowdfunding campaign for Roundcube Next is still ongoing and has
just been updated with more details of what we want to achieve. We'd
much appreciate your support for this exciting new project. Please
visit https://roundcu.be/next and spread the word about it.

Change History (5)

comment:1 Changed 3 years ago by https://id.mayfirst.org/srevilak

  • Owner set to https://id.mayfirst.org/srevilak
  • Status changed from new to assigned

comment:2 Changed 3 years ago by https://id.mayfirst.org/srevilak

Source prep

0 sunny:roundcube$ git merge 1.1.2

0 sunny:roundcube$ git log --graph --oneline 1.1.2..HEAD
* f697fff Merge tag '1.1.2' into mfpl-release-1.1
*   47c565e Merge remote-tracking branch 'gmo/mfpl-release-1.1' into mfpl-release-1.1
|\  
| * 52a3d9c (fetch_identity_objects): avoid redundant call to unserialize
| * cd41b88 Adding two plugins: import_horde_contacts, import_horde_identities
* ab51f8e (fetch_identity_objects): avoid redundant call to unserialize
* 4fb5a18 Adding two plugins: import_horde_contacts, import_horde_identities

0 sunny:roundcube$ git tag -s roundcube-1.1.2-mfpl1

0 sunny:roundcube$ git push gmo
Counting objects: 815, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (503/503), done.
Writing objects: 100% (815/815), 646.53 KiB | 0 bytes/s, done.
Total 815 (delta 496), reused 552 (delta 306)
remote: To git-roundcube@moses.mayfirst.org:/srv/git/roundcube
remote:    47c565e..f697fff  mfpl-release-1.1 -> mfpl-release-1.1
To ssh://gitosis@git.mayfirst.org/mfpl/roundcube
   47c565e..f697fff  mfpl-release-1.1 -> mfpl-release-1.1

0 sunny:roundcube$ git push gmo --tags
Counting objects: 130, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (81/81), done.
Writing objects: 100% (130/130), 19.07 KiB | 0 bytes/s, done.
Total 130 (delta 102), reused 76 (delta 49)
remote: To git-roundcube@moses.mayfirst.org:/srv/git/roundcube
remote:  * [new tag]         1.0.6 -> 1.0.6
remote:  * [new tag]         1.1.2 -> 1.1.2
remote:  * [new tag]         roundcube-1.1.2-mfpl1 -> roundcube-1.1.2-mfpl1
To ssh://gitosis@git.mayfirst.org/mfpl/roundcube
 * [new tag]         1.0.6 -> 1.0.6
 * [new tag]         1.1.2 -> 1.1.2
 * [new tag]         roundcube-1.1.2-mfpl1 -> roundcube-1.1.2-mfpl1

comment:3 Changed 3 years ago by https://id.mayfirst.org/srevilak

roundcube.dev upgrade

$ pg_dump -b -C roundcube-dev | gzip -v9 > roundcube-dev.$(date +%F).sql.gz

0 roundcube-code@stallman:/srv/roundcube-dev$ git remote update
Fetching gmo
remote: Counting objects: 1131, done.
remote: Compressing objects: 100% (354/354), done.
remote: Total 817 (delta 496), reused 777 (delta 457)
Receiving objects: 100% (817/817), 589.89 KiB, done.
Resolving deltas: 100% (496/496), completed with 190 local objects.
From git://git.mayfirst.org/mfpl/roundcube
   47c565e..f697fff  mfpl-release-1.1 -> gmo/mfpl-release-1.1
 * [new tag]         roundcube-1.1.2-mfpl1 -> roundcube-1.1.2-mfpl1
From git://git.mayfirst.org/mfpl/roundcube
 * [new tag]         1.1.2      -> 1.1.2

0 roundcube-code@stallman:/srv/roundcube-dev$ git tag --verify roundcube-1.1.2-mfpl1
object f697fff1665d411a320780c142756e0e4a265972
type commit
tag roundcube-1.1.2-mfpl1
tagger Steve Revilak <steve@...> 1436046645 -0400

Integrated roundcube 1.1.2 tag from upstream
gpg: Signature made Sat 04 Jul 2015 05:51:14 PM EDT
gpg:                using RSA key 0x3EB22DE4E594DCF2
gpg: Good signature from "Steve Revilak <steve@...>"

0 roundcube-code@stallman:/srv/roundcube-dev$ git checkout roundcube-1.1.2-mfpl1
Previous HEAD position was 47c565e... Merge remote-tracking branch 'gmo/mfpl-release-1.1' into mfpl-release-1.1
HEAD is now at f697fff... Merge tag '1.1.2' into mfpl-release-1.1

0 roundcube-dev@stallman:/srv/roundcube-dev$ php bin/update.sh 
What version are you upgrading from? Type '?' if you don't know.
?
Executing database schema update.
This instance of Roundcube is up-to-date.
Have fun!

0 roundcube-dev@stallman:/srv/roundcube-dev$ php bin/indexcontacts.sh 
Indexing contacts for user 1...done.
Indexing contacts for user 2...done.

Indexing contacts for user 55...done.
Indexing contacts for user 56...done.
Indexing contacts for user 57...done.
Indexing contacts for user 58...done.
Indexing contacts for user 59...done.
0 roundcube-dev@stallman:/srv/roundcube-dev$

Tested by looking through various folders, sending mail + attachments, downloading attachments. Upgrade looks okay to me.

Because of what's in this upgrade, I'm going to continue and promote the new tag to roundcube.mayfirst.org.

comment:4 Changed 3 years ago by https://id.mayfirst.org/srevilak

roundcube.mayfirst.org upgrade

0 roundcube@stallman:~$ pg_dump -b -C roundcube | gzip -v9 > roundcube.$(date +%F).sql.gz

0 roundcube-code@stallman:/srv/roundcube$ git remote update
Fetching gmo
remote: Counting objects: 1131, done.
remote: Compressing objects: 100% (354/354), done.
remote: Total 817 (delta 496), reused 777 (delta 457)
Receiving objects: 100% (817/817), 589.89 KiB, done.
Resolving deltas: 100% (496/496), completed with 190 local objects.
From git://git.mayfirst.org/mfpl/roundcube
   47c565e..f697fff  mfpl-release-1.1 -> gmo/mfpl-release-1.1
 * [new tag]         roundcube-1.1.2-mfpl1 -> roundcube-1.1.2-mfpl1
From git://git.mayfirst.org/mfpl/roundcube
 * [new tag]         1.1.2      -> 1.1.2


0 roundcube-code@stallman:/srv/roundcube$ git tag -v roundcube-1.1.2-mfpl1
object f697fff1665d411a320780c142756e0e4a265972
type commit
tag roundcube-1.1.2-mfpl1
tagger Steve Revilak <steve@...> 1436046645 -0400

Integrated roundcube 1.1.2 tag from upstream
gpg: Signature made Sat 04 Jul 2015 05:51:14 PM EDT
gpg:                using RSA key 0x3EB22DE4E594DCF2
gpg: Good signature from "Steve Revilak <steve@....>"


0 roundcube-code@stallman:/srv/roundcube$ git checkout roundcube-1.1.2-mfpl1
Previous HEAD position was 47c565e... Merge remote-tracking branch 'gmo/mfpl-release-1.1' into mfpl-release-1.1
HEAD is now at f697fff... Merge tag '1.1.2' into mfpl-release-1.1


0 roundcube@stallman:/srv/roundcube$ php bin/update.sh 
What version are you upgrading from? Type '?' if you don't know.
?
Executing database schema update.
This instance of Roundcube is up-to-date.
Have fun!

0 roundcube@stallman:/srv/roundcube$ php bin/indexcontacts.sh 
Indexing contacts for user 1...done.
Indexing contacts for user 2...done.
  ...
Indexing contacts for user 1577...done.
Indexing contacts for user 1578...done.
Indexing contacts for user 1580...done.
Indexing contacts for user 1581...done.
0 roundcube@stallman:/srv/roundcube$
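
The `git tag -v` step in the two upgrade comments above prints "Good signature" for any key present in the keyring. The following is an added example, not part of the ticket or of May First's tooling: it makes the checkout conditional on the signer's full fingerprint by parsing GnuPG's status lines from `git verify-tag --raw`. `PINNED_FPR` is a placeholder (the ticket shows only a long key ID), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: gate a deployment checkout on a pinned signer fingerprint.
# PINNED_FPR is a placeholder; set it to the full fingerprint you expect.
PINNED_FPR="${PINNED_FPR:-0000000000000000000000000000000000000000}"

# Read GnuPG status lines on stdin. Print the signer's primary-key
# fingerprint only if there is exactly one good, valid signature and no
# bad, errored, expired or revoked-key result anywhere in the stream.
signer_fpr() {
    awk '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "GOODSIG"  { good++ }
        $2 == "VALIDSIG" { valid++; fpr = $NF }  # last field: primary key
        END { if (bad || good != 1 || valid != 1) exit 1; print fpr }'
}

# True only when the status stream names the pinned key as signer.
status_is_trusted() {
    fpr=$(signer_fpr) || return 1
    [ "$fpr" = "$PINNED_FPR" ]
}

# Verify first, check out second; refuse on any doubt.
checkout_verified_tag() {
    tag=$1
    # --raw makes git print GnuPG's machine-readable status on stderr.
    status=$(git verify-tag --raw "$tag" 2>&1) ||
        { echo "signature check failed: $tag" >&2; return 1; }
    printf '%s\n' "$status" | status_is_trusted ||
        { echo "unexpected signer: $tag" >&2; return 1; }
    # The signed object names its own tag; reject one replayed under
    # a different ref name.
    named=$(git cat-file tag "refs/tags/$tag" | sed -n 's/^tag //p;/^$/q')
    [ "$named" = "$tag" ] ||
        { echo "tag name mismatch: $tag" >&2; return 1; }
    git checkout "refs/tags/$tag"
}
```

On the deployment host this would replace the separate `git tag -v` and `git checkout` steps with `checkout_verified_tag roundcube-1.1.2-mfpl1`.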

comment:5 Changed 3 years ago by https://id.mayfirst.org/srevilak

  • Resolution set to fixed
  • Status changed from assigned to closed
