2141: update roundcube to 1.5.2 (security fix) r=mergify[bot] a=willofr
New roundcube release (1.5.2) where a XSS is addressed: https://roundcube.net/news/2021/12/30/update-1.5.2-released
## What type of PR?
security fix
## What does this PR do?
Update roundcube from 1.5.1 to 1.5.2
This update fixes an XSS: https://roundcube.net/news/2021/12/30/update-1.5.2-released
### Related issue(s)
None
## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
Co-authored-by: willofr <willofr@users.noreply.github.com>
2140: Fix 2138: Pin DANE with the full cert r=mergify[bot] a=nextgens
## What type of PR?
bug-fix
## What does this PR do?
Pin the intermediates rather than the root for DANE. If you have setup TLSA records following previous suggestion from Mailu please update them.
This hasn't been tested.
The four options here are:
- stop suggesting DANE records
- send the root CA (4096 bits extra per handshake!)
- pin the intermediates : the downside is that these are only valid for 3y, see https://letsencrypt.org/certificates/ and we should pin 4: R3,R4,E1,E2
- setup a 'full' DANE record in DNS (this is what this PR does)
The high priority is warranted by the fact that some SMTP servers may not trust root CAs and may enforce DANE strictly (it may break things).
### Related issue(s)
- close#2138
## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [ ] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Florent Daigniere <nextgens@users.noreply.github.com>
2132: Fixes#2131 - Carddav synchronization issue r=mergify[bot] a=bkraul
## What type of PR?
bug-fix
## What does this PR do?
Adds php support for `simplexml` extension which is apparently needed by rainloop to handle carddav synchronizations.
### Related issue(s)
- closes#2131
## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [ ] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
Co-authored-by: bkraul <bkraul@belmankraul.com>
2130: Fix 2125: Make the caller responsible to know whether the rate-limit code should be called or not r=mergify[bot] a=nextgens
## What type of PR?
bug-fix
## What does this PR do?
Make the caller responsible to know whether the rate-limit code should be called or not. If the webmail isn't configured its address can't be determined.
The rate limiting code should always be called except when we are verifying temporary tokens from the webmail.
### Related issue(s)
- close#2125
- close#2129
- close#2128
## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [ ] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2121: Update CHANGELOG.md with items that were not added by mistake. r=mergify[bot] a=Diman0
## What type of PR?
documentation
## What does this PR do?
Due to using the wrong suffix, a lot of newsfragments were not added to the CHANGELOG.md.
This PR amends this. This PR should be backported as well. Otherwise it is very difficult to see what newsfragments are relevant for a new x.y.z. release.
### Related issue(s)
## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
2119: Fix#2117. Gpg-agent package was missing for roundcube image. r=mergify[bot] a=Diman0
## What type of PR?
Bug fix
## What does this PR do?
In the past gpg-agent was installed as dependency of gpg for the roundcube image.
The packages gpg and gpgagent are used by the enigmail plugin in roundcube. This plugin is one of the default plugins for roundcube.
After updating to a newer php (debian) image in 1.9, gpg-agent is not installed anymore together with gpg. I suspect this was changed in a newer debian version.
The fix has already been confirmed by the issue reporter. See #2117.
### Related issue(s)
- closes#2117
## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2099: update Dockerfile to alpine 3.14.3 r=mergify[bot] a=willofr
## What type of PR?
Security fix
## What does this PR do?
Updated the Dockerfile to use the latest alpine version 3.14.3 where several CVEs have been fixed: https://alpinelinux.org/posts/Alpine-3.14.3-released.html
New images successfully built on my test env.
### Related issue(s)
None
## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
Co-authored-by: Will <will@packer-output-c8fcfb40-3d93-4475-8f87-e14a9dd683b6>
Co-authored-by: willofr <willofr@users.noreply.github.com>
2116: fix 2114: redirect old path r=mergify[bot] a=nextgens
## What type of PR?
bug-fix
## What does this PR do?
Old paths may still be cached in browsers, it's easy enough to redirect them
### Related issue(s)
- close#2114
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2111: Preparations for 1.9 release r=mergify[bot] a=Diman0
## What type of PR?
Preparations for 1.9 release.
## What does this PR do?
All changes required for the 1.9 release. This PR does not trigger the 1.9 release yet. For that we only have to create a 1.9 branch after this PR has been merged.
Please double check all the documentation. Feel free to directly commit to this branch any spelling errors you see.
After this is merged, I only have to create the 1.9 branch and update the infra project to release 1.9.
### Related issue(s)
- closes#1930
## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2097: The DB_PORT and ROUNDCUBE_DB_PORT env vars were not used r=mergify[bot] a=Diman0
## What type of PR?
Bug fix
## What does this PR do?
The DB_PORT and ROUNDCUBE_DB_PORT env vars were not used and are not required.
This PR removes these not used environment variables from the documentation.
The documentation and setup utility are enhanced with instructions how to specify a different port for the database url.
### Related issue(s)
- See #2073
## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
2108: Fix build dependencies pycares r=mergify[bot] a=Erriez
## What type of PR?
Fix missing build dependencies `postfix-mta-sts-resolver` for `pycares` which requires `py3-wheel` and `libffi-dev` packages.
Restore virtual build in single RUN line.
## What does this PR do?
### Related issue(s)
- Mention an issue like: #2106
- Auto close an issue like: closes#2106
Co-authored-by: Erriez <Erriez@users.noreply.github.com>
2107: Remove weblate from documentation r=mergify[bot] a=Diman0
## What type of PR?
documentation
## What does this PR do?
See #1869. The weblate instance is not available anymore. Therefore this not available weblate instance should not be mentioned in the documentation anymore.
This PR removes it from the documentation
### Related issue(s)
- #1869
## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
2101: Fix documentation INITIAL_ADMIN_* variables r=mergify[bot] a=Erriez
## What type of PR?
Fix `master` documentation `INITIAL_ADMIN_*` environment variables:
- `setup.rst`
- `configuration.rst`
## What does this PR do?
Fix documentation `Docker Compose setup` and `Web settings | Admin account`.
### Related issue(s)
- Mention an issue like: #2092
- Auto close an issue like: closes#2092
## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [X] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
Co-authored-by: Erriez <Erriez@users.noreply.github.com>
2103: Fix issue 2102 (bug introduced in 2098) r=mergify[bot] a=Diman0
## What type of PR?
Bug-fix
## What does this PR do?
The changes to session management introduced in #2094#2098 introduced new bugs. This PR addresses these.
### Related issue(s)
- Auto close an issue like: closes#2102
## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
2098: Sessions tweaks2 r=mergify[bot] a=nextgens
## What type of PR?
bug-fix
## What does this PR do?
Additional tweaks suggested by `@ghostwheel42:`
- fix cleanup_sessions (important)
- ensure we delete tokens on delete()
Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Florent Daigniere