-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 24 Feb 2020 06:39:10 +0100
Source: roundcube
Architecture: source
Version: 1.4.3+dfsg.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Closes: 951194
Changes:
 roundcube (1.4.3+dfsg.1-1) unstable; urgency=medium
 .
   * New upstream release.
   * d/roundcube-core.post*:
     + Replace tabs with spaces.
     + Pass flag '-f' to rm(1).
   * d/roundcube-core.postinst:
     + Create temporary config file with restricted permissions.  Previously
       the file was created with mode 0644 (minus umask), possibly leaking
       secrets to a local attacker during a short time window.  (The file
       was, and still is, removed later during the postinst stage.)
     + If the config file /etc/roundcube/config.inc.php already exists, don't
       override its ownership or mode.  Otherwise (atomically) create it with
       owner root:www-data and mode 0640, like before.  (Closes: #951194)
     + Honor dpkg-statoverride(1) rules on /var/lib/roundcube/temp and
       /var/log/roundcube: don't chown/chmod these directories if the local
       admin has defined overrides.
   * d/roundcube-core.postrm:
     + Also remove '.ucf-{new,old,dist}'-suffixed configuration files on
       purge, as suggested by ucf(1).
     + Only recursively remove /var/lib/roundcube/temp on purge, not its
       parent /var/lib/roundcube.  Roundcube needs only write access to the
       temp dir.
   * d/patches/update_script.patch: Restore patch removed in 1.4.1+dfsg.1-1
     to fix the ucf logic.
   * d/patches/dbconfig-common_support.patch: Use C++ style comment for
     consistency.
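The three d/roundcube-core.postinst changes listed in the changelog above (a temporary file with restricted permissions, atomic creation that leaves an existing config file alone, and respect for dpkg-statoverride(1) rules), as an added shell example. This is not the code from the package's postinst; the function names and the `.cfg.XXXXXX` temporary-file template are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; not the roundcube-core.postinst source.
# Function names and the ".cfg.XXXXXX" template are hypothetical.

# install_config DEST [OWNER:GROUP]   (file content is read from stdin)
# e.g. install_config /etc/roundcube/config.inc.php root:www-data <generated
install_config() {
    dest=$1 owner=${2:-}
    # An existing file belongs to the local admin: keep its owner and mode.
    [ -e "$dest" ] && return 0
    # mktemp(1) creates the file with mode 0600 whatever the umask is, so
    # the secrets written below are never readable by other local users.
    tmp=$(mktemp "$(dirname "$dest")/.cfg.XXXXXX") || return 1
    if cat >"$tmp" &&
       { [ -z "$owner" ] || chown "$owner" "$tmp"; } &&
       chmod 0640 "$tmp" &&
       ln "$tmp" "$dest" 2>/dev/null; then
        # link(2) is atomic and fails if DEST exists, so DEST appears
        # fully written with its final owner and mode, or not at all.
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp"
    [ -e "$dest" ]    # someone else created DEST first: leave theirs alone
}

# set_perms_unless_overridden PATH OWNER:GROUP MODE
# Applies the default owner and mode unless the admin has registered an
# override for PATH with dpkg-statoverride(1).
set_perms_unless_overridden() {
    if command -v dpkg-statoverride >/dev/null 2>&1 &&
       dpkg-statoverride --list "$1" >/dev/null 2>&1; then
        return 0
    fi
    chown "$2" "$1" && chmod "$3" "$1"
}
```

The owner argument is optional only so the functions can be exercised without root; the changelog's values are root:www-data and mode 0640.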