Hello community, here is the log from the commit of package roundcubemail for openSUSE:Factory checked in at 2016-01-17 09:23:22 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/roundcubemail (Old) and /work/SRC/openSUSE:Factory/.roundcubemail.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "roundcubemail" Changes: -------- --- /work/SRC/openSUSE:Factory/roundcubemail/roundcubemail.changes 2016-01-01 19:51:18.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.roundcubemail.new/roundcubemail.changes 2016-01-17 09:23:26.000000000 +0100 @@ -1,0 +2,5 @@ +Fri Jan 15 11:57:10 UTC 2016 - aj@ajaissle.de + +- Changed apache2 config + +------------------------------------------------------------------- @@ -23 +28 @@ - Fix path traversal vulnerability (CWE-22) in setting a skin (#1490620) + Fix path traversal vulnerability (CWE-22) in setting a skin (#1490620) [CVE-2015-8770] [bnc#962067] ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ roundcubemail-httpd.conf ++++++ --- /var/tmp/diff_new_pack.rurBpB/_old 2016-01-17 09:23:27.000000000 +0100 +++ /var/tmp/diff_new_pack.rurBpB/_new 2016-01-17 09:23:27.000000000 +0100 @@ -48,6 +48,7 @@ php_value post_max_size 6M php_value memory_limit 64M + php_flag register_globals Off php_flag zlib.output_compression Off php_flag magic_quotes_gpc Off php_flag magic_quotes_runtime Off 
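Review bot: The added `php_flag register_globals Off` in the roundcubemail-httpd.conf hunk has no comment saying which PHP versions it is for; register_globals was removed in PHP 5.4, so on newer interpreters the line does nothing, much like the `magic_quotes_*` flags next to it. A short comment such as `# only effective on PHP < 5.4; harmless on newer versions` would stop a later reader from treating it as an active protection. The enclosing `<IfModule>` opens outside the hunk, so which PHP module the line is scoped to cannot be confirmed from here.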
@@ -59,18 +60,21 @@ php_value session.gc_maxlifetime 21600 php_value session.gc_divisor 500 php_value session.gc_probability 1 - - # http://bugs.php.net/bug.php?id=30766 - php_value mbstring.func_overload 0 </IfModule> <IfModule mod_rewrite.c> RewriteEngine On RewriteRule ^favicon\.ico$ skins/larry/images/favicon.ico + + # security rules: + # - deny access to files not containing a dot or starting with a dot + # in all locations except installer directory + RewriteRule ^(?!installer|\.well-known\/|[a-f0-9]{16})(\.?[^\.]+)$ - [F] + # - deny access to some locations + RewriteRule ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps)) - [F] + # - deny access to some documentation files + RewriteRule /?(README\.md|composer\.json-dist|composer\.json|package\.xml|Dockerfile)$ - [F] # security rules - RewriteRule .git - [F] - RewriteRule ^/?(README(.md)?|INSTALL|LICENSE|SQL|bin|CHANGELOG)$ - [F] - RewriteRule ^(?!installer|[a-f0-9]{16})(\.?[^\.]+)$ - [F] </IfModule> <IfModule mod_deflate.c>
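Review bot: All of the new deny rules sit inside `<IfModule mod_rewrite.c>`, so on a host where mod_rewrite is not loaded they disappear silently and `config`, `logs`, `temp` and `SQL` are served like any other path. The hunk does not show whether the file protects those directories in another way; if it does not, access control that does not depend on mod_rewrite (for example `Require all denied` in a `<Directory>` section for each sensitive directory) would fail closed instead of open. The `^`-anchored patterns also assume per-directory context, where the leading path prefix is stripped before matching; the enclosing section is outside the hunk, so that is worth confirming. The old `# security rules` comment survives as a context line after the new rules and no longer heads anything, so it can be dropped.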