[no description] https://git.osdyson.ru/mirror/pkgsrc/atom?h=pkgsrc-2011Q2 2011-07-13T19:09:16Z 2011-07-13T19:09:16Z tron tron@pkgsrc.org 2011-07-13T19:09:16Z urn:sha1:007cbba8ced5306db860d0e5ac81065eda9f4b2c mail/squirrelmail: security update Revisions pulled up: - mail/squirrelmail/MESSAGE 1.6 - mail/squirrelmail/Makefile 1.117-1.118 - mail/squirrelmail/PLIST 1.38 - mail/squirrelmail/distinfo 1.61 --- Module Name: pkgsrc Committed By: taca Date: Wed Jul 13 01:30:34 UTC 2011 Modified Files: pkgsrc/mail/squirrelmail: Makefile Log Message: take MAINTAINER. --- Module Name: pkgsrc Committed By: taca Date: Wed Jul 13 12:22:44 UTC 2011 Modified Files: pkgsrc/mail/squirrelmail: MESSAGE Makefile PLIST distinfo Log Message: Update squirrelmail package to 1.4.22. Version 1.4.22 - 12 July 2011 ----------------------------- - Backported default timezone fix from version 1.5.2; helps mitigate timezone errors in environments where a default has not been set by the administrator. - Fixed system lock-ups caused by a combination of certain rare, malformed message headers and buggy versions of PHP mbstring (#3053349). - Now allow multiple plugins to handle (add links for) a single attachment MIME type. - Now allow administrators to disable all plugins or enable just a select few plugins (overriding the active plugins in the normal configuration) by setting $temporary_plugins as an empty array (all disabled) or an array with one or more plugin directory names in config_local.php. - Backport fix for call_user_func_array not supporting NULL as empty array in PHP 5.3.3 - Fixed sqauth_read_password() for plugins on the login_verified hook. - Added SMTP SASL PLAIN authentication option to configuration tool (core support for such is not new). - Gmail doens't support standard search commands; removed sort buttons. - Forced addition of a file suffix to attachments that lack a filename (helps forwarded messages avoid spam filters) (thanks to Petr Kletecka) (#3139004). - Fixed missing security token in listcommands plugin. - Added smtp_auth hook (thanks to Emmanuel Dreyfus). - Made speed enhancements to threaded message display (thanks to Siim Poder) (#3288123). - Allow administrators to configure subfolders of user INBOXes to be treated as special folders by adding $subfolders_of_inbox_are_special to config_local.php. - Fixed incorrect display of INBOX subfolders under some configurations. IMPORTANT: You may need to update your configuration so that $default_sub_of_inbox is TRUE if it was FALSE (e.g., Courier IMAP users) and after updating to this version, your special folders are no longer listed at the top of your folder list. Also, if this change prevents users from logging in with an error such as "ERROR: Could not complete request. Query: CREATE "Trash" Reason Given: Invalid mailbox name.", you will need to correct the user preference values for the problem folders. You can do so with commands such as the following for file- based preferences (adjust the data directory location as needed): find /var/lib/squirrelmail/data/ -name *.pref -exec sed --in-place 's/trash_folder=Trash/trash_folder=INBOX.Trash/g' {} \; find /var/lib/squirrelmail/data/ -name *.pref -exec sed --in-place 's/trash_folder=Drafts/trash_folder=INBOX.Drafts/g' {} \; find /var/lib/squirrelmail/data/ -name *.pref -exec sed --in-place 's/trash_folder=Sent/trash_folder=INBOX.Sent/g' {} \; Or, for database-based preferences: UPDATE userprefs SET prefval = 'INBOX.Trash' WHERE prefkey = 'trash_folder' AND prefval = 'Trash'; UPDATE userprefs SET prefval = 'INBOX.Drafts' WHERE prefkey = 'draft_folder' AND prefval = 'Drafts'; UPDATE userprefs SET prefval = 'INBOX.Sent' WHERE prefkey = 'sent_folder' AND prefval = 'Sent'; MAKE SURE to back up your user preferences first! - Optimized message highlighting rules; faster message list display and faster highlight rules management (thanks to C. Bensend for extensive effort helping diagnose) - New Mail plugin no longer removes normal organization title when putting the number of new messages in the browser title - Added clickjacking protection (thanks to Asbjorn Thorsen and Geir Hansen for bringing this to our attention). [CVE-2010-4554] - Fixed XSS holes in generic options inputs, XSS hole in the SquirrelSpell plugin, XSS hole in the Index Order page, and added anti-CSRF protection to the empty trash feature and the Index Order page (thanks to Nicholas Carlini for finding all these issues). [CVE-2010-4555] - Fixed XSS problem with unsanitized style tags in messages. [CVE-2011-2023] 2010-09-28T13:21:29Z wiz wiz@pkgsrc.org 2010-09-28T13:21:29Z urn:sha1:db1db21367e4e602c3b07b9a34d6ea4071cbc3ac 2010-07-24T12:20:33Z tron tron@pkgsrc.org 2010-07-24T12:20:33Z urn:sha1:ef0fd7a076d4eca10df83df5f475923313eba178 - Now allow more than one plugin to control the compose form submit action. - When sorting by received date, the received date is now shown on the message list. - Explicitly disable browser caching for left_main and right_main pages (#2983134). - Fix error with SpamCop reporting plugin not being able to send report as emails (#1795310). - Fix typo in SpamCop plugin. - Reduced default time security tokens stay valid from 30 days to 2 days (reduces chances of session data growing too large) - Several speed enhancements for recent fixes regarding the display of encoded subjects, including a fix for messages with invalid subject encoding (includes #2987016 amongst several other issues reported via mailing list, etc.) (Many thanks to Zdenek Pytela for the untiring help diagnosing and testing.) - Fixed minor vulnerability in Mail Fetch plugin. [CVE-2010-1637/TEHTRI-SA-2010-009] - Now properly quote personal part of encoded addresses when replying. - Now fill in default subject when forwarding as attachment (#2936541). - Implement header folding that doesn't add extraneous spaces so unfolding is less ambiguous (#1951776). - Fixed issues caused by use of PostgreSQL keyword "user" in SquirrelMail's default preferences database schema (#2943483). - Fixed attachment filename decoding problems (#2994865). - Now default search criteria to the TO header when searching the sent folder. - Fixed literal processing of 8-bit usernames/passwords during login. [CVE-2010-2813] 2010-03-07T03:41:49Z taca taca@pkgsrc.org 2010-03-07T03:41:49Z urn:sha1:c9d19b003d8001743e4e9ba7925762c357a28e78 Version 1.4.20 - 06 Mar 2010 --------------------------- - Fixed issue with search not using literals correctly (#2846511). - Fixed issue with returning to search results due to new security token code. - Fixed issue with multi-part related messages not showing all attachments (#2830140). - Fixed for security token missing in newmail plugin (#2919418). - Fixed sort in Sent folder to sort by "To" field instead of "From" field (#2907412). - Fixed mailto: urls containing + characters. Thanks to Michael Puls II for the patch. - Made base URL autodetection more robust; fixes some lighttpd issues (probably #1741469). - Encoded From headers are now properly quoted (#2830141). - Multibyte strings (notably subjects) are now handled correctly (#2824813, #2925731). - X-DNS-Prefetch-Control: off header is now sent to browsers to prevent information leakage when Firefox does DNS prefetching for URLs contained in emails. - Added unread links in message view. - Added the ability to configure Google Mail (Gmail) as the mail server behind SquirrelMail. - Added option in display preferences that allows the signature to be stripped from the original message when replying (#2952876). Thanks to Sven Strickroth. 2010-03-05T03:05:40Z taca taca@pkgsrc.org 2010-03-05T03:05:40Z urn:sha1:2fb01cc90a6271e04f51df041620cad91d67f596 Bump PKGREVISION. 2010-03-04T16:00:37Z taca taca@pkgsrc.org 2010-03-04T16:00:37Z urn:sha1:409c1bc28d4bc45e95338bb72555c7fd1c2eaa11 * Add DESTDIR support. * Add more changes from squirrelmail's repositry including secure token support, hoping early release of real 1.4.20. Bump PKGREVISION. 2010-02-05T17:40:51Z wiz wiz@pkgsrc.org 2010-02-05T17:40:51Z urn:sha1:c0ac0800edb15e17bf0bf48825b00dc180279f4b http://thread.gmane.org/gmane.mail.squirrelmail.user/36642 Bump PKGREVISION. 2009-10-04T01:27:15Z taca taca@pkgsrc.org 2009-10-04T01:27:15Z urn:sha1:abb3a899273f8f21ee150259d96c6b8793b24fd2 * Use case ignore match for detecting encoded header. This is language independent problem. * Improve handling of file name of attachment in Japanese environment. These fixes make squirrelmail usable after remove of japaneses patch. Bump PKGREVISION. 2009-09-29T13:30:54Z taca taca@pkgsrc.org 2009-09-29T13:30:54Z urn:sha1:f3cf5a3b8f9812fcae414b98d200203d1c7c1788 * Currently, squirrelmail package is brokwn when enable squirrelmail-japanese option and are/squirrelmail/functions/decode/iso_2022_jp.php was conflicted between squirrelmail and squirrelmail-decode package. * squirrelmail-japanese isn't available for squirrelmail-1.4.20-RC2. Bump PKGREVISION. 2009-08-26T12:47:17Z tron tron@pkgsrc.org 2009-08-26T12:47:17Z urn:sha1:fc0e5cf769507dc1e50bd77062f9147128011293 - Protect message deletion with security token system. (Secunia Advisory SA346) - Removed the shut down DSBL blocklists (#2796734). - Fixed broken RFC1918 reference in contrib/.htaccess and doc/.htaccess (#2798839). - Updated INSTALL doc to remove possible bad system admin typos (#2827153). - PHP 5.3 deprecates ereg functions (#2820952). - Filters plugin uses badly formatted literals request (#2805201). - Provide option for complete removal of usernames and user IP addresses from message headers, and remove personal data from Message ID seed. (#880029/847107) - Implemented page referal verification mechanism. (Secunia Advisory SA34627) - Implemented security token system. (Secunia Advisory SA34627) Approved by Martti Kuparinen.