authortaca <taca@pkgsrc.org>2017-06-21 15:07:03 +0000
committertaca <taca@pkgsrc.org>2017-06-21 15:07:03 +0000
commit34d49e87507db5945d0037c08d0d3ceef3332a92 (patch)
tree30d42aab76f889c1645f9c401d435d4e639a987c /mail/squirrelmail
parent0c3395e1d3bc3d48b9cd4a42c365b9148a4fa883 (diff)
Update squirrelmail to 1.4.23pre14688.
Note: CVE-2017-7692 is already fixed by 1.4.23pre14605nb1. - compose_send hook now has $draft flag in hook arguments - Fixed insufficient sendmail command argument escaping (thanks to Mitchel Sahertian, Beyond Security/Dawid Golunski and Filippo Cavallarin for bringing this to our attention). [CVE-2017-7692] - Upgraded preferences for the delete_move_next plugin. Automatic user preference updates are included, but note that if your installation is new, or all user prefs have been converted from "on"/"off" to 0/1 then you can add the following to SquirrelMail's config/config_local.php to avoid converting legacy values over and over: $do_not_convert_delete_move_next_legacy_preferences = TRUE; - Added ability to control the display of the "Check Spelling" button provided by the squirrelspell plugin, which allows administrators to offer this plugin but keep it out of the way for users who do not want it. Put sqspell_show_button=0 in default preferences if it should be hidden by default
Diffstat (limited to 'mail/squirrelmail')
-rw-r--r--mail/squirrelmail/Makefile5
-rw-r--r--mail/squirrelmail/PLIST3
-rw-r--r--mail/squirrelmail/distinfo10
-rw-r--r--mail/squirrelmail/patches/patch-class_deliver_Deliver__SendMail.class.php23
4 files changed, 9 insertions, 32 deletions
diff --git a/mail/squirrelmail/Makefile b/mail/squirrelmail/Makefile
index bcf13f75d3a..00ee2445863 100644
--- a/mail/squirrelmail/Makefile
+++ b/mail/squirrelmail/Makefile
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.132 2017/04/19 17:10:18 maya Exp $
+# $NetBSD: Makefile,v 1.133 2017/06/21 15:07:03 taca Exp $
-DISTNAME= squirrelmail-webmail-1.4.23pre14605
-PKGREVISION= 1
+DISTNAME= squirrelmail-webmail-1.4.23pre14688
PKGNAME= ${DISTNAME:S/-webmail//}
CATEGORIES= mail www
MASTER_SITES= ${MASTER_SITE_LOCAL}
diff --git a/mail/squirrelmail/PLIST b/mail/squirrelmail/PLIST
index 911b5acb118..dfa584a8dd4 100644
--- a/mail/squirrelmail/PLIST
+++ b/mail/squirrelmail/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.40 2015/09/06 12:04:12 taca Exp $
+@comment $NetBSD: PLIST,v 1.41 2017/06/21 15:07:03 taca Exp $
man/man8/squirrelmail-conf.pl.8
share/examples/squirrelmail/data/.htaccess
share/examples/squirrelmail/data/index.php
@@ -325,6 +325,7 @@ share/squirrelmail/plugins/squirrelspell/js/index.php
share/squirrelmail/plugins/squirrelspell/js/init.js
share/squirrelmail/plugins/squirrelspell/modules/.htaccess
share/squirrelmail/plugins/squirrelspell/modules/WHATISTHIS
+share/squirrelmail/plugins/squirrelspell/modules/change_main_options.mod
share/squirrelmail/plugins/squirrelspell/modules/check_me.mod
share/squirrelmail/plugins/squirrelspell/modules/crypto.mod
share/squirrelmail/plugins/squirrelspell/modules/crypto_badkey.mod
diff --git a/mail/squirrelmail/distinfo b/mail/squirrelmail/distinfo
index 633ee866f3c..30b593c643c 100644
--- a/mail/squirrelmail/distinfo
+++ b/mail/squirrelmail/distinfo
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.68 2017/04/19 17:10:18 maya Exp $
+$NetBSD: distinfo,v 1.69 2017/06/21 15:07:03 taca Exp $
-SHA1 (squirrelmail-webmail-1.4.23pre14605.tar.bz2) = b0301f777ac5e71b08cd8d718358ce0f3417a21d
-RMD160 (squirrelmail-webmail-1.4.23pre14605.tar.bz2) = ee9c4d6bd6975f0134797cfc383821368a140542
-SHA512 (squirrelmail-webmail-1.4.23pre14605.tar.bz2) = f884e324c4f89469ef92e0edb16e83930bdcb73d17df659425972a786cd1449531ab40bf4ea5a17fdc97bcfd8a4c26fc80ca68bad2ae54502236dc5b0456967b
-Size (squirrelmail-webmail-1.4.23pre14605.tar.bz2) = 558045 bytes
+SHA1 (squirrelmail-webmail-1.4.23pre14688.tar.bz2) = 0b094c86464f0a67948191f8daeb62b35024350b
+RMD160 (squirrelmail-webmail-1.4.23pre14688.tar.bz2) = 3b3d19bcbd0e3c32983707423d91263e3649f26b
+SHA512 (squirrelmail-webmail-1.4.23pre14688.tar.bz2) = ec428f5a77757d29dd0a8f905210e7f9b527e75a549162d9d2ad2ad2fdfed1c9fa4e399433e656065f24a593d76e14c043a34c0c7fffb03943de94505599a1e0
+Size (squirrelmail-webmail-1.4.23pre14688.tar.bz2) = 560901 bytes
SHA1 (patch-aa) = 4ba7ea0a85308816b9dc77c0af3c927359ed1275
SHA1 (patch-ab) = 30bf68c730f20e817fbe81d18bc2a95899ee3fd0
SHA1 (patch-ai) = 1c08904ecf074ff3ba7e6042becc0f0771388b9f
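Review bot: This hunk stops at line 9 of distinfo and the diffstat counts only five deletions for the file, so any checksum entry for the removed `patches/patch-class_deliver_Deliver__SendMail.class.php` further down is not dropped by this commit. If the earlier revision recorded one, which is likely but not visible here, distinfo now carries a checksum for a patch that no longer exists. I would remove the `SHA1 (patch-class_deliver_Deliver__SendMail.class.php) = <old-hash>` line, or regenerate the patch sums with `make makepatchsum`. Because that local patch was the CVE-2017-7692 fix, it is also worth confirming that `class/deliver/Deliver_SendMail.class.php` in the 14688 tarball passes the envelope sender through `escapeshellarg()` separately before relying on upstream alone.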
diff --git a/mail/squirrelmail/patches/patch-class_deliver_Deliver__SendMail.class.php b/mail/squirrelmail/patches/patch-class_deliver_Deliver__SendMail.class.php
deleted file mode 100644
index eceb722cbc7..00000000000
--- a/mail/squirrelmail/patches/patch-class_deliver_Deliver__SendMail.class.php
+++ /dev/null
@@ -1,23 +0,0 @@
-$NetBSD: patch-class_deliver_Deliver__SendMail.class.php,v 1.1 2017/04/19 17:10:18 maya Exp $
-
-Patch CVE-2017-7692 by separately escaping $envelopefrom
-concatenating it with a space before escaping allows for injecting command
-parameters.
-
-From Filippo Cavallarin
-https://www.wearesegment.com/research/Squirrelmail-Remote-Code-Execution.html
-
---- class/deliver/Deliver_SendMail.class.php.orig 2016-01-01 20:04:30.000000000 +0000
-+++ class/deliver/Deliver_SendMail.class.php
-@@ -95,9 +95,9 @@ class Deliver_SendMail extends Deliver {
- $envelopefrom = trim($from->mailbox.'@'.$from->host);
- $envelopefrom = str_replace(array("\0","\n"),array('',''),$envelopefrom);
- // save executed command for future reference
-- $this->sendmail_command = "$sendmail_path $this->sendmail_args -f$envelopefrom";
-+ $this->sendmail_command = escapeshellcmd("$sendmail_path $this->sendmail_args -f") . escapeshellarg($envelopefrom);
- // open process handle for writing
-- $stream = popen(escapeshellcmd($this->sendmail_command), "w");
-+ $stream = popen($this->sendmail_command, "w");
- return $stream;
- }
-