Age | Commit message (Collapse) | Author | Files | Lines |
|
This version, 1.4.10 is a maintenance release, addressing
the following problems since 1.4.9a:
- Some security fixes (see below)
- Small enhancements
- A collection of bugfixes and stability enhancements
(see ChangeLog for a full list)
Security issues
===============
This release addresses security issues found since the release of 1.4.9a:
There's an ongoing battle to further secure the HTML filter against malicious
HTML mail and the browsers that accept almost any malformed piece of HTML.
This release contains fixes for the following:
- HTML attachments containing "data:" URLs;
- Internet Explorer in various versions accepts many permutations of HTML
and JavaScript in many charsets. We now properly canonicalize the incoming
HTML to us-ascii before applying further filters. IE only.
- Request forgery through images. It was possible to include "images" in
HTML mails which were in fact GET requests for the compose.php page sending
mail. These images are now properly detected, and the compose form will only
send mail through a POST request.
Thanks to Mikhail Markin, Tomas Kuliavas and Michael Jordon for reporting
(parts of) these issues and working with us to get them resolved.
These are known as CVE-2007-1262. Further details on SquirrelMail
vulnerabilities can be found at the following address:
http://www.squirrelmail.org/security/
|
|
ChangLog:
Version 1.4.9a - 3 December 2006
--------------------------------
- Security: Multiple IE cross site scripting issues related to the
widely acceptation of the word expression and url by IE.
- Security: Removing @import when sanitizing html mail.
Version 1.4.9 - 2 December 2006
-------------------------------
- Drop obsolete script plugins/make_archive.pl.
- Fixed Google translate form in translate plugin. Added new language
pairs.
- Added XMAGICTRASH extension tests in configtest utility. Removed code
that handled 'inbox.trash' as special folder in courier (#1354393).
- Allowed moving folders to trash in courier.
- Fix misspelled constant PREG_SPLIT_NI_EMPTY in sqimap_get_message
(#1543573).
- Provide View Unsafe Images link on viewing a text/html attachment.
- Fix variable typo in folders_create.php (#1545316).
- Added Courier IMAP OUTBOX check to configtest utility.
- If mailbox name starts with slash or contains ../, error message is
generated. Safety check for insecure default UW IMAP setup (#1557078).
- Ignore message copy errors when messages are deleted. Allows to delete
messages when quota is exceeded (#614887, #646386, #1446026).
- Fixed unintended literal fetching (#1562271).
- Added global file based address book listing controls. Added line
length configuration option for local_file address book backend
(#1181561). Added address book data integrity checks in local_file
address book backend. Fixed eregi and object notices in local_file
and database address book backends. Added additional address book
field support.
- Fixed variable corruption in configtest utility.
- Checked if configuration file is readable in configuration utility
(#1568355).
- Special mailboxes marked in special_mailbox hook are no longer listed
in folder delete, rename and subscription options.
- Translate plugin: prevent PHP notice when viewing empty message.
- Add CEST and MEST (non-standard) timezone codes for +0200.
- Add <label> to From field in message list.
- Add support for parsing SpamAssassin's X-Spam-Status header (#1589520).
- Fix in bodystructure parser code related to strings ending with an
escape character.
- Added "attachment */*" hook
- Added third parameter $logout_link to logout_error hook that allows
plugin control over login page URI displayed on login error page.
- Security: close cross site scripting vulnerability in draft, compose
and mailto functionality [CVE-2006-6142].
- Security: work around an issue in Internet Explorer that would guess
the mime type of a file based on contents, not Content-Type header.
|
|
- Fixed URL for Read Receipts being incorrect in some cases (#1177518).
- Fixed endless loop when trying to parse "From: )(" (#1517867).
- Using is_file() instead of file_exists() in fortune plugin (#1499134).
- Add manual page for conf.pl under contrib.
- Don't allow selecting INBOX as Sent, Draft or Trash folder (#1242346).
|
|
Bump package revision.
|
|
* added patch for Ukrainian translation (needed by the new squirrelmail-locales)
|
|
This release is very important, and we strongly advise everybody to
update to the latest release.
Security Update
===============
This version contains a number of security updates that were brought
to our attention via a number of sources.
- In webmail.php, the right_frame parameter was not properly sanitized
to deal with very lenient browsers, which allowed for cross site
scripting or frame replacing. [CVE-2006-0188]
- In the MagicHTML function, some very obscure constructs were
discovered to be exploitable: 'u\rl' was interpreted as 'url' (privacy
concern), and comments could be inside keywords (allows for cross site
scripting). Both only affect Internet Explorer users. Found by Martijn
Brinkers and Scott Hughes. [CVE-2006-0195]
- The function sqimap_mailbox_select did not strip newlines from the
mailbox parameter, and thereby allowed for IMAP command injection.
Found by Vicente Aguilera. [CVE-2006-0377]
|
|
|
|
- avoid corrupted attachment downloads (pkg/32175).
|
|
several files that occurs with PHP 5.0.5 by applying the small
"squirrelmail-stable.diff" from the SourceForge page about the bug:
http://sourceforge.net/tracker/index.php?func=detail&aid=1237160&group_id=311&atid=423679
Problem reported by Nathan Arthur in private mail. Fix OK'd by martti@.
|
|
* lots of bug fixes
* translation updates
|
|
* Fix several cross site scripting vulnerabilities
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0337
|
|
|
|
We are pleased to announce the release of SquirrelMail 1.4.4. This
release is a strongly recommended upgrade due to a number of security
issues that have been resolved since 1.4.3a.
About This Release
------------------
This release contains a number of bug fixes, and security updates. The
list is very long, as this version has been hiding in the trees for a
while. For a full list of the changes, you can see the changelog here:
http://www.squirrelmail.org/changelog.php
A general summary of updates includes a few cross site scripting issues,
and two possible file inclusion issue (one remote, one local). Better
IMAP handling introduced for certain IMAP servers that advertise
LOGINDISABLED, folder handling, and a number of locales issues.
Locales
-------
Shortly after the release of 1.4.3, the locales were broken out of the
main branch into their own branch. This makes the SquirrelMail package
itself a lot smaller, along with allowing administrators to download just
the packages they need. Details on this change can be found in the
ReleaseNotes and the INSTALL files.
|
|
There is a cross site scripting issue in the decoding of encoded text
in certain headers. SquirrelMail correctly decodes the specially
crafted header, but doesn't sanitize the decoded strings.
http://article.gmane.org/gmane.mail.squirrelmail.user/21169
|
|
|
|
Remove $Id: $ from the patch, and regen distinfo.
|
|
"Fix typo in compose.php reply/reply to all quoting (#963499)."
Without this, reply/reply all won't work when quoting a message.
Bump PKGREVISION.
|
|
Main Changes:
lots of bug fixes, including some critical XSS (cross site scripting) issues.
Some new translations.
Added new preference that determines cursor focus when replying.
Display total number of new messages in newmail-plugin popup window.
Ported charset decoding support functions from SM head. Increases
number of readable charsets.
Fix SquirrelMail to work with PHP5.
Disabled Quick-email-reporting feature in spamcop plugin. (#809452). Admin
can enable it by setting variable in plugins/spamcop/setup.php.
Replaced obsolete 2mbit.com RBL with ahbl.org RBL (#829887).
Added new reply citation to include date and author.
|
|
- lots of bug fixes
I couldn't make this work without the latest PHP (4.3.3)...
|
|
* A complete rewrite of the way we send mail (Deliver-class),
and of the way we parse mail (MIME-bodystructure parsing).
This makes SquirrelMail more reliable and more efficient
at the same time!
* Support for IMAP UID which makes SquirrelMail more reliable.
* Optimizations to code and the number of IMAP calls; SquirrelMail
is now a very scalable webmail solution.
* Support for a wider range of authentication mechanisms.
* Lots of bugfixes, some new features and a couple of UI-tweaks.
|
|
- Bug fixes
- Added POP3 Before SMTP option
- Added a server-side thread sorting option per folder
- Added a server-side sorting global option
- Compose in new window size can be set in Display prefs
- PostgreSQL is now supported for database backed use
- Added user option to sort messages by internal date
- Added option to auto-append sig before reply/forward text
- Filters can be applied to only new mail
- Filtering now happens on folder list refresh
|
|
* Collapsible Folders - The folder list can be collapsed at any
parent folder. This makes folder lists with large
hierarchical structures much easier to manage and navigate.
* The Paginator! - This enables quick access to any page in the
message list by simply choosing the page number to view
rather than tediously clicking "next" 50 times.
* Hundreds of UI tweaks - The user interface has been given a
face-lift. The HTML has been largely overhauled, and while
it still has the same general feel, it has been made more
intuitive.
* Drafts - It is now possible to compose a message and save it to
be sent at a later date with the drafts option.
* New Options Page - The options page has been completely
rewritten for several reasons, the main of which was to
allow seamless integration of plugin options and to
provide uniformity throughout the entire section.
* Multiple Identities - It is now possible to create different
identities (home, work, school) that can be chosen upon
sending. Each identity can have its own email address,
full name, and signature.
* Reply Citations - Different types of citations are now possible
when replying to messages.
* Better Attachment Handling - The plugin, attachment_common, has
been fully integrated into the core of SquirrelMail. This
allows inline viewing of several different types of
attachments.
* Integration of Several Plugins - The following plugins have been
put directly into the core. As a result, be sure not to
install these as plugins, as the result may be (at best)
unpredictable: attachment_common, paginator, priority,
printer_friendly, sqclock, xmailer.
* Improved support for newer versions of PHP. Note that you may
have trouble if you are running PHP version 4.0.100
(commonly distributed with Debian 3.0).
* Ability to mark messages as read and unread from the message listing.
* Alternating Colors - The message list now alternates row colors
by default. This presents a much cleaner and easier to
read interface to the user.
|
|
- Respect ${APACHE_SYSCONFDIR} setting.
- Install example squirrelmail.conf Apache config file fragment into
${PREFIX}/share/examples/squirrelmail.
Changes from version 1.0.3 include:
- Reworked validation for each page. It's now standardized in validate.php
- Fixed login bug that resulted from 1.0.5 security updates
- Fixed plugin incompatibilities that were introduced in 1.0.5
- Added more security checking to preference saving/loading
- Updated German translation (thanks to Roland Bauerschmidt <rb@debian.org>)
- Updated Finnish help files
- MAJOR security issues addressed. Please upgrade as soon as possible.
- Downloading attachments should work better due to a tip by Ray Black III.
- Fixed bug with drop-down folder list not containing INBOX
- Added Sweedish help files Teemu Junnila <teejun@vallcom.com>
- Added Italian help files Antonetti Roberto <antonr@piceniaweb.com>
- Fixed some bugs with folder creation
- Security fix for UW IMAP server to disallow folder paths outside of $folder_pr
efix
- Some problems with header encoding/decoding fixed
- Made subject column take up whatever width is available
- Added bcc to html addressbook search
|
|
Revision 1.46.2.1:
* UW workaround improved, methinks (1.0 branch)
Fixes a problem when used with imap-uw: 1.0.3 couldn't read folders
in subdirectories.
|
|
version 0.9.3:
- Improved the way sqimap_read_data() is handled
- Sped up "no sorting" even more
- Fixed problems with sending messages
- Fixed some pass-by-reference calls that caused problems with newer PHP
versions
- Fixed bug that didn't display last folder subscribed to
- Removed requirement of PHP 4.0.1 for array_unique() function
- Removed unnecessary echo statements by breaking out of PHP
- Changed evaluation method from using " to ' for speed improvements
- If no plugin array set in config.php, now handled correctly
- If subject is > 55 chars, trims it and puts "..." in message list
- Hundreds of minor changes to remove all verbose PHP warning messages
- Updated config_default.php to include attachment_common plugin (now in
distribution)
- A few minor speed improvements
- Fixed problems in sqimap_read_body(), made it more reliable
- Added French translation of help files by gore K <gore_k@ymca-cepiere.org>
- Added Finnish translation by Teemu Junnila <teejun@vallcom.com>
- Updated Sweedish translation
- Updated Russian translation
|
|
We've been lacking a pkgsrc webmail package for a while. I still haven't
figured out how to package IMP and make PHP4 work with the shared IMAP
module. But in the meantime, here's SquirrelMail, a straightforward
implementation of a webmail gateway to IMAP server implemented completely
in PHP4.
|