Age | Commit message (Collapse) | Author | Files | Lines |
|
security fix for squirrelmail
Revisions pulled up:
- pkgsrc/mail/squirrelmail/Makefile 1.71, 1.73
- pkgsrc/mail/squirrelmail/distinfo 1.31, 1.32
- pkgsrc/mail/squirrelmail/patches/patch-ab 1.12
- pkgsrc/mail/squirrelmail/patches/patch-ac 1.3
- pkgsrc/mail/ja-squirrelmail/MESSAGE 1.3
- pkgsrc/mail/ja-squirrelmail/Makefile 1.27, 1.28, 1.30
- pkgsrc/mail/ja-squirrelmail/PLIST 1.4
- pkgsrc/mail/ja-squirrelmail/distinfo 1.9, 1.10, 1.11
- pkgsrc/mail/ja-squirrelmail/patches/patch-ab 1.3
- pkgsrc/mail/ja-squirrelmail/patches/patch-ac 1.3
- pkgsrc/mail/ja-squirrelmail/patches/patch-ad removed
- pkgsrc/mail/ja-squirrelmail/patches/patch-ae removed
- pkgsrc/mail/ja-squirrelmail/patches/patch-af removed
- pkgsrc/mail/ja-squirrelmail/patches/patch-ag removed
- pkgsrc/mail/ja-squirrelmail/patches/patch-ah removed
Module Name: pkgsrc
Committed By: martti
Date: Tue Apr 11 05:24:20 UTC 2006
Modified Files:
pkgsrc/mail/squirrelmail: Makefile distinfo
Added Files:
pkgsrc/mail/squirrelmail/patches: patch-ab
Log Message:
Updated mail/squirrelmail to 1.4.6nb1
* added patch for Ukrainian translation (needed by the new
* squirrelmail-locales)
---
Module Name: pkgsrc
Committed By: taca
Date: Fri May 5 02:46:54 UTC 2006
Modified Files:
pkgsrc/mail/ja-squirrelmail: MESSAGE Makefile distinfo
Removed Files:
pkgsrc/mail/ja-squirrelmail/patches: patch-ab patch-ac patch-ad
patch-ae patch-af patch-ag patch-ah
Log Message:
Update ja-squirrelmail package to 1.4.6 after talking with martti@.
Prior to this release, there are security vulnerability the same as
squirrelmail 1.4.5.
This update made with temporary Japanese patch based on the patch
for 1.4.5.
---
Module Name: pkgsrc
Committed By: martti
Date: Fri May 5 05:32:36 UTC 2006
Modified Files:
pkgsrc/mail/ja-squirrelmail: Makefile PLIST distinfo
Added Files:
pkgsrc/mail/ja-squirrelmail/patches: patch-ab
Log Message:
Updated ja-squirrelmail to 1.4.6nb1
* sync with squirrelmail-1.4.6nb1
---
Module Name: pkgsrc
Committed By: tron
Date: Sun Jun 4 12:31:31 UTC 2006
Modified Files:
pkgsrc/mail/ja-squirrelmail: Makefile distinfo
pkgsrc/mail/squirrelmail: Makefile distinfo
Added Files:
pkgsrc/mail/ja-squirrelmail/patches: patch-ac
pkgsrc/mail/squirrelmail/patches: patch-ac
Log Message:
Add fix for security issue 2006-06-01 from SquirrelMail CVS repository.
Bump package revision.
|
|
- pkglint -Wall fixes
|
|
This release is very important, and we strongly advise everybody to
update to the latest release.
Security Update
===============
This version contains a number of security updates that were brought
to our attention via a number of sources.
- In webmail.php, the right_frame parameter was not properly sanitized
to deal with very lenient browsers, which allowed for cross site
scripting or frame replacing. [CVE-2006-0188]
- In the MagicHTML function, some very obscure constructs were
discovered to be exploitable: 'u\rl' was interpreted as 'url' (privacy
concern), and comments could be inside keywords (allows for cross site
scripting). Both only affect Internet Explorer users. Found by Martijn
Brinkers and Scott Hughes. [CVE-2006-0195]
- The function sqimap_mailbox_select did not strip newlines from the
mailbox parameter, and thereby allowed for IMAP command injection.
Found by Vicente Aguilera. [CVE-2006-0377]
|
|
|
|
|
|
|
|
"find foo -exec bar {} \;" while here, the former is faster, but can't
cope with all quoting issues and is also more likely to hit argument
length limits. CONFLICT to ja-squirrelmail.
|
|
automatically detects whether we want the pkginstall machinery to be
used by the package Makefile.
|
|
to avoid problems with bulk builds with CHECK_FILES=yes. Suggested
by Johnny Lam on tech-pkg@ list.
|
|
|
|
- use post-patch instead of pre-configure
|
|
example MAKE_ENV+=FOO=${BAR} is changed to MAKE_ENV+=FOO=${BAR:Q}. Some
other changes are outlined in
http://mail-index.netbsd.org/tech-pkg/2005/12/02/0034.html
|
|
|
|
- avoid corrupted attachment downloads (pkg/32175).
|
|
several files that occurs with PHP 5.0.5 by applying the small
"squirrelmail-stable.diff" from the SourceForge page about the bug:
http://sourceforge.net/tracker/index.php?func=detail&aid=1237160&group_id=311&atid=423679
Problem reported by Nathan Arthur in private mail. Fix OK'd by martti@.
|
|
- Some modification to MESSAGES:
* remove trailing white space.
* use www.example.com as example URL.
|
|
* lots of bug fixes
* translation updates
|
|
from including perl5/buildlink3.mk. These packages just need the Perl
interpreter, and can just add "perl" to USE_TOOLS instead.
|
|
|
|
|
|
|
|
* Fix several cross site scripting vulnerabilities
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0337
|
|
|
|
|
|
|
|
|
|
like "*.orig" by find(1).
|
|
|
|
We are pleased to announce the release of SquirrelMail 1.4.4. This
release is a strongly recommended upgrade due to a number of security
issues that have been resolved since 1.4.3a.
About This Release
------------------
This release contains a number of bug fixes, and security updates. The
list is very long, as this version has been hiding in the trees for a
while. For a full list of the changes, you can see the changelog here:
http://www.squirrelmail.org/changelog.php
A general summary of updates includes a few cross site scripting issues,
and two possible file inclusion issue (one remote, one local). Better
IMAP handling introduced for certain IMAP servers that advertise
LOGINDISABLED, folder handling, and a number of locales issues.
Locales
-------
Shortly after the release of 1.4.3, the locales were broken out of the
main branch into their own branch. This makes the SquirrelMail package
itself a lot smaller, along with allowing administrators to download just
the packages they need. Details on this change can be found in the
ReleaseNotes and the INSTALL files.
|
|
|
|
|
|
|
|
|
|
|
|
There is a cross site scripting issue in the decoding of encoded text
in certain headers. SquirrelMail correctly decodes the specially
crafted header, but doesn't sanitize the decoded strings.
http://article.gmane.org/gmane.mail.squirrelmail.user/21169
|
|
leave the DEPENDS in a form which allows PHP 5.x to match, since it should
work just as well
|
|
|
|
Version 1.4.3a - 2 June 2004
----------------------------
- Fix typo in compose.php reply/reply to all quoting (#963499).
|
|
Remove $Id: $ from the patch, and regen distinfo.
|
|
|
|
"Fix typo in compose.php reply/reply to all quoting (#963499)."
Without this, reply/reply all won't work when quoting a message.
Bump PKGREVISION.
|
|
Main Changes:
lots of bug fixes, including some critical XSS (cross site scripting) issues.
Some new translations.
Added new preference that determines cursor focus when replying.
Display total number of new messages in newmail-plugin popup window.
Ported charset decoding support functions from SM head. Increases
number of readable charsets.
Fix SquirrelMail to work with PHP5.
Disabled Quick-email-reporting feature in spamcop plugin. (#809452). Admin
can enable it by setting variable in plugins/spamcop/setup.php.
Replaced obsolete 2mbit.com RBL with ahbl.org RBL (#829887).
Added new reply citation to include date and author.
|
|
|
|
problems on Solaris (pkg/24122 by Charlie Allom).
|
|
* bug fixes
* translation updates
* new minimal bw theme
|
|
|
|
- lots of bug fixes
I couldn't make this work without the latest PHP (4.3.3)...
|
|
|
|
|
|
* A complete rewrite of the way we send mail (Deliver-class),
and of the way we parse mail (MIME-bodystructure parsing).
This makes SquirrelMail more reliable and more efficient
at the same time!
* Support for IMAP UID which makes SquirrelMail more reliable.
* Optimizations to code and the number of IMAP calls; SquirrelMail
is now a very scalable webmail solution.
* Support for a wider range of authentication mechanisms.
* Lots of bugfixes, some new features and a couple of UI-tweaks.
|