Author: Thijs Kinkhorst
Revision Date: 2012-12-20 20:41:02 UTC

* Add patch from upstream to cope with changed behaviour of
  htmlspecialchars() in PHP 5.4 (closes: #664895).
* Add patch from upstream to cope with removal of
  session_unregister() in PHP 5.4.

Author: Thijs Kinkhorst
Revision Date: 2012-12-20 20:41:02 UTC

* Add patch from upstream to cope with changed behaviour of
  htmlspecialchars() in PHP 5.4 (closes: #664895).
* Add patch from upstream to cope with removal of
  session_unregister() in PHP 5.4.

Author: Thijs Kinkhorst
Revision Date: 2012-12-20 20:41:02 UTC

* Add patch from upstream to cope with changed behaviour of
  htmlspecialchars() in PHP 5.4 (closes: #664895).
* Add patch from upstream to cope with removal of
  session_unregister() in PHP 5.4.

Author: Thijs Kinkhorst
Revision Date: 2012-12-20 20:41:02 UTC

* Add patch from upstream to cope with changed behaviour of
  htmlspecialchars() in PHP 5.4 (closes: #664895).
* Add patch from upstream to cope with removal of
  session_unregister() in PHP 5.4.

Author: Thijs Kinkhorst
Revision Date: 2012-12-20 20:41:02 UTC

* Add patch from upstream to cope with changed behaviour of
  htmlspecialchars() in PHP 5.4 (closes: #664895).
* Add patch from upstream to cope with removal of
  session_unregister() in PHP 5.4.

Author: Thijs Kinkhorst
Revision Date: 2012-12-20 20:41:02 UTC

* Add patch from upstream to cope with changed behaviour of
  htmlspecialchars() in PHP 5.4 (closes: #664895).
* Add patch from upstream to cope with removal of
  session_unregister() in PHP 5.4.

Author: Thijs Kinkhorst
Revision Date: 2012-12-20 20:41:02 UTC

* Add patch from upstream to cope with changed behaviour of
  htmlspecialchars() in PHP 5.4 (closes: #664895).
* Add patch from upstream to cope with removal of
  session_unregister() in PHP 5.4.

Author: Thijs Kinkhorst
Revision Date: 2012-04-06 13:18:54 UTC

* New upstream snapshot release.
  - Addresses PHP 5.4 compatibility issues (closes: #664895).
  - Fixes PHP warning (closes: #641869).
  - Fixes hide_auth_header (closes: #661394).

Author: Thijs Kinkhorst
Revision Date: 2011-07-24 14:40:01 UTC

* New upstream release, fixes several security issues
  (CVE-2011-2023, CVE-2010-4554, CVE-2010-4555,
   closes: #593345, #634822).
* Move to dpkg source format 3.0, separate out Debian patches.
  Small packaging cleanups.

Author: Thijs Kinkhorst
Revision Date: 2011-07-24 14:40:01 UTC

* New upstream release, fixes several security issues
  (CVE-2011-2023, CVE-2010-4554, CVE-2010-4555,
   closes: #593345, #634822).
* Move to dpkg source format 3.0, separate out Debian patches.
  Small packaging cleanups.

Author: Thijs Kinkhorst
Revision Date: 2010-07-31 13:54:45 UTC

* New upstream release.
  + Addresses two low-imact security issues, bump urgency.
    [CVE-2010-1637, CVE-2010-2813]
* Checked for policy 3.9.1, no changes necessary.

Author: Thijs Kinkhorst
Revision Date: 2010-07-31 13:54:45 UTC

* New upstream release.
  + Addresses two low-imact security issues, bump urgency.
    [CVE-2010-1637, CVE-2010-2813]
* Checked for policy 3.9.1, no changes necessary.

Author: Andreas Wenning
Revision Date: 2010-06-24 14:18:27 UTC

* SECURITY UPDATE: (LP: #598077)
* The Mail Fetch plugin allows remote authenticated users to bypass firewall
  restrictions and use SquirrelMail as a proxy to scan internal networks via
  a modified POP3 port number.
  - http://squirrelmail.org/security/issue/2010-06-21
  - CVE-2010-1637
  - Patch taken from upstream svn rev. 13951. Applied inline.

Author: Andreas Wenning
Revision Date: 2010-06-24 14:16:52 UTC

* SECURITY UPDATE: (LP: #598077)
* The Mail Fetch plugin allows remote authenticated users to bypass firewall
  restrictions and use SquirrelMail as a proxy to scan internal networks via
  a modified POP3 port number.
  - http://squirrelmail.org/security/issue/2010-06-21
  - CVE-2010-1637
  - Patch taken from upstream svn rev. 13951. Applied inline.

Author: Andreas Wenning
Revision Date: 2010-06-24 14:17:43 UTC

* SECURITY UPDATE: (LP: #598077)
* The Mail Fetch plugin allows remote authenticated users to bypass firewall
  restrictions and use SquirrelMail as a proxy to scan internal networks via
  a modified POP3 port number.
  - http://squirrelmail.org/security/issue/2010-06-21
  - CVE-2010-1637
  - Patch taken from upstream svn rev. 13951. Applied inline.

Author: Andreas Wenning
Revision Date: 2010-06-24 14:16:06 UTC

* SECURITY UPDATE: (LP: #598077)
* The Mail Fetch plugin allows remote authenticated users to bypass firewall
  restrictions and use SquirrelMail as a proxy to scan internal networks via
  a modified POP3 port number.
  - http://squirrelmail.org/security/issue/2010-06-21
  - CVE-2010-1637
  - Patch taken from upstream svn rev. 13951. Applied inline.

Author: Andreas Wenning
Revision Date: 2010-06-24 14:18:27 UTC

* SECURITY UPDATE: (LP: #598077)
* The Mail Fetch plugin allows remote authenticated users to bypass firewall
  restrictions and use SquirrelMail as a proxy to scan internal networks via
  a modified POP3 port number.
  - http://squirrelmail.org/security/issue/2010-06-21
  - CVE-2010-1637
  - Patch taken from upstream svn rev. 13951. Applied inline.

Author: Andreas Wenning
Revision Date: 2010-06-24 14:17:43 UTC

* SECURITY UPDATE: (LP: #598077)
* The Mail Fetch plugin allows remote authenticated users to bypass firewall
  restrictions and use SquirrelMail as a proxy to scan internal networks via
  a modified POP3 port number.
  - http://squirrelmail.org/security/issue/2010-06-21
  - CVE-2010-1637
  - Patch taken from upstream svn rev. 13951. Applied inline.

Author: Andreas Wenning
Revision Date: 2010-06-24 14:16:52 UTC

* SECURITY UPDATE: (LP: #598077)
* The Mail Fetch plugin allows remote authenticated users to bypass firewall
  restrictions and use SquirrelMail as a proxy to scan internal networks via
  a modified POP3 port number.
  - http://squirrelmail.org/security/issue/2010-06-21
  - CVE-2010-1637
  - Patch taken from upstream svn rev. 13951. Applied inline.

Author: Andreas Wenning
Revision Date: 2010-06-24 14:16:06 UTC

* SECURITY UPDATE: (LP: #598077)
* The Mail Fetch plugin allows remote authenticated users to bypass firewall
  restrictions and use SquirrelMail as a proxy to scan internal networks via
  a modified POP3 port number.
  - http://squirrelmail.org/security/issue/2010-06-21
  - CVE-2010-1637
  - Patch taken from upstream svn rev. 13951. Applied inline.

Author: Thijs Kinkhorst
Revision Date: 2010-03-07 16:26:58 UTC

* New upstream release.
  + Addresses search bug (closes: #550763).
* Update to policy 3.8.4, no changes necessary.

Author: Leonel Nunez
Revision Date: 2009-10-11 19:18:52 UTC

* SECURITY UPDATE: (LP: #446838)
* Multiple cross-site request forgery (CSRF) in all
  forms submissions
* edited:
  src/addrbook_search_html.php,src/addressbook.php,src/compose.php
  src/folders_create.php,src/folders_delete.php,src/folders.php,
  src/folders_rename_do.php,src/folders_rename_getname.php,
  src/folders_subscribe.php,functions/forms.php,
  functions/mailbox_display.php,src/move_messages.php,
  src/options_highlight.php,src/options_identities.php,
  src/options_order.php,src/options.php,src/search.php,
  functions/strings.php,src/vcard.php
* Fixes : CVE-2009-2964
  - http://www.squirrelmail.org/security/issue/2009-08-12
  - patches taken from upstream rev 13818
  - patches applied inline

Author: Leonel Nunez
Revision Date: 2009-10-10 19:30:41 UTC

* SECURITY UPDATE: (LP: #446838)
* Multiple cross-site request forgery (CSRF) in all
  forms submissions
* edited:
  src/addrbook_search_html.php,src/addressbook.php,src/compose.php
  src/folders_create.php,src/folders_delete.php,src/folders.php,
  src/folders_rename_do.php,src/folders_rename_getname.php,
  src/folders_subscribe.php,functions/forms.php,
  functions/mailbox_display.php,src/move_messages.php,
  src/options_highlight.php,src/options_identities.php,
  src/options_order.php,src/options.php,src/search.php,
  functions/strings.php,src/vcard.php
* Fixes : CVE-2009-2964
  - http://www.squirrelmail.org/security/issue/2009-08-12
  - patches taken from upstream rev 13818
  - patches applied inline

Author: Leonel Nunez
Revision Date: 2009-10-11 21:33:16 UTC

* SECURITY UPDATE: (LP: #446838)
* Multiple cross-site request forgery (CSRF) in all
  forms submissions
* edited:
  src/addrbook_search_html.php,src/addressbook.php,src/compose.php
  src/folders_create.php,src/folders_delete.php,src/folders.php,
  src/folders_rename_do.php,src/folders_rename_getname.php,
  src/folders_subscribe.php,functions/forms.php,
  functions/mailbox_display.php,src/move_messages.php,
  src/options_highlight.php,src/options_identities.php,
  src/options_order.php,src/options.php,src/search.php,
  functions/strings.php,src/vcard.php
* Fixes : CVE-2009-2964
  - http://www.squirrelmail.org/security/issue/2009-08-12
  - patches taken from upstream rev 13818
  - patches applied inline

Author: Leonel Nunez
Revision Date: 2009-10-11 06:41:56 UTC

* SECURITY UPDATE: (LP: #446838)
* Multiple cross-site request forgery (CSRF) in all
  forms submissions
* edited:
  src/addrbook_search_html.php,src/addressbook.php,src/compose.php
  src/folders_create.php,src/folders_delete.php,src/folders.php,
  src/folders_rename_do.php,src/folders_rename_getname.php,
  src/folders_subscribe.php,functions/forms.php,
  functions/mailbox_display.php,src/move_messages.php,
  src/options_highlight.php,src/options_identities.php,
  src/options_order.php,src/options.php,src/search.php,
  functions/strings.php,src/vcard.php
* Fixes : CVE-2009-2964
  - http://www.squirrelmail.org/security/issue/2009-08-12
  - patches taken from upstream rev 13818
  - patches applied inline

Author: Thijs Kinkhorst
Revision Date: 2008-12-07 16:18:03 UTC

Address cross site scripting issue in the HTML filter
(CVE-2008-2379).

Author: Thijs Kinkhorst
Revision Date: 2008-09-28 16:33:48 UTC

Cookies sent over HTTPS will now be confined to HTTPS only
(cookie secure flag) and more support for the HTTPOnly cookie
attribute. Patch taken from upstream release.
(CVE-2008-3663, closes: #499942)

Author: Daniel Hahler
Revision Date: 2008-04-02 02:22:42 UTC

* Sync from Debian (LP: #204754)
* README.locales: add paragraph about setting up locales for gettext
  (LP: #133845)
* Modify Maintainer value to match the DebianMaintainerField
  specification.

Author: Thijs Kinkhorst
Revision Date: 2007-05-31 19:34:29 UTC

* Make use of new dictionaries-common SquirrelMail interface to
  detect the installed squirrelspell dictionaries (Closes: #420877).
* Remove obsolete upgrading code.
* Make sure config files are not closed with '?>' since it's then
  too easy to get stray whitespace at the end of the file.

Author: Thijs Kinkhorst
Revision Date: 2006-12-04 09:18:09 UTC

* New upstream security release.
  - Additionally tightens HTML filter for IE <= 5 parsing
    absolutely everything and it's horse.

Author: Thijs Kinkhorst
Revision Date: 2006-08-11 13:53:20 UTC

* New upstream release
  - Includes security fix: variable overwriting in compose.php
    by logged-in user [CVE-2006-4019]
  - Does not ship SquirrelMail developer's documentation anymore.

* Remove duplicate content from README.locales.

Author: Thijs Kinkhorst
Revision Date: 2006-03-07 14:56:06 UTC

* New upstream release.
* Includes the following security fixes:
  - Fix IMAP command injection in sqimap_mailbox_select
    with upstream patch. [CVE-2006-0377] (Closes: #354063)
  - Fix possible XSS in MagicHTML, concerning the parsing
    of u\rl and comments in styles. Internet Explorer
    specific. [CVE-2006-0195] (Closes: #354062)
  - Fix possible cross site scripting through the right_main
    parameter of webmail.php. This now uses a whitelist of
    acceptable values. [CVE-2006-0188] (Closes: #354064, #355424)

Author: Martin Schulze
Revision Date: 2005-07-11 15:21:59 UTC

* Non-maintainer upload by the Security Team
* Corrected the patch based on upstream input
  [src/options_identities.php, CAN-2005-2095]

Author: Thijs Kinkhorst
Revision Date: 2005-02-06 21:41:51 UTC

* Move default_pref config file from /var to /etc, as per Debian policy
  (Closes: #293281)
* [JvW] (finally) override two lintian warnings about nonstandard
  permissions that are intentional (Closes: #293366)

Author: Sam Johnston
Revision Date: 2004-02-04 01:42:12 UTC

* New upstream release. Closes #230921.
* RFC3501 compliance for mailbox naming (eg trailing spaces).
  Closes: #176590, #215183.
* Adds a squirrelmail symlink in /var/www/. Closes: #229282.
* Adds PHP safe_mode workaround to README.Debian. Closes: #222071.
* Adds daily cron job to clean attachments directory. Closes: #228400.
* Checks for config_default.php before copying in postinst.
  Closes: #229737.

Author: Leonel Nunez
Revision Date: 2009-10-11 21:33:16 UTC

* SECURITY UPDATE: (LP: #446838)
* Multiple cross-site request forgery (CSRF) in all
  forms submissions
* edited:
  src/addrbook_search_html.php,src/addressbook.php,src/compose.php
  src/folders_create.php,src/folders_delete.php,src/folders.php,
  src/folders_rename_do.php,src/folders_rename_getname.php,
  src/folders_subscribe.php,functions/forms.php,
  functions/mailbox_display.php,src/move_messages.php,
  src/options_highlight.php,src/options_identities.php,
  src/options_order.php,src/options.php,src/search.php,
  functions/strings.php,src/vcard.php
* Fixes : CVE-2009-2964
  - http://www.squirrelmail.org/security/issue/2009-08-12
  - patches taken from upstream rev 13818
  - patches applied inline

Author: Leonel Nunez
Revision Date: 2009-10-11 21:33:16 UTC

* SECURITY UPDATE: (LP: #446838)
* Multiple cross-site request forgery (CSRF) in all
  forms submissions
* edited:
  src/addrbook_search_html.php,src/addressbook.php,src/compose.php
  src/folders_create.php,src/folders_delete.php,src/folders.php,
  src/folders_rename_do.php,src/folders_rename_getname.php,
  src/folders_subscribe.php,functions/forms.php,
  functions/mailbox_display.php,src/move_messages.php,
  src/options_highlight.php,src/options_identities.php,
  src/options_order.php,src/options.php,src/search.php,
  functions/strings.php,src/vcard.php
* Fixes : CVE-2009-2964
  - http://www.squirrelmail.org/security/issue/2009-08-12
  - patches taken from upstream rev 13818
  - patches applied inline

Author: Andreas Wenning
Revision Date: 2009-02-13 08:03:02 UTC

* SECURITY UPDATE: cross site scripting issue in the HTML filter.
  Patch taken from upstream release. (LP: #306536)
  - CVE-2008-2379
  - http://www.squirrelmail.org/security/issue/2008-12-04
* SECURITY UPDATE: Cookies sent over HTTPS will now be confined to
  HTTPS only (cookie secure flag) and more support for the HTTPOnly
  cookie attribute. Patch taken from upstream release. (LP: #328938)
  - CVE-2008-3663
  - http://www.squirrelmail.org/security/issue/2008-09-28

Author: Andreas Wenning
Revision Date: 2009-02-13 08:03:02 UTC

* SECURITY UPDATE: cross site scripting issue in the HTML filter.
  Patch taken from upstream release. (LP: #306536)
  - CVE-2008-2379
  - http://www.squirrelmail.org/security/issue/2008-12-04
* SECURITY UPDATE: Cookies sent over HTTPS will now be confined to
  HTTPS only (cookie secure flag) and more support for the HTTPOnly
  cookie attribute. Patch taken from upstream release. (LP: #328938)
  - CVE-2008-3663
  - http://www.squirrelmail.org/security/issue/2008-09-28

Author: Scott Kitterman
Revision Date: 2007-07-20 10:23:43 UTC

Automated backport upload; no source changes.

Author: Leonel Nunez
Revision Date: 2007-05-11 18:39:34 UTC

* SECURITY UPDATE: CSRF and XSS via HTML filter.
* functions/mime.php, src/compose.php, src/view_text.php: Patched in-place
  with upstream changes.
* References
  http://www.squirrelmail.org/security/issue/2007-05-09
  CVE-2007-1262

Author: Leonel Nunez
Revision Date: 2007-05-11 18:39:34 UTC

* SECURITY UPDATE: CSRF and XSS via HTML filter.
* functions/mime.php, src/compose.php, src/view_text.php: Patched in-place
  with upstream changes.
* References
  http://www.squirrelmail.org/security/issue/2007-05-09
  CVE-2007-1262

Author: Scott Kitterman
Revision Date: 2007-07-20 10:23:08 UTC

Automated backport upload; no source changes.

Author: Andreas Wenning
Revision Date: 2009-03-26 14:21:47 UTC

* SECURITY UPDATE: Possible cookie theft in src/redirect.php if
  register_globals is enabled, and malicous site is running in same
  domain. Patch taken from upstream svn rev 10851. (LP: #348839)
  - CVE-2006-3665
* SECURITY UPDATE: Possible cross-site scripting (XSS) vulnerability in
  search.php, when register_globals is enabled. Patch taken from upstream
  svn rev 11319. (LP: #348839)
  - CVE-2006-3174
  - http://squirrelmail.org/security/issue/2006-06-22

Author: Leonel Nunez
Revision Date: 2007-05-15 18:49:35 UTC

* SECURITY UPDATE: XSS and CSRF in various areas
* src/compose.php, src/right_main.php, src/login.php, src/mailto.php,
  src/redirect.php, src/webmail.php, src/mime.php: back-ported fixes for
  XSS in compose, draft and HTML mail. (CVE-2006-6142)
  http://www.squirrelmail.org/security/issue/2006-12-02
* fuctions/mime.php, src/compose.php, src/view_text.php: back-ported fixes
  for XSS in HTML filter (CVE-2007-1262)
  http://www.squirrelmail.org/security/issue/2007-05-09

Author: Leonel Nunez
Revision Date: 2007-05-15 18:49:35 UTC

* SECURITY UPDATE: XSS and CSRF in various areas
* src/compose.php, src/right_main.php, src/login.php, src/mailto.php,
  src/redirect.php, src/webmail.php, src/mime.php: back-ported fixes for
  XSS in compose, draft and HTML mail. (CVE-2006-6142)
  http://www.squirrelmail.org/security/issue/2006-12-02
* fuctions/mime.php, src/compose.php, src/view_text.php: back-ported fixes
  for XSS in HTML filter (CVE-2007-1262)
  http://www.squirrelmail.org/security/issue/2007-05-09

Author: Scott Kitterman
Revision Date: 2007-07-20 10:22:13 UTC

Automated backport upload; no source changes.

Author: Andreas Wenning
Revision Date: 2009-03-26 14:21:47 UTC

* SECURITY UPDATE: Possible cookie theft in src/redirect.php if
  register_globals is enabled, and malicous site is running in same
  domain. Patch taken from upstream svn rev 10851. (LP: #348839)
  - CVE-2006-3665
* SECURITY UPDATE: Possible cross-site scripting (XSS) vulnerability in
  search.php, when register_globals is enabled. Patch taken from upstream
  svn rev 11319. (LP: #348839)
  - CVE-2006-3174
  - http://squirrelmail.org/security/issue/2006-06-22

Author: Matthew Palmer
Revision Date: 2005-09-11 01:11:28 UTC

* Security patches cross-ported from Debian Sarge.
* Fix several cross-site scripting vulnerabilities [CAN-2005-1769]
* Work around arbitrary variable injection with extract() [CAN-2005-2095]

Author: Gerardo Di Giacomo
Revision Date: 2004-12-05 19:40:35 UTC

* SECURITY UPDATE: decodeHeader HTML Injection Vulnerability
* functions/mime.php:
  - applied vendor patch.
* References:
  - CAN-2004-1036
  - http://www.securityfocus.com/bid/11653

Author: Thijs Kinkhorst
Revision Date: 2009-05-21 20:16:48 UTC

* New upstream release.
  + Corrects incomplete fix for CVE-2009-1579 [CVE-2009-1381]
  + Fixes filter plugin regression (closes: #529328)