lp:ubuntu/hardy-proposed/squirrelmail
- Get this branch:
- bzr branch lp:ubuntu/hardy-proposed/squirrelmail
Recent revisions
- 22. By Leonel Nunez
* SECURITY UPDATE: (LP: #446838)
* Multiple cross-site request forgery (CSRF) in all
forms submissions
* edited:
src/addrbook_search_html.php, src/addressbook.php, src/compose.php,
src/folders_create.php, src/folders_delete.php, src/folders.php,
src/folders_rename_do.php, src/folders_rename_getname.php,
src/folders_subscribe.php, functions/forms.php,
functions/mailbox_display.php, src/move_messages.php,
src/options_highlight.php, src/options_identities.php,
src/options_order.php, src/options.php, src/search.php,
functions/strings.php, src/vcard.php
* Fixes : CVE-2009-2964
- http://www.squirrelmail.org/security/issue/2009-08-12
- patches taken from upstream rev 13818
- patches applied inline
- 21. By Andreas Wenning
* SECURITY UPDATE: (LP: #396306)
* Server-side code injection in map_yp_alias username map. An issue was
fixed that allowed arbitrary server-side code execution when SquirrelMail
was configured to use the example "map_yp_alias" username mapping
functionality.
- Fixes incomplete fix for CVE-2009-1579
- http://squirrelmail.org/security/issue/2009-05-10
- CVE-2009-1381
- Patch taken from upstream svn rev. 13733. Applied inline.
- 20. By Andreas Wenning
* SECURITY UPDATE: (LP: #375513)
* Multiple cross site scripting issues. Two issues were fixed that both
allowed an attacker to run arbitrary script (XSS) on most any
SquirrelMail page by getting the user to click on specially crafted
SquirrelMail links.
- http://squirrelmail.org/security/issue/2009-05-08
- CVE-2009-1578
- Patch taken from upstream svn rev. 13670. Applied inline.
* Cross site scripting issues in decrypt_headers.php. An issue was fixed
wherein input to the contrib/decrypt_headers.php script was not sanitized
and allowed arbitrary script execution upon submission of certain values.
- http://squirrelmail.org/security/issue/2009-05-09
- CVE-2009-1578
- Patch taken from upstream svn rev. 13672. Applied inline.
* Server-side code injection in map_yp_alias username map. An issue was
fixed that allowed arbitrary server-side code execution when SquirrelMail
was configured to use the example "map_yp_alias" username mapping
functionality.
- http://squirrelmail.org/security/issue/2009-05-10
- CVE-2009-1579
- Patch taken from upstream svn rev. 13674. Applied inline.
* Session fixation vulnerability. An issue was fixed that allowed an
attacker to possibly steal user data by hijacking the SquirrelMail
login session.
- http://squirrelmail.org/security/issue/2009-05-11
- CVE-2009-1580
- Patch taken from upstream svn rev. 13676. Applied inline.
* CSS positioning vulnerability. An issue was fixed that allowed phishing
and cross-site scripting (XSS) attacks to be run by surreptitious
placement of content in specially-crafted emails sent to SquirrelMail
users.
- http://squirrelmail.org/security/issue/2009-05-12
- CVE-2009-1581
- Patch taken from upstream svn rev. 13667. Applied inline.
- 19. By Andreas Wenning
* SECURITY UPDATE: Cookies sent over HTTPS will now be confined to
HTTPS only (cookie secure flag) and more support for the HTTPOnly
cookie attribute. Patch taken from upstream release. (LP: #328938)
- CVE-2008-3663
- http://www.squirrelmail.org/security/issue/2008-09-28
- 18. By Reinhard Tartler
* SECURITY UPDATE: cross site scripting issue in the HTML filter
(CVE-2008-2379). LP: #306536.
- functions/mime.php: from the Debian package version 1.4.15-4.
- 17. By Daniel Hahler
* Sync from Debian (LP: #204754)
* README.locales: add paragraph about setting up locales for gettext
(LP: #133845)
* Modify Maintainer value to match the DebianMaintainerField
specification.
- 14. By Thijs Kinkhorst
Fix broken attachment handling in PHP4 by applying patch
from upstream.
NOTE: this is only a courtesy to PHP4 users, it must be noted
that Debian does not support PHP4 in current unstable anymore.
(Closes: #444970)
- 13. By Thijs Kinkhorst
* Make use of new dictionaries-common SquirrelMail interface to
detect the installed squirrelspell dictionaries (Closes: #420877).
* Remove obsolete upgrading code.
* Make sure config files are not closed with '?>' since it's then
too easy to get stray whitespace at the end of the file.
Branch metadata
- Branch format:
- Branch format 7
- Repository format:
- Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on:
- lp:ubuntu/lucid/squirrelmail