lp:ubuntu/hardy-updates/squirrelmail

Created by James Westby and last modified
Get this branch:
bzr branch lp:ubuntu/hardy-updates/squirrelmail

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Mature

Recent revisions

23. By Andreas Wenning

* SECURITY UPDATE: (LP: #598077)
* The Mail Fetch plugin allows remote authenticated users to bypass firewall
  restrictions and use SquirrelMail as a proxy to scan internal networks via
  a modified POP3 port number.
  - http://squirrelmail.org/security/issue/2010-06-21
  - CVE-2010-1637
  - Patch taken from upstream svn rev. 13951. Applied inline.

22. By Leonel Nunez

* SECURITY UPDATE: (LP: #446838)
* Multiple cross-site request forgery (CSRF) in all
  form submissions
* edited:
  src/addrbook_search_html.php,src/addressbook.php,src/compose.php
  src/folders_create.php,src/folders_delete.php,src/folders.php,
  src/folders_rename_do.php,src/folders_rename_getname.php,
  src/folders_subscribe.php,functions/forms.php,
  functions/mailbox_display.php,src/move_messages.php,
  src/options_highlight.php,src/options_identities.php,
  src/options_order.php,src/options.php,src/search.php,
  functions/strings.php,src/vcard.php
* Fixes: CVE-2009-2964
  - http://www.squirrelmail.org/security/issue/2009-08-12
  - patches taken from upstream rev 13818
  - patches applied inline

21. By Andreas Wenning

* SECURITY UPDATE: (LP: #396306)
* Server-side code injection in map_yp_alias username map. An issue was
  fixed that allowed arbitrary server-side code execution when SquirrelMail
  was configured to use the example "map_yp_alias" username mapping
  functionality.
  - Fixes incomplete fix for CVE-2009-1579
  - http://squirrelmail.org/security/issue/2009-05-10
  - CVE-2009-1381
  - Patch taken from upstream svn rev. 13733. Applied inline.

20. By Andreas Wenning

* SECURITY UPDATE: (LP: #375513)
* Multiple cross site scripting issues. Two issues were fixed that both
  allowed an attacker to run arbitrary script (XSS) on most any
  SquirrelMail page by getting the user to click on specially crafted
  SquirrelMail links.
  - http://squirrelmail.org/security/issue/2009-05-08
  - CVE-2009-1578
  - Patch taken from upstream svn rev. 13670. Applied inline.
* Cross site scripting issues in decrypt_headers.php. An issue was fixed
  wherein input to the contrib/decrypt_headers.php script was not sanitized
  and allowed arbitrary script execution upon submission of certain values.
  - http://squirrelmail.org/security/issue/2009-05-09
  - CVE-2009-1578
  - Patch taken from upstream svn rev. 13672. Applied inline.
* Server-side code injection in map_yp_alias username map. An issue was
  fixed that allowed arbitrary server-side code execution when SquirrelMail
  was configured to use the example "map_yp_alias" username mapping
  functionality.
  - http://squirrelmail.org/security/issue/2009-05-10
  - CVE-2009-1579
  - Patch taken from upstream svn rev. 13674. Applied inline.
* Session fixation vulnerability. An issue was fixed that allowed an
  attacker to possibly steal user data by hijacking the SquirrelMail
  login session.
  - http://squirrelmail.org/security/issue/2009-05-11
  - CVE-2009-1580
  - Patch taken from upstream svn rev. 13676. Applied inline.
* CSS positioning vulnerability. An issue was fixed that allowed phishing
  and cross-site scripting (XSS) attacks to be run by surreptitious
  placement of content in specially-crafted emails sent to SquirrelMail
  users.
  - http://squirrelmail.org/security/issue/2009-05-12
  - CVE-2009-1581
  - Patch taken from upstream svn rev. 13667. Applied inline.

19. By Andreas Wenning

* SECURITY UPDATE: Cookies sent over HTTPS will now be confined to
  HTTPS only (cookie secure flag) and more support for the HTTPOnly
  cookie attribute. Patch taken from upstream release. (LP: #328938)
  - CVE-2008-3663
  - http://www.squirrelmail.org/security/issue/2008-09-28

18. By Reinhard Tartler

* SECURITY UPDATE: cross site scripting issue in the HTML filter
  (CVE-2008-2379). LP: #306536.
  - functions/mime.php: from the debian package version 1.4.15-4.

17. By Daniel Hahler

* Sync from Debian (LP: #204754)
* README.locales: add paragraph about setting up locales for gettext
  (LP: #133845)
* Modify Maintainer value to match the DebianMaintainerField
  specification.

16. By Thijs Kinkhorst

New upstream release.

15. By Thijs Kinkhorst

* New upstream release.
* Minor packaging cleanups.

14. By Thijs Kinkhorst

Fix broken attachment handling in PHP4 by applying patch
from upstream.
NOTE: this is only a courtesy to PHP4 users, it must be noted
that Debian does not support PHP4 in current unstable anymore.
(Closes: #444970)

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/karmic/squirrelmail