lp:ubuntu/intrepid-security/squirrelmail
- Get this branch:
- bzr branch lp:ubuntu/intrepid-security/squirrelmail
Recent revisions
- 16. By Leonel Nunez
  * SECURITY UPDATE: (LP: #446838)
  * Multiple cross-site request forgery (CSRF) in all forms submissions
  * edited:
    src/addrbook_search_html.php, src/addressbook.php, src/compose.php,
    src/folders_create.php, src/folders_delete.php, src/folders.php,
    src/folders_rename_do.php, src/folders_rename_getname.php,
    src/folders_subscribe.php, functions/forms.php,
    functions/mailbox_display.php, src/move_messages.php,
    src/options_highlight.php, src/options_identities.php,
    src/options_order.php, src/options.php, src/search.php,
    functions/strings.php, src/vcard.php
  * Fixes: CVE-2009-2964
    - http://www.squirrelmail.org/security/issue/2009-08-12
    - patches taken from upstream rev 13818
    - patches applied inline
- 15. By Andreas Wenning
  * SECURITY UPDATE: (LP: #396306)
  * Server-side code injection in map_yp_alias username map. An issue was
    fixed that allowed arbitrary server-side code execution when SquirrelMail
    was configured to use the example "map_yp_alias" username mapping
    functionality.
    - Fixes incomplete fix for CVE-2009-1579
    - http://squirrelmail.org/security/issue/2009-05-10
    - CVE-2009-1381
    - Patch taken from upstream svn rev. 13733. Applied inline.
- 14. By Andreas Wenning
  * SECURITY UPDATE: (LP: #375513)
  * Multiple cross site scripting issues. Two issues were fixed that both
    allowed an attacker to run arbitrary script (XSS) on most any
    SquirrelMail page by getting the user to click on specially crafted
    SquirrelMail links.
    - http://squirrelmail.org/security/issue/2009-05-08
    - CVE-2009-1578
    - Patch taken from upstream svn rev. 13670. Applied inline.
  * Cross site scripting issues in decrypt_headers.php. An issue was fixed
    wherein input to the contrib/decrypt_headers.php script was not sanitized
    and allowed arbitrary script execution upon submission of certain values.
    - http://squirrelmail.org/security/issue/2009-05-09
    - CVE-2009-1578
    - Patch taken from upstream svn rev. 13672. Applied inline.
  * Server-side code injection in map_yp_alias username map. An issue was
    fixed that allowed arbitrary server-side code execution when SquirrelMail
    was configured to use the example "map_yp_alias" username mapping
    functionality.
    - http://squirrelmail.org/security/issue/2009-05-10
    - CVE-2009-1579
    - Patch taken from upstream svn rev. 13674. Applied inline.
  * Session fixation vulnerability. An issue was fixed that allowed an
    attacker to possibly steal user data by hijacking the SquirrelMail
    login session.
    - http://squirrelmail.org/security/issue/2009-05-11
    - CVE-2009-1580
    - Patch taken from upstream svn rev. 13676. Applied inline.
  * CSS positioning vulnerability. An issue was fixed that allowed phishing
    and cross-site scripting (XSS) attacks to be run by surreptitious
    placement of content in specially-crafted emails sent to SquirrelMail
    users.
    - http://squirrelmail.org/security/issue/2009-05-12
    - CVE-2009-1581
    - Patch taken from upstream svn rev. 13667. Applied inline.
- 13. By Kees Cook
  * SECURITY UPDATE: cross site scripting issue in the HTML filter
    (CVE-2008-2379). LP: #306536.
    - functions/mime.php: from the debian package version 1.4.15-4.
- 12. By Thijs Kinkhorst
  Cookies sent over HTTPS will now be confined to HTTPS only
  (cookie secure flag) and more support for the HTTPOnly cookie
  attribute. Patch taken from upstream release.
  (CVE-2008-3663, closes: #499942)
- 11. By Thijs Kinkhorst
  * New upstream security release.
    - Additionally tightens HTML filter for IE <= 5 parsing
      absolutely everything and its horse.
- 10. By Thijs Kinkhorst
  * Add note to README.Debian about server side sorting (Closes: #394286)
    and regular_globals not being supported.
  * Add IfModule conditionals for register_globals setting in
    apache.conf (Closes: #398173).
- 9. By Thijs Kinkhorst
  * Update Debian patch to display options to cope with the custom
    charset plugin. Thanks Tomas Kuliavas, Closes: #385300.
  * Suggest php[45]-ldap, Closes: #392306.
  * Improve package description.
- 8. By Thijs Kinkhorst
  * New upstream release
    - Includes security fix: variable overwriting in compose.php
      by logged-in user [CVE-2006-4019]
    - Does not ship SquirrelMail developer's documentation anymore.
  * Remove duplicate content from README.locales.
- 7. By Thijs Kinkhorst
  * New upstream bugfix release.
    + Addresses some low-impact, theoretical or disputed security bugs,
      for which the code is tightened just-in-case:
      - Possible local file inclusion (Closes: #373731, CVE-2006-2842)
      - XSS in search.php (Closes: #375782, CVE-2006-3174)
    + Adds note to db-backend.txt about postgreSQL (Closes: #376605).
  * Checked for standards version to 3.7.2, no changes necessary.
  * Update maintainer address.
Branch metadata
- Branch format:
- Branch format 7
- Repository format:
- Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on:
- lp:ubuntu/karmic/squirrelmail