lp:ubuntu/intrepid-security/squirrelmail

Created by James Westby and last modified
Get this branch:
bzr branch lp:ubuntu/intrepid-security/squirrelmail

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Mature

Recent revisions

16. By Leonel Nunez

* SECURITY UPDATE: (LP: #446838)
* Multiple cross-site request forgery (CSRF) issues in all
  form submissions
* edited:
  src/addrbook_search_html.php, src/addressbook.php, src/compose.php,
  src/folders_create.php, src/folders_delete.php, src/folders.php,
  src/folders_rename_do.php, src/folders_rename_getname.php,
  src/folders_subscribe.php, functions/forms.php,
  functions/mailbox_display.php, src/move_messages.php,
  src/options_highlight.php, src/options_identities.php,
  src/options_order.php, src/options.php, src/search.php,
  functions/strings.php, src/vcard.php
* Fixes: CVE-2009-2964
  - http://www.squirrelmail.org/security/issue/2009-08-12
  - patches taken from upstream rev 13818
  - patches applied inline
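The revision above describes adding CSRF protection to every state-changing form. The following is an added illustration of that pattern in PHP, not SquirrelMail's own code and not the upstream patch: the function names (csrf_token, csrf_field, csrf_check), the field name smtoken and the folder-deletion handler are made up for the example. It shows an unprotected handler that acts on any POST beside the same handler gated on a per-session token compared in constant time.

```php
<?php
// Added example (not SquirrelMail code): one random CSRF token per login
// session, carried in every form and checked on every state-changing POST.
// Names (csrf_token, csrf_field, csrf_check, smtoken) are hypothetical.

session_start();

// Issue one unpredictable token per session and reuse it for all forms.
function csrf_token(): string {
    if (empty($_SESSION['smtoken'])) {
        $_SESSION['smtoken'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['smtoken'];
}

// Hidden field that carries the token into a form; always HTML-escape it.
function csrf_field(): string {
    return '<input type="hidden" name="smtoken" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Accept a POST only if it carries exactly the session's token.
// hash_equals() avoids leaking the token through timing differences.
function csrf_check(array $post): bool {
    $expected = $_SESSION['smtoken'] ?? '';
    $given    = $post['smtoken'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// VULNERABLE pattern: acts on any POST naming a folder. A page on an
// attacker's site can auto-submit such a form while the victim is logged
// in, because the browser attaches the victim's session cookie.
function delete_folder_unprotected(array $post): string {
    if (isset($post['mailbox'])) {
        return 'deleted ' . $post['mailbox'];   // would call the IMAP backend
    }
    return 'nothing to do';
}

// HARDENED pattern: same action, refused unless the token matches.
function delete_folder_protected(array $post): string {
    if (!csrf_check($post)) {
        http_response_code(403);
        return 'rejected: bad or missing CSRF token';
    }
    return delete_folder_unprotected($post);
}

// Constructed inputs: a cross-site POST has no way to learn the token.
$forged = ['mailbox' => 'INBOX.Drafts'];
$legit  = ['mailbox' => 'INBOX.Drafts', 'smtoken' => csrf_token()];

echo delete_folder_protected($forged), "\n";
echo delete_folder_protected($legit), "\n";
echo csrf_field(), "\n";
```

The token is bound to the session rather than to a single form so that every form on the site can share it; the check must be applied to each handler that changes state, which is why the revision touches so many files.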

15. By Andreas Wenning

* SECURITY UPDATE: (LP: #396306)
* Server-side code injection in map_yp_alias username map. An issue was
  fixed that allowed arbitrary server-side code execution when SquirrelMail
  was configured to use the example "map_yp_alias" username mapping
  functionality.
  - Fixes incomplete fix for CVE-2009-1579
  - http://squirrelmail.org/security/issue/2009-05-10
  - CVE-2009-1381
  - Patch taken from upstream svn rev. 13733. Applied inline.

14. By Andreas Wenning

* SECURITY UPDATE: (LP: #375513)
* Multiple cross site scripting issues. Two issues were fixed that both
  allowed an attacker to run arbitrary script (XSS) on most any
  SquirrelMail page by getting the user to click on specially crafted
  SquirrelMail links.
  - http://squirrelmail.org/security/issue/2009-05-08
  - CVE-2009-1578
  - Patch taken from upstream svn rev. 13670. Applied inline.
* Cross site scripting issues in decrypt_headers.php. An issue was fixed
  wherein input to the contrib/decrypt_headers.php script was not sanitized
  and allowed arbitrary script execution upon submission of certain values.
  - http://squirrelmail.org/security/issue/2009-05-09
  - CVE-2009-1578
  - Patch taken from upstream svn rev. 13672. Applied inline.
* Server-side code injection in map_yp_alias username map. An issue was
  fixed that allowed arbitrary server-side code execution when SquirrelMail
  was configured to use the example "map_yp_alias" username mapping
  functionality.
  - http://squirrelmail.org/security/issue/2009-05-10
  - CVE-2009-1579
  - Patch taken from upstream svn rev. 13674. Applied inline.
* Session fixation vulnerability. An issue was fixed that allowed an
  attacker to possibly steal user data by hijacking the SquirrelMail
  login session.
  - http://squirrelmail.org/security/issue/2009-05-11
  - CVE-2009-1580
  - Patch taken from upstream svn rev. 13676. Applied inline.
* CSS positioning vulnerability. An issue was fixed that allowed phishing
  and cross-site scripting (XSS) attacks to be run by surreptitious
  placement of content in specially-crafted emails sent to SquirrelMail
  users.
  - http://squirrelmail.org/security/issue/2009-05-12
  - CVE-2009-1581
  - Patch taken from upstream svn rev. 13667. Applied inline.

13. By Kees Cook

* SECURITY UPDATE: cross site scripting issue in the HTML filter
  (CVE-2008-2379). LP: #306536.
  - functions/mime.php: from the debian package version 1.4.15-4.

12. By Thijs Kinkhorst

Cookies sent over HTTPS will now be confined to HTTPS only
(cookie secure flag), and there is more support for the HTTPOnly cookie
attribute. Patch taken from upstream release.
(CVE-2008-3663, closes: #499942)
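Revision 12 above concerns the Secure and HttpOnly attributes on the session cookie, and revision 14 above concerns session fixation. The following PHP is an added example that serves both, not SquirrelMail's code and not the upstream patches: it sets the cookie flags before the session starts and regenerates the session ID at login so that an ID planted before authentication does not survive it. The function names (harden_session_cookie, login_user) are hypothetical.

```php
<?php
// Added example (not SquirrelMail code): session cookie hardening plus
// fixation defence. Names harden_session_cookie/login_user are made up.

function harden_session_cookie(): void {
    // Send Secure only when the request itself arrived over HTTPS; a
    // Secure cookie set on a plain-HTTP request would never come back.
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

    // Refuse to adopt session IDs the server never issued (fixation
    // via a pre-chosen ID) and never accept the ID from the URL.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');

    session_set_cookie_params([
        'lifetime' => 0,          // session cookie, dropped on browser exit
        'path'     => '/',
        'secure'   => $https,     // HTTPS only
        'httponly' => true,       // not readable by script (limits XSS impact)
        'samesite' => 'Lax',
    ]);
    session_start();
}

// At login, discard the pre-authentication ID. Anything an attacker
// planted in the victim's browser now points at a dead session.
function login_user(string $username): void {
    session_regenerate_id(true);   // true: delete the old session file
    $_SESSION['user']     = $username;
    $_SESSION['login_at'] = time();
}

// Any additional cookie set by hand gets the same flags explicitly.
function set_hardened_cookie(string $name, string $value, bool $https): void {
    setcookie($name, $value, [
        'expires'  => 0,
        'path'     => '/',
        'secure'   => $https,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

harden_session_cookie();
$before = session_id();
login_user('alice');
$after = session_id();

// The ID in the victim's cookie before login no longer names a live session.
echo ($before !== $after) ? "session id rotated at login\n"
                          : "WARNING: session id unchanged\n";
```

The array forms of session_set_cookie_params() and setcookie() need PHP 7.3 or later; on older PHP the same flags are passed positionally. Regenerating the ID at login is what defeats fixation; the cookie flags limit what a network or script-level attacker can do with the ID once it exists.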

11. By Thijs Kinkhorst

* New upstream security release.
  - Additionally tightens HTML filter for IE <= 5 parsing
    absolutely everything and its horse.

10. By Thijs Kinkhorst

* Add note to README.Debian about server side sorting (Closes: #394286)
  and register_globals not being supported.
* Add IfModule conditionals for register_globals setting in
  apache.conf (Closes: #398173).

9. By Thijs Kinkhorst

* Update Debian patch to display options to cope with the custom
  charset plugin. Thanks Tomas Kuliavas, Closes: #385300.
* Suggest php[45]-ldap, Closes: #392306.
* Improve package description.

8. By Thijs Kinkhorst

* New upstream release
  - Includes security fix: variable overwriting in compose.php
    by logged-in user [CVE-2006-4019]
  - Does not ship SquirrelMail developer's documentation anymore.

* Remove duplicate content from README.locales.

7. By Thijs Kinkhorst

* New upstream bugfix release.
  + Addresses some low-impact, theoretical or disputed security bugs,
    for which the code is tightened just-in-case:
    - Possible local file inclusion (Closes: #373731, CVE-2006-2842)
    - XSS in search.php (Closes: #375782, CVE-2006-3174)
  + Adds note to db-backend.txt about postgreSQL (Closes: #376605).

* Checked against standards version 3.7.2, no changes necessary.
* Update maintainer address.

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/karmic/squirrelmail