Change log for squirrelmail package in Ubuntu

Published in xenial-updates
Published in xenial-security
squirrelmail (2:1.4.23~svn20120406-2+deb8u3ubuntu0.16.04.2) xenial-security; urgency=medium

  * SECURITY UPDATE: Cross-site scripting (XSS) vulnerability
    - debian/patches/CVE-2019-12970.patch: Fix XSS due to improper handling
      of RCDATA and RAWTEXT elements.
    - CVE-2019-12970

 -- Paulo Flabiano Smorigo <email address hidden>  Wed, 09 Dec 2020 14:57:30 +0000
Superseded in xenial-updates
Superseded in xenial-security
squirrelmail (2:1.4.23~svn20120406-2+deb8u3ubuntu0.16.04.1) xenial-security; urgency=medium

  * SECURITY UPDATE: XSS vulnerabilities
    - CVE-2018-14950-55.patch: Non-maintainer upload by the Debian LTS Team.
      Fix for several XSS vulnerabilities
    - CVE-2018-14950 CVE-2018-14951 CVE-2018-14952 CVE-2018-14953 CVE-2018-14954
      CVE-2018-14955

 -- Mike Salvatore <email address hidden>  Fri, 31 Aug 2018 10:44:45 -0400
Published in trusty-updates
Published in trusty-security
squirrelmail (2:1.4.23~svn20120406-2+deb8u3build0.14.04.1) trusty-security; urgency=medium

  * fake sync from Debian

Superseded in xenial-updates
Superseded in xenial-security
squirrelmail (2:1.4.23~svn20120406-2+deb8u2ubuntu0.16.04.3) xenial-security; urgency=medium

  [ Nishanth Aravamudan ]
  * debian/patches/php7_remove_e_modifier_preg_replace: Remove use of
    deprecated /e modifier in preg_replace.  Thanks to Thijs Kinkhorst
    <email address hidden>.  Closes LP: #1636333.

 -- <email address hidden> (Leonidas S. Barbosa)  Wed, 11 Apr 2018 14:24:18 -0300
Superseded in xenial-updates
Superseded in xenial-security
squirrelmail (2:1.4.23~svn20120406-2+deb8u2ubuntu0.16.04.2) xenial-security; urgency=medium

  [ Nishanth Aravamudan ]
  * Update to PHP7.0 dependencies (LP: #1566587).

 -- <email address hidden> (Leonidas S. Barbosa)  Tue, 10 Apr 2018 14:24:53 -0300
Superseded in xenial-updates
Superseded in xenial-security
squirrelmail (2:1.4.23~svn20120406-2+deb8u2build0.16.04.1) xenial-security; urgency=medium

  * fake sync from Debian

Superseded in trusty-updates
Superseded in trusty-security
squirrelmail (2:1.4.23~svn20120406-2+deb8u2build0.14.04.1) trusty-security; urgency=medium

  * fake sync from Debian

Superseded in trusty-updates
Superseded in trusty-security
squirrelmail (2:1.4.23~svn20120406-2+deb8u1build0.14.04.1) trusty-security; urgency=medium

  * fake sync from Debian

Obsolete in yakkety-updates
Obsolete in yakkety-security
squirrelmail (2:1.4.23~svn20120406-2+deb8u1ubuntu0.16.10.1) yakkety-security; urgency=medium

  * SECURITY UPDATE: post-auth remote code execution
    - debian/patches/CVE-2017-7692.patch: perform escaping on input
    - CVE-2017-7692

 -- Steve Beattie <email address hidden>  Fri, 19 May 2017 15:52:58 -0700
Superseded in xenial-updates
Superseded in xenial-security
squirrelmail (2:1.4.23~svn20120406-2+deb8u1ubuntu0.16.04.1) xenial-security; urgency=medium

  * SECURITY UPDATE: post-auth remote code execution
    - debian/patches/CVE-2017-7692.patch: perform escaping on input
      (thanks to debian)
    - CVE-2017-7692

 -- Steve Beattie <email address hidden>  Fri, 19 May 2017 15:28:31 -0700
Superseded in xenial-updates
Deleted in xenial-proposed (Reason: moved to -updates)
squirrelmail (2:1.4.23~svn20120406-2ubuntu1.16.04.1) xenial; urgency=medium

  * debian/patches/php7_remove_e_modifier_preg_replace: Remove use of
    deprecated /e modifier in preg_replace.  Thanks to Thijs Kinkhorst
    <email address hidden>.  Closes LP: #1636333.

 -- Nishanth Aravamudan <email address hidden>  Mon, 28 Nov 2016 16:31:02 -0800
Superseded in yakkety-updates
Deleted in yakkety-proposed (Reason: moved to -updates)
squirrelmail (2:1.4.23~svn20120406-2ubuntu1.16.10.1) yakkety; urgency=medium

  * debian/patches/php7_remove_e_modifier_preg_replace: Remove use of
    deprecated /e modifier in preg_replace.  Thanks to Thijs Kinkhorst
    <email address hidden>.  Closes LP: #1636333.

 -- Nishanth Aravamudan <email address hidden>  Mon, 28 Nov 2016 16:27:50 -0800
Deleted in zesty-release (Reason: (From Debian) RoQA; RC-buggy; little upstream activity; D...)
Deleted in zesty-proposed (Reason: moved to release)
squirrelmail (2:1.4.23~svn20120406-2ubuntu2) zesty; urgency=medium

  * debian/patches/php7_remove_e_modifier_preg_replace: Remove use of
    deprecated /e modifier in preg_replace.  Thanks to Thijs Kinkhorst
    <email address hidden>.  Closes LP: #1636333.

 -- Nishanth Aravamudan <email address hidden>  Mon, 28 Nov 2016 16:23:55 -0800
Superseded in zesty-release
Obsolete in yakkety-release
Published in xenial-release
Deleted in xenial-proposed (Reason: moved to release)
squirrelmail (2:1.4.23~svn20120406-2ubuntu1) xenial; urgency=medium

  * Update to PHP7.0 dependencies (LP: #1566587).

 -- Nishanth Aravamudan <email address hidden>  Tue, 05 Apr 2016 16:58:07 -0700
Superseded in xenial-release
Obsolete in wily-release
Obsolete in vivid-release
Obsolete in utopic-release
Published in trusty-release
Obsolete in saucy-release
Obsolete in raring-release
Deleted in raring-proposed (Reason: moved to release)
squirrelmail (2:1.4.23~svn20120406-2) unstable; urgency=medium


  * Add patch from upstream to cope with changed behaviour of
    htmlspecialchars() in PHP 5.4 (closes: #664895).
  * Add patch from upstream to cope with removal of
    session_unregister() in PHP 5.4.

 -- Thijs Kinkhorst <email address hidden>  Thu, 20 Dec 2012 20:41:02 +0100
Superseded in raring-release
Obsolete in quantal-release
squirrelmail (2:1.4.23~svn20120406-1) unstable; urgency=medium


  * New upstream snapshot release.
    - Addresses PHP 5.4 compatibility issues (closes: #664895).
    - Fixes PHP warning (closes: #641869).
    - Fixes hide_auth_header (closes: #661394).

 -- Thijs Kinkhorst <email address hidden>  Fri, 06 Apr 2012 13:18:54 +0200
Superseded in quantal-release
Published in precise-release
Obsolete in oneiric-release
squirrelmail (2:1.4.22-1) unstable; urgency=medium

  * New upstream release, fixes several security issues
    (CVE-2011-2023, CVE-2010-4554, CVE-2010-4555,
    closes: #593345, #634822).
  * Move to dpkg source format 3.0, separate out Debian patches.
    Small packaging cleanups.

 -- Thijs Kinkhorst <email address hidden>  Sun, 24 Jul 2011 14:40:01 +0000
Superseded in oneiric-release
Obsolete in natty-release
Obsolete in maverick-release
squirrelmail (2:1.4.21-1) unstable; urgency=medium

  * New upstream release.
    + Addresses two low-impact security issues, bump urgency.
      [CVE-2010-1637, CVE-2010-2813]
  * Checked for policy 3.9.1, no changes necessary.
 -- Bhavani Shankar <email address hidden>   Sat, 31 Jul 2010 13:54:45 +0200

Obsolete in hardy-updates
Obsolete in hardy-security
squirrelmail (2:1.4.13-2ubuntu1.6) hardy-security; urgency=low

  * SECURITY UPDATE: (LP: #598077)
  * The Mail Fetch plugin allows remote authenticated users to bypass firewall
    restrictions and use SquirrelMail as a proxy to scan internal networks via
    a modified POP3 port number.
    - http://squirrelmail.org/security/issue/2010-06-21
    - CVE-2010-1637
    - Patch taken from upstream svn rev. 13951. Applied inline.
 -- Andreas Wenning <email address hidden>   Thu, 24 Jun 2010 14:16:06 +0200
Obsolete in jaunty-updates
Obsolete in jaunty-security
squirrelmail (2:1.4.15-4ubuntu0.4) jaunty-security; urgency=low

  * SECURITY UPDATE: (LP: #598077)
  * The Mail Fetch plugin allows remote authenticated users to bypass firewall
    restrictions and use SquirrelMail as a proxy to scan internal networks via
    a modified POP3 port number.
    - http://squirrelmail.org/security/issue/2010-06-21
    - CVE-2010-1637
    - Patch taken from upstream svn rev. 13951. Applied inline.
 -- Andreas Wenning <email address hidden>   Thu, 24 Jun 2010 14:16:52 +0200
Obsolete in karmic-updates
Obsolete in karmic-security
squirrelmail (2:1.4.19-1ubuntu0.2) karmic-security; urgency=low

  * SECURITY UPDATE: (LP: #598077)
  * The Mail Fetch plugin allows remote authenticated users to bypass firewall
    restrictions and use SquirrelMail as a proxy to scan internal networks via
    a modified POP3 port number.
    - http://squirrelmail.org/security/issue/2010-06-21
    - CVE-2010-1637
    - Patch taken from upstream svn rev. 13951. Applied inline.
 -- Andreas Wenning <email address hidden>   Thu, 24 Jun 2010 14:17:43 +0200
Obsolete in lucid-updates
Obsolete in lucid-security
squirrelmail (2:1.4.20-1ubuntu0.1) lucid-security; urgency=low

  * SECURITY UPDATE: (LP: #598077)
  * The Mail Fetch plugin allows remote authenticated users to bypass firewall
    restrictions and use SquirrelMail as a proxy to scan internal networks via
    a modified POP3 port number.
    - http://squirrelmail.org/security/issue/2010-06-21
    - CVE-2010-1637
    - Patch taken from upstream svn rev. 13951. Applied inline.
 -- Andreas Wenning <email address hidden>   Thu, 24 Jun 2010 14:18:27 +0200
Superseded in maverick-release
squirrelmail (2:1.4.20-1ubuntu1) maverick; urgency=low

  * SECURITY UPDATE: (LP: #598077)
  * The Mail Fetch plugin allows remote authenticated users to bypass firewall
    restrictions and use SquirrelMail as a proxy to scan internal networks via
    a modified POP3 port number.
    - http://squirrelmail.org/security/issue/2010-06-21
    - CVE-2010-1637
    - Patch taken from upstream svn rev. 13951. Applied inline.
 -- Andreas Wenning <email address hidden>   Thu, 24 Jun 2010 14:19:29 +0200

Superseded in maverick-release
Obsolete in lucid-release
squirrelmail (2:1.4.20-1) unstable; urgency=low

  * New upstream release.
    + Addresses search bug (closes: #550763).
  * Update to policy 3.8.4, no changes necessary.
 -- Andreas Wenning <email address hidden>   Mon,  22 Mar 2010 18:25:35 +0000

Superseded in karmic-security
Superseded in karmic-updates
Superseded in karmic-updates
Superseded in karmic-security
Deleted in karmic-proposed (Reason: copied to -updates)
squirrelmail (2:1.4.19-1ubuntu0.1) karmic-security; urgency=low

  * SECURITY UPDATE: (LP: #446838)
  * Multiple cross-site request forgery (CSRF) in all
    forms submissions
  * edited:
    src/addrbook_search_html.php,src/addressbook.php,src/compose.php
    src/folders_create.php,src/folders_delete.php,src/folders.php,
    src/folders_rename_do.php,src/folders_rename_getname.php,
    src/folders_subscribe.php,functions/forms.php,
    functions/mailbox_display.php,src/move_messages.php,
    src/options_highlight.php,src/options_identities.php,
    src/options_order.php,src/options.php,src/search.php,
    functions/strings.php,src/vcard.php
  * Fixes : CVE-2009-2964
    - http://www.squirrelmail.org/security/issue/2009-08-12
    - patches taken from upstream rev 13818
    - patches applied inline
 -- Leonel Nunez <email address hidden>   Sun, 11 Oct 2009 19:18:52 -0600
Superseded in jaunty-updates
Superseded in jaunty-security
Deleted in jaunty-proposed (Reason: moved to -updates)
Superseded in jaunty-proposed
squirrelmail (2:1.4.15-4ubuntu0.3) jaunty-security; urgency=low

  * SECURITY UPDATE: (LP: #446838)
  * Multiple cross-site request forgery (CSRF) in all
    forms submissions
  * edited:
    src/addrbook_search_html.php,src/addressbook.php,src/compose.php
    src/folders_create.php,src/folders_delete.php,src/folders.php,
    src/folders_rename_do.php,src/folders_rename_getname.php,
    src/folders_subscribe.php,functions/forms.php,
    functions/mailbox_display.php,src/move_messages.php,
    src/options_highlight.php,src/options_identities.php,
    src/options_order.php,src/options.php,src/search.php,
    functions/strings.php,src/vcard.php
  * Fixes : CVE-2009-2964
    - http://www.squirrelmail.org/security/issue/2009-08-12
    - patches taken from upstream rev 13818
    - patches applied inline
 -- Leonel Nunez <email address hidden>   Sat, 10 Oct 2009 19:30:41 -0600
Obsolete in intrepid-updates
Obsolete in intrepid-security
Deleted in intrepid-proposed (Reason: moved to -updates)
Superseded in intrepid-proposed
squirrelmail (2:1.4.15-3ubuntu0.4) intrepid-security; urgency=low

  * SECURITY UPDATE: (LP: #446838)
  * Multiple cross-site request forgery (CSRF) in all
    forms submissions
  * edited:
    src/addrbook_search_html.php,src/addressbook.php,src/compose.php
    src/folders_create.php,src/folders_delete.php,src/folders.php,
    src/folders_rename_do.php,src/folders_rename_getname.php,
    src/folders_subscribe.php,functions/forms.php,
    functions/mailbox_display.php,src/move_messages.php,
    src/options_highlight.php,src/options_identities.php,
    src/options_order.php,src/options.php,src/search.php,
    functions/strings.php,src/vcard.php
  * Fixes : CVE-2009-2964
    - http://www.squirrelmail.org/security/issue/2009-08-12
    - patches taken from upstream rev 13818
    - patches applied inline
 -- Leonel Nunez <email address hidden>   Sun, 11 Oct 2009 21:33:16 -0600
Superseded in hardy-updates
Superseded in hardy-security
Deleted in hardy-proposed (Reason: moved to -updates)
Superseded in hardy-proposed
squirrelmail (2:1.4.13-2ubuntu1.5) hardy-security; urgency=low

  * SECURITY UPDATE: (LP: #446838)
  * Multiple cross-site request forgery (CSRF) in all
    forms submissions
  * edited:
    src/addrbook_search_html.php,src/addressbook.php,src/compose.php
    src/folders_create.php,src/folders_delete.php,src/folders.php,
    src/folders_rename_do.php,src/folders_rename_getname.php,
    src/folders_subscribe.php,functions/forms.php,
    functions/mailbox_display.php,src/move_messages.php,
    src/options_highlight.php,src/options_identities.php,
    src/options_order.php,src/options.php,src/search.php,
    functions/strings.php,src/vcard.php
  * Fixes : CVE-2009-2964
    - http://www.squirrelmail.org/security/issue/2009-08-12
    - patches taken from upstream rev 13818
    - patches applied inline
 -- Leonel Nunez <email address hidden>   Sun, 11 Oct 2009 06:41:56 -0600
Superseded in lucid-release
squirrelmail (2:1.4.20~rc2-1) unstable; urgency=medium

  * New upstream release candidate.
    + Addresses cross site request forgery (CVE-2009-2964,
      closes: #543818).
  * Update to policy 3.8.3, no changes necessary.
 -- Ubuntu Archive Auto-Sync <email address hidden>   Fri,  06 Nov 2009 10:36:03 +0000

Superseded in jaunty-updates
Superseded in jaunty-security
squirrelmail (2:1.4.15-4ubuntu0.2) jaunty-security; urgency=low

  * SECURITY UPDATE: (LP: #396306)
  * Server-side code injection in map_yp_alias username map. An issue was
    fixed that allowed arbitrary server-side code execution when SquirrelMail
    was configured to use the example "map_yp_alias" username mapping
    functionality.
    - Fixes incomplete fix for CVE-2009-1579
    - http://squirrelmail.org/security/issue/2009-05-10
    - CVE-2009-1381
    - Patch taken from upstream svn rev. 13733. Applied inline.

 -- Andreas Wenning <email address hidden>   Tue, 07 Jul 2009 02:39:55 +0200
Superseded in intrepid-updates
Superseded in intrepid-security
squirrelmail (2:1.4.15-3ubuntu0.3) intrepid-security; urgency=low

  * SECURITY UPDATE: (LP: #396306)
  * Server-side code injection in map_yp_alias username map. An issue was
    fixed that allowed arbitrary server-side code execution when SquirrelMail
    was configured to use the example "map_yp_alias" username mapping
    functionality.
    - Fixes incomplete fix for CVE-2009-1579
    - http://squirrelmail.org/security/issue/2009-05-10
    - CVE-2009-1381
    - Patch taken from upstream svn rev. 13733. Applied inline.

 -- Andreas Wenning <email address hidden>   Tue, 07 Jul 2009 02:48:17 +0200
Superseded in hardy-updates
Superseded in hardy-security
squirrelmail (2:1.4.13-2ubuntu1.4) hardy-security; urgency=low

  * SECURITY UPDATE: (LP: #396306)
  * Server-side code injection in map_yp_alias username map. An issue was
    fixed that allowed arbitrary server-side code execution when SquirrelMail
    was configured to use the example "map_yp_alias" username mapping
    functionality.
    - Fixes incomplete fix for CVE-2009-1579
    - http://squirrelmail.org/security/issue/2009-05-10
    - CVE-2009-1381
    - Patch taken from upstream svn rev. 13733. Applied inline.

 -- Andreas Wenning <email address hidden>   Tue, 07 Jul 2009 02:50:06 +0200
Superseded in lucid-release
Obsolete in karmic-release
squirrelmail (2:1.4.19-1) unstable; urgency=high

  * New upstream release.
    + Corrects incomplete fix for CVE-2009-1579 [CVE-2009-1381]
    + Fixes filter plugin regression (closes: #529328)

 -- Ubuntu Archive Auto-Sync <email address hidden>   Mon,  01 Jun 2009 10:46:28 +0100

Superseded in hardy-updates
Superseded in hardy-security
squirrelmail (2:1.4.13-2ubuntu1.3) hardy-security; urgency=low

  * SECURITY UPDATE: (LP: #375513)
  * Multiple cross site scripting issues. Two issues were fixed that both
    allowed an attacker to run arbitrary script (XSS) on most any
    SquirrelMail page by getting the user to click on specially crafted
    SquirrelMail links.
    - http://squirrelmail.org/security/issue/2009-05-08
    - CVE-2009-1578
    - Patch taken from upstream svn rev. 13670. Applied inline.
  * Cross site scripting issues in decrypt_headers.php. An issue was fixed
    wherein input to the contrib/decrypt_headers.php script was not sanitized
    and allowed arbitrary script execution upon submission of certain values.
    - http://squirrelmail.org/security/issue/2009-05-09
    - CVE-2009-1578
    - Patch taken from upstream svn rev. 13672. Applied inline.
  * Server-side code injection in map_yp_alias username map. An issue was
    fixed that allowed arbitrary server-side code execution when SquirrelMail
    was configured to use the example "map_yp_alias" username mapping
    functionality.
    - http://squirrelmail.org/security/issue/2009-05-10
    - CVE-2009-1579
    - Patch taken from upstream svn rev. 13674. Applied inline.
  * Session fixation vulnerability. An issue was fixed that allowed an
    attacker to possibly steal user data by hijacking the SquirrelMail
    login session.
    - http://squirrelmail.org/security/issue/2009-05-11
    - CVE-2009-1580
    - Patch taken from upstream svn rev. 13676. Applied inline.
  * CSS positioning vulnerability. An issue was fixed that allowed phishing
    and cross-site scripting (XSS) attacks to be run by surreptitious
    placement of content in specially-crafted emails sent to SquirrelMail
    users.
    - http://squirrelmail.org/security/issue/2009-05-12
    - CVE-2009-1581
    - Patch taken from upstream svn rev. 13667. Applied inline.

 -- Andreas Wenning <email address hidden>   Tue, 12 May 2009 21:13:30 +0200
Superseded in jaunty-updates
Superseded in jaunty-security
squirrelmail (2:1.4.15-4ubuntu0.1) jaunty-security; urgency=low

  * SECURITY UPDATE: (LP: #375513)
  * Multiple cross site scripting issues. Two issues were fixed that both
    allowed an attacker to run arbitrary script (XSS) on most any
    SquirrelMail page by getting the user to click on specially crafted
    SquirrelMail links.
    - http://squirrelmail.org/security/issue/2009-05-08
    - CVE-2009-1578
    - Patch taken from upstream svn rev. 13670. Applied inline.
  * Cross site scripting issues in decrypt_headers.php. An issue was fixed
    wherein input to the contrib/decrypt_headers.php script was not sanitized
    and allowed arbitrary script execution upon submission of certain values.
    - http://squirrelmail.org/security/issue/2009-05-09
    - CVE-2009-1578
    - Patch taken from upstream svn rev. 13672. Applied inline.
  * Server-side code injection in map_yp_alias username map. An issue was
    fixed that allowed arbitrary server-side code execution when SquirrelMail
    was configured to use the example "map_yp_alias" username mapping
    functionality.
    - http://squirrelmail.org/security/issue/2009-05-10
    - CVE-2009-1579
    - Patch taken from upstream svn rev. 13674. Applied inline.
  * Session fixation vulnerability. An issue was fixed that allowed an
    attacker to possibly steal user data by hijacking the SquirrelMail
    login session.
    - http://squirrelmail.org/security/issue/2009-05-11
    - CVE-2009-1580
    - Patch taken from upstream svn rev. 13676. Applied inline.
  * CSS positioning vulnerability. An issue was fixed that allowed phishing
    and cross-site scripting (XSS) attacks to be run by surreptitious
    placement of content in specially-crafted emails sent to SquirrelMail
    users.
    - http://squirrelmail.org/security/issue/2009-05-12
    - CVE-2009-1581
    - Patch taken from upstream svn rev. 13667. Applied inline.

 -- Andreas Wenning <email address hidden>   Tue, 12 May 2009 21:06:15 +0200
Superseded in intrepid-updates
Superseded in intrepid-security
squirrelmail (2:1.4.15-3ubuntu0.2) intrepid-security; urgency=low

  * SECURITY UPDATE: (LP: #375513)
  * Multiple cross site scripting issues. Two issues were fixed that both
    allowed an attacker to run arbitrary script (XSS) on most any
    SquirrelMail page by getting the user to click on specially crafted
    SquirrelMail links.
    - http://squirrelmail.org/security/issue/2009-05-08
    - CVE-2009-1578
    - Patch taken from upstream svn rev. 13670. Applied inline.
  * Cross site scripting issues in decrypt_headers.php. An issue was fixed
    wherein input to the contrib/decrypt_headers.php script was not sanitized
    and allowed arbitrary script execution upon submission of certain values.
    - http://squirrelmail.org/security/issue/2009-05-09
    - CVE-2009-1578
    - Patch taken from upstream svn rev. 13672. Applied inline.
  * Server-side code injection in map_yp_alias username map. An issue was
    fixed that allowed arbitrary server-side code execution when SquirrelMail
    was configured to use the example "map_yp_alias" username mapping
    functionality.
    - http://squirrelmail.org/security/issue/2009-05-10
    - CVE-2009-1579
    - Patch taken from upstream svn rev. 13674. Applied inline.
  * Session fixation vulnerability. An issue was fixed that allowed an
    attacker to possibly steal user data by hijacking the SquirrelMail
    login session.
    - http://squirrelmail.org/security/issue/2009-05-11
    - CVE-2009-1580
    - Patch taken from upstream svn rev. 13676. Applied inline.
  * CSS positioning vulnerability. An issue was fixed that allowed phishing
    and cross-site scripting (XSS) attacks to be run by surreptitious
    placement of content in specially-crafted emails sent to SquirrelMail
    users.
    - http://squirrelmail.org/security/issue/2009-05-12
    - CVE-2009-1581
    - Patch taken from upstream svn rev. 13667. Applied inline.

 -- Andreas Wenning <email address hidden>   Tue, 12 May 2009 21:09:43 +0200
Superseded in karmic-release
squirrelmail (2:1.4.18-1) unstable; urgency=high

  * New upstream release.
    + Addresses several security issues (closes: #528528):
      CVE-2009-1578, CVE-2009-1579, CVE-2009-1580, CVE-2009-1581.
  * Update to debhelper 7 and policy 3.8.1.
  * Make squirrelmail.cron.daily cope with the administrator
    enabling the hashed dir feature, thanks Marcello Nuccio
    (closes: #508287).
  * Update Recommends and Suggests:
    + Remove all php4-related relations.
    + Add recommends for php5-mcode which speeds up crypto.
    + Suggest php5-recode for some character sets.
    + Recommend plugins: squirrelmail-viewashtml for HTML mail,
      squirrelmail-logger to provide logging.
    (closes: #523966, #527964)

 -- Ubuntu Archive Auto-Sync <email address hidden>   Fri,  15 May 2009 11:13:44 +0100

Obsolete in dapper-updates
Obsolete in dapper-security
squirrelmail (2:1.4.6-1ubuntu0.3) dapper-security; urgency=low

  * SECURITY UPDATE: Possible cookie theft in src/redirect.php if
    register_globals is enabled, and malicious site is running in same
    domain. Patch taken from upstream svn rev 10851. (LP: #348839)
    - CVE-2006-3665
  * SECURITY UPDATE: Possible cross-site scripting (XSS) vulnerability in
    search.php, when register_globals is enabled. Patch taken from upstream
    svn rev 11319. (LP: #348839)
    - CVE-2006-3174
    - http://squirrelmail.org/security/issue/2006-06-22

 -- Andreas Wenning <email address hidden>   Thu, 26 Mar 2009 14:21:47 +0100
Superseded in dapper-updates
Superseded in dapper-security
squirrelmail (2:1.4.6-1ubuntu0.2) dapper-security; urgency=low

  * SECURITY UPDATE: cross site scripting issue in the HTML filter.
    Patch taken from upstream release. (LP: #306536)
    - CVE-2008-2379
    - http://www.squirrelmail.org/security/issue/2008-12-04
  * SECURITY UPDATE: Cookies sent over HTTPS will now be confined to
    HTTPS only (cookie secure flag) and more support for the HTTPOnly
    cookie attribute. Patch taken from upstream release. (LP: #328938)
    - CVE-2008-3663
    - http://www.squirrelmail.org/security/issue/2008-09-28

 -- Andreas Wenning <email address hidden>   Fri, 13 Feb 2009 06:25:43 +0100
Superseded in hardy-updates
Superseded in hardy-security
squirrelmail (2:1.4.13-2ubuntu1.2) hardy-security; urgency=low

  * SECURITY UPDATE: Cookies sent over HTTPS will now be confined to
    HTTPS only (cookie secure flag) and more support for the HTTPOnly
    cookie attribute. Patch taken from upstream release. (LP: #328938)
    - CVE-2008-3663
    - http://www.squirrelmail.org/security/issue/2008-09-28

 -- Andreas Wenning <email address hidden>   Fri, 13 Feb 2009 07:53:14 +0100
Obsolete in gutsy-updates
Obsolete in gutsy-security
squirrelmail (2:1.4.10a-2ubuntu0.1) gutsy-security; urgency=low

  * SECURITY UPDATE: cross site scripting issue in the HTML filter.
    Patch taken from upstream release. (LP: #306536)
    - CVE-2008-2379
    - http://www.squirrelmail.org/security/issue/2008-12-04
  * SECURITY UPDATE: Cookies sent over HTTPS will now be confined to
    HTTPS only (cookie secure flag) and more support for the HTTPOnly
    cookie attribute. Patch taken from upstream release. (LP: #328938)
    - CVE-2008-3663
    - http://www.squirrelmail.org/security/issue/2008-09-28

 -- Andreas Wenning <email address hidden>   Fri, 13 Feb 2009 08:03:02 +0100
Superseded in intrepid-updates
Superseded in intrepid-security
squirrelmail (2:1.4.15-3ubuntu0.1) intrepid-security; urgency=low

  * SECURITY UPDATE: cross site scripting issue in the HTML filter
    (CVE-2008-2379). LP: #306536.
    - functions/mime.php: from the debian package version 1.4.15-4.

 -- Kees Cook <email address hidden>   Mon, 15 Dec 2008 14:33:21 -0800
Superseded in hardy-updates
Superseded in hardy-security
squirrelmail (2:1.4.13-2ubuntu1.1) hardy-security; urgency=low

  * SECURITY UPDATE: cross site scripting issue in the HTML filter
    (CVE-2008-2379). LP: #306536.
    - functions/mime.php: from the debian package version 1.4.15-4.

 -- Reinhard Tartler <email address hidden>   Tue, 09 Dec 2008 14:58:07 +0100
Superseded in karmic-release
Obsolete in jaunty-release
squirrelmail (2:1.4.15-4) unstable; urgency=high

  * Address cross site scripting issue in the HTML filter
    (CVE-2008-2379).

 -- Ubuntu Archive Auto-Sync <email address hidden>   Wed,  10 Dec 2008 07:13:44 +0000

Superseded in jaunty-release
Obsolete in intrepid-release
squirrelmail (2:1.4.15-3) unstable; urgency=high

  * Cookies sent over HTTPS will now be confined to HTTPS only
    (cookie secure flag) and more support for the HTTPOnly cookie
    attribute. Patch taken from upstream release.
    (CVE-2008-3663, closes: #499942)

Superseded in intrepid-release
squirrelmail (2:1.4.15-1) unstable; urgency=low

  * New upstream bugfix release.
  * Remove Sam Johnston from Uploaders.
  * Update README.locales to be more verbose about which locales
    need to be enabled on the system, thanks Daniel Hahler.
    (closes: #473861)
  * Do not install index.html under /usr/share/doc, it doesn't add
    much value but requires Debian-specific patching which still
    doesn't work well with gzipped files (closes: #457524).

 -- Emanuele Gentili <email address hidden>   Fri,  13 Jun 2008 09:32:28 +0100

Superseded in intrepid-release
Obsolete in hardy-release
squirrelmail (2:1.4.13-2ubuntu1) hardy; urgency=low

  * Sync from Debian (LP: #204754)
  * README.locales: add paragraph about setting up locales for gettext
    (LP: #133845)
  * Modify Maintainer value to match the DebianMaintainerField
    specification.

Superseded in hardy-release
squirrelmail (2:1.4.13-1) unstable; urgency=low

  * New upstream release.

 -- Laurent Bigonville <email address hidden>   Thu,  20 Dec 2007 10:09:03 +0000
Superseded in hardy-release
squirrelmail (2:1.4.12-1) unstable; urgency=low

  * New upstream release.
  * Minor packaging cleanups.

 -- Ubuntu Archive Auto-Sync <email address hidden>   Fri,  07 Dec 2007 09:37:28 +0000
Superseded in hardy-release
squirrelmail (2:1.4.11-2) unstable; urgency=low

  * Fix broken attachment handling in PHP4 by applying patch
    from upstream.
    NOTE: this is only a courtesy to PHP4 users, it must be noted
    that Debian does not support PHP4 in current unstable anymore.
    (Closes: #444970)

Obsolete in feisty-backports
squirrelmail (2:1.4.10a-2~feisty1) feisty-backports; urgency=low

  * Automated backport upload; no source changes.

Obsolete in edgy-backports
squirrelmail (2:1.4.10a-2~edgy1) edgy-backports; urgency=low

  * Automated backport upload; no source changes.

Obsolete in dapper-backports
squirrelmail (2:1.4.10a-2~dapper1) dapper-backports; urgency=low

  * Automated backport upload; no source changes.

Superseded in hardy-release
Obsolete in gutsy-release
squirrelmail (2:1.4.10a-2) unstable; urgency=low

  * Make use of new dictionaries-common SquirrelMail interface to
    detect the installed squirrelspell dictionaries (Closes: #420877).
  * Remove obsolete upgrading code.
  * Make sure config files are not closed with '?>' since it's then
    too easy to get stray whitespace at the end of the file.

 -- Ubuntu Archive Auto-Sync <email address hidden>   Fri,  01 Jun 2007 09:11:01 +0100
Superseded in dapper-updates
Superseded in dapper-security
squirrelmail (2:1.4.6-1ubuntu0.1) dapper-security; urgency=low

  * SECURITY UPDATE: XSS and CSRF in various areas, local file inclusion,
    variable overwriting.
  * src/compose.php, src/right_main.php, src/login.php, src/mailto.php,
    src/redirect.php, src/webmail.php, src/mime.php: back-ported fixes for
    XSS in compose, draft and HTML mail. (CVE-2006-6142)
    http://www.squirrelmail.org/security/issue/2006-12-02
  * functions/mime.php, src/compose.php, src/view_text.php: back-ported fixes
    for XSS in HTML filter (CVE-2007-1262)
    http://www.squirrelmail.org/security/issue/2007-05-09
  * functions/global.php: back-ported fixes for local file inclusion.
    (CVE-2006-2842)
    http://www.squirrelmail.org/security/issue/2006-06-01
  * functions/auth.php, src/compose.php, src/login.php, src/redirect.php,
    src/webmail.php: back-ported fixes for variable overwriting.
    (CVE-2006-4019)
    http://www.squirrelmail.org/security/issue/2006-08-11

 -- Leonel Nunez <email address hidden>   Wed, 16 May 2007 13:02:10 -0600
Obsolete in edgy-updates
Obsolete in edgy-security
squirrelmail (2:1.4.8-1ubuntu0.1) edgy-security; urgency=low

  * SECURITY UPDATE: XSS and CSRF in various areas
  * src/compose.php, src/right_main.php, src/login.php, src/mailto.php,
    src/redirect.php, src/webmail.php, src/mime.php: back-ported fixes for
    XSS in compose, draft and HTML mail. (CVE-2006-6142)
    http://www.squirrelmail.org/security/issue/2006-12-02
  * functions/mime.php, src/compose.php, src/view_text.php: back-ported fixes
    for XSS in HTML filter (CVE-2007-1262)
    http://www.squirrelmail.org/security/issue/2007-05-09

 -- Leonel Nunez <email address hidden>   Tue, 15 May 2007 18:49:35 -0600
Obsolete in feisty-updates
Obsolete in feisty-security
squirrelmail (2:1.4.9a-1ubuntu0.1) feisty-security; urgency=low

  * SECURITY UPDATE: CSRF and XSS via HTML filter.
  * functions/mime.php, src/compose.php, src/view_text.php: Patched in-place
    with upstream changes.
  * References
    http://www.squirrelmail.org/security/issue/2007-05-09
    CVE-2007-1262

 -- leonel <email address hidden>   Fri, 11 May 2007 18:39:34 -0600
Superseded in gutsy-release
squirrelmail (2:1.4.10a-1) unstable; urgency=high

  * New upstream security release.
    - Fixes cross site scripting in the HTML filter [CVE-2007-1262]
    - Tweaks SMTP error message display (Closes: #403705).
    - Fixes address duplication on reply-all (Closes: #408242).

 -- Ubuntu Archive Auto-Sync <email address hidden>   Fri,  11 May 2007 08:06:52 +0100
Superseded in gutsy-release
Obsolete in feisty-release
squirrelmail (2:1.4.9a-1) unstable; urgency=high

  * New upstream security release.
    - Additionally tightens HTML filter for IE <= 5 parsing
      absolutely everything and its horse.

Superseded in feisty-release
squirrelmail (2:1.4.8-3) unstable; urgency=low

  * Add note to README.Debian about server side sorting (Closes: #394286)
    and regular_globals not being supported.
  * Add IfModule conditionals for register_globals setting in
    apache.conf (Closes: #398173).

 -- Ubuntu Archive Auto-Sync <email address hidden>   Tue,  14 Nov 2006 01:06:31 +0000
Superseded in feisty-release
squirrelmail (2:1.4.8-2) unstable; urgency=low

  * Update Debian patch to display options to cope with the custom
    charset plugin. Thanks Tomas Kuliavas, Closes: #385300.
  * Suggest php[45]-ldap, Closes: #392306.
  * Improve package description.

 -- Ubuntu Archive Auto-Sync <email address hidden>   Wed,  08 Nov 2006 19:42:38 +0000
Superseded in dapper-backports
squirrelmail (2:1.4.8-1~dapper1) dapper-backports; urgency=low

  * Automated backport upload; no source changes.

 -- John Dong <email address hidden>   Tue, 29 Aug 2006 18:13:38 +0100
Superseded in feisty-release
Obsolete in edgy-release
squirrelmail (2:1.4.8-1) unstable; urgency=high

  * New upstream release
    - Includes security fix: variable overwriting in compose.php
      by logged-in user [CVE-2006-4019]
    - Does not ship SquirrelMail developer's documentation anymore.

  * Remove duplicate content from README.locales.
   

 -- Martin Pitt <email address hidden>   Thu,  17 Aug 2006 16:34:28 +0100
Superseded in edgy-release
squirrelmail (2:1.4.7-1) unstable; urgency=low

  * New upstream bugfix release.
    + Addresses some low-impact, theoretical or disputed security bugs,
      for which the code is tightened just-in-case:
      - Possible local file inclusion (Closes: #373731, CVE-2006-2842)
      - XSS in search.php (Closes: #375782, CVE-2006-3174)
    + Adds note to db-backend.txt about postgreSQL (Closes: #376605).

  * Checked for standards version to 3.7.2, no changes necessary.
  * Update maintainer address.

 -- Ubuntu Archive Auto-Sync <email address hidden>   Thu,  06 Jul 2006 03:03:56 +0100
Superseded in edgy-release
Obsolete in dapper-release
squirrelmail (2:1.4.6-1) unstable; urgency=high

  * New upstream release.
  * Includes the following security fixes:
    - Fix IMAP command injection in sqimap_mailbox_select
      with upstream patch. [CVE-2006-0377] (Closes: #354063)
    - Fix possible XSS in MagicHTML, concerning the parsing
      of u\rl and comments in styles. Internet Explorer
      specific. [CVE-2006-0195] (Closes: #354062)
    - Fix possible cross site scripting through the right_main
      parameter of webmail.php. This now uses a whitelist of
      acceptable values. [CVE-2006-0188] (Closes: #354064, #355424)

Superseded in dapper-release
Superseded in dapper-release
squirrelmail (2:1.4.5-2) unstable; urgency=low


  [ Jeroen van Wolffelaar ]
  * Restore squirrelmail-configure manpage, accidentally dropped in -1
  * Use debhelper compat level 4

  [ Thijs Kinkhorst ]
  * Drop obsolete symlink for attachment dir.
  * Do not ship upstream README, which contains hardly any information
    relevant to Debian. Extend README.Debian a bit. Thanks W. Borgert.
  * Add years to copyright statement.

 -- Thijs Kinkhorst <email address hidden>  Mon, 15 Aug 2005 21:06:00 +0200
Obsolete in breezy-release
squirrelmail (2:1.4.4-6sarge1) stable-security; urgency=high


  * Non-maintainer upload by the Security Team
  * Corrected the patch based on upstream input
    [src/options_identities.php, CAN-2005-2095]

 -- Martin Schulze <email address hidden>  Mon, 11 Jul 2005 15:21:59 +0000
Obsolete in hoary-security
Superseded in hoary-security
squirrelmail (2:1.4.4-3ubuntu0.1) hoary-security; urgency=high


  * Security patches cross-ported from Debian Sarge.
  * Fix several cross-site scripting vulnerabilities [CAN-2005-1769]
  * Work around arbitrary variable injection with extract() [CAN-2005-2095]

 -- Matthew Palmer <email address hidden>  Sun, 11 Sep 2005 01:11:28 +1000
Obsolete in hoary-release
squirrelmail (2:1.4.4-3) unstable; urgency=low


  * Move default_pref config file from /var to /etc, as per Debian policy
    (Closes: #293281)
  * [JvW] (finally) override two lintian warnings about nonstandard
    permissions that are intentional (Closes: #293366)

 -- Thijs Kinkhorst <email address hidden>  Sun,  6 Feb 2005 21:41:51 +0100
Obsolete in warty-security
Superseded in warty-security
Superseded in warty-security
squirrelmail (1:1.5.0-1ubuntu0.1) warty-security; urgency=low


  * SECURITY UPDATE: decodeHeader HTML Injection Vulnerability
  * functions/mime.php:
    - applied vendor patch.
  * References:
    - CAN-2004-1036
    - http://www.securityfocus.com/bid/11653

 -- Gerardo Di Giacomo <email address hidden>  Sun,  5 Dec 2004 19:40:35 +0000
Obsolete in warty-release
squirrelmail (1:1.5.0-1) unstable; urgency=low


  * New upstream release. Closes #230921.
  * RFC3501 compliance for mailbox naming (eg trailing spaces).
    Closes: #176590, #215183.
  * Adds a squirrelmail symlink in /var/www/. Closes: #229282.
  * Adds PHP safe_mode workaround to README.Debian. Closes: #222071.
  * Adds daily cron job to clean attachments directory. Closes: #228400.
  * Checks for config_default.php before copying in postinst.
    Closes: #229737.

 -- Sam Johnston <email address hidden>  Wed,  4 Feb 2004 01:42:12 +1100