-
squirrelmail (2:1.4.13-2ubuntu1.6) hardy-security; urgency=low
* SECURITY UPDATE: (LP: #598077)
* The Mail Fetch plugin allows remote authenticated users to bypass firewall
restrictions and use SquirrelMail as a proxy to scan internal networks via
a modified POP3 port number.
- http://squirrelmail.org/security/issue/2010-06-21
- CVE-2010-1637
- Patch taken from upstream svn rev. 13951. Applied inline.
-- Andreas Wenning <email address hidden> Thu, 24 Jun 2010 14:16:06 +0200
-
squirrelmail (2:1.4.13-2ubuntu1.5) hardy-security; urgency=low
* SECURITY UPDATE: (LP: #446838)
* Multiple cross-site request forgery (CSRF) in all
form submissions
* edited:
src/addrbook_search_html.php, src/addressbook.php, src/compose.php,
src/folders_create.php, src/folders_delete.php, src/folders.php,
src/folders_rename_do.php, src/folders_rename_getname.php,
src/folders_subscribe.php, functions/forms.php,
functions/mailbox_display.php, src/move_messages.php,
src/options_highlight.php, src/options_identities.php,
src/options_order.php, src/options.php, src/search.php,
functions/strings.php, src/vcard.php
* Fixes: CVE-2009-2964
- http://www.squirrelmail.org/security/issue/2009-08-12
- patches taken from upstream rev 13818
- patches applied inline
-- Leonel Nunez <email address hidden> Sun, 11 Oct 2009 06:41:56 -0600
-
squirrelmail (2:1.4.13-2ubuntu1.4) hardy-security; urgency=low
* SECURITY UPDATE: (LP: #396306)
* Server-side code injection in map_yp_alias username map. An issue was
fixed that allowed arbitrary server-side code execution when SquirrelMail
was configured to use the example "map_yp_alias" username mapping
functionality.
- Fixes incomplete fix for CVE-2009-1579
- http://squirrelmail.org/security/issue/2009-05-10
- CVE-2009-1381
- Patch taken from upstream svn rev. 13733. Applied inline.
-- Andreas Wenning <email address hidden> Tue, 07 Jul 2009 02:50:06 +0200
-
squirrelmail (2:1.4.13-2ubuntu1.3) hardy-security; urgency=low
* SECURITY UPDATE: (LP: #375513)
* Multiple cross site scripting issues. Two issues were fixed that both
allowed an attacker to run arbitrary script (XSS) on most any
SquirrelMail page by getting the user to click on specially crafted
SquirrelMail links.
- http://squirrelmail.org/security/issue/2009-05-08
- CVE-2009-1578
- Patch taken from upstream svn rev. 13670. Applied inline.
* Cross site scripting issues in decrypt_headers.php. An issue was fixed
wherein input to the contrib/decrypt_headers.php script was not sanitized
and allowed arbitrary script execution upon submission of certain values.
- http://squirrelmail.org/security/issue/2009-05-09
- CVE-2009-1578
- Patch taken from upstream svn rev. 13672. Applied inline.
* Server-side code injection in map_yp_alias username map. An issue was
fixed that allowed arbitrary server-side code execution when SquirrelMail
was configured to use the example "map_yp_alias" username mapping
functionality.
- http://squirrelmail.org/security/issue/2009-05-10
- CVE-2009-1579
- Patch taken from upstream svn rev. 13674. Applied inline.
* Session fixation vulnerability. An issue was fixed that allowed an
attacker to possibly steal user data by hijacking the SquirrelMail
login session.
- http://squirrelmail.org/security/issue/2009-05-11
- CVE-2009-1580
- Patch taken from upstream svn rev. 13676. Applied inline.
* CSS positioning vulnerability. An issue was fixed that allowed phishing
and cross-site scripting (XSS) attacks to be run by surreptitious
placement of content in specially-crafted emails sent to SquirrelMail
users.
- http://squirrelmail.org/security/issue/2009-05-12
- CVE-2009-1581
- Patch taken from upstream svn rev. 13667. Applied inline.
-- Andreas Wenning <email address hidden> Tue, 12 May 2009 21:13:30 +0200
-
squirrelmail (2:1.4.13-2ubuntu1.2) hardy-security; urgency=low
* SECURITY UPDATE: Cookies sent over HTTPS will now be confined to
HTTPS only (cookie secure flag) and more support for the HTTPOnly
cookie attribute. Patch taken from upstream release. (LP: #328938)
- CVE-2008-3663
- http://www.squirrelmail.org/security/issue/2008-09-28
-- Andreas Wenning <email address hidden> Fri, 13 Feb 2009 07:53:14 +0100
-
squirrelmail (2:1.4.13-2ubuntu1.1) hardy-security; urgency=low
* SECURITY UPDATE: cross site scripting issue in the HTML filter
(CVE-2008-2379). LP: #306536.
- functions/mime.php: from the Debian package version 1.4.15-4.
-- Reinhard Tartler <email address hidden> Tue, 09 Dec 2008 14:58:07 +0100
-
squirrelmail (2:1.4.13-2ubuntu1) hardy; urgency=low
* Sync from Debian (LP: #204754)
* README.locales: add paragraph about setting up locales for gettext
(LP: #133845)
* Modify Maintainer value to match the DebianMaintainerField
specification.
squirrelmail (2:1.4.13-2) unstable; urgency=low
* Apply Debian-specific changes that somehow got lost in the
previous upload (Closes: #457597, #457524).
-- Daniel Hahler <email address hidden> Wed, 02 Apr 2008 02:22:42 +0200
-
squirrelmail (2:1.4.13-1) unstable; urgency=low
* New upstream release.
-- Laurent Bigonville <email address hidden> Thu, 20 Dec 2007 10:09:03 +0000
-
squirrelmail (2:1.4.12-1) unstable; urgency=low
* New upstream release.
* Minor packaging cleanups.
-- Ubuntu Archive Auto-Sync <email address hidden> Fri, 07 Dec 2007 09:37:28 +0000
-
squirrelmail (2:1.4.11-2) unstable; urgency=low
* Fix broken attachment handling in PHP4 by applying patch
from upstream.
NOTE: this is only a courtesy to PHP4 users, it must be noted
that Debian does not support PHP4 in current unstable anymore.
(Closes: #444970)
squirrelmail (2:1.4.11-1) unstable; urgency=low
* New upstream release.
* Remove workaround for buglet in dictionaries-common SquirrelMail interface.
-- Ubuntu Archive Auto-Sync <email address hidden> Wed, 24 Oct 2007 07:50:56 +0100
-
squirrelmail (2:1.4.10a-2) unstable; urgency=low
* Make use of new dictionaries-common SquirrelMail interface to
detect the installed squirrelspell dictionaries (Closes: #420877).
* Remove obsolete upgrading code.
* Make sure config files are not closed with '?>' since it's then
too easy to get stray whitespace at the end of the file.
-- Ubuntu Archive Auto-Sync <email address hidden> Fri, 01 Jun 2007 09:11:01 +0100