all PEAR packages to php?-pear-* and all Apache packages to ap13-* or
ap2-* respectively. Add new variables to simplify the Makefile
handling. Add CONFLICTS on the old names. Reset revisions of bumped
packages. ap-php will now depend on the default Apache and PHP version.
All programs using it have an implicit option of the Apache version
as well.
OK from jlam@ and adrianp@.
RECOMMENDED is removed. It becomes ABI_DEPENDS.
BUILDLINK_RECOMMENDED.foo becomes BUILDLINK_ABI_DEPENDS.foo.
BUILDLINK_DEPENDS.foo becomes BUILDLINK_API_DEPENDS.foo.
BUILDLINK_DEPENDS does not change.
IGNORE_RECOMMENDED (which defaulted to "no") becomes USE_ABI_DEPENDS
which defaults to "yes".
Added to obsolete.mk checking for IGNORE_RECOMMENDED.
I did not manually go through and fix any aesthetic tab/spacing issues.
I have tested the above patch on DragonFly building and packaging
subversion and pkglint and their many dependencies.
I have also tested USE_ABI_DEPENDS=no on my NetBSD workstation (where I
have used IGNORE_RECOMMENDED for a long time). I have been an active user
of IGNORE_RECOMMENDED since it was available.
As suggested, I removed the documentation sentences suggesting bumping for
"security" issues.
As discussed on tech-pkg.
I will commit to revbump, pkglint, pkg_install, createbuildlink separately.
Note that if you use wip, it will fail! I will commit to pkgsrc-wip
later (within day).
This release is very important, and we strongly advise everybody to
update to the latest release.
Security Update
===============
This version contains a number of security updates that were brought
to our attention via a number of sources.
- In webmail.php, the right_frame parameter was not properly sanitized
to deal with very lenient browsers, which allowed for cross site
scripting or frame replacing. [CVE-2006-0188]
- In the MagicHTML function, some very obscure constructs were
discovered to be exploitable: 'u\rl' was interpreted as 'url' (privacy
concern), and comments could be inside keywords (allows for cross site
scripting). Both only affect Internet Explorer users. Found by Martijn
Brinkers and Scott Hughes. [CVE-2006-0195]
- The function sqimap_mailbox_select did not strip newlines from the
mailbox parameter, and thereby allowed for IMAP command injection.
Found by Vicente Aguilera. [CVE-2006-0377]
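An added example of the bug class described for sqimap_mailbox_select above; this is illustrative PHP written for this page, not SquirrelMail's own code, and the function names are invented. It contrasts splicing a raw mailbox name into an IMAP SELECT with a version that rejects CR/LF and encodes the name as an IMAP quoted string.

```php
<?php
// Added illustration, not SquirrelMail code: function names are invented.
// Assumes mailbox names are ASCII (modified UTF-7, as IMAP requires),
// so an IMAP quoted string is sufficient and no literal form is needed.

// Vulnerable shape: the raw parameter is spliced into the command line.
// Because IMAP commands are CRLF-terminated, a value containing "\r\n"
// ends the SELECT early and the server reads the remainder as more input.
function build_select_unsafe($tag, $mailbox)
{
    return $tag . ' SELECT "' . $mailbox . '"' . "\r\n";
}

// Hardened shape: reject control characters outright, then encode the
// name as an IMAP quoted string (RFC 2060 section 4.3: backslash and
// double quote are escaped with a backslash; CR and LF may not appear).
// Rejecting all control characters is stricter than the RFC requires.
function imap_quote_mailbox($mailbox)
{
    if (preg_match('/[\x00-\x1f\x7f]/', $mailbox)) {
        return false;
    }
    $escaped = str_replace(array('\\', '"'), array('\\\\', '\\"'), $mailbox);
    return '"' . $escaped . '"';
}

function build_select_safe($tag, $mailbox)
{
    $quoted = imap_quote_mailbox($mailbox);
    if ($quoted === false) {
        // Refuse to talk to the server at all; callers should log this
        // rather than silently fall back to INBOX.
        return false;
    }
    return $tag . ' SELECT ' . $quoted . "\r\n";
}

// Constructed sample values: a normal name and one with an embedded CRLF.
$samples = array('INBOX.Sent', "INBOX\r\nsecond line");
foreach ($samples as $name) {
    $unsafe = build_select_unsafe('A001', $name);
    // The unsafe form yields more than one protocol line for the second sample.
    echo 'unsafe lines: ' . count(explode("\r\n", rtrim($unsafe))) . "\n";
    $safe = build_select_safe('A001', $name);
    echo 'safe: ' . ($safe === false ? 'rejected' : rtrim($safe)) . "\n";
}
```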
"find foo -exec bar {} \;" while here, the former is faster, but can't
cope with all quoting issues and is also more likely to hit argument
length limits. CONFLICT to ja-squirrelmail.
We are pleased to announce the release of SquirrelMail 1.4.4. This
release is a strongly recommended upgrade due to a number of security
issues that have been resolved since 1.4.3a.
About This Release
------------------
This release contains a number of bug fixes, and security updates. The
list is very long, as this version has been hiding in the trees for a
while. For a full list of the changes, you can see the changelog here:
http://www.squirrelmail.org/changelog.php
A general summary of updates includes a few cross site scripting issues,
and two possible file inclusion issues (one remote, one local). Better
IMAP handling introduced for certain IMAP servers that advertise
LOGINDISABLED, folder handling, and a number of locales issues.
Locales
-------
Shortly after the release of 1.4.3, the locales were broken out of the
main branch into their own branch. This makes the SquirrelMail package
itself a lot smaller, along with allowing administrators to download just
the packages they need. Details on this change can be found in the
ReleaseNotes and the INSTALL files.
There is a cross site scripting issue in the decoding of encoded text
in certain headers. SquirrelMail correctly decodes the specially
crafted header, but doesn't sanitize the decoded strings.
http://article.gmane.org/gmane.mail.squirrelmail.user/21169
Main Changes:
lots of bug fixes, including some critical XSS (cross site scripting) issues.
Some new translations.
Added new preference that determines cursor focus when replying.
Display total number of new messages in newmail-plugin popup window.
Ported charset decoding support functions from SM head. Increases
number of readable charsets.
Fix SquirrelMail to work with PHP5.
Disabled Quick-email-reporting feature in spamcop plugin. (#809452). Admin
can enable it by setting variable in plugins/spamcop/setup.php.
Replaced obsolete 2mbit.com RBL with ahbl.org RBL (#829887).
Added new reply citation to include date and author.
* A complete rewrite of the way we send mail (Deliver-class),
and of the way we parse mail (MIME-bodystructure parsing).
This makes SquirrelMail more reliable and more efficient
at the same time!
* Support for IMAP UID which makes SquirrelMail more reliable.
* Optimizations to code and the number of IMAP calls; SquirrelMail
is now a very scalable webmail solution.
* Support for a wider range of authentication mechanisms.
* Lots of bugfixes, some new features and a couple of UI-tweaks.
This release incorporates some security fixes in relation to XSS
(cross site scripting) code which could allow malicious extraction of
information from the client browser. There is also a fix for the
SquirrelMail 1.2.10 "Double login" problem. This was related to a
session issue, and has been fixed.
have it be automatically included by bsd.pkg.mk if USE_PKGINSTALL is set
to "YES". This enforces the requirement that bsd.pkg.install.mk be
included at the end of a package Makefile. Idea suggested by Julio M.
Merino Vidal <jmmv at menta.net>.
This just tightens up on security a bit more.
Note anyone using plugins may have to check if all their plugins will work
with register_globals off.
(I've been using this on a local squirrelmail box with 1.2.9 for over a
month with no issues)
* HTML cleanup on search and addressbook pages
* Fixes for multiple XSS exploits on the addressbook, search, help, and
options pages
* more accurate error messages on failed login
* HTML table cleanup when viewing attachments
* fix for X-MSMail-Priority conflict bug #600369
* fix for multiple email addresses on the same message line
* fix for "." on a single line in a text attachment bug #598750
* Core code and plugins converted to work with register_globals Off
* fix for reply quoting on resumed drafts
* fix for fgets errors in file_prefs bug #578834
* fix for date format on calendar day view bug #582919
* fix for org. logo width/height values bug #572807
* fix for reading/writing ldap prefs with conf.pl bug #57595
* fix for 'fixed' font style in css bug #571463
* fix for attachments in safe mode bug #585340
* fix for forward attachment bug #585836
* fix for php warning when saving drafts bug #585012
* returned generic_header hook to page_header.php bug #554278
* fix for syntax error in darkness theme bug #576066
* fix for some attachments not being displayed bug #577052
* fix for matching uppercase headers on mailbox display bug #584082
* fix for folder names containing regex characters bug #574889, #578156
* fix for endless loop on raw binary data in email bug #547662
* fix for 'compose as new' link. bug #554886
* fix charset format in the admin plugin. bug #550725
* fix for errant '.' in default_folder_prefix. bug #551310
* fix for folder names with '?' and '*'. bug #559257, #552180
* added the ability to search without the charset argument. #552288
* Made /noselect node display optional. bug #554988, patch #452178
* Improved support for macosx IMAP server thanks Brian Haun
* Added macosx friendly search, thanks Brian Haun bug #553038
* Fixed word wrap problems when sending mail. bug #552961, #556143
* Added possibility to use multiple compose windows without loss
of attachments.
* Fixed forward message/rfc822 attachments from a search
* Fix SpamCop plugin.
* Fixed send MDN link.
* Fixed dealing with \r\n and \n in smtp.php.
* Fixed to, cc, bcc arrays in message->header
* Speed optimizations in generating message-lists.
* Fixed loss of attachment with html addressbook.
* Fixed saving drafts with attachments
- Bug fixes
- Added POP3 Before SMTP option
- Added a server-side thread sorting option per folder
- Added a server-side sorting global option
- Compose in new window size can be set in Display prefs
- PostgreSQL is now supported for database backed use
- Added user option to sort messages by internal date
- Added option to auto-append sig before reply/forward text
- Filters can be applied to only new mail
- Filtering now happens on folder list refresh
(no more warnings that fill the apache error_log).
Changes since 1.2.4:
- Multiple mailbox list calls cached.
- Added 'View unsafe images' link to the bottom of pages which contain
unsafe images.
- Fixed 'too many close table tags' and various other issues
which meant SM output didn't always validate as clean HTML.
- Added the ability to add special folders through plugins.
- Added an Always compose in a pop-up window option.
- Search page update with ability to save searches and search
all folders at once.
- Made searching on multiple criteria possible, with thanks to Jason Munro
- Fixed 'list all' in addressbook (#506624, thanks to Kurt Yoder)
- Fixed small bugs in db_prefs
- Allowed SquirrelMail to work from within a frame, eg. not using _top
this is configurable. (thanks to Simon Dick)
- Added options to conf.pl to enable automated plugin installation:
./conf.pl --install-plugin <pluginname>. This allows plugins to be
distributed in packages. Conf.pl now also reports when saving fails.
- Attachment hooks now also allow specification of generic rules like
text/* which will be used when no specific rule is available.
- conf.pl can now configure database backed address books and
preferences.
- Version 0.3.7 of SquirrelSpell. Fixes a potential privacy
vulnerability (symlink attack), plus introduces formatting fixes
and javadoc-style comments.
- Bugfix in mailfetch reported by Mateusz Mazur
- Administrator plugin. A web based conf.pl replacement.
- Removed GLOBALS from conf.pl
- HTML messages optimization.
- Added support for requesting read receipts (MDN) and delivery receipts.
- Added the ability to stop users changing their names and email addresses.
- Added signature into multiple identities (Stefan Meier <Stefan.Meier@cimsource.com>)
- Updated user help files to reflect UI changes and added functionality.
Changes:
Version 1.2.4 -- 25 January 2002
--------------------------------
- Fixes a nasty remote arbitrary command execution vulnerability
in the spellchecker plugin.
Version 1.2.3 -- 21 January 2002
--------------------------------
- Fixed focus system on pages that contain forms.
- Fixed IMAP code to send different command identifiers as per
section 2.2.1 of RFC 2060.
- Fixed 'sticky priority' so that replies are set to the same
priority as the original message.
- Fixed Printer Friendly to print HTML messages.
- Fixed multiple receivers in Sent mailbox (#500910).
- Disabled prefs caching under PHP 4.1
- Added "Search Memory". Enabling to store up to
9 predefined searches.
- Increased security in html message.
- Added the possibility to specify system-defined css in order to
allow users to change the font family and size of SM, making it possible to
make it bigger or smaller depending on their screen size. Sysops may add
or remove these system-defined css located in themes/css/
- Fixed a bug appearing on some apache virtual hosts
- Fixed javascript error (#505255)
- Fixed the db_prefs so they work again (#499609, thanks to Simon Dick)
* Collapsible Folders - The folder list can be collapsed at any
parent folder. This makes folder lists with large
hierarchical structures much easier to manage and navigate.
* The Paginator! - This enables quick access to any page in the
message list by simply choosing the page number to view
rather than tediously clicking "next" 50 times.
* Hundreds of UI tweaks - The user interface has been given a
face-lift. The HTML has been largely overhauled, and while
it still has the same general feel, it has been made more
intuitive.
* Drafts - It is now possible to compose a message and save it to
be sent at a later date with the drafts option.
* New Options Page - The options page has been completely
rewritten for several reasons, the main of which was to
allow seamless integration of plugin options and to
provide uniformity throughout the entire section.
* Multiple Identities - It is now possible to create different
identities (home, work, school) that can be chosen upon
sending. Each identity can have its own email address,
full name, and signature.
* Reply Citations - Different types of citations are now possible
when replying to messages.
* Better Attachment Handling - The plugin, attachment_common, has
been fully integrated into the core of SquirrelMail. This
allows inline viewing of several different types of
attachments.
* Integration of Several Plugins - The following plugins have been
put directly into the core. As a result, be sure not to
install these as plugins, as the result may be (at best)
unpredictable: attachment_common, paginator, priority,
printer_friendly, sqclock, xmailer.
* Improved support for newer versions of PHP. Note that you may
have trouble if you are running PHP version 4.0.100
(commonly distributed with Debian 3.0).
* Ability to mark messages as read and unread from the message listing.
* Alternating Colors - The message list now alternates row colors
by default. This presents a much cleaner and easier to
read interface to the user.
This value may be customized in various ways:
PKG_SYSCONFBASE is the main config directory under which all package
configuration files are to be found.
PKG_SYSCONFSUBDIR is the subdirectory of PKG_SYSCONFBASE under which the
configuration files for a particular package may be found.
PKG_SYSCONFDIR.${PKGBASE} overrides the value of ${PKG_SYSCONFDIR} for a
particular package.
Users will typically want to set PKG_SYSCONFBASE to /etc, or accept the
default location of ${PREFIX}/etc.
This obsoletes the use of CONFDIR, which was active for only 6 days, so no
need to have a workaround to still accept old CONFDIR settings.
bsd.pkg.install.mk:
* Remove old DEINSTALL/INSTALL scripts.
* Move some text printed at POST-INSTALL time into the MESSAGE file.
* Adjust rc.d scripts to respect rc.conf settings, so that the
script may be directly copied into /etc/rc.d.
- Respect ${APACHE_SYSCONFDIR} setting.
- Install example squirrelmail.conf Apache config file fragment into
${PREFIX}/share/examples/squirrelmail.
Changes from version 1.0.3 include:
- Reworked validation for each page. It's now standardized in validate.php
- Fixed login bug that resulted from 1.0.5 security updates
- Fixed plugin incompatibilities that were introduced in 1.0.5
- Added more security checking to preference saving/loading
- Updated German translation (thanks to Roland Bauerschmidt <rb@debian.org>)
- Updated Finnish help files
- MAJOR security issues addressed. Please upgrade as soon as possible.
- Downloading attachments should work better due to a tip by Ray Black III.
- Fixed bug with drop-down folder list not containing INBOX
- Added Swedish help files Teemu Junnila <teejun@vallcom.com>
- Added Italian help files Antonetti Roberto <antonr@piceniaweb.com>
- Fixed some bugs with folder creation
- Security fix for UW IMAP server to disallow folder paths outside of $folder_prefix
- Some problems with header encoding/decoding fixed
- Made subject column take up whatever width is available
- Added bcc to html addressbook search
Revision 1.46.2.1:
* UW workaround improved, methinks (1.0 branch)
Fixes a problem when used with imap-uw: 1.0.3 couldn't read folders
in subdirectories.
Apache URL to http://www.domain.com/squirrelmail/ instead of /mail/ to
access squirrelmail. Changes from version 1.0.2:
- Many i18n enhancements/fixes
- Fixed bug with default theme path being set incorrectly
- Fixed problem when sending/forwarding multiple attachments
- Made folder drop-down list consistent in look to the other drop-downs
- Fixed problem where some attachment filenames would not be displayed
- Added Finnish help files by Teemu Junnila <teejun@vallcom.com>
- Updated Norwegian translation
- Updated Brazilian Portuguese translation
- Added a workaround for RedHat's 4.0.4pl1-3 binary package (It's also
the same workaround for Konqueror and other PHP installations?)
- Select All works through the search
- Better escaped string handling from POST variables
- Many more code cleanups and optimizations
- Added Hungarian translation by Teemu Junnila <teejun@vallcom.com>
- Added Icelandic translation by Karl Heiðar <karlh@macho.is>
- Updated Taiwan translation
- Updated Swedish translation
- Updated Finnish translation
version 0.9.3:
- Improved the way sqimap_read_data() is handled
- Sped up "no sorting" even more
- Fixed problems with sending messages
- Fixed some pass-by-reference calls that caused problems with newer PHP
versions
- Fixed bug that didn't display last folder subscribed to
- Removed requirement of PHP 4.0.1 for array_unique() function
- Removed unnecessary echo statements by breaking out of PHP
- Changed evaluation method from using " to ' for speed improvements
- If no plugin array set in config.php, now handled correctly
- If subject is > 55 chars, trims it and puts "..." in message list
- Hundreds of minor changes to remove all verbose PHP warning messages
- Updated config_default.php to include attachment_common plugin (now in
distribution)
- A few minor speed improvements
- Fixed problems in sqimap_read_body(), made it more reliable
- Added French translation of help files by gore K <gore_k@ymca-cepiere.org>
- Added Finnish translation by Teemu Junnila <teejun@vallcom.com>
- Updated Swedish translation
- Updated Russian translation
Convert most MESSAGE files to new syntax (${VARIABLE} gets replaced,
not @VARIABLE@, nor @@VARIABLE@@).
By default, substitutions are done for LOCALBASE, PKGNAME, PREFIX,
X11BASE, X11PREFIX; additional patterns can be added via MESSAGE_SUBST.
Clean up some packages while I'm there; add RCS tags to most MESSAGEs.
Remove some uninteresting MESSAGEs.
We've been lacking a pkgsrc webmail package for a while. I still haven't
figured out how to package IMP and make PHP4 work with the shared IMAP
module. But in the meantime, here's SquirrelMail, a straightforward
implementation of a webmail gateway to IMAP server implemented completely
in PHP4.