Note: CVE-2017-7692 is already fixed by 1.4.23pre14605nb1.
- compose_send hook now has $draft flag in hook arguments
- Fixed insufficient sendmail command argument escaping (thanks
to Mitchel Sahertian, Beyond Security/Dawid Golunski and Filippo
Cavallarin for bringing this to our attention). [CVE-2017-7692]
- Upgraded preferences for the delete_move_next plugin. Automatic
user preference updates are included, but note that if your
installation is new, or all user prefs have been converted from
"on"/"off" to 0/1 then you can add the following to SquirrelMail's
config/config_local.php to avoid convertign legacy values over and over:
$do_not_convert_delete_move_next_legacy_preferences = TRUE;
- Added ability to control the display of the "Check Spelling"
button provided by the squirrelspell plugin, which allows
administrators to offer this plugin but keep it out of the way
for users who do not want it. Put sqspell_show_button=0 in
default preferences if it should be hidden by default
PHP 7.0 support should be improved, too.
- Added new "smtp_helo_override" hook; allows plugins to override
the HELO host sent to the SMTP server when sending messages
- Added STARTTLS support for both IMAP and SMTP connections
- Added PDO support for database connections, so no external
database module needs to be installed
Should be fix PR pkg/50197.
Here is changes from previous pkgsrc's snapshot.
Version 1.4.23 - SVN
--------------------
...
- Added Solarized Light and Solarized Dark themes, by Pavneet Arora.
- Added associative edit list option widget, with optional folder
list selector for values
- Added option to use blank spacer instead of security image ("This
image has been removed for security reasons.") for replacing
unsafe images.
- Full date and time is used as "title" (mouseover) text for dates
shown on the message list screen
- Custom Stylesheets are now sorted on the Display Preferences page
- $xtra in the displayHtmlHeader function is now available in the
global scope so that plugins can modify it during the generic_header
hook
- Added some generic client-side (JavaScript) libraries (including
an asynchronous server request mechansim). See the new /scripts
directory (plugin authors can refer to the plugin documentation
for how to use them)
- Added optional JavaScript folder list refresh ("check mail")
mechanisms that try to avoid refreshing if server is not responding -
see the $check_mail_mechanism setting in config/config.php or the
"4. General Options ==> "21. Auto check mail mechanism" setting in
the configuration tool. (If you do not update your configuration,
you will get messages in your logs: "PHP Notice: Undefined variable:
check_mail_mechanism in /path/to/squirrelmail/src/left_main.php on
line 322...")
- Added advanced control over the SSL context used when connecting
to the SMTP and IMAP servers over SSL/TLS (thanks to Emmanuel
Dreyfus). You can take a look at $imap_stream_options and
$smtp_stream_options in config_local.example.php in SquirrelMail
version 1.5.2 for more information. These configuration settings
should work the same under 1.4.23:
http://sourceforge.net/p/squirrelmail/code/HEAD/tree/trunk/squirrelmail/config/config_local.example.php
- Added ability to show login error from the IMAP server instead of
traditional "Unknown user or password incorrect" (thanks to Alain
Williams). See $display_imap_login_error in the configuration
file or "4. General Options ==> 22. Display login error from IMAP"
in the configuration tool.
- Configuration tool now shows the SquirrelMail version
- Added new attachments_top hook to src/read_body.php
- When resuming a draft, correct (from) identity is now pre-selected
- Removed overly-restrictive character limitations on address book
nicknames
- Prevent session lock-up caused by filters plugin trying to move
messages in an account that is over quota
- Added MD5 alternative to directory hash calculation
- Added ability for administrator to control whether or not users
can edit their reply-to address ($edit_reply_to in config.php)
- Added new "login_before_page_header" (boolean) hook; allows
plugins to have more explicit control over login page header
Do it for all packages that
* mention perl, or
* have a directory name starting with p5-*, or
* depend on a package starting with p5-
like last time, for 5.18, where this didn't lead to complaints.
Let me know if you have any this time.
a) refer 'perl' in their Makefile, or
b) have a directory name of p5-*, or
c) have any dependency on any p5-* package
Like last time, where this caused no complaints.
repository. Approved by wiz@.
* Now work well with PHP 5.4 and later.
Version 1.4.23 - SVN
--------------------
- Added capability to issue SEARCH commands in literal format (so that
non-ASCII search terms are handled RFC-correctly).
- Fixed hook name clash: new "smtp_auth" hook added in version 1.4.22
has been renamed to "smtp_authenticate"
- Added SASL PLAIN mechanism for IMAP logins; backported from version
1.5.2.
- Prevent syslog warning in call_user_func_array() call when no
arguments given. Patch from Jean-Philippe Guerard (#3309935).
- Changed the read_body_menu_top hook from concat_hook_function to
do_hook_function (plugin authors please note)
- Always ensure that the Reply-To header is a full email address in
outgoing messages
- Fixed issue with Noselect mailboxes being clickable in folder list
- Made performance improvements in mailbox listing
- Attachment filename extensions changed from ".msg" to ".eml"
- Unified address book searches somewhat: file-backed address books now
search in each field individually; database-backed address books now
search in fields other than first/last name (nickname, email); LDAP-
backed address books now search in common name fields as well as by
email address (cn, sn, givenname, mail)
- You may now enable LDAP-backed address books to be listed (using
the "List all" button on the address search screen accessed via
the "Addresses" button on the compose screen) by adding
"$ldap_abook_allow_listing = TRUE;" (without quotes) to
config/config_local.php (previously, this required editing of a
file).
- Added ability to control browser rendering mode (quirks versus
standards) - see the $browser_rendering_mode setting in
config/config.php or the "4. General Options ==> 19. Browser
rendering mode" setting in the configuration tool (#3240356).
- Added "search_index_before" hook (analog of the "mailbox_index_before"
hook)
- Made performance improvements in security token handling
- Improvements for compatibility with PHP 5.4.
- Added option that allows users to have replies to their own
messages sent to the recipient of the previous message (#3520988).
Version 1.4.22 - 12 July 2011
-----------------------------
- Backported default timezone fix from version 1.5.2; helps mitigate
timezone errors in environments where a default has not been set
by the administrator.
- Fixed system lock-ups caused by a combination of certain rare,
malformed message headers and buggy versions of PHP mbstring
(#3053349).
- Now allow multiple plugins to handle (add links for) a single
attachment MIME type.
- Now allow administrators to disable all plugins or enable just
a select few plugins (overriding the active plugins in the normal
configuration) by setting $temporary_plugins as an empty array
(all disabled) or an array with one or more plugin directory names
in config_local.php.
- Backport fix for call_user_func_array not supporting NULL as empty
array in PHP 5.3.3
- Fixed sqauth_read_password() for plugins on the login_verified hook.
- Added SMTP SASL PLAIN authentication option to configuration tool
(core support for such is not new).
- Gmail doens't support standard search commands; removed sort buttons.
- Forced addition of a file suffix to attachments that lack a filename
(helps forwarded messages avoid spam filters) (thanks to Petr
Kletecka) (#3139004).
- Fixed missing security token in listcommands plugin.
- Added smtp_auth hook (thanks to Emmanuel Dreyfus).
- Made speed enhancements to threaded message display (thanks to Siim
Poder) (#3288123).
- Allow administrators to configure subfolders of user INBOXes to be
treated as special folders by adding $subfolders_of_inbox_are_special
to config_local.php.
- Fixed incorrect display of INBOX subfolders under some configurations.
IMPORTANT: You may need to update your configuration so that
$default_sub_of_inbox is TRUE if it was FALSE (e.g., Courier IMAP users)
and after updating to this version, your special folders are no longer
listed at the top of your folder list. Also, if this change prevents
users from logging in with an error such as "ERROR: Could not complete
request. Query: CREATE "Trash" Reason Given: Invalid mailbox name.",
you will need to correct the user preference values for the problem
folders. You can do so with commands such as the following for file-
based preferences (adjust the data directory location as needed):
find /var/lib/squirrelmail/data/ -name *.pref -exec sed --in-place 's/trash_folder=Trash/trash_folder=INBOX.Trash/g' {} \;
find /var/lib/squirrelmail/data/ -name *.pref -exec sed --in-place 's/trash_folder=Drafts/trash_folder=INBOX.Drafts/g' {} \;
find /var/lib/squirrelmail/data/ -name *.pref -exec sed --in-place 's/trash_folder=Sent/trash_folder=INBOX.Sent/g' {} \;
Or, for database-based preferences:
UPDATE userprefs SET prefval = 'INBOX.Trash' WHERE prefkey = 'trash_folder' AND prefval = 'Trash';
UPDATE userprefs SET prefval = 'INBOX.Drafts' WHERE prefkey = 'draft_folder' AND prefval = 'Drafts';
UPDATE userprefs SET prefval = 'INBOX.Sent' WHERE prefkey = 'sent_folder' AND prefval = 'Sent';
MAKE SURE to back up your user preferences first!
- Optimized message highlighting rules; faster message list display
and faster highlight rules management (thanks to C. Bensend for
extensive effort helping diagnose)
- New Mail plugin no longer removes normal organization title when
putting the number of new messages in the browser title
- Added clickjacking protection (thanks to Asbjorn Thorsen and Geir
Hansen for bringing this to our attention). [CVE-2010-4554]
- Fixed XSS holes in generic options inputs, XSS hole in the SquirrelSpell
plugin, XSS hole in the Index Order page, and added anti-CSRF protection
to the empty trash feature and the Index Order page (thanks to Nicholas
Carlini for finding all these issues). [CVE-2010-4555]
- Fixed XSS problem with unsanitized style tags in messages. [CVE-2011-2023]
- Now allow more than one plugin to control the compose form submit action.
- When sorting by received date, the received date is now shown on the
message list.
- Explicitly disable browser caching for left_main and right_main pages
(#2983134).
- Fix error with SpamCop reporting plugin not being able to send report as
emails (#1795310).
- Fix typo in SpamCop plugin.
- Reduced default time security tokens stay valid from 30 days to 2 days
(reduces chances of session data growing too large)
- Several speed enhancements for recent fixes regarding the display of
encoded subjects, including a fix for messages with invalid subject
encoding (includes #2987016 amongst several other issues reported via
mailing list, etc.) (Many thanks to Zdenek Pytela for the untiring help
diagnosing and testing.)
- Fixed minor vulnerability in Mail Fetch plugin.
[CVE-2010-1637/TEHTRI-SA-2010-009]
- Now properly quote personal part of encoded addresses when replying.
- Now fill in default subject when forwarding as attachment (#2936541).
- Implement header folding that doesn't add extraneous spaces so unfolding
is less ambiguous (#1951776).
- Fixed issues caused by use of PostgreSQL keyword "user" in SquirrelMail's
default preferences database schema (#2943483).
- Fixed attachment filename decoding problems (#2994865).
- Now default search criteria to the TO header when searching the sent folder.
- Fixed literal processing of 8-bit usernames/passwords during login.
[CVE-2010-2813]
Version 1.4.20 - 06 Mar 2010
---------------------------
- Fixed issue with search not using literals correctly (#2846511).
- Fixed issue with returning to search results due to new security token
code.
- Fixed issue with multi-part related messages not showing all attachments
(#2830140).
- Fixed for security token missing in newmail plugin (#2919418).
- Fixed sort in Sent folder to sort by "To" field instead of "From" field
(#2907412).
- Fixed mailto: urls containing + characters. Thanks to Michael Puls II
for the patch.
- Made base URL autodetection more robust; fixes some lighttpd issues
(probably #1741469).
- Encoded From headers are now properly quoted (#2830141).
- Multibyte strings (notably subjects) are now handled correctly (#2824813,
#2925731).
- X-DNS-Prefetch-Control: off header is now sent to browsers to prevent
information leakage when Firefox does DNS prefetching for URLs contained
in emails.
- Added unread links in message view.
- Added the ability to configure Google Mail (Gmail) as the mail server
behind SquirrelMail.
- Added option in display preferences that allows the signature to be
stripped from the original message when replying (#2952876). Thanks to
Sven Strickroth.
* Add DESTDIR support.
* Add more changes from squirrelmail's repositry including
secure token support, hoping early release of real 1.4.20.
Bump PKGREVISION.
* Use case ignore match for detecting encoded header. This is
language independent problem.
* Improve handling of file name of attachment in Japanese environment.
These fixes make squirrelmail usable after remove of japaneses patch.
Bump PKGREVISION.
* Currently, squirrelmail package is brokwn when enable squirrelmail-japanese
option and are/squirrelmail/functions/decode/iso_2022_jp.php was conflicted
between squirrelmail and squirrelmail-decode package.
* squirrelmail-japanese isn't available for squirrelmail-1.4.20-RC2.
Bump PKGREVISION.
- Protect message deletion with security token system.
(Secunia Advisory SA346)
- Removed the shut down DSBL blocklists (#2796734).
- Fixed broken RFC1918 reference in contrib/.htaccess and doc/.htaccess
(#2798839).
- Updated INSTALL doc to remove possible bad system admin typos (#2827153).
- PHP 5.3 deprecates ereg functions (#2820952).
- Filters plugin uses badly formatted literals request (#2805201).
- Provide option for complete removal of usernames and user IP addresses
from message headers, and remove personal data from Message ID seed.
(#880029/847107)
- Implemented page referal verification mechanism.
(Secunia Advisory SA34627)
- Implemented security token system. (Secunia Advisory SA34627)
Approved by Martti Kuparinen.
The security fix to map_yp_alias in 1.4.18 turned out to be incomplete. We
also expierenced some regressions in the updated filter plugin. Both are
addressed in this new release 1.4.19 which contains a few other small fixes
aswell.
If you do not use map_yp_alias or the filters plugin there's no urgent need to
upgrade now if you already installed 1.4.18. If you are still on an older
release than 1.4.18 (or use the mentioned functionality) we do urge you to
upgrade as soon as possible as 1.4.18 and 1.4.19 combined fix some important
security issues. Those using the development branch (1.5.x) should install a
recent SVN snapshot.
The SquirrelMail Team is pleased to announce the release of
SquirrelMail version 1.4.18. The most notable changes for this
version are several security fixes, including a couple XSS exploits, a
session fixation issue, and an obscure but dangerous server-side code
execution hole. However, this version also includes three new
languages and more than a few enhancements to things such as the
filters plugin, the address book system and other things under the
hood. For more complete details, see the ReleaseNotes and ChangeLog
files included in this release (they have moved to the doc/
directory). We advise all users of SquirrelMail software to upgrade.
This changes the buildlink3.mk files to use an include guard for the
recursive include. The use of BUILDLINK_DEPTH, BUILDLINK_DEPENDS,
BUILDLINK_PACKAGES and BUILDLINK_ORDER is handled by a single new
variable BUILDLINK_TREE. Each buildlink3.mk file adds a pair of
enter/exit marker, which can be used to reconstruct the tree and
to determine first level includes. Avoiding := for large variables
(BUILDLINK_ORDER) speeds up parse time as += has linear complexity.
The include guard reduces system time by avoiding reading files over and
over again. For complex packages this reduces both %user and %sys time to
half of the former time.
The SquirrelMail team is happy to announce the release of version 1.4.17. The
most notable change is a security fix that prevents certain specially-crafted
hyperlinks within messages from executing cross-site scripting attacks. For
other details, see the ReleaseNotes file included in this release. We advise
all users of SquirrelMail software to upgrade.
The SquirrelMail team is happy to announce the release 1.4.16. The most
notable change is that cookies are now sent with the secure attribute set for
HTTPS-connections, meaning that they cannot leak to an HTTP-connection on the
same SquirrelMail installation. For details see the included ReleaseNotes. We
advise users that offer their SquirrelMail both over HTTP and HTTPS to
upgrade.
----------------------------
- Fix saving of Read Receipts to Sent folder.
- Converted Romanian (ro_RO) to UTF-8.
- Converted Slovak (sk_SK) to UTF-8.
- Converted Swedish (sv_SE) to UTF-8.
- Added support for Macedonian.
- Don't allow invalid plugin names in conf.pl --install-plugin.
- Fix warning in Printer Friendly due to missing include (#1849101).
- Let configtest.php use optional PEAR dynamic extension loading,
patch by Walter Huijbers (#1833123).
- Fix for IMAP servers that were having problems saving sent messages.
- Fix broken <style> tag parsing for some HTML messages, thanks
Roalt Zijlstra.
- Re-added support for Vietnamese.
- Fixed broken MDN functionality (send read confirmation).
- Converted Norwegian Bokm�l (nb_NO) to UTF-8.
- Converted traditional Chinese (zh_TW) to UTF-8.
- Avoid deprecation notices on get_magic_quotes_* functions.
- Improved Message-ID generation code.
- Added edit list, checkbox, radio group, multiple-select folder
list and multiple-select string list option widget types,
as well as support for the "trailing_text" widget attribute.
- Boolean option widgets are henceforth presented as checkboxes.
- Tidied up fortune plugin to be inline with specifications for plugins.
- Enhanced address book page: added 'Compose to' button, put labels
around address entries tied to checkboxes, improved column spacing,
added hook for plugins that can filter address book listings.
Complements RisuMail team (risumail.jp).
patches to add it). Drop pax from the default USE_TOOLS list.
Make bsdtar the default for those places that wanted gtar to extract
long links etc, as bsdtar can be built of the tree.
(pkgsrc notice: we were using the original, known-to-be-good 1.4.12
distfile so all your servers should be fine)
Due to the package compromise of 1.4.11, and 1.4.12, we are forced to
release 1.4.13 to ensure no confusions. While initial review didn't
uncover a need for concern, several proof of concepts show that the
package alterations introduce a high risk security issue, allowing
remote inclusion of files. These changes would allow a remote user the
ability to execute exploit code on a victim machine, without any user
interaction on the victim's server. This could grant the attacker the
ability to deploy further code on the victim's server.
We *STRONGLY* advise all users of 1.4.11, and 1.4.12 upgrade
immediately.
NOTE: includes a critical bug fix in the attachment handling
- Enabled user selection of address format when adding from address
book during message composition.
- Fixed issue with adding attachments in PHP 4.x environments (#1805471).
- Backport size setting on "newmail" popup window.
- Added a "short_open_tag" configuration test.
- Undefined notice in error message box when no default folder prefix is set.
- Undefined index error when downloading. Possibly caused by using tabs and
opening multiple mailboxes.
- PAGE_NAME might not be defined in all plugins, which might cause a
"not defined" error on session timeouts.
- Fixed outgoing messages to allow addresses such as "0@..." or "000@...",
etc. (#1818398).
- Fixed issue with in-reply-to and reference headers not being retained on
reply (#1810659).
- Revived logout_error hook (#1800015).
- Allow custom session handlers to work correctly (and be defined at the
application level with SquirrelMail).
- Fix off-by-one in bodystructure parsing triggered by servers sending
a body location part (e.g. Sun Java System Messaging Server). Thanks
John Callahan (#1808382).
- Invalid initialization of To: header (#1772893).
- Includes cleanup in include/validate.php.
- Cleanup in multiple files to remove unneeded includes.
- Added sort by size (#812233 and #159997, plus multiple list requests).
Patch provided by Christopher E. Brown.
- Fix bug in sitewide SMTP settings still using authenticated user, rather
than configured settings (#1835942).
- Fixed mailto: functionality.
- Added mailto: link handling when viewing messages.
- Handle PHP's insistence on setting the value to 'deleted' for destroyed
sessions
