ChangLog:
Version 1.4.9a - 3 December 2006
--------------------------------
- Security: Multiple IE cross site scripting issues related to the
widely acceptation of the word expression and url by IE.
- Security: Removing @import when sanitizing html mail.
Version 1.4.9 - 2 December 2006
-------------------------------
- Drop obsolete script plugins/make_archive.pl.
- Fixed Google translate form in translate plugin. Added new language
pairs.
- Added XMAGICTRASH extension tests in configtest utility. Removed code
that handled 'inbox.trash' as special folder in courier (#1354393).
- Allowed moving folders to trash in courier.
- Fix misspelled constant PREG_SPLIT_NI_EMPTY in sqimap_get_message
(#1543573).
- Provide View Unsafe Images link on viewing a text/html attachment.
- Fix variable typo in folders_create.php (#1545316).
- Added Courier IMAP OUTBOX check to configtest utility.
- If mailbox name starts with slash or contains ../, error message is
generated. Safety check for insecure default UW IMAP setup (#1557078).
- Ignore message copy errors when messages are deleted. Allows to delete
messages when quota is exceeded (#614887, #646386, #1446026).
- Fixed unintended literal fetching (#1562271).
- Added global file based address book listing controls. Added line
length configuration option for local_file address book backend
(#1181561). Added address book data integrity checks in local_file
address book backend. Fixed eregi and object notices in local_file
and database address book backends. Added additional address book
field support.
- Fixed variable corruption in configtest utility.
- Checked if configuration file is readable in configuration utility
(#1568355).
- Special mailboxes marked in special_mailbox hook are no longer listed
in folder delete, rename and subscription options.
- Translate plugin: prevent PHP notice when viewing empty message.
- Add CEST and MEST (non-standard) timezone codes for +0200.
- Add <label> to From field in message list.
- Add support for parsing SpamAssassin's X-Spam-Status header (#1589520).
- Fix in bodystructure parser code related to strings ending with an
escape character.
- Added "attachment */*" hook
- Added third parameter $logout_link to logout_error hook that allows
plugin control over login page URI displayed on login error page.
- Security: close cross site scripting vulnerability in draft, compose
and mailto functionality [CVE-2006-6142].
- Security: work around an issue in Internet Explorer that would guess
the mime type of a file based on contents, not Content-Type header.
- Fixed URL for Read Receipts being incorrect in some cases (#1177518).
- Fixed endless loop when trying to parse "From: )(" (#1517867).
- Using is_file() instead of file_exists() in fortune plugin (#1499134).
- Add manual page for conf.pl under contrib.
- Don't allow selecting INBOX as Sent, Draft or Trash folder (#1242346).
and add a new helper target and script, "show-buildlink3", that outputs
a listing of the buildlink3.mk files included as well as the depth at
which they are included.
For example, "make show-buildlink3" in fonts/Xft2 displays:
zlib
fontconfig
iconv
zlib
freetype2
expat
freetype2
Xrender
renderproto
all PEAR packages to php?-pear-* and all Apache packages to ap13-* or
ap2-* respectively. Add new variables to simplify the Makefile
handling. Add CONFLICTS on the old names. Reset revisions of bumped
packages. ap-php will now depend on the default Apache and PHP version.
All programs using it have an implicit option of the Apache version
as well.
OK from jlam@ and adrianp@.
RECOMMENDED is removed. It becomes ABI_DEPENDS.
BUILDLINK_RECOMMENDED.foo becomes BUILDLINK_ABI_DEPENDS.foo.
BUILDLINK_DEPENDS.foo becomes BUILDLINK_API_DEPENDS.foo.
BUILDLINK_DEPENDS does not change.
IGNORE_RECOMMENDED (which defaulted to "no") becomes USE_ABI_DEPENDS
which defaults to "yes".
Added to obsolete.mk checking for IGNORE_RECOMMENDED.
I did not manually go through and fix any aesthetic tab/spacing issues.
I have tested the above patch on DragonFly building and packaging
subversion and pkglint and their many dependencies.
I have also tested USE_ABI_DEPENDS=no on my NetBSD workstation (where I
have used IGNORE_RECOMMENDED for a long time). I have been an active user
of IGNORE_RECOMMENDED since it was available.
As suggested, I removed the documentation sentences suggesting bumping for
"security" issues.
As discussed on tech-pkg.
I will commit to revbump, pkglint, pkg_install, createbuildlink separately.
Note that if you use wip, it will fail! I will commit to pkgsrc-wip
later (within day).
This release is very important, and we strongly advise everybody to
update to the latest release.
Security Update
===============
This version contains a number of security updates that were brought
to our attention via a number of sources.
- In webmail.php, the right_frame parameter was not properly sanitized
to deal with very lenient browsers, which allowed for cross site
scripting or frame replacing. [CVE-2006-0188]
- In the MagicHTML function, some very obscure constructs were
discovered to be exploitable: 'u\rl' was interpreted as 'url' (privacy
concern), and comments could be inside keywords (allows for cross site
scripting). Both only affect Internet Explorer users. Found by Martijn
Brinkers and Scott Hughes. [CVE-2006-0195]
- The function sqimap_mailbox_select did not strip newlines from the
mailbox parameter, and thereby allowed for IMAP command injection.
Found by Vicente Aguilera. [CVE-2006-0377]
"find foo -exec bar {} \;" while here, the former is faster, but can't
cope with all quoting issues and is also more likely to hit argument
length limits. CONFLICT to ja-squirrelmail.
We are pleased to announce the release of SquirrelMail 1.4.4. This
release is a strongly recommended upgrade due to a number of security
issues that have been resolved since 1.4.3a.
About This Release
------------------
This release contains a number of bug fixes, and security updates. The
list is very long, as this version has been hiding in the trees for a
while. For a full list of the changes, you can see the changelog here:
http://www.squirrelmail.org/changelog.php
A general summary of updates includes a few cross site scripting issues,
and two possible file inclusion issue (one remote, one local). Better
IMAP handling introduced for certain IMAP servers that advertise
LOGINDISABLED, folder handling, and a number of locales issues.
Locales
-------
Shortly after the release of 1.4.3, the locales were broken out of the
main branch into their own branch. This makes the SquirrelMail package
itself a lot smaller, along with allowing administrators to download just
the packages they need. Details on this change can be found in the
ReleaseNotes and the INSTALL files.
There is a cross site scripting issue in the decoding of encoded text
in certain headers. SquirrelMail correctly decodes the specially
crafted header, but doesn't sanitize the decoded strings.
http://article.gmane.org/gmane.mail.squirrelmail.user/21169
