squirrelmail (2:1.4.6-1ubuntu0.3) dapper-security; urgency=low

  * SECURITY UPDATE: Possible cookie theft in src/redirect.php if
    register_globals is enabled, and malicious site is running in same
    domain. Patch taken from upstream svn rev 10851. (LP: #348839)
    - CVE-2006-3665
  * SECURITY UPDATE: Possible cross-site scripting (XSS) vulnerability in
    search.php, when register_globals is enabled. Patch taken from upstream
    svn rev 11319. (LP: #348839)
    - CVE-2006-3174
    - http://squirrelmail.org/security/issue/2006-06-22

 -- Andreas Wenning  Thu, 26 Mar 2009 14:21:47 +0100

squirrelmail (2:1.4.6-1ubuntu0.2) dapper-security; urgency=low

  * SECURITY UPDATE: cross site scripting issue in the HTML filter.
    Patch taken from upstream release. (LP: #306536)
    - CVE-2008-2379
    - http://www.squirrelmail.org/security/issue/2008-12-04
  * SECURITY UPDATE: Cookies sent over HTTPS will now be confined to HTTPS
    only (cookie secure flag) and more support for the HTTPOnly cookie
    attribute. Patch taken from upstream release. (LP: #328938)
    - CVE-2008-3663
    - http://www.squirrelmail.org/security/issue/2008-09-28

 -- Andreas Wenning  Fri, 13 Feb 2009 06:25:43 +0100

squirrelmail (2:1.4.6-1ubuntu0.1) dapper-security; urgency=low

  * SECURITY UPDATE: XSS and CSRF in various areas, local file inclusion,
    variable overwriting.
  * src/compose.php, src/right_main.php, src/login.php, src/mailto.php,
    src/redirect.php, src/webmail.php, src/mime.php: back-ported fixes for
    XSS in compose, draft and HTML mail. (CVE-2006-6142)
    http://www.squirrelmail.org/security/issue/2006-12-02
  * functions/mime.php, src/compose.php, src/view_text.php: back-ported
    fixes for XSS in HTML filter (CVE-2007-1262)
    http://www.squirrelmail.org/security/issue/2007-05-09
  * functions/global.php: back-ported fixes for local file inclusion.
    (CVE-2006-2842)
    http://www.squirrelmail.org/security/issue/2006-06-01
  * functions/auth.php, src/compose.php, src/login.php, src/redirect.php,
    src/webmail.php: back-ported fixes for variable overwriting.
    (CVE-2006-4019)
    http://www.squirrelmail.org/security/issue/2006-08-11

 -- Leonel Nunez  Wed, 16 May 2007 13:02:10 -0600

squirrelmail (2:1.4.6-1) unstable; urgency=high

  * New upstream release.
  * Includes the following security fixes:
    - Fix IMAP command injection in sqimap_mailbox_select with upstream
      patch. [CVE-2006-0377] (Closes: #354063)
    - Fix possible XSS in MagicHTML, concerning the parsing of u\rl and
      comments in styles. Internet Explorer specific. [CVE-2006-0195]
      (Closes: #354062)
    - Fix possible cross site scripting through the right_main parameter
      of webmail.php. This now uses a whitelist of acceptable values.
      [CVE-2006-0188] (Closes: #354064, #355424)

 -- Thijs Kinkhorst  Tue, 7 Mar 2006 14:56:06 +0100

squirrelmail (2:1.4.5+1.4.6rc1-1) experimental; urgency=low

  * Experimental package
  * New upstream version: 1.4.6 Release Candidate 1
    Many bugfixes, amongst which the following Debian bugs:
    + Works with newest PHP versions (Closes: #321565, #338649).
    + Fixes line wrapping for unicode characters (Closes: #330372).
    + Add support for limiting the length of the From address display
      (Closes: #279682).
  * Add Depends alternatives for PHP5.
  * Add Suggests for squirrelmail-decode, the library with charset decoding
    functions for complex and rare character sets.
  * Upgrade debhelper compatibility to the recommended level 5.
  * Add Homepage to package description.
  * Move package building from the binary-arch to the binary-indep target
    in debian/rules.

 -- Thijs Kinkhorst  Sat, 10 Dec 2005 18:13:43 +0100

squirrelmail (2:1.4.5-2) unstable; urgency=low

  [ Jeroen van Wolffelaar ]
  * Restore squirrelmail-configure manpage, accidentally dropped in -1
  * Use debhelper compat level 4

  [ Thijs Kinkhorst ]
  * Drop obsolete symlink for attachment dir.
  * Do not ship upstream README, which contains hardly any information
    relevant to Debian. Extend README.Debian a bit. Thanks W. Borgert.
  * Add years to copyright statement.

 -- Thijs Kinkhorst  Mon, 15 Aug 2005 21:06:00 +0200

squirrelmail (2:1.4.5-1) unstable; urgency=low

  * New upstream release. (Closes: #319531)
    Many bugfixes, including the following Debian bugs:
    + Allows to use squirrelspell with PHP safe_mode (Closes: #220156).
    + Has multiple alternatives for locale names (Closes: #269790).
    + Option to set citation marker (Closes: #274595).
  * Dropped a lot of patches incorporated upstream
  * Add debian/watch file.
  * If default_pref file does not exist under var, do not attempt to move
    it to /etc (Closes: #309628).
  * Fix squirrelspell to read UTF8-encoded dictionary names correctly.
    (Closes: #311338)
  * Change Depends on squirrelmail-locales into Recommends; the depends was
    created to ease woody -> sarge upgrades, now a recommendation is
    sufficient (Closes: #319382).
  * Update Standards-Version to 3.6.2, no changes necessary.
  * Clean up rusty packaging.
  * Add depends-alternative for libapache-mod-php4, to prevent installs
    that have apache1 and libapache-mod-php4 but not the php4 meta package
    from dragging in apache2 (Closes: #320993).

 -- Thijs Kinkhorst  Wed, 3 Aug 2005 20:00:16 +0200

squirrelmail (2:1.4.4-6sarge1) stable-security; urgency=high

  * Non-maintainer upload by the Security Team
  * Corrected the patch based on upstream input
    [src/options_identities.php, CAN-2005-2095]

 -- Martin Schulze  Mon, 11 Jul 2005 15:21:59 +0000

squirrelmail (2:1.4.4-6) stable-security; urgency=high

  * Security fix, hence high urgency.
  * Apply patch provided by upstream to fix several cross site scripting
    flaws [CAN-2005-1769] (Closes: #314374)
  * Work around arbitrary variable injection via extract() [CAN-2005-2095]
    (Closes: #317094)

 -- Thijs Kinkhorst  Sat, 09 Jul 2005 11:57:20 +0200

squirrelmail (2:1.4.4-5) unstable; urgency=low

  * Add Suggests for imapproxy.
  * Update README.Debian with documentation about the Recommends and
    Suggests of this package.
  * Add advice about setting default options for your specific IMAP server.
  * Move fix for reloading signout.php from there to auth.php, because it
    broke plug-ins. Patch from upstream CVS. (Closes: #304422)
  * Correct spelling errors in Debian documentation.
  * Change "no JavaScript" to "no JavaScript required" in the package
    description because JavaScript can be used if available but is not
    depended on.

 -- Thijs Kinkhorst  Sat, 9 Apr 2005 13:35:19 +0200

squirrelmail (2:1.4.4-4) unstable; urgency=low

  * Make use of dictionaries-common (when available) to auto-detect spell
    checker settings (Closes: #283948)
  * Change default recommended spell checker to ispell.

 -- Thijs Kinkhorst  Sat, 26 Mar 2005 15:28:48 +0100

squirrelmail (2:1.4.4-3) unstable; urgency=low

  * Move default_pref config file from /var to /etc, as per Debian policy
    (Closes: #293281)
  * [JvW] (finally) override two lintian warnings about nonstandard
    permissions that are intentional (Closes: #293366)

 -- Thijs Kinkhorst  Sun, 6 Feb 2005 21:41:51 +0100

squirrelmail (2:1.4.4-2) unstable; urgency=low

  * Fix configtest.php to accept a non-readable data_dir, which is the
    default Debian configuration
  * [JvW] Depend on squirrelmail-locales, to ease upgrades woody->sarge
    (Closes: #292490)
  * Extend README.locales with information about the squirrelmail-locales
    package and add hint that a restart of Apache might be needed
  * Limit access to configtest.php to just localhost, to prevent
    information leakage (Closes: #293133)

 -- Thijs Kinkhorst  Tue, 1 Feb 2005 14:26:41 +0100

squirrelmail (2:1.4.4-1) unstable; urgency=high

  * New upstream version: 1.4.4
    + Security: Added hook for Preferences Backend to resolve potential
      local file inclusion resulting in arbitrary code execution,
      warranting high urgency [CAN-2005-0075]
    + Security: Fix potential file inclusion issues in src/webmail.php.
      [CAN-2005-0103]
    + Security: Fix possible XSS issues in src/webmail.php.
      [CAN-2005-0104]
  * Thijs Kinkhorst: Add missing docs to squirrelmail.docs file
    (Closes: #289088)

  Thanks a lot to Thijs Kinkhorst who worked hard to get 1.4.4 released,
  and helped tremendously with the packaging for Debian

 -- Jeroen van Wolffelaar  Sat, 22 Jan 2005 23:33:16 +0100

squirrelmail (2:1.4.3a+1.4.4rc1-0exp1) experimental; urgency=low

  * Experimental package
  * New upstream version: 1.4.4 Release Candidate 1
    + Fixes broken theme select box (Closes: #286374)
    + Fixes wrong German translation (Closes: #282829)
    + Fixes broken Unicode encoding (Closes: #270626)
    + Fixes signout error when timed out (Closes: #275941)
    + Removed several backported patches that are in 1.4.4 now
  * Locales are not in the squirrelmail package anymore, but a separate
    package, start to recommend it (squirrelmail-locales)

 -- Jeroen van Wolffelaar  Mon, 3 Jan 2005 00:28:32 +0100

squirrelmail (2:1.4.3a-3) unstable; urgency=high

  * Fix security issue: a remote attacker can compromise an account by
    sending a specially-crafted email containing JavaScript in a RFC2047
    encoded header [CAN-2004-1036] (Closes: #280591)
  * Fix spelling mistake in the name of Thijs Kinkhorst in Uploaders

 -- Jeroen van Wolffelaar  Tue, 16 Nov 2004 12:26:43 +0100

squirrelmail (2:1.4.3a-2) unstable; urgency=medium

  * Put myself as maintainer, and Sam Johnston as co-maintainer. Thijs
    Kinkhorst will also keep assisting in this package, he's co-maintainer
    too now. Thanks Sam, for the work you're putting into squirrelmail.
  * Checked for policy compliance with 3.6.1, no changes were needed,
    updated Standards-Version
  * Fix conf.pl detection of magic $domain contents (Closes: #271374)
  * Default to use /etc/mailname if it exists as default domain, use
    /etc/hostname only as fallback, as indicated by policy 11.6 (Mail
    transport, delivery and user agents)
  * cron.daily now checks whether the to-be-cleaned directory actually
    exists, and exits gracefully if not (Closes: #272046)
  * Now really fix the default apache.conf ssl-redirection example, also
    noted that it's just that, an example, and might not always work
    (Closes: #267777)

 -- Jeroen van Wolffelaar  Wed, 22 Sep 2004 00:59:48 +0200

squirrelmail (2:1.4.3a-1) unstable; urgency=low

  * Signed and incremented by maintainer on vacation. Closes: #255752.
  * Updated SSL RewriteCond directive to resolve loop. Closes: #267777.

 -- Sam Johnston  Tue, 24 Aug 2004 23:27:24 +1000

squirrelmail (2:1.4.3a-0.3) unstable; urgency=low

  * Non-Maintainer Upload in cooperation with Thijs Kinkhorst
  * Applied patch from stable CVS that refuses to LOGIN (plaintext
    IMAP-authentication) if the server advertises that is not supported,
    and gives an appropriate error message (Closes: #266099)
  * Don't put a newline in $domain in the default config

 -- Jeroen van Wolffelaar  Thu, 19 Aug 2004 01:08:01 +0200

squirrelmail (2:1.4.3a-0.2) unstable; urgency=medium

  * Non-Maintainer Upload in cooperation with Thijs Kinkhorst
  * [TK] Apply simple patch from upstream stable CVS fixing sending of
    RFC-violating Message-ID's (class/deliver/Deliver.class.php
    r1.18.2.11 & r1.18.2.12)
  * Remove symlink in /var/www/ that kept being recreated, updated
    README.Debian accordingly (Closes: #261102)
  * Prevent dh_fixperms from resetting special permission of
    /var/lib/squirrelmail/data/ and /var/spool/squirrelmail/attach/, so
    that the buggy workaround in postinst can be removed (Closes: #263936)
  * Suggests php4-pear now (useful for database-backed preferences and
    addressbooks)

 -- Jeroen van Wolffelaar  Fri, 13 Aug 2004 14:46:25 +0200

squirrelmail (2:1.4.3a-0.1) unstable; urgency=low

  * Non-Maintainer Upload in cooperation with Thijs Kinkhorst, upstream
    SquirrelMail developer
  * Reverted away from the development branch to the stable branch
    (Closes: #232995)
    - This re-introduces the translations (Closes: #232944)
    - Experimental mailbox-tree code is 1.5.x only (Closes: #231687,
      #233550, also closes: #250411)
    - imap_general experimental code was buggy in 1.5.0 only
      (Closes: #246097)
    - A buggy CRAM-MD5 check was 1.5.0 only too (Closes: #239566)
  * New upstream
  * Backport fix that was already in the 1.5.0 package fixing RFC3501
    compliance for mailbox naming, keeping #176590 and #215183 closed (by
    Thijs, he committed it in upstream CVS on the 1.4 branch as
    functions/imap_mailbox.php 1.172.2.11)
  * Prefer apache2 and its php4 module in the Depends (Closes: #250303,
    #251656)
  * Dropped dependency on php4-pear, and added a proper error when using
    the preferences/addressbook-in-database feature suggesting to install
    it
  * Turn register_globals off for SquirrelMail, rather than on, since this
    is supported (even recommended) for nowadays' SquirrelMail
  * Add debhelper tokens to the postinst and postrm, this removes the now
    needless debconf purge on package purge, and the debconf dependency
  * On purge, remove user data in /var/{lib,spool}/squirrelmail too
  * Stop distributing UPGRADE and a duplicate copy of the upstream
    changelog
  * In README, tell about README.Debian instead of referring to 'INSTALL'
  * The README.Debian is more clear about configuring with Apache
  * Update 'copyright' file with general download location and correct the
    copyright holder to "The SquirrelMail Project Team".
  * In index.html, have proper (though still not complete) references to
    available documents in /usr/share/doc/squirrelmail (Closes: #246722)
  * Removed bogus 'Closes' line in last changelog entry

 -- Jeroen van Wolffelaar  Tue, 22 Jun 2004 19:37:36 +0200

squirrelmail (1:1.5.0-1) unstable; urgency=low

  * New upstream release.
  * RFC3501 compliance for mailbox naming (eg trailing spaces).
    Closes: #176590, #215183.
  * Adds a squirrelmail symlink in /var/www/. Closes: #229282.
  * Adds PHP safe_mode workaround to README.Debian. Closes: #222071.
  * Adds daily cron job to clean attachments directory. Closes: #228400.
  * Checks for config_default.php before copying in postinst.
    Closes: #229737.

 -- Sam Johnston  Wed, 4 Feb 2004 01:42:12 +1100

squirrelmail (1:1.4.2-1) unstable; urgency=medium

  * New upstream release. Closes: #204058.
  * Significant improvements over (broken) 1.4.0-1 package.
  * PHP compatibility fixes. Closes: #202368.
  * conf.pl corrupts theme paths issue resolved. Closes: #175773, #180108,
    #188441, #190315, #190923, #191028.
  * Backwards compatible with stripped path themes (previous debs).
  * Highlighting issue (1.4.0) resolved. Closes: #188631.
  * Rendering issues with problem emails resolved. Closes: #205572.
  * Resource utilisation improvements. Closes: #191856, #189602.
  * README reference to upstream INSTALL document updated.
    Closes: #173367, 178951.
  * All known XSS exploits resolved. Closes: #167471.
  * Folder list refreshes on login. Closes: #165753.
  * $domain variable set to contents of /etc/hostname. Closes: #198747.
  * Trims of HTTP_HOST port number for use in SMTP HELO. Closes: #200108.
  * Fails gracefully when IMAP server unavailable. Closes: #192239.
  * Recommends rather than depends on spell checker. Closes: #193680.
  * DirectoryIndex directive added to apache.conf. Closes: #201022.
  * Plugin config(s) moved to /etc. Closes: #146416.
  * Properly handles accents and tildes in To:, Subject: etc headers.
    Closes: #150338, #179166.
  * No (broken) 'Save' button in printable version. Closes: #185602.
  * Removes /usr/share/squirrelmail/data iff it is a symbolic link.
    Closes: #188143.
  * Resolves policy violation by replacing conf.pl (executable in /etc)
    with a symlink to /usr/sbin/squirrelmail-configure. Closes: #163995.

 -- Sam Johnston  Mon, 6 Oct 2003 07:44:12 +1000

squirrelmail (1:1.4.0-1) unstable; urgency=low

  * New upstream release. Closes: #179864, 134237.
  * Resolves XSS security issues. Closes: #182008.
  * Resolves default theme login problem. Closes: #174262.
  * conf.pl cwd calls hardwired. Closes: #173516.
  * conf.pl no longer breaks existing configs. Closes: #175773.
  * blank lines no longer removed by compose.php. Closes: #175842.
  * proto checking more robust. Closes: #178130.
  * uses /etc/mailname instead of mydomain.com. Closes: #181619, 176777.
  * added https redirect to example apache.conf. Closes: #172938.
  * depends on php4-pear. Closes: #173256.
  * indent problem resolved. Closes: #186506.
  * no longer creates data symlink, removes existing. Closes: #181537.
  * default_pref is a conffile - no longer written over. Closes: #178815.

 -- Sam Johnston  Tue, 8 Apr 2003 02:06:40 +1000

squirrelmail (1:1.3.2+1.4.0rc1-1) unstable; urgency=low

  * New upstream release candidate

 -- Sam Johnston  Thu, 2 Jan 2003 09:03:47 +1100

squirrelmail (1:1.3.2-2) unstable; urgency=high

  * Fixed cross site scripting problem in read_body.php (BugTraq ID 6302,
    CAN-2002-1341)

 -- Sam Johnston  Sun, 22 Dec 2002 03:56:23 +1100

squirrelmail (1:1.3.2-1) unstable; urgency=low

  * New upstream release - tracking development
  * Removed debconf/wwwconfig scripts. Closes: #164605, #136612, #137165.
  * Fixed dependencies (php4-cgi httpd). Closes: #152062, #152882.
  * Japanese patch included upstream. Closes: #159454.
  * Folder rename issue resolved upstream. Closes: #166297.
  * display_messages doc root issue resolved upstream. Closes: #165103.

 -- Sam Johnston  Thu, 7 Nov 2002 12:02:23 +1100

squirrelmail (1:1.2.8-1) unstable; urgency=low

  * New upstream release

 -- Sam Johnston  Mon, 7 Oct 2002 23:37:40 +1000

squirrelmail (1:1.2.7-1) unstable; urgency=low

  * New upstream release

 -- Sam Johnston  Mon, 24 Jun 2002 01:08:23 +1000

squirrelmail (1:1.2.6-1) unstable; urgency=high

  * New upstream *SECURITY* release
  * Resolves local unprivileged exploit. Closes: #144496.
  * Adds README.locales with information about languages. Closes: #143277.
  * Resolves typo in conf.pl (Save data repeated). Closes: #140506.
  * Adds russian templates for debconf. Closes: #136612, #137165.

 -- Sam Johnston  Tue, 30 Apr 2002 18:53:46 +1000

squirrelmail (1:1.2.5-1) unstable; urgency=low

  * New upstream release. Closes: #138181.
  * Fixed typo in debconf template. Closes: #131755.
  * Installs default config_default.php file on new installations.
    Closes: #136776.

 -- Sam Johnston  Tue, 19 Mar 2002 01:51:08 +1100

squirrelmail (1:1.2.4-1) unstable; urgency=high

  * New upstream *SECURITY* release
  * Fixes remote exploit in squirrelspell plugin. Closes: #130754.

 -- Sam Johnston  Sat, 26 Jan 2002 06:22:30 +1100

squirrelmail (1:1.2.3-2) unstable; urgency=low

  * Resolves theme path issue (themes work again). Closes: #129406.

 -- Sam Johnston  Thu, 24 Jan 2002 03:46:14 +1100

squirrelmail (1:1.2.3-1) unstable; urgency=medium

  * New upstream release

 -- Sam Johnston  Wed, 23 Jan 2002 03:12:34 +1100

squirrelmail (1:1.2.2.20020116-1) unstable; urgency=low

  * New upstream release (tracking CVS due to problems with releases,
    PHP 4.1 migration, etc.) Closes: #128228.
  * Fixes typo in the control file (description). Closes: #129350.
  * Uses php_flags syntax for register_globals workaround. Closes: #128226.
  * Resolves conf.pl hanging problem by calling db_stop from maintainer
    scripts when debconf is finished with. Closes: #128142.
  * Various fixes to keep lintian happy

 -- Sam Johnston  Thu, 17 Jan 2002 02:49:05 +1100

squirrelmail (1:1.2.2-2) unstable; urgency=medium

  * Added support for apache-ssl. SSL (not necessarily apache-ssl) is
    recommended for all installations which involve sessions over
    untrusted networks as passwords are sent in clear text, and message
    contents may be confidential. Closes: #114545, #115140.
  * Added preliminary debconf support for selecting webserver type for
    autoconfiguration (we can set up PHP, and #include the SquirrelMail
    apache.conf file in most cases, avoiding the need for any manual
    changes). Closes: #125590.

 -- Sam Johnston  Wed, 2 Jan 2002 17:23:56 +1100

squirrelmail (1:1.2.2-1) unstable; urgency=medium

  * New upstream release
  * Resolved problem finding plugins by replacing relative plugin dir
    references with absolute references. Closes: #115163.
  * Resolved problem finding themes by removing relative themes dir
    (unnecessarily included in each theme definition), instead hardcoding
    it in the php script(s) which reference themes. Closes: #116285.
  * Resolved conf.pl problems preventing it from being executed from
    outside the squirrelmail dir by referencing /etc/squirrelmail.
    Closes: #119859.
  * Suggests imap-server. Does not depend as many (most?) sites will/should
    be running SM on a separate machine. Feedback about this decision
    welcome. Closes: #114543.
  * Suggests ispell | aspell as SquirrelSpell is now included in the main
    distribution. The sqspell config file is now a conffile to prevent
    overwrites.

 -- Sam Johnston  Wed, 2 Jan 2002 15:20:07 +1100

squirrelmail (1:1.2.0-1) unstable; urgency=low

  * New upstream release
  * Plugin detection/symlink problem in conf.pl fixed
  * Merry Christmas

 -- Sam Johnston  Tue, 25 Dec 2001 18:31:05 +1100

squirrelmail (1.2.0-rc3-2) unstable; urgency=low

  * Edited apache configuration to resolve 404 errors. There is some
    discussion upstream about incompatibilities between SM and PHP 4.1.0,
    including a discussion about get_location returning null so I expect
    these issues will be resolved by the (christmas day) release of 1.2.0.
    Closes: #125866.

 -- Sam Johnston  Thu, 20 Dec 2001 11:37:00 +1100

squirrelmail (1.2.0-rc3-1) unstable; urgency=low

  * New upstream release
  * Fixed up description formatting problem. Closes: #114871
  * Removed require_once patches applied in rc2-2. Fixed upstream.
  * Fixed password parsing problem. Closes: #115225
  * Speed improvements and optimisations
  * Several plugins integrated into the core or added as 'official'
  * New paginator, rewrite of option pages code, etc.

 -- Sam Johnston  Sun, 16 Dec 2001 23:53:36 +1100

squirrelmail (1.2.0-rc2-3) unstable; urgency=low

  * Created a fairly intelligent script for packaging up plugins. It goes
    by the name of smpackage and it lives in the examples directory, for
    want of a better home.
  * Uploaded 40-something libsquirrelmail-* plugin packages. Enjoy.

 -- Sam Johnston  Mon, 8 Oct 2001 03:16:24 +1000

squirrelmail (1.2.0-rc2-2) unstable; urgency=low

  * Resolved problems with redeclaring functions by replacing include()s
    with require_once()s
  * Closes: #114531

 -- Sam Johnston  Fri, 5 Oct 2001 18:18:53 +1000

squirrelmail (1.2.0-rc2-1) unstable; urgency=low

  * New upstream release

 -- Sam Johnston  Wed, 3 Oct 2001 00:08:20 +1000

squirrelmail (1.0.6-2) unstable; urgency=low

  * Added support to conf.pl for automated plugin installation and removal

 -- Sam Johnston  Tue, 2 Oct 2001 22:15:25 +1000

squirrelmail (1.0.6-1) unstable; urgency=low

  * Initial Release
  * Kudos to Bart Bunting for his initial work on packaging squirrelmail
  * Closes: #86125

 -- Sam Johnston  Tue, 2 Oct 2001 21:39:10 +1000

vim: et