[pkgsrc/pkgsrc-2018Q1]: pkgsrc/mail/squirrelmail Pullup ticket #...

[spz <spz%pkgsrc.org@localhost>]

details:   https://anonhg.NetBSD.org/pkgsrc/rev/5d24ff9e3da5
branches:  pkgsrc-2018Q1
changeset: 307436:5d24ff9e3da5
user:      spz <spz%pkgsrc.org@localhost>
date:      Sun May 06 11:41:44 2018 +0000
description:
Pullup ticket #5751 - requested by taca
mail/squirrelmail: security update

Revisions pulled up:
- mail/squirrelmail/Makefile                                    1.134
- mail/squirrelmail/distinfo                                    1.70
- mail/squirrelmail/patches/patch-ai                            1.3

-------------------------------------------------------------------
   Module Name: pkgsrc
   Committed By:        taca
   Date:                Mon Apr 30 07:56:55 UTC 2018

   Modified Files:
        pkgsrc/mail/squirrelmail: Makefile distinfo
        pkgsrc/mail/squirrelmail/patches: patch-ai

   Log Message:
   mail/squirrelmail: update to 1.4.23pre14764

   Fix CVE-2018-8741 and more.

     - Added ability (and user preference) to return to message list
       after moving a message
     - Search enhancement: Added ability to search in more than one
       header without having to search the body
     - Add ability for saved drafts to indicate if they are a reply and
       if so, to which message, and mark that message as replied when
       the draft is finally sent
     - Added option to allow returning to the message one had been
       replying to after sending
     - Sanitize user-supplied attachment filenames (thanks to Florian
       Grunow for reporting this issue) [CVE-2018-8741]
     - Allow users who cannot edit their email address but who have
       multiple identities to edit all their identities


   To generate a diff of this commit:
   cvs rdiff -u -r1.133 -r1.134 pkgsrc/mail/squirrelmail/Makefile
   cvs rdiff -u -r1.69 -r1.70 pkgsrc/mail/squirrelmail/distinfo
   cvs rdiff -u -r1.2 -r1.3 pkgsrc/mail/squirrelmail/patches/patch-ai

diffstat:

 mail/squirrelmail/Makefile         |   4 ++--
 mail/squirrelmail/distinfo         |  13 ++++++-------
 mail/squirrelmail/patches/patch-ai |   8 ++++----
 3 files changed, 12 insertions(+), 13 deletions(-)

diffs (57 lines):

diff -r 4bdd5b75e5ba -r 5d24ff9e3da5 mail/squirrelmail/Makefile
--- a/mail/squirrelmail/Makefile        Sun May 06 11:37:36 2018 +0000
+++ b/mail/squirrelmail/Makefile        Sun May 06 11:41:44 2018 +0000
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.133 2017/06/21 15:07:03 taca Exp $
+# $NetBSD: Makefile,v 1.133.10.1 2018/05/06 11:41:44 spz Exp $
 
-DISTNAME=      squirrelmail-webmail-1.4.23pre14688
+DISTNAME=      squirrelmail-webmail-1.4.23pre14764
 PKGNAME=       ${DISTNAME:S/-webmail//}
 CATEGORIES=    mail www
 MASTER_SITES=  ${MASTER_SITE_LOCAL}
diff -r 4bdd5b75e5ba -r 5d24ff9e3da5 mail/squirrelmail/distinfo
--- a/mail/squirrelmail/distinfo        Sun May 06 11:37:36 2018 +0000
+++ b/mail/squirrelmail/distinfo        Sun May 06 11:41:44 2018 +0000
@@ -1,11 +1,10 @@
-$NetBSD: distinfo,v 1.69 2017/06/21 15:07:03 taca Exp $
+$NetBSD: distinfo,v 1.69.10.1 2018/05/06 11:41:44 spz Exp $
 
-SHA1 (squirrelmail-webmail-1.4.23pre14688.tar.bz2) = 0b094c86464f0a67948191f8daeb62b35024350b
-RMD160 (squirrelmail-webmail-1.4.23pre14688.tar.bz2) = 3b3d19bcbd0e3c32983707423d91263e3649f26b
-SHA512 (squirrelmail-webmail-1.4.23pre14688.tar.bz2) = ec428f5a77757d29dd0a8f905210e7f9b527e75a549162d9d2ad2ad2fdfed1c9fa4e399433e656065f24a593d76e14c043a34c0c7fffb03943de94505599a1e0
-Size (squirrelmail-webmail-1.4.23pre14688.tar.bz2) = 560901 bytes
+SHA1 (squirrelmail-webmail-1.4.23pre14764.tar.bz2) = 9fd0ddfd393be97373d5b839143285527c3cb9c4
+RMD160 (squirrelmail-webmail-1.4.23pre14764.tar.bz2) = 8b40681f8fa0cc9e25282d1215e6b88c2566c73b
+SHA512 (squirrelmail-webmail-1.4.23pre14764.tar.bz2) = 391d305184d88f4797ffb2203134bebfcd9327de063510155bc295f8edb1609dc2ea6e0f5e6d6f75e92e7fbfd938804aa0f155857c3c82c6a9f72f21b7ebf5a3
+Size (squirrelmail-webmail-1.4.23pre14764.tar.bz2) = 562786 bytes
 SHA1 (patch-aa) = 4ba7ea0a85308816b9dc77c0af3c927359ed1275
 SHA1 (patch-ab) = 30bf68c730f20e817fbe81d18bc2a95899ee3fd0
-SHA1 (patch-ai) = 1c08904ecf074ff3ba7e6042becc0f0771388b9f
+SHA1 (patch-ai) = e1a23673bf19bbbd88b00fb6bab3d6d1c8c11575
 SHA1 (patch-ca) = d2e41316b8ecd97b49842eff548219e40e9b163a
-SHA1 (patch-class_deliver_Deliver__SendMail.class.php) = 0358ce2445fee73261075226e794054d6ada0150
diff -r 4bdd5b75e5ba -r 5d24ff9e3da5 mail/squirrelmail/patches/patch-ai
--- a/mail/squirrelmail/patches/patch-ai        Sun May 06 11:37:36 2018 +0000
+++ b/mail/squirrelmail/patches/patch-ai        Sun May 06 11:41:44 2018 +0000
@@ -1,11 +1,11 @@
-$NetBSD: patch-ai,v 1.2 2010/03/07 03:41:49 taca Exp $
+$NetBSD: patch-ai,v 1.2.68.1 2018/05/06 11:41:44 spz Exp $
 
 * Fix encoding problem of attached filenames; convert to Shift_JIS when
   using Internet Explore in Japanese environment, sigh.
 
---- functions/mime.php.orig    2010-01-30 16:14:53.000000000 +0000
+--- functions/mime.php.orig    2018-01-16 23:36:07.000000000 +0000
 +++ functions/mime.php
-@@ -2564,6 +2564,10 @@ function SendDownloadHeaders($type0, $ty
+@@ -2589,6 +2589,10 @@ function SendDownloadHeaders($type0, $ty
      //set all the Cache Control Headers for IE
      if ($isIE) {
          $filename=rawurlencode($filename);
@@ -15,4 +15,4 @@
 +        }
          header ("Pragma: public");
          header ("Cache-Control: no-store, max-age=0, no-cache, must-revalidate"); // HTTP/1.1
-         header ("Cache-Control: post-check=0, pre-check=0", false);
+         // does nothing - see: https://blogs.msdn.microsoft.com/ieinternals/2009/07/20/internet-explorers-cache-control-extensions/