pkgsrc-Changes-HG archive


[pkgsrc/pkgsrc-2007Q1]: pkgsrc/mail/squirrelmail Pullup ticket 2079 - request...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/dab66ee48b32
branches:  pkgsrc-2007Q1
changeset: 527354:dab66ee48b32
user:      ghen <ghen%pkgsrc.org@localhost>
date:      Thu May 10 08:02:30 2007 +0000

description:
Pullup ticket 2079 - requested by martti
security update for squirrelmail

- pkgsrc/mail/squirrelmail/Makefile                     1.83
- pkgsrc/mail/squirrelmail/PLIST                        1.21
- pkgsrc/mail/squirrelmail/distinfo                     1.36
- pkgsrc/mail/squirrelmail/patches/patch-aa             1.13

   Module Name: pkgsrc
   Committed By:        martti
   Date:                Thu May 10 06:48:28 UTC 2007

   Modified Files:
           pkgsrc/mail/squirrelmail: Makefile PLIST distinfo
           pkgsrc/mail/squirrelmail/patches: patch-aa

   Log Message:
   Updated mail/squirrelmail to 1.4.10

   This version, 1.4.10, is a maintenance release, addressing
   the following problems since 1.4.9a:
   - Some security fixes (see below)
   - Small enhancements
   - A collection of bugfixes and stability enhancements
   (see ChangeLog for a full list)

   Security issues
   ===============

   This release addresses security issues found since the release of 1.4.9a:

   There's an ongoing battle to further secure the HTML filter against malicious
   HTML mail and the browsers that accept almost any malformed piece of HTML.

   This release contains fixes for the following:
   - HTML attachments containing "data:" URLs;
   - Internet Explorer in various versions accepts many permutations of HTML
      and JavaScript in many charsets. We now properly canonicalize the incoming
      HTML to us-ascii before applying further filters. IE only.
   - Request forgery through images. It was possible to include "images" in
      HTML mails which were in fact GET requests for the compose.php page sending
      mail. These images are now properly detected, and the compose form will only
      send mail through a POST request.

   Thanks to Mikhail Markin, Tomas Kuliavas and Michael Jordon for reporting
   (parts of) these issues and working with us to get them resolved.

   These are known as CVE-2007-1262. Further details on SquirrelMail
   vulnerabilities can be found at the following address:

      http://www.squirrelmail.org/security/
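The three fixes the log lists (data: URLs, canonicalising HTML to us-ascii before filtering, and "images" that are really requests to the mail-sending compose.php page) expressed as a defensive filter. This is an added example, not SquirrelMail's own HTML filter or compose.php code; the scheme allow-list, the compose.php match and the sample mail body are assumptions chosen for illustration.

```python
import html
import re
# Constructed sample (not from the page) with the three input classes the 1.4.10
# notes name: data: URL, entity/charset-obfuscated scheme, GET "image" to compose.php.
SAMPLE_HTML = (
    '<p>Hello</p>'
    '<img src="data:text/html;base64,AAAA">'
    '<img src="&#100;ata:image/png,x">'
    '<a href="j\u0430vascript:void(0)">link</a>'
    '<img src="http://webmail.example/src/compose.php?send=1&to=x">'
    '<img src="http://cdn.example/logo.png">'
)

ALLOWED_SCHEMES = {"http", "https", "cid", "mailto"}   # assumed allow-list
URL_ATTR = re.compile(r'(\b(?:src|href)\s*=\s*)(?:"([^"]*)"|\'([^\']*)\')', re.I)

def canonical_url(raw: str) -> str:
    """Reduce a URL to one us-ascii form before any filter looks at it."""
    u = html.unescape(raw)                           # &#100;ata: -> data:
    u = u.encode("ascii", "ignore").decode("ascii")  # drop non-ASCII lookalikes
    return re.sub(r"[\x00-\x20]", "", u)             # drop whitespace/control bytes

def classify_url(raw: str) -> str:
    """Return 'ok' or the reason the URL must not reach the browser."""
    u = canonical_url(raw).lower()
    scheme, sep, _ = u.partition(":")
    if not sep or "/" in scheme or "?" in scheme:    # no scheme: a relative URL
        scheme = "relative"
    if scheme == "data":
        return "data-url"
    if scheme != "relative" and scheme not in ALLOWED_SCHEMES:
        return "bad-scheme"
    if "compose.php" in u:                           # mail-sending page as an image
        return "compose-request"
    return "ok"

def filter_html(doc: str):
    """Neutralise offending src/href values; return (clean_doc, findings)."""
    findings = []
    def repl(m):
        raw = m.group(2) if m.group(2) is not None else m.group(3)
        verdict = classify_url(raw)
        if verdict == "ok":
            return m.group(0)
        findings.append((verdict, raw))
        return m.group(1) + '"#"'                    # point the reference nowhere
    return URL_ATTR.sub(repl, doc), findings

def compose_allowed(method: str) -> bool:  # compose.php sends mail only on POST
    return method.upper() == "POST"
```

Rejecting GET alone does not stop a forged POST form; a per-session token on the compose form is the usual complement.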

diffstat:

 mail/squirrelmail/Makefile         |   4 ++--
 mail/squirrelmail/PLIST            |   5 ++---
 mail/squirrelmail/distinfo         |  10 +++++-----
 mail/squirrelmail/patches/patch-aa |  18 +++++++++---------
 4 files changed, 18 insertions(+), 19 deletions(-)

diffs (94 lines):

diff -r 1d3c8ca685e0 -r dab66ee48b32 mail/squirrelmail/Makefile
--- a/mail/squirrelmail/Makefile        Mon May 07 17:36:23 2007 +0000
+++ b/mail/squirrelmail/Makefile        Thu May 10 08:02:30 2007 +0000
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.82 2007/03/24 19:21:27 joerg Exp $
+# $NetBSD: Makefile,v 1.82.2.1 2007/05/10 08:02:30 ghen Exp $
 
-DISTNAME=      squirrelmail-1.4.9a
+DISTNAME=      squirrelmail-1.4.10
 CATEGORIES=    mail www
 MASTER_SITES=  ${MASTER_SITE_SOURCEFORGE:=squirrelmail/}
 EXTRACT_SUFX=  .tar.bz2
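Review bot: only the first six Makefile lines are in this hunk, so it is not visible whether a PKGREVISION line further down was cleared; a DISTNAME bump to 1.4.10 requires dropping any leftover PKGREVISION, so check the rest of Makefile revision 1.83 for one.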
diff -r 1d3c8ca685e0 -r dab66ee48b32 mail/squirrelmail/PLIST
--- a/mail/squirrelmail/PLIST   Mon May 07 17:36:23 2007 +0000
+++ b/mail/squirrelmail/PLIST   Thu May 10 08:02:30 2007 +0000
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.20 2006/12/04 13:06:01 obache Exp $
+@comment $NetBSD: PLIST,v 1.20.4.1 2007/05/10 08:02:30 ghen Exp $
 man/man8/squirrelmail-conf.pl.8
 share/examples/squirrelmail/squirrelmail.conf
 share/squirrelmail/AUTHORS
@@ -64,14 +64,13 @@
 share/squirrelmail/doc/ReleaseNotes/1.4/Notes-1.4.7.txt
 share/squirrelmail/doc/ReleaseNotes/1.4/Notes-1.4.8.txt
 share/squirrelmail/doc/ReleaseNotes/1.4/Notes-1.4.9.txt
+share/squirrelmail/doc/ReleaseNotes/1.4/Notes-1.4.9a.txt
 share/squirrelmail/doc/authentication.txt
-share/squirrelmail/doc/db-backend.txt
 share/squirrelmail/doc/ie_ssl.txt
 share/squirrelmail/doc/index.html
 share/squirrelmail/doc/presets.txt
 share/squirrelmail/doc/russian_apache.txt
 share/squirrelmail/doc/security.txt
-share/squirrelmail/doc/themes.txt
 share/squirrelmail/doc/translating.txt
 share/squirrelmail/doc/translating_help.txt
 share/squirrelmail/functions/abook_database.php
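Review bot: the PLIST gains Notes-1.4.9a.txt but no Notes-1.4.10.txt, and drops db-backend.txt and themes.txt; confirm against the extracted 1.4.10 tarball (a `make print-PLIST` diff) that the new release ships no release-notes file of its own and that the two removed documents are gone rather than relocated, so that `pkg_delete` does not leave stray files behind.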
diff -r 1d3c8ca685e0 -r dab66ee48b32 mail/squirrelmail/distinfo
--- a/mail/squirrelmail/distinfo        Mon May 07 17:36:23 2007 +0000
+++ b/mail/squirrelmail/distinfo        Thu May 10 08:02:30 2007 +0000
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.35 2006/12/04 13:06:01 obache Exp $
+$NetBSD: distinfo,v 1.35.4.1 2007/05/10 08:02:30 ghen Exp $
 
-SHA1 (squirrelmail-1.4.9a.tar.bz2) = c9fc139c331cc99aa9bb54886106d2beccdd390a
-RMD160 (squirrelmail-1.4.9a.tar.bz2) = ccb4c0b4d74341862fecc4abe7f1fa63a4535984
-Size (squirrelmail-1.4.9a.tar.bz2) = 481601 bytes
-SHA1 (patch-aa) = 8b2f277985e2b7a723e10c3a1c60bd7bde69086f
+SHA1 (squirrelmail-1.4.10.tar.bz2) = 049d48aebd0adad991e09a2d7ae3509323aeb922
+RMD160 (squirrelmail-1.4.10.tar.bz2) = 550d8a6f9bc67f6c15d97e7af7a6cf62e207bfde
+Size (squirrelmail-1.4.10.tar.bz2) = 484389 bytes
+SHA1 (patch-aa) = 17f0957068ab2dc54871aa3746f58babe46d85cc
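Review bot: since this is a security update, the new SHA1/RMD160/Size values for squirrelmail-1.4.10.tar.bz2 should be compared with the checksums published upstream (the log points at http://www.squirrelmail.org/security/) rather than only recorded from a local download, because `make makesum` trusts whatever was fetched. The updated `SHA1 (patch-aa)` line is required by the regenerated patch-aa in this changeset.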
diff -r 1d3c8ca685e0 -r dab66ee48b32 mail/squirrelmail/patches/patch-aa
--- a/mail/squirrelmail/patches/patch-aa        Mon May 07 17:36:23 2007 +0000
+++ b/mail/squirrelmail/patches/patch-aa        Thu May 10 08:02:30 2007 +0000
@@ -1,8 +1,8 @@
-$NetBSD: patch-aa,v 1.12 2006/12/04 13:06:01 obache Exp $
+$NetBSD: patch-aa,v 1.12.4.1 2007/05/10 08:02:30 ghen Exp $
 
---- config/config_default.php.orig     2006-10-07 11:58:42.000000000 +0000
-+++ config/config_default.php
-@@ -414,7 +414,7 @@ $default_sub_of_inbox = true;
+--- config/config_default.php.orig     2007-03-04 04:07:59.000000000 +0200
++++ config/config_default.php  2007-05-10 09:21:01.000000000 +0300
+@@ -414,7 +414,7 @@
   * false. (Cyrus works fine whether it's true OR false).
   * @global bool $show_contain_subfolders_option
   */
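Review bot: the regenerated patch-aa header now carries a timestamp on the `+++ config/config_default.php` line, whereas the previous header (`+++ config/config_default.php` with no date, the form pkgdiff produces) had none; regenerating with pkgdiff keeps the header in the usual pkgsrc form. Dropping the function-context text after `@@ -414,7 +414,7 @@` is harmless.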
@@ -11,20 +11,20 @@
  
  /**
   * These next two options set the defaults for the way that the
-@@ -459,7 +459,7 @@ $noselect_fix_enable = false;
-  *   $data_dir = SM_PATH . 'data/';
+@@ -464,7 +464,7 @@
+  *
   * @global string $data_dir
   */
--$data_dir = SM_PATH . 'data/';
+-$data_dir = '/var/local/squirrelmail/data/';
 +$data_dir = '@USER_PREFS_DIR@/';
  
  /**
   * Attachments directory
-@@ -477,7 +477,7 @@ $data_dir = SM_PATH . 'data/';
+@@ -482,7 +482,7 @@
   *    + It should probably be another directory than data_dir.
   * @global string $attachment_dir
   */
--$attachment_dir = $data_dir;
+-$attachment_dir = '/var/local/squirrelmail/attach/';
 +$attachment_dir = '@ATTACHMENTS_DIR@/';
  
  /**
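Review bot: the `-` lines this patch replaces changed upstream: data_dir no longer derives from SM_PATH (the web-served tree) and attachment_dir no longer aliases $data_dir, both now defaulting under /var/local/squirrelmail/. The pkgsrc substitution to @USER_PREFS_DIR@ and @ATTACHMENTS_DIR@ therefore only applies against these exact new lines, which explains the hunk offsets moving from 459/477 to 464/482; confirm that the SUBST filling those placeholders still keeps both directories outside the web root and keeps attachment_dir distinct from data_dir, as the retained context comment ("It should probably be another directory than data_dir") asks.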


