Subject: CVS commit: pkgsrc/mail/squirrelmail
To: None <pkgsrc-changes@NetBSD.org>
From: Martti Kuparinen <martti@netbsd.org>
List: pkgsrc-changes
Date: 02/27/2006 07:12:14
Module Name:	pkgsrc
Committed By:	martti
Date:		Mon Feb 27 07:12:14 UTC 2006

Modified Files:
	pkgsrc/mail/squirrelmail: Makefile PLIST buildlink3.mk distinfo
Removed Files:
	pkgsrc/mail/squirrelmail/patches: patch-ab patch-ac patch-ad patch-ae
	    patch-af patch-ag patch-ah

Log Message:
Updated squirrelmail to 1.4.6

This release is very important, and we strongly advise everybody to
update to the latest release.

Security Update
===============
This version contains a number of security updates that were brought
to our attention via a number of sources.

- In webmail.php, the right_frame parameter was not properly sanitized
  to deal with very lenient browsers, which allowed for cross site
  scripting or frame replacing. [CVE-2006-0188]

- In the MagicHTML function, some very obscure constructs were
  discovered to be exploitable: 'u\rl' was interpreted as 'url' (privacy
  concern), and comments could be inside keywords (allows for cross site
  scripting). Both only affect Internet Explorer users. Found by Martijn
  Brinkers and Scott Hughes. [CVE-2006-0195]

- The function sqimap_mailbox_select did not strip newlines from the
  mailbox parameter, and thereby allowed for IMAP command injection.
  Found by Vicente Aguilera. [CVE-2006-0377]
To generate a diff of this commit:
cvs rdiff -r1.68 -r1.69 pkgsrc/mail/squirrelmail/Makefile
cvs rdiff -r1.16 -r1.17 pkgsrc/mail/squirrelmail/PLIST
cvs rdiff -r1.6 -r1.7 pkgsrc/mail/squirrelmail/buildlink3.mk
cvs rdiff -r1.29 -r1.30 pkgsrc/mail/squirrelmail/distinfo
cvs rdiff -r1.10 -r0 pkgsrc/mail/squirrelmail/patches/patch-ab
cvs rdiff -r1.1 -r0 pkgsrc/mail/squirrelmail/patches/patch-ac \
    pkgsrc/mail/squirrelmail/patches/patch-ad \
    pkgsrc/mail/squirrelmail/patches/patch-ae \
    pkgsrc/mail/squirrelmail/patches/patch-af \
    pkgsrc/mail/squirrelmail/patches/patch-ag \
    pkgsrc/mail/squirrelmail/patches/patch-ah

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
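The IMAP command injection fixed in this release (the sqimap_mailbox_select newline issue, CVE-2006-0377) comes down to a user-controlled mailbox name being spliced into the IMAP command stream unchanged. As an added example, not code from SquirrelMail or pkgsrc, the Python helper below encodes a mailbox name as a single IMAP argument per RFC 3501 and refuses names carrying CR, LF or NUL instead of silently stripping them; the function and exception names are my own.

```python
import re

# Characters allowed in an unquoted IMAP argument (RFC 3501 ASTRING-CHAR):
# no controls, no "(){", space, "%", "*", double quote or backslash.
# Anything else forces the quoted-string form.
_ATOM_SAFE = re.compile(r'^[^\x00-\x1f\x7f(){ %*"\\]+$')


class UnsafeMailboxName(ValueError):
    """Raised when a mailbox name could alter the IMAP command stream."""


def encode_mailbox(name: str) -> str:
    """Encode a user-supplied mailbox name as exactly one IMAP argument.

    CR and LF end an IMAP command line, so a name containing them would
    turn one SELECT into several commands. They are rejected rather than
    stripped: stripping silently changes which mailbox is opened, while
    rejecting surfaces the tampering to the caller (and to the logs).
    """
    if not name:
        raise UnsafeMailboxName("empty mailbox name")
    if any(c in name for c in "\r\n\x00"):
        raise UnsafeMailboxName("control character in mailbox name")
    if not name.isascii():
        # RFC 3501 mailbox names are modified UTF-7, i.e. 7-bit; a quoted
        # string may not carry 8-bit data either, so fail loudly here.
        raise UnsafeMailboxName("mailbox name must be modified UTF-7")
    if _ATOM_SAFE.match(name):
        return name  # plain atom, e.g. INBOX
    # Quoted string: only backslash and double quote need escaping.
    return '"' + name.replace("\\", "\\\\").replace('"', '\\"') + '"'


def select_command(tag: str, name: str) -> str:
    """Build a complete tagged SELECT line; raises on unsafe names."""
    return f"{tag} SELECT {encode_mailbox(name)}\r\n"


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    print(select_command("A001", "INBOX").rstrip())
    print(select_command("A002", "INBOX.Sent Items").rstrip())
    try:
        select_command("A003", "INBOX\r\nextra")
    except UnsafeMailboxName as exc:
        print("rejected:", exc)
```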