pkgsrc-changes: CVS commit: [pkgsrc-2007Q1] pkgsrc/mail/squirrelmail

Subject: CVS commit: [pkgsrc-2007Q1] pkgsrc/mail/squirrelmail
To: None <pkgsrc-changes@NetBSD.org>
From: Geert Hendrickx <ghen@netbsd.org>
List: pkgsrc-changes
Date: 05/10/2007 08:02:31
Module Name:	pkgsrc
Committed By:	ghen
Date:		Thu May 10 08:02:31 UTC 2007

Modified Files:
	pkgsrc/mail/squirrelmail [pkgsrc-2007Q1]: Makefile PLIST distinfo
	pkgsrc/mail/squirrelmail/patches [pkgsrc-2007Q1]: patch-aa

Log Message:
Pullup ticket 2079 - requested by martti
security update for squirrelmail

- pkgsrc/mail/squirrelmail/Makefile			1.83
- pkgsrc/mail/squirrelmail/PLIST			1.21
- pkgsrc/mail/squirrelmail/distinfo			1.36
- pkgsrc/mail/squirrelmail/patches/patch-aa		1.13

   Module Name:	pkgsrc
   Committed By:	martti
   Date:		Thu May 10 06:48:28 UTC 2007

   Modified Files:
	   pkgsrc/mail/squirrelmail: Makefile PLIST distinfo
	   pkgsrc/mail/squirrelmail/patches: patch-aa

   Log Message:
   Updated mail/squirrelmail to 1.4.10

   This version, 1.4.10 is a maintenance release, addressing
   the following problems since 1.4.9a:
   - Some security fixes (see below)
   - Small enhancements
   - A collection of bugfixes and stability enhancements
   (see ChangeLog for a full list)

   Security issues
   ===============

   This release addresses security issues found since the release of 1.4.9a:

   There's an ongoing battle to further secure the HTML filter against malicious
   HTML mail and the browsers that accept almost any malformed piece of HTML.

   This release contains fixes for the following:
   - HTML attachments containing "data:" URLs;
   - Internet Explorer in various versions accepts many permutations of HTML
      and JavaScript in many charsets. We now properly canonicalize the incoming
      HTML to us-ascii before applying further filters. IE only.
   - Request forgery through images. It was possible to include "images" in
      HTML mails which were in fact GET requests for the compose.php page sending
      mail. These images are now properly detected, and the compose form will only
      send mail through a POST request.

   Thanks to Mikhail Markin, Tomas Kuliavas and Michael Jordon for reporting
   (parts of) these issues and working with us to get them resolved.

   These are known as CVE-2007-1262. Further details on SquirrelMail
   vulnerabilities can be found at the following address:

      http://www.squirrelmail.org/security/


To generate a diff of this commit:
cvs rdiff -r1.82 -r1.82.2.1 pkgsrc/mail/squirrelmail/Makefile
cvs rdiff -r1.20 -r1.20.4.1 pkgsrc/mail/squirrelmail/PLIST
cvs rdiff -r1.35 -r1.35.4.1 pkgsrc/mail/squirrelmail/distinfo
cvs rdiff -r1.12 -r1.12.4.1 pkgsrc/mail/squirrelmail/patches/patch-aa

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.