http://www.squirrelmail.org/changelog.php The 1.4.7 release of SquirrelMail fixes several bugs; at least one of them is considered security-relevant.
*** Bug 135922 has been marked as a duplicate of this bug. ***
http://www.squirrelmail.org/security/issue/2006-06-01
http://secunia.com/advisories/20406/

Description: Junker Broke has reported a vulnerability in Squirrelmail, which can be exploited by malicious people to disclose certain sensitive information.

Input passed to the "plugins[]" parameter in functions/plugin.php is not properly sanitised before being used to include files. This can be exploited to include arbitrary files from local resources.

Successful exploitation requires that "register_globals" is enabled and "magic_quotes_gpc" is disabled.

The vulnerability has been reported in version 1.4.6 and prior.

Solution: Apply patch (see vendor advisory).

Provided and/or discovered by: Junker Broke

Original Advisory: http://www.squirrelmail.org/security/issue/2006-06-01
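To make the advisory above concrete, here is an added illustrative PHP sketch of the include pattern it describes and a hardened equivalent. This is not SquirrelMail's own functions/plugin.php code; the function names, the SM_PATH constant, the config/config.php include and the request values are assumptions made for the example. The null-byte explanation of why magic_quotes_gpc must be off is the editor's reading of the advisory's preconditions.

```php
<?php
// Added illustrative example; NOT SquirrelMail's own code.
// Simplified model of a plugin loader that includes plugins/<name>/setup.php
// for every entry in a configuration array called $plugins.

define('SM_PATH', __DIR__ . '/');   // assumption: webmail root directory

// Vulnerable pattern. With register_globals=On, a request such as
//   ?plugins[]=../../../../etc/passwd%00
// populates the global $plugins array before any config is consulted, so the
// loop includes whatever path the attacker supplied. With magic_quotes_gpc
// off the %00 is not escaped, and PHP of that era truncated the path at the
// null byte, dropping the "/setup.php" suffix.
function load_plugins_vulnerable() {
    global $plugins;
    if (!is_array($plugins)) {
        return;
    }
    foreach ($plugins as $name) {
        include_once(SM_PATH . "plugins/$name/setup.php");
    }
}

// Hardened pattern: the plugin list is read from the config file only (never
// from globals), each name is validated against a strict allow-list pattern,
// and the resolved path must stay inside the plugins directory.
function load_plugins_hardened() {
    $plugins = array();
    include(SM_PATH . 'config/config.php'); // assumption: config sets $plugins
    if (!is_array($plugins)) {
        return;
    }
    $base = realpath(SM_PATH . 'plugins');
    foreach ($plugins as $name) {
        // Only plain directory names; rejects "/", "\0", ".." and similar.
        if (!is_string($name) || !preg_match('/^[A-Za-z0-9_]+$/', $name)) {
            trigger_error('Rejected plugin name', E_USER_WARNING);
            continue;
        }
        $setup = realpath($base . '/' . $name . '/setup.php');
        if ($setup === false
            || strpos($setup, $base . DIRECTORY_SEPARATOR) !== 0) {
            continue;   // missing plugin or path escaped the plugins directory
        }
        include_once($setup);
    }
}

// Deployment check: the exploit precondition in the advisory is a PHP setting,
// so report it at runtime regardless of which loader is in use.
function check_php_settings() {
    $problems = array();
    if (ini_get('register_globals')) {
        $problems[] = 'register_globals is On; set it to Off in php.ini';
    }
    return $problems;
}

foreach (check_php_settings() as $p) {
    error_log($p);
}
load_plugins_hardened();
```

Turning register_globals off removes the precondition entirely; the validation in the hardened loader does not rely on magic_quotes_gpc, which only happens to break the null-byte trick rather than fixing the missing input check.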
eradicator, please provide fixed ebuilds or tell us if 1.5.X is ready to go stable. Thanks.
eradicator doesn't respond; someone from net-mail please bump and/or comment.
Committed squirrelmail-1.4.6-r3 with the patch mentioned above.
Arches please test and mark stable.
x86 done... thanks to Ticho for testing...
ppc stable
amd64 stable
* Applying sec-135921.patch ...
* Failed Patch: sec-135921.patch !
* ( /usr/portage/mail-client/squirrelmail/files/sec-135921.patch )
*
* Include in your bugreport the contents of:
*
* /var/tmp/portage/squirrelmail-1.4.6-r3/temp/sec-135921.patch-2795.out

Bugzilla gives me an error when trying to attach the above file; see it at http://pastebin.com/709062
(In reply to comment #10)
> * Applying sec-135921.patch ...
> * Failed Patch: sec-135921.patch !
> * ( /usr/portage/mail-client/squirrelmail/files/sec-135921.patch )
> *
> * Include in your bugreport the contents of:
> *
> * /var/tmp/portage/squirrelmail-1.4.6-r3/temp/sec-135921.patch-2795.out
>
> Bugzilla gives me an error when trying to attach the above file; see it at
> http://pastebin.com/709062

Thorsten, please comment and post your `emerge --info` in bug #136773.
Stable on SPARC.
alpha stable.
Time to vote. I vote a full NO: who has "register_globals=on" nowadays? I guess they don't even read any security advisory...
One more NO. No excuse. We're not the Gentoo Security Education Project...
One more NO and closing. Feel free to reopen if you disagree.