Subject: [SM-ANNOUNCE] SquirrelMail 1.4.10 Released (fwd)
Date: May 9, 2007 11:35:37 AM EDT

Hello All,

The SquirrelMail Project Team is proud to announce the release of SquirrelMail 1.4.10. This version is a security release.

This version, 1.4.10, is a maintenance release, addressing the following problems since 1.4.9a:
- Some security fixes (see below)
- Small enhancements
- A collection of bugfixes and stability enhancements (see ChangeLog for a full list)

Security issues
===============

This release addresses security issues found since the release of 1.4.9a:

There's an ongoing battle to further secure the HTML filter against malicious HTML mail and the browsers that accept almost any malformed piece of HTML. This release contains fixes for the following:
- HTML attachments containing "data:" URLs;
- Internet Explorer in various versions accepts many permutations of HTML and JavaScript in many charsets. We now properly canonicalize the incoming HTML to us-ascii before applying further filters. IE only.
- Request forgery through images. It was possible to include "images" in HTML mails which were in fact GET requests for the compose.php page sending mail. These images are now properly detected, and the compose form will only send mail through a POST request.

Thanks to Mikhail Markin, Tomas Kuliavas and Michael Jordon for reporting (parts of) these issues and working with us to get them resolved. These are known as CVE-2007-1262.

Further details on SquirrelMail vulnerabilities can be found at the following address:
http://www.squirrelmail.org/security/

Package md5sums
===============
1c40402a805ee316c157f7ae71d653d6 squirrelmail-1.4.10.tar.gz
6e3ab93e8c3854ba84a03df256ed0f7d squirrelmail-1.4.10.tar.bz2
0768994841d87fe07bd04df0edb15bea squirrelmail-1.4.10.zip

Download at: http://www.squirrelmail.org/download.php

Happy SquirrelMailing!

--
Thijs Kinkhorst
SquirrelMail Project Team
-------------------------------------------------------------------------
squirrelmail-announce mailing list
List Address: squirrelmail-announce@lists.sourceforge.net
List Info: https://lists.sourceforge.net/lists/listinfo/squirrelmail-announce
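The three fixes in the announcement above (data: URLs, canonicalizing attribute values to plain ASCII before filtering, and refusing "image" requests aimed at compose.php while the compose action only sends on POST) are illustrated here by an added, simplified filter. This is example code written for this page, not SquirrelMail's own filter; the host name mail.example.org, the script name compose.php as the match target, and the sample HTML are assumptions/constructed inputs.

```python
import html
import re
import unicodedata
from urllib.parse import urlsplit

# Assumptions (not from the advisory): the webmail host and the compose
# script name; SquirrelMail's real filter is considerably more involved.
WEBMAIL_HOST = "mail.example.org"
COMPOSE_SCRIPT = "compose.php"
BLOCKED_SCHEMES = {"data", "javascript", "vbscript"}

def canonicalize(value):
    """Fold an attribute value to lower-case plain ASCII before checking it:
    decode entities twice (mail is often double-encoded), fold compatibility
    forms such as fullwidth letters with NFKC, then drop the control
    characters and whitespace that IE skips inside a scheme name."""
    text = unicodedata.normalize("NFKC", html.unescape(html.unescape(value)))
    text = text.encode("ascii", "ignore").decode("ascii")
    return re.sub(r"[\x00-\x20\x7f]", "", text).lower()

def url_is_unsafe(raw_url):
    """True for data:/script URLs and for 'images' whose src is really a GET
    request to the compose script (the request-forgery vector in the advisory)."""
    try:
        parts = urlsplit(canonicalize(raw_url))
    except ValueError:          # unparsable URL: refuse rather than guess
        return True
    if parts.scheme in BLOCKED_SCHEMES:
        return True
    same_origin = parts.hostname in (None, WEBMAIL_HOST)
    return same_origin and parts.path.endswith(COMPOSE_SCRIPT)

ATTR_RE = re.compile(
    r"""(\b(?:src|href|background)\s*=\s*)("[^"]*"|'[^']*'|[^\s>]+)""", re.I)

def sanitize_html(fragment):
    """Replace unsafe URLs in src/href/background attributes with about:blank."""
    def replace(match):
        prefix, value = match.groups()
        quote = value[0] if value[0] in "\"'" else ""
        url = value[1:-1] if quote else value
        if url_is_unsafe(url):
            return f"{prefix}{quote}about:blank{quote}"
        return match.group(0)
    return ATTR_RE.sub(replace, fragment)

def compose_may_send(method):
    """Server side of the same fix: mail is only sent on a POST, so an <img>
    fetch (always a GET) can never trigger the compose action."""
    return method.upper() == "POST"
```

The canonicalize step is what defeats entity-encoded, whitespace-split or fullwidth spellings of a scheme; without it the scheme comparison sees a different string than the browser does.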
From: Thijs Kinkhorst <kink@squirrelmail.org>
To: squirrelmail-announce@lists.sourceforge.net
Cc: squirrelmail-plugins@lists.sourceforge.net, squirrelmail-users@lists.sourceforge.net, squirrelmail-devel@lists.sourceforge.net
Date: Thu, 10 May 2007 11:09:07 +0200
Subject: [SM-ANNOUNCE] SquirrelMail 1.4.10 Updated (1.4.10a)

Hello All,

Shortly after the release of SquirrelMail 1.4.10, a regression in the compose form was discovered. Unfortunately the limited disclosure of security patches does not allow for public testing, so this regression went unnoticed. We're sorry for the inconvenience.

If you've already downloaded and installed version 1.4.10, a patch for 1.4.10a is available here:
http://www.squirrelmail.org/patches/1.4.10-security/1.4.10-1.4.10a.patch

If you've not yet updated to 1.4.10, you can continue straight on to 1.4.10a.

Package md5sums
===============
d06c473c83e756493ad8ebe94d8d803b squirrelmail-1.4.10a.tar.gz
298aaa1811b3fb40a803a6f57b22be20 squirrelmail-1.4.10a.tar.bz2
feedb1456d03c4e9723e9b32318aa636 squirrelmail-1.4.10a.zip

Download at: http://www.squirrelmail.org/download.php

Happy SquirrelMailing!

--
Thijs Kinkhorst
SquirrelMail Project Team
Installed 1.4.10a, the only change in the ebuild is the version. And it's working correctly, as far as I can tell.
I'm working on getting 1.4.10a and an updated 1.5.1 with the fixes in portage now...
1.4.10a is in portage now, and archs should start testing it to mark stable. Unfortunately the upstream patch for 1.5.1 doesn't even apply to their 1.5.1 tarball. There are also other issues wrt php-5.2 and sm-1.5.1, so I think I'm just going to snag a cvs snapshot of 1.5.2 to replace 1.5.1-r2. I'll be testing it here over the next day or so before I commit that (which affects ~arch)
Thx Jeremy. Arches please test and mark stable. Target keywords are:
squirrelmail-1.4.10a.ebuild: KEYWORDS="alpha amd64 ppc ppc64 sparc x86"
ppc64 stable
ppc stable
x86 done
I made my own patch for 1.5.1 since upstream's is against some unknown version (even though it's reported as 1.5.1) and HEAD is just too unstable to replace it right now... so once 1.4.10a has the target keywords, we're good to go...
amd64 stable
alpha stable
sparc stable.
Time for GLSA vote. I tend to vote NO.
1.5.1-r4 has been added to portage which addresses this bug as well as fixing:
CVE-2006-4019 - Gentoo bug #139273
CVE-2006-6142 - Gentoo bug #156949
which were never fixed in 1.5.1!
I'd say no. SM is the middleman here. IE is the one with the security vulnerabilities.
I vote no.
Thx everyone. Closing with NO GLSA.
just for the logs: i'm actually pro-glsa. we issued advisories for less critical XSS issues (keep in mind that squirrelmail may be used as an important part of the infrastructure in a company - potentially with IE clients, so we should care about IE even though we are a linux distri). the CSRF: i sure wouldn't want anybody to be able to send emails from my account when i view a malicious email.
Feel free to reopen if you disagree and we'll vote again.