Comment 1 Jakub Moc (RETIRED) 2006-07-05 02:07:37 UTC

> It includes a minor security fix

Already patched (Bug 135921), no job for security here.

Created attachment 91615 [details, diff]
Squirrelmail 1.4.6-r3 to 1.4.7 ebuild diff

The epatch lines in .ebuild was deleted because 1.4.7 integrates the security fix entirely.

No other changes required, as no plugins were obsoleted when going from 1.4.6 to 1.4.7. No other functionality changes, either, as this is a minor, incremental bug fix release.

Tested in local portage overlay repository by copying 1.4.6-r3 ebuild to 1.4.7, applying the proposed ebuild patch, running ebuild digest on the ebuild, then a normal emerge subversion.

It worked correctly post-installation as well.

ping - the 1.4.7 has not just the backported security-fix, there also some other features/fixes ... plz bump

Comment 4 Stefan Cornelius (RETIRED) 2006-08-09 14:42:24 UTC

indeed, please bump

Comment 5 Tuan Van (RETIRED) 2006-08-09 17:30:28 UTC

I commited 1.4.7 on behalf of net-mail team as eradicator has been MIA.

Thanks,
Tuan

Comment 6 Stefan Cornelius (RETIRED) 2006-08-09 23:14:50 UTC

arches, please test and stable 1.4.7, thank you

Comment 7 Sune Kloppenborg Jeppesen (RETIRED) 2006-08-10 01:33:36 UTC

@jakub: It appears that we didn't fix the following issue mentioned in the changelog:

  - Security: Possible cookie theft in src/redirect.php if
    register_globals is enabled, and malicous site is running
    in same domain.

Comment 8 Joshua Jackson (RETIRED) 2006-08-10 21:43:46 UTC

1.4.7 ate my mail ;) I didn't want it anyways on x86 ^.^;;

Comment 9 Markus Rothe (RETIRED) 2006-08-11 06:08:15 UTC

ppc64 stable

Comment 10 Stefan Cornelius (RETIRED) 2006-08-11 07:38:42 UTC

1.4.8 was released, including yet another security fix. Tuan, could you do some bumping magic again?

Comment 11 Tuan Van (RETIRED) 2006-08-11 09:21:52 UTC

(In reply to comment #10)
> 1.4.8 was released, including yet another security fix. Tuan, could you do some
> bumping magic again?
> 

done. back to you. thanks.

Comment 12 Tobias Scherbaum (RETIRED) 2006-08-11 14:09:59 UTC

1.4.8 ppc stable

Comment 13 Stefan Cornelius (RETIRED) 2006-08-12 02:45:42 UTC

Arches, please test and stable squirrelmail 1.4.8. And lets hope that they dont issue another patch while we try to get this one stable ;)

Comment 14 Andrej Kacian (RETIRED) 2006-08-12 05:35:48 UTC

x86 done

Comment 15 Markus Rothe (RETIRED) 2006-08-12 07:16:38 UTC

ppc64 stable

Comment 16 Jason Wever (RETIRED) 2006-08-12 09:21:22 UTC

As my poppa used to say, the only thing better than one SPARC keyword is five SPARC keywords.

Created attachment 94071 [details]
emerge --info

working fine on amd64 :)

Comment 18 Thomas Cort (RETIRED) 2006-08-12 10:36:54 UTC

amd64 stable.

Comment 19 Thomas Cort (RETIRED) 2006-08-12 20:23:58 UTC

alpha stable.

Comment 20 Raphael Marichez (Falco) (RETIRED) 2006-08-16 01:42:14 UTC

time to vote

CVE-2006-3665 (fixed in 1.4.7) deals with "register_global=on" and i don't want to hear about a glsa for this.


 - Security: Make sure that code only sets those variables that are needed in
    compose and are not already set. Thanks James Bercegay from GulfTech for
    pointing this out. [CVE-2006-4019]

I hardly understand the impact.

I vote no-glsa.

Comment 21 Sune Kloppenborg Jeppesen (RETIRED) 2006-08-19 09:03:31 UTC

Voting a full NO and closing.

Feel free to reopen if you disagree.

Comment 22 Jeremy Huddleston (RETIRED) 2007-05-21 17:17:14 UTC

This was marked as closed but was never fixed for ~arch.  1.5.1-r4 contains the fix.