1.4.7 was released yesterday. 1.4.6-r3 is the current stable version in Portage. It includes a minor security fix, and contains mostly minor bug fixes. No API changes or any major changes were made. The ChangeLog is at: http://www.squirrelmail.org/changelog.php Version bump is requested. Thanks!
> It includes a minor security fix
Already patched (Bug 135921), no job for security here.
Created attachment 91615: Squirrelmail 1.4.6-r3 to 1.4.7 ebuild diff
The epatch lines in .ebuild were deleted because 1.4.7 integrates the security fix entirely. No other changes required, as no plugins were obsoleted when going from 1.4.6 to 1.4.7. No other functionality changes, either, as this is a minor, incremental bug fix release. Tested in local portage overlay repository by copying 1.4.6-r3 ebuild to 1.4.7, applying the proposed ebuild patch, running ebuild digest on the ebuild, then a normal emerge subversion. It worked correctly post-installation as well.
ping - the 1.4.7 has not just the backported security-fix, there are also some other features/fixes ... plz bump
indeed, please bump
I committed 1.4.7 on behalf of net-mail team as eradicator has been MIA. Thanks, Tuan
arches, please test and stable 1.4.7, thank you
@jakub: It appears that we didn't fix the following issue mentioned in the changelog:
- Security: Possible cookie theft in src/redirect.php if register_globals is enabled, and malicious site is running in same domain.
1.4.7 ate my mail ;) I didn't want it anyways on x86 ^.^;;
ppc64 stable
1.4.8 was released, including yet another security fix. Tuan, could you do some bumping magic again?
(In reply to comment #10)
> 1.4.8 was released, including yet another security fix. Tuan, could you do some
> bumping magic again?
done. back to you. thanks.
1.4.8 ppc stable
Arches, please test and stable squirrelmail 1.4.8. And let's hope that they don't issue another patch while we try to get this one stable ;)
x86 done
As my poppa used to say, the only thing better than one SPARC keyword is five SPARC keywords.
Created attachment 94071: emerge --info
working fine on amd64 :)
amd64 stable.
alpha stable.
time to vote
CVE-2006-3665 (fixed in 1.4.7) deals with "register_global=on" and I don't want to hear about a glsa for this.
- Security: Make sure that code only sets those variables that are needed in compose and are not already set. Thanks James Bercegay from GulfTech for pointing this out. [CVE-2006-4019]
I hardly understand the impact. I vote no-glsa.
Voting a full NO and closing. Feel free to reopen if you disagree.
This was marked as closed but was never fixed for ~arch. 1.5.1-r4 contains the fix.