Bug 123863 - squirrelmail 1.4.6 version bump
Summary: squirrelmail 1.4.6 version bump
Status: RESOLVED DUPLICATE of bug 123781
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High major
Assignee: Gentoo Linux bug wranglers
URL: http://www.squirrelmail.org/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-02-23 14:44 UTC by coran.fisher@gmail.com
Modified: 2006-02-23 14:47 UTC

See Also:
Package list:
Runtime testing required: ---


Description coran.fisher@gmail.com 2006-02-23 14:44:18 UTC
contents of release email:
"It is my proud pleasure to announce the final release of SquirrelMail
1.4.6.  

This release is very important, and we strongly advise everybody to
update to the latest release.

Security Update
===============
This version contains a number of security updates that were brought
to our attention via a number of sources.

- In webmail.php, the right_frame parameter was not properly sanitized
  to deal with very lenient browsers, which allowed for cross site
  scripting or frame replacing. [CVE-2006-0188]

- In the MagicHTML function, some very obscure constructs were
  discovered to be exploitable: 'u\rl' was interpreted as 'url' (privacy
  concern), and comments could be inside keywords (allows for cross site
  scripting). Both only affect Internet Explorer users. Found by Martijn
  Brinkers and Scott Hughes. [CVE-2006-0195]

- The function sqimap_mailbox_select did not strip newlines from the
  mailbox parameter, and thereby allowed for IMAP command injection.
  Found by Vicente Aguilera. [CVE-2006-0377]

Further details on SquirrelMail vulnerabilities can be found at the
following address:

  http://www.squirrelmail.org/security/

We strongly encourage any persons uncovering Security issues to
contact the SquirrelMail team via security@squirrelmail.org.

In This Release
===============
This release contains mostly bug fixes, including corrections for PHP
behaviour changes in file handling, and some data types. Especially
running SquirrelMail on the most recent PHP versions should be much
improved.

For further information about the changes involved in this release,
please see the ChangeLog and ReleaseNotes files included with the
release.


The latest release can be downloaded from the SquirrelMail website at
http://www.squirrelmail.org/download.php

Happy SquirrelMailing
The SquirrelMail development Team
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2006-02-23 14:47:00 UTC

*** This bug has been marked as a duplicate of 123781 ***