Bug 200073 - Squirrelmail 1.4.7 fixes several issues
Squirrelmail 1.4.7 fixes several issues
Product: Fedora Legacy
Classification: Retired
Component: squirrelmail (Show other bugs)
noarch Linux
medium Severity medium
: ---
: ---
Assigned To: Fedora Legacy Bugs
: 200074 (view as bug list)
Depends On:
  Show dependency treegraph
Reported: 2006-07-25 06:56 EDT by Nils Breunese
Modified: 2007-08-30 16:07 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-08-30 16:07:25 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Nils Breunese 2006-07-25 06:56:22 EDT
Description of problem:

Squirrelmail 1.4.7 was released on July 4th 2006 which contains several fixes:

  - Security: Possible cookie theft in src/redirect.php if
    register_globals is enabled, and malicous site is running
    in same domain.
  - Fixed that loading the options page always loaded the prefs
    initial_value on display, instead of the users' value.
  - Enabled Ukrainian translation after updates by Serhij Dubyk.
  - Fixed from address in case of MDN receipts (patch from Dimitar Pashev).
  - Correct variable typo, causing Bogus sequence in FETCH errors (#1460338).
  - Reduce references header in a smart way to avoid "header too long"
    errors from SMTP servers in really long threads (#1167754, #1465342).
  - Undo extra sanitizing in decodeHeader() function (#1460638).
  - Added workaround for broken OpenBSD 3.8+ setlocale() function (#1427512).
  - Fixed session lockups on large attachment downloads.
  - Fixed bug_report plugin connections to mapped and secured IMAP servers.
  - Fixed possibility to use single quote in provider name (#1475744).
  - Improved error handling for the help pages.
  - Added new color themes by Jeremy Landes, Tammi Maggard and Lucas Austin-Howe
    (#1378332), (#1377567), (#1377529), (#1377528), (#1377527), (#1377526),
    (#1377525), (#1393188).
  - Removed invalid $sendmail_path check in configuration utility.
  - Backported calendar plugin updates from devel branch. Fixed display of 
    multiline events (#1291081) and sanitizing of quotes (#705796). Fixed
    possible calendar corruption, when events contain special formating 
    characters. Moved html sanitizing from backend functions to display 
    code. Removed direct access to $_GET and $_POST variables and 
    simplified form variable processing.
  - Fixed some mailbox caching issues, when messages are deleted or moved 
    not in first mailbox page. Fixed use of mailbox cache in right_main.php 
  - Stop URL parsing, if 8bit symbols or HTML entities are detected (#1356798).
  - Improve recovery when EHLO not supported on legacy SMTP servers
  - Don't move messages when target mailbox matches source mailbox (#1409453).
  - Sanitized IMAP folder names in error_message() function and filters plugin.
  - Take X-Forwarded-Host HTTP header in consideration when constructing
    base_uri for redirects; reduces problems with transparent proxies
  - Don't use trailing delimiter when sqimap_mailbox_create() subscribes
    newly created mailbox.
  - Undefined variable in src/right_main.php.
  - Security: Local file inclusion in functions/plugin.php with
    register_globals enabled, and magic_quotes disabled (reported by Denix
    Solutions). [CVE-2006-2842]
  - Add note to conf.pl / config_default.php to warn users that set
    sensitive passwords in that file to properly secure it.
  - Prevent modifications in advanced identities, when editing of
    identities is disabled.
  - Fix incorrect parsing of From with nested parentheses (#1241506).
  - Tightened code in search.php for disputed security report. We don't
    believe this is exploitable, but the code is tightened anyway.
Comment 1 Matthew Miller 2006-07-25 08:46:54 EDT
*** Bug 200074 has been marked as a duplicate of this bug. ***
Comment 2 Matthew Miller 2006-07-25 08:48:42 EDT
-> Legacy. Thanks!
Comment 3 Nils Breunese 2006-07-25 08:59:52 EDT
I reported this against FC2, but since it's a noarch package it probably 
affects all releases. I didn't know how to set this though, sorry.
Comment 4 Nils Breunese 2006-07-25 09:00:49 EDT
Since FC1 and FC2 will be EOL tomorrow, we can't expect any updated packages 
for those releases?
Comment 5 Matthew Miller 2006-07-25 11:37:29 EDT
Pretty unlikely, yeah. Although perhaps anything reported before the EOL date
oughta get an update; I don't think the policy is clear on that.

Anyway, I'm going to move this to "unspecified" given comment #3.
Comment 6 Nils Breunese 2006-08-11 14:33:09 EDT
1.4.8 was released today:

"The SquirrelMail Project Team is proud to announce the release of SquirrelMail 

This release contains an important security fix where a logged-in user could 
overwrite variables, and a collection of regular bugfixes. Details on all the 
changes in this release can be found in the ChangeLog. 

There's also two patches available against the 1.4.7 release for just the 
security issue: a minimal one (http://www.squirrelmail.org/patches/sqm1.4.7-
expired-post-fix-minimal.patch)  removes the function, because it was broken 
anyway, or more extended one (http://www.squirrelmail.org/patches/sqm1.4.7-
expired-post-fix-full.patch) which fixes the functionality and closes the hole."

Version 1.4.8 - CVS
  - Fixed URL for Read Receipts being incorrect in some cases (#1177518).
  - Fixed endless loop when trying to parse "From: )(" (#1517867).
  - Using is_file() instead of file_exists() in fortune plugin (#1499134).
  - Add manual page for conf.pl under contrib.
  - Don't allow selecting INBOX as Sent, Draft or Trash folder (#1242346).
  - Fixed spamcop web based reporting form (#1519673).
  - Session cookies are turned on, if session.use_cookies is turned off
    in PHP configuration (#1518885).
  - Cleaned whitespace in output buffer when plugins are loaded (#1291209).
  - Removed conf.pl dependency on Perl IO::Socket module. Automatic detection
    of supported authentication mechanisms is disabled, if IO::Socket is not
  - Make the base for the SquirrelMail URL configurable. Adds a new variable
    config_base_location to config.php and a new option to conf.pl. This is
    to prevent problems in installs where our heuristic doesn't work
    correctly (#1521299, #1460675, #1110064, #1000850, #1113791).
  - Fixed mailbox and header sanitizing in src/search.php.
  - Handle IMAP copy errors in filters plugin. Added $handle_errors option
    and boolean return in sqimap_messages_copy() function (#1520437).
  - Improved register_globals=on handling code in order to prevent possible
    variable corruption.
  - Fixed use of $version in config.php file (#1527870).
  - Fixed IMAP folder creation in euc-kr, big5 and gb2312 translations 
  - Configuration utility does not allow 8bit symbols in IMAP folder names
  - Removed HTTP Status header from signout page (#1424748).
  - Added command execution status check in SendMail delivery class (#1374174).
  - Added $sendmail_args configuration option (#1365779).
  - Fixed resuming of compose when session expired while writing, and make
    sure the code only sets those variables that are needed in compose and
    are not already set. Thanks James Bercegay from GulfTech for pointing
    this out.
  - Fixed subscription of new 'noselect' folders (#1315912).
  - Moving the development documentation to the documentation module.
  - Drop dead code in validate.php once used for some old obscure bug.
Comment 7 Warren Togami 2006-08-11 15:29:12 EDT
My plan is to push rawhide's 1.4.8, which contains a large number of language
specific fixes to both RHEL3 and RHEL4 eventually.  I am pushing it to FC5
updates soon.

I know the version upgrade violates Legacy rules, but Legacy may want to
consider an exception for the sake of time and labor limitations, and the fact
that this package will be used pretty much everywhere.

Of course wait a while for it to be tested and verified first.
Comment 8 Jesse Keating 2007-08-30 16:07:25 EDT
Fedora Legacy project has ended.  These will not be fixed by Fedora Legacy.

Note You need to log in before you can comment on or make changes to this bug.