Description of problem: Squirrelmail 1.4.7 was released on July 4th 2006 which contains several fixes: - Security: Possible cookie theft in src/redirect.php if register_globals is enabled, and malicous site is running in same domain. - Fixed that loading the options page always loaded the prefs initial_value on display, instead of the users' value. - Enabled Ukrainian translation after updates by Serhij Dubyk. - Fixed from address in case of MDN receipts (patch from Dimitar Pashev). - Correct variable typo, causing Bogus sequence in FETCH errors (#1460338). - Reduce references header in a smart way to avoid "header too long" errors from SMTP servers in really long threads (#1167754, #1465342). - Undo extra sanitizing in decodeHeader() function (#1460638). - Added workaround for broken OpenBSD 3.8+ setlocale() function (#1427512). - Fixed session lockups on large attachment downloads. - Fixed bug_report plugin connections to mapped and secured IMAP servers. - Fixed possibility to use single quote in provider name (#1475744). - Improved error handling for the help pages. - Added new color themes by Jeremy Landes, Tammi Maggard and Lucas Austin-Howe (#1378332), (#1377567), (#1377529), (#1377528), (#1377527), (#1377526), (#1377525), (#1393188). - Removed invalid $sendmail_path check in configuration utility. - Backported calendar plugin updates from devel branch. Fixed display of multiline events (#1291081) and sanitizing of quotes (#705796). Fixed possible calendar corruption, when events contain special formating characters. Moved html sanitizing from backend functions to display code. Removed direct access to $_GET and $_POST variables and simplified form variable processing. - Fixed some mailbox caching issues, when messages are deleted or moved not in first mailbox page. Fixed use of mailbox cache in right_main.php (#1304408). - Stop URL parsing, if 8bit symbols or HTML entities are detected (#1356798). - Improve recovery when EHLO not supported on legacy SMTP servers (#1031455). - Don't move messages when target mailbox matches source mailbox (#1409453). - Sanitized IMAP folder names in error_message() function and filters plugin. - Take X-Forwarded-Host HTTP header in consideration when constructing base_uri for redirects; reduces problems with transparent proxies (#1488590). - Don't use trailing delimiter when sqimap_mailbox_create() subscribes newly created mailbox. - Undefined variable in src/right_main.php. - Security: Local file inclusion in functions/plugin.php with register_globals enabled, and magic_quotes disabled (reported by Denix Solutions). [CVE-2006-2842] - Add note to conf.pl / config_default.php to warn users that set sensitive passwords in that file to properly secure it. - Prevent modifications in advanced identities, when editing of identities is disabled. - Fix incorrect parsing of From with nested parentheses (#1241506). - Tightened code in search.php for disputed security report. We don't believe this is exploitable, but the code is tightened anyway. [CVE-2006-3174]
*** Bug 200074 has been marked as a duplicate of this bug. ***
-> Legacy. Thanks!
I reported this against FC2, but since it's a noarch package it probably affects all releases. I didn't know how to set this though, sorry.
Since FC1 and FC2 will be EOL tomorrow, we can't expect any updated packages for those releases?
Pretty unlikely, yeah. Although perhaps anything reported before the EOL date oughta get an update; I don't think the policy is clear on that. Anyway, I'm going to move this to "unspecified" given comment #3.
1.4.8 was released today: "The SquirrelMail Project Team is proud to announce the release of SquirrelMail 1.4.8. This release contains an important security fix where a logged-in user could overwrite variables, and a collection of regular bugfixes. Details on all the changes in this release can be found in the ChangeLog. There's also two patches available against the 1.4.7 release for just the security issue: a minimal one (http://www.squirrelmail.org/patches/sqm1.4.7- expired-post-fix-minimal.patch) removes the function, because it was broken anyway, or more extended one (http://www.squirrelmail.org/patches/sqm1.4.7- expired-post-fix-full.patch) which fixes the functionality and closes the hole." Version 1.4.8 - CVS ------------------- - Fixed URL for Read Receipts being incorrect in some cases (#1177518). - Fixed endless loop when trying to parse "From: )(" (#1517867). - Using is_file() instead of file_exists() in fortune plugin (#1499134). - Add manual page for conf.pl under contrib. - Don't allow selecting INBOX as Sent, Draft or Trash folder (#1242346). - Fixed spamcop web based reporting form (#1519673). - Session cookies are turned on, if session.use_cookies is turned off in PHP configuration (#1518885). - Cleaned whitespace in output buffer when plugins are loaded (#1291209). - Removed conf.pl dependency on Perl IO::Socket module. Automatic detection of supported authentication mechanisms is disabled, if IO::Socket is not available. - Make the base for the SquirrelMail URL configurable. Adds a new variable config_base_location to config.php and a new option to conf.pl. This is to prevent problems in installs where our heuristic doesn't work correctly (#1521299, #1460675, #1110064, #1000850, #1113791). - Fixed mailbox and header sanitizing in src/search.php. - Handle IMAP copy errors in filters plugin. Added $handle_errors option and boolean return in sqimap_messages_copy() function (#1520437). - Improved register_globals=on handling code in order to prevent possible variable corruption. - Fixed use of $version in config.php file (#1527870). - Fixed IMAP folder creation in euc-kr, big5 and gb2312 translations (#1005353). - Configuration utility does not allow 8bit symbols in IMAP folder names (#1485501). - Removed HTTP Status header from signout page (#1424748). - Added command execution status check in SendMail delivery class (#1374174). - Added $sendmail_args configuration option (#1365779). - Fixed resuming of compose when session expired while writing, and make sure the code only sets those variables that are needed in compose and are not already set. Thanks James Bercegay from GulfTech for pointing this out. - Fixed subscription of new 'noselect' folders (#1315912). - Moving the development documentation to the documentation module. - Drop dead code in validate.php once used for some old obscure bug.
My plan is to push rawhide's 1.4.8, which contains a large number of language specific fixes to both RHEL3 and RHEL4 eventually. I am pushing it to FC5 updates soon. I know the version upgrade violates Legacy rules, but Legacy may want to consider an exception for the sake of time and labor limitations, and the fact that this package will be used pretty much everywhere. Of course wait a while for it to be tested and verified first.
Fedora Legacy project has ended. These will not be fixed by Fedora Legacy.