Red Hat Bugzilla – Bug 200073
Squirrelmail 1.4.7 fixes several issues
Last modified: 2007-08-30 16:07:25 EDT
Description of problem:
Squirrelmail 1.4.7 was released on July 4th 2006 which contains several fixes:
- Security: Possible cookie theft in src/redirect.php if
register_globals is enabled, and malicous site is running
in same domain.
- Fixed that loading the options page always loaded the prefs
initial_value on display, instead of the users' value.
- Enabled Ukrainian translation after updates by Serhij Dubyk.
- Fixed from address in case of MDN receipts (patch from Dimitar Pashev).
- Correct variable typo, causing Bogus sequence in FETCH errors (#1460338).
- Reduce references header in a smart way to avoid "header too long"
errors from SMTP servers in really long threads (#1167754, #1465342).
- Undo extra sanitizing in decodeHeader() function (#1460638).
- Added workaround for broken OpenBSD 3.8+ setlocale() function (#1427512).
- Fixed session lockups on large attachment downloads.
- Fixed bug_report plugin connections to mapped and secured IMAP servers.
- Fixed possibility to use single quote in provider name (#1475744).
- Improved error handling for the help pages.
- Added new color themes by Jeremy Landes, Tammi Maggard and Lucas Austin-Howe
(#1378332), (#1377567), (#1377529), (#1377528), (#1377527), (#1377526),
- Removed invalid $sendmail_path check in configuration utility.
- Backported calendar plugin updates from devel branch. Fixed display of
multiline events (#1291081) and sanitizing of quotes (#705796). Fixed
possible calendar corruption, when events contain special formating
characters. Moved html sanitizing from backend functions to display
code. Removed direct access to $_GET and $_POST variables and
simplified form variable processing.
- Fixed some mailbox caching issues, when messages are deleted or moved
not in first mailbox page. Fixed use of mailbox cache in right_main.php
- Stop URL parsing, if 8bit symbols or HTML entities are detected (#1356798).
- Improve recovery when EHLO not supported on legacy SMTP servers
- Don't move messages when target mailbox matches source mailbox (#1409453).
- Sanitized IMAP folder names in error_message() function and filters plugin.
- Take X-Forwarded-Host HTTP header in consideration when constructing
base_uri for redirects; reduces problems with transparent proxies
- Don't use trailing delimiter when sqimap_mailbox_create() subscribes
newly created mailbox.
- Undefined variable in src/right_main.php.
- Security: Local file inclusion in functions/plugin.php with
register_globals enabled, and magic_quotes disabled (reported by Denix
- Add note to conf.pl / config_default.php to warn users that set
sensitive passwords in that file to properly secure it.
- Prevent modifications in advanced identities, when editing of
identities is disabled.
- Fix incorrect parsing of From with nested parentheses (#1241506).
- Tightened code in search.php for disputed security report. We don't
believe this is exploitable, but the code is tightened anyway.
*** Bug 200074 has been marked as a duplicate of this bug. ***
-> Legacy. Thanks!
I reported this against FC2, but since it's a noarch package it probably
affects all releases. I didn't know how to set this though, sorry.
Since FC1 and FC2 will be EOL tomorrow, we can't expect any updated packages
for those releases?
Pretty unlikely, yeah. Although perhaps anything reported before the EOL date
oughta get an update; I don't think the policy is clear on that.
Anyway, I'm going to move this to "unspecified" given comment #3.
1.4.8 was released today:
"The SquirrelMail Project Team is proud to announce the release of SquirrelMail
This release contains an important security fix where a logged-in user could
overwrite variables, and a collection of regular bugfixes. Details on all the
changes in this release can be found in the ChangeLog.
There's also two patches available against the 1.4.7 release for just the
security issue: a minimal one (http://www.squirrelmail.org/patches/sqm1.4.7-
expired-post-fix-minimal.patch) removes the function, because it was broken
anyway, or more extended one (http://www.squirrelmail.org/patches/sqm1.4.7-
expired-post-fix-full.patch) which fixes the functionality and closes the hole."
Version 1.4.8 - CVS
- Fixed URL for Read Receipts being incorrect in some cases (#1177518).
- Fixed endless loop when trying to parse "From: )(" (#1517867).
- Using is_file() instead of file_exists() in fortune plugin (#1499134).
- Add manual page for conf.pl under contrib.
- Don't allow selecting INBOX as Sent, Draft or Trash folder (#1242346).
- Fixed spamcop web based reporting form (#1519673).
- Session cookies are turned on, if session.use_cookies is turned off
in PHP configuration (#1518885).
- Cleaned whitespace in output buffer when plugins are loaded (#1291209).
- Removed conf.pl dependency on Perl IO::Socket module. Automatic detection
of supported authentication mechanisms is disabled, if IO::Socket is not
- Make the base for the SquirrelMail URL configurable. Adds a new variable
config_base_location to config.php and a new option to conf.pl. This is
to prevent problems in installs where our heuristic doesn't work
correctly (#1521299, #1460675, #1110064, #1000850, #1113791).
- Fixed mailbox and header sanitizing in src/search.php.
- Handle IMAP copy errors in filters plugin. Added $handle_errors option
and boolean return in sqimap_messages_copy() function (#1520437).
- Improved register_globals=on handling code in order to prevent possible
- Fixed use of $version in config.php file (#1527870).
- Fixed IMAP folder creation in euc-kr, big5 and gb2312 translations
- Configuration utility does not allow 8bit symbols in IMAP folder names
- Removed HTTP Status header from signout page (#1424748).
- Added command execution status check in SendMail delivery class (#1374174).
- Added $sendmail_args configuration option (#1365779).
- Fixed resuming of compose when session expired while writing, and make
sure the code only sets those variables that are needed in compose and
are not already set. Thanks James Bercegay from GulfTech for pointing
- Fixed subscription of new 'noselect' folders (#1315912).
- Moving the development documentation to the documentation module.
- Drop dead code in validate.php once used for some old obscure bug.
My plan is to push rawhide's 1.4.8, which contains a large number of language
specific fixes to both RHEL3 and RHEL4 eventually. I am pushing it to FC5
I know the version upgrade violates Legacy rules, but Legacy may want to
consider an exception for the sake of time and labor limitations, and the fact
that this package will be used pretty much everywhere.
Of course wait a while for it to be tested and verified first.
Fedora Legacy project has ended. These will not be fixed by Fedora Legacy.