* SECURITY UPDATE: XSS and CSRF in various areas, local file inclusion,
variable overwriting.
* src/compose.php, src/right_main.php, src/login.php, src/mailto.php,
src/redirect.php, src/webmail.php, src/mime.php: back-ported fixes for
XSS in compose, draft and HTML mail. (CVE-2006-6142) http://www.squirrelmail.org/security/issue/2006-12-02
* functions/mime.php, src/compose.php, src/view_text.php: back-ported fixes
for XSS in HTML filter (CVE-2007-1262) http://www.squirrelmail.org/security/issue/2007-05-09
* functions/global.php: back-ported fixes for local file inclusion.
(CVE-2006-2842) http://www.squirrelmail.org/security/issue/2006-06-01
* functions/auth.php, src/compose.php, src/login.php, src/redirect.php,
src/webmail.php: back-ported fixes for variable overwriting.
(CVE-2006-4019) http://www.squirrelmail.org/security/issue/2006-08-11
* New upstream release.
* Includes the following security fixes:
- Fix IMAP command injection in sqimap_mailbox_select
with upstream patch. [CVE-2006-0377] (Closes: #354063)
- Fix possible XSS in MagicHTML, concerning the parsing
of u\rl and comments in styles. Internet Explorer
specific. [CVE-2006-0195] (Closes: #354062)
- Fix possible cross site scripting through the right_main
parameter of webmail.php. This now uses a whitelist of
acceptable values. [CVE-2006-0188] (Closes: #354064, #355424)
debian/changelog since dapper release
squirrelmail (2:1.4.6-1ubuntu0.1) dapper-security; urgency=low
* SECURITY UPDATE: XSS and CSRF in various areas, local file inclusion,
variable overwriting.
* src/compose.php, src/right_main.php, src/login.php, src/mailto.php,
src/redirect.php, src/webmail.php, src/mime.php: back-ported fixes for
XSS in compose, draft and HTML mail. (CVE-2006-6142)
http://www.squirrelmail.org/security/issue/2006-12-02
* functions/mime.php, src/compose.php, src/view_text.php: back-ported fixes
for XSS in HTML filter (CVE-2007-1262)
http://www.squirrelmail.org/security/issue/2007-05-09
* functions/global.php: back-ported fixes for local file inclusion.
(CVE-2006-2842)
http://www.squirrelmail.org/security/issue/2006-06-01
* functions/auth.php, src/compose.php, src/login.php, src/redirect.php,
src/webmail.php: back-ported fixes for variable overwriting.
(CVE-2006-4019)
http://www.squirrelmail.org/security/issue/2006-08-11
-- Leonel Nunez <email address hidden> Wed, 16 May 2007 13:02:10 -0600
squirrelmail (2:1.4.6-1) unstable; urgency=high
* New upstream release.
* Includes the following security fixes:
- Fix IMAP command injection in sqimap_mailbox_select
with upstream patch. [CVE-2006-0377] (Closes: #354063)
- Fix possible XSS in MagicHTML, concerning the parsing
of u\rl and comments in styles. Internet Explorer
specific. [CVE-2006-0195] (Closes: #354062)
- Fix possible cross site scripting through the right_main
parameter of webmail.php. This now uses a whitelist of
acceptable values. [CVE-2006-0188] (Closes: #354064, #355424)
-- Thijs Kinkhorst <email address hidden> Tue, 7 Mar 2006 14:56:06 +0100