Please backport for squirrelmail from gutsy to dapper, edgy, and feisty

Bug #115149 reported by Leonel Nunez
Affects          | Status       | Importance | Assigned to | Milestone
Dapper Backports | Fix Released | Wishlist   | Unassigned  |
Edgy Backports   | Fix Released | Wishlist   | Unassigned  |
Feisty Backports | Fix Released | Wishlist   | Unassigned  |

Bug Description

Gutsy 2:1.4.10a-2 to Dapper (was 2:1.4.6-1/2:1.4.6-1ubuntu0.1/2:1.4.8-1~dapper1 - previous backport)
Gutsy 2:1.4.10a-2 to Edgy (was 2:1.4.8-1/ 2:1.4.8-1ubuntu0.1)
Gutsy 2:1.4.10a-2 to Feisty (was 2:1.4.9a-1/2:1.4.9a-1ubuntu0.1)

Gutsy 2:1.4.10a-2 has been built, installed, and tested on all three releases.

Debian/changelog since the oldest release above:

squirrelmail (2:1.4.10a-2) unstable; urgency=low

  * Make use of new dictionaries-common SquirrelMail interface to
    detect the installed squirrelspell dictionaries (Closes: #420877).
  * Remove obsolete upgrading code.
  * Make sure config files are not closed with '?>' since it's then
    too easy to get stray whitespace at the end of the file.

 -- Thijs Kinkhorst <email address hidden> Thu, 31 May 2007 19:34:29 +0200

squirrelmail (2:1.4.10a-1) unstable; urgency=high

  * New upstream security release.
    - Fixes cross site scripting in the HTML filter [CVE-2007-1262]
    - Tweaks SMTP error message display (Closes: #403705).
    - Fixes address duplication on reply-all (Closes: #408242).

 -- Thijs Kinkhorst <email address hidden> Thu, 10 May 2007 12:04:48 +0200

squirrelmail (2:1.4.9a-1) unstable; urgency=high

  * New upstream security release.
    - Additionally tightens HTML filter for IE <= 5 parsing
      absolutely everything and its horse.

 -- Thijs Kinkhorst <email address hidden> Mon, 4 Dec 2006 09:18:09 +0100

squirrelmail (2:1.4.9-1) unstable; urgency=high

  * New upstream bugfix release.
    - Includes cross site scripting security fix [CVE-2006-6142].
    - Includes Internet Explorer security issue workaround.
    - Fixes misspelled constant (Closes: #401022)

 -- Thijs Kinkhorst <email address hidden> Sat, 2 Dec 2006 17:35:43 +0100

squirrelmail (2:1.4.8-3) unstable; urgency=low

  * Add note to README.Debian about server side sorting (Closes: #394286)
    and regular_globals not being supported.
  * Add IfModule conditionals for register_globals setting in
    apache.conf (Closes: #398173).

 -- Thijs Kinkhorst <email address hidden> Mon, 13 Nov 2006 16:29:33 +0100

squirrelmail (2:1.4.8-2) unstable; urgency=low

  * Update Debian patch to display options to cope with the custom
    charset plugin. Thanks Tomas Kuliavas, Closes: #385300.
  * Suggest php[45]-ldap, Closes: #392306.
  * Improve package description.

 -- Thijs Kinkhorst <email address hidden> Fri, 20 Oct 2006 16:36:36 +0200

squirrelmail (2:1.4.8-1) unstable; urgency=high

  * New upstream release
    - Includes security fix: variable overwriting in compose.php
      by logged-in user [CVE-2006-4019]
    - Does not ship SquirrelMail developer's documentation anymore.

  * Remove duplicate content from README.locales.

 -- Thijs Kinkhorst <email address hidden> Fri, 11 Aug 2006 13:53:20 +0200

squirrelmail (2:1.4.7-1) unstable; urgency=low

  * New upstream bugfix release.
    + Addresses some low-impact, theoretical or disputed security bugs,
      for which the code is tightened just-in-case:
      - Possible local file inclusion (Closes: #373731, CVE-2006-2842)
      - XSS in search.php (Closes: #375782, CVE-2006-3174)
    + Adds note to db-backend.txt about postgreSQL (Closes: #376605).

  * Checked for standards version to 3.7.2, no changes necessary.
  * Update maintainer address.

 -- Thijs Kinkhorst <email address hidden> Tue, 4 Jul 2006 14:49:23 +0200

Scott Kitterman (kitterman) wrote :

Leonel - If you will confirm in this bug that the Gutsy version builds/installs/runs on Dapper/Edgy and add the new debian/changelog entries, I'll approve this.

Leonel Nunez (leonelnunez) wrote : Re: [Bug 115149] Re: Request backport for squirrelmail from gutsy to dapper and edgy

> Leonel - If you will confirm in this bug that the Gutsy version
> builds/installs/runs on Dapper/Edgy and add the new debian/changelog
> entries, I'll approve this.

OK, I'll do it.

I've checked the squirrelmail versions for dapper, edgy, and feisty, and we are
up to date with security.

And can we add the backport to Feisty?

Leonel

Leonel Nunez (leonelnunez) wrote : Re: Request backport for squirrelmail from gutsy to dapper and edgy

Builds fine with EDGY pbuilder
installed fine
tested all worked fine

Leonel Nunez (leonelnunez) wrote :

Built with DAPPER pbuilder, no errors
installed fine
tested all worked fine

Leonel Nunez (leonelnunez) wrote :

Built, installed, and tested in Feisty
no problems found

Leonel Nunez (leonelnunez) wrote :

debian/changelog since dapper release

squirrelmail (2:1.4.6-1ubuntu0.1) dapper-security; urgency=low

  * SECURITY UPDATE: XSS and CSRF in various areas, local file inclusion,
    variable overwriting.
  * src/compose.php, src/right_main.php, src/login.php, src/mailto.php,
    src/redirect.php, src/webmail.php, src/mime.php: back-ported fixes for
    XSS in compose, draft and HTML mail. (CVE-2006-6142)
    http://www.squirrelmail.org/security/issue/2006-12-02
  * fuctions/mime.php, src/compose.php, src/view_text.php: back-ported fixes
    for XSS in HTML filter (CVE-2007-1262)
    http://www.squirrelmail.org/security/issue/2007-05-09
  * functions/global.php: back-ported fixes for local file inclusion.
    (CVE-2006-2842)
    http://www.squirrelmail.org/security/issue/2006-06-01
  * functions/auth.php, src/compose.php, src/login.php, src/redirect.php,
    src/webmail.php: back-ported fixes for variable overwriting.
    (CVE-2006-4019)
    http://www.squirrelmail.org/security/issue/2006-08-11

 -- Leonel Nunez <email address hidden> Wed, 16 May 2007 13:02:10 -0600

squirrelmail (2:1.4.6-1) unstable; urgency=high

  * New upstream release.
  * Includes the following security fixes:
    - Fix IMAP command injection in sqimap_mailbox_select
      with upstream patch. [CVE-2006-0377] (Closes: #354063)
    - Fix possible XSS in MagicHTML, concerning the parsing
      of u\rl and comments in styles. Internet Explorer
      specific. [CVE-2006-0195] (Closes: #354062)
    - Fix possible cross site scripting through the right_main
      parameter of webmail.php. This now uses a whitelist of
      acceptable values. [CVE-2006-0188] (Closes: #354064, #355424)

 -- Thijs Kinkhorst <email address hidden> Tue, 7 Mar 2006 14:56:06 +0100

description: updated
Changed in dapper-backports:
status: New → In Progress
Changed in edgy-backports:
status: New → In Progress
Changed in feisty-backports:
status: New → In Progress
Changed in dapper-backports:
importance: Undecided → Wishlist
Changed in edgy-backports:
importance: Undecided → Wishlist
Changed in feisty-backports:
importance: Undecided → Wishlist
Martin Pitt (pitti) wrote :

 * Trying to backport squirrelmail...
  - <squirrelmail_1.4.10a.orig.tar.gz: downloading from librarian>
  - <squirrelmail_1.4.10a-2.diff.gz: downloading from librarian>
  - <squirrelmail_1.4.10a-2.dsc: downloading from librarian>
I: Extracting squirrelmail_1.4.10a-2.dsc ... done.
I: Building backport of squirrelmail-1.4.10a as 2:1.4.10a-2~dapper1 ... done.

Changed in dapper-backports:
status: In Progress → Fix Released
Martin Pitt (pitti) wrote :

 * Trying to backport squirrelmail...
  - <squirrelmail_1.4.10a.orig.tar.gz: downloading from librarian>
  - <squirrelmail_1.4.10a-2.diff.gz: downloading from librarian>
  - <squirrelmail_1.4.10a-2.dsc: downloading from librarian>
I: Extracting squirrelmail_1.4.10a-2.dsc ... done.
I: Building backport of squirrelmail-1.4.10a as 2:1.4.10a-2~edgy1 ... done.

Changed in edgy-backports:
status: In Progress → Fix Released
Martin Pitt (pitti) wrote :

 * Trying to backport squirrelmail...
  - <squirrelmail_1.4.10a.orig.tar.gz: downloading from librarian>
  - <squirrelmail_1.4.10a-2.diff.gz: downloading from librarian>
  - <squirrelmail_1.4.10a-2.dsc: downloading from librarian>
I: Extracting squirrelmail_1.4.10a-2.dsc ... done.
I: Building backport of squirrelmail-1.4.10a as 2:1.4.10a-2~feisty1 ... done.

Changed in feisty-backports:
status: In Progress → Fix Released
This report contains Public Security information  
Everyone can see this security related information.