[squirrelmail] Please bring latest security-fix release 1.4.18

Related Vulnerabilities: CVE-2009-1578, CVE-2009-1579, CVE-2009-1580, CVE-2009-1581

Debian Bug report logs - #528528


Reported by: Philippe Teuwen <phil@teuwen.org>

Date: Wed, 13 May 2009 13:06:01 UTC

Severity: grave

Tags: security

Found in version squirrelmail/2:1.4.15-4

Fixed in versions squirrelmail/2:1.4.18-1, squirrelmail/2:1.4.9a-4

Done: Thijs Kinkhorst <thijs@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, secure-testing-team@lists.alioth.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#528528; Package squirrelmail. (Wed, 13 May 2009 13:06:04 GMT)


Acknowledgement sent to Philippe Teuwen <phil@teuwen.org>:
New Bug report received and forwarded. Copy sent to secure-testing-team@lists.alioth.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>. (Wed, 13 May 2009 13:06:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Philippe Teuwen <phil@teuwen.org>
To: submit@bugs.debian.org
Subject: [squirrelmail] Please bring latest security-fix release 1.4.18
Date: Wed, 13 May 2009 15:03:43 +0200
Package: squirrelmail
Version: 2:1.4.15-4
Severity: normal
Tags: security
X-Debbugs-CC: secure-testing-team@lists.alioth.debian.org

ANNOUNCE: SquirrelMail 1.4.18 Released
May 12, 2009 by Paul Lesniewski
     The SquirrelMail Team is pleased to announce the release of
SquirrelMail version 1.4.18. The most notable changes for this version
are several security fixes, including a couple XSS exploits, a session
fixation issue, and an obscure but dangerous server-side code execution
hole. However, this version also includes three new languages and more
than a few enhancements to things such as the filters plugin, the
address book system and other things under the hood. For more complete
details, see the ReleaseNotes and ChangeLog files included in this
release (they have moved to the doc/ directory). We advise all users of
SquirrelMail software to upgrade. You can download it here.

See also http://www.securityfocus.com/bid/34916/info

--- System information. ---
Architecture: i386
Kernel: Linux 2.6.26-1-486

Debian Release: squeeze/sid
990 testing security.debian.org
990 testing ftp.be.debian.org
500 unstable www.emdebian.org
500 unstable www.debian-multimedia.org
500 unstable sidux.net
500 unstable ftp.be.debian.org
500 unstable debian.jones.dk
500 stable www.debian-multimedia.org
500 stable security.debian.org
1 experimental ftp.be.debian.org

--- Package information. ---
Package's Depends field is empty.

Package's Recommends field is empty.

Package's Suggests field is empty.

Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#528528; Package squirrelmail. (Wed, 13 May 2009 16:03:05 GMT)


Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>. (Wed, 13 May 2009 16:03:05 GMT)


Message #10 received at 528528@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: Philippe Teuwen <phil@teuwen.org>, 528528@bugs.debian.org
Subject: Re: [Secure-testing-team] Bug#528528: [squirrelmail] Please bring latest security-fix release 1.4.18
Date: Wed, 13 May 2009 17:56:28 +0200
On Wednesday 13 May 2009, Philippe Teuwen wrote:
> several security fixes

Thanks for the report. I'm already aware and updates will follow as soon as 
possible.


Thijs

Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Wed, 13 May 2009 18:57:12 GMT)


Notification sent to Philippe Teuwen <phil@teuwen.org>:
Bug acknowledged by developer. (Wed, 13 May 2009 18:57:12 GMT)


Message #15 received at 528528-close@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: 528528-close@bugs.debian.org
Subject: Bug#528528: fixed in squirrelmail 2:1.4.18-1
Date: Wed, 13 May 2009 18:47:15 +0000
Source: squirrelmail
Source-Version: 2:1.4.18-1

We believe that the bug you reported is fixed in the latest version of
squirrelmail, which is due to be installed in the Debian FTP archive:

squirrelmail_1.4.18-1.diff.gz
  to pool/main/s/squirrelmail/squirrelmail_1.4.18-1.diff.gz
squirrelmail_1.4.18-1.dsc
  to pool/main/s/squirrelmail/squirrelmail_1.4.18-1.dsc
squirrelmail_1.4.18-1_all.deb
  to pool/main/s/squirrelmail/squirrelmail_1.4.18-1_all.deb
squirrelmail_1.4.18.orig.tar.gz
  to pool/main/s/squirrelmail/squirrelmail_1.4.18.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 528528@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated squirrelmail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 13 May 2009 19:42:57 +0200
Source: squirrelmail
Binary: squirrelmail
Architecture: source all
Version: 2:1.4.18-1
Distribution: unstable
Urgency: high
Maintainer: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 squirrelmail - Webmail for nuts
Closes: 508287 523966 527964 528528
Changes: 
 squirrelmail (2:1.4.18-1) unstable; urgency=high
 .
   * New upstream release.
     + Addresses several security issues (closes: #528528):
       CVE-2009-1578, CVE-2009-1579, CVE-2009-1580, CVE-2009-1581.
   * Update to debhelper 7 and policy 3.8.1.
   * Make squirrelmail.cron.daily cope with the administrator
     enabling the hashed dir feature, thanks Marcello Nuccio
     (closes: #508287).
   * Update Recommends and Suggests:
     + Remove all php4-related relations.
     + Add recommends for php5-mcode which speeds up crypto.
     + Suggest php5-recode for some character sets.
     + Recommend plugins: squirrelmail-viewashtml for HTML mail,
       squirrelmail-logger to provide logging.
     (closes: #523966, #527964)
Checksums-Sha1: 
 4996be2987ba4e32e8240537b75f934a247b877f 1496 squirrelmail_1.4.18-1.dsc
 25be33dec86419f07ab8d5b8d41d0e3eed7d2c52 638455 squirrelmail_1.4.18.orig.tar.gz
 c4b238f4757c9df767f7333228e48279207fc09f 20100 squirrelmail_1.4.18-1.diff.gz
 cce53ff4296af5f3a3016322e504368f99366faa 617964 squirrelmail_1.4.18-1_all.deb
Checksums-Sha256: 
 7bd5fcc8a6b7c7456e1c75d513cefa18964aaa717710815449911cbaeb3db28f 1496 squirrelmail_1.4.18-1.dsc
 a92b922206c86018ad23633525ec6b7bce6e084a1b6115bd17347badd4245b47 638455 squirrelmail_1.4.18.orig.tar.gz
 f3a9c0c8edca3dff54d37239f3ec762bb5f89b20dcb40e6ecd645b27ec1a923a 20100 squirrelmail_1.4.18-1.diff.gz
 96d4f7d9031b68072858d900118ad73f705185ab86ba9f267461671f42afc132 617964 squirrelmail_1.4.18-1_all.deb
Files: 
 73c5555f1c49cde328ac1b84ecd3ca46 1496 web optional squirrelmail_1.4.18-1.dsc
 5e870d2f5b57b4b0e42497cb0a0fae5e 638455 web optional squirrelmail_1.4.18.orig.tar.gz
 a33cf1597773c3e8b31f2a0462f7cd69 20100 web optional squirrelmail_1.4.18-1.diff.gz
 f1f1ff654ce139568394e98e6d9895ae 617964 web optional squirrelmail_1.4.18-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJKCxJkAAoJECIIoQCMVaAcR7AIAIuSy9OYfW43/oTpr6dc16bm
cWIK5d6/4WA+pF0RQgCG3vNw6QGGQcwKzOnRjyX0rxDtr8RDrF7P+VB9ggw8/Plj
10Ji8/dlTBSDmDUydJWPmQMA5nRUza3h5enZeh/K1NdbSDzU7Iq+tQkXEwuP5X7b
5W1KYN+iC/KXki71hzB7X083X7wUotTexWp/Fo/0OhwvoDprYsuwssv5bYTQDqiT
iK4HEDCr4n9RSq+bLwatl/T0o0SZN09SXGU4g71UYniEVsyKLczwOxAdo526Z/1v
jCv/B6XoRVs/3ufIFv9AD5xt8XEa8mEb/fjBVlqHU4++YaDcqjDsShRgesSGGBo=
=UyMy
-----END PGP SIGNATURE-----
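The signed .changes file above carries MD5, SHA-1 and SHA-256 digests plus a size for every uploaded artifact, which is what lets anyone who fetches squirrelmail_1.4.18-1_all.deb from a mirror confirm they got the bytes the uploader signed. The block below is an added example, not Debian tooling and not code from this bug log: it parses the three checksum stanzas, cross-checks that they agree with each other, and verifies a file against them. CHANGES_EXCERPT is copied from the 1.4.18-1 .changes quoted above with the other fields dropped; the function names (parse_changes, verify_download, make_entry) and the sample bytes used to exercise it are this example's own constructions. It assumes the .changes signature has already been verified with gpg against a trusted Debian key: digests inside an unverified file prove nothing, since whoever replaced the package could replace the hashes too.

```python
"""Verify Debian upload artifacts against the Checksums-* stanzas of a .changes file.

Added example, not Debian tooling. Assumes the .changes signature was already
checked (gpg --verify) against a trusted key.
"""
import hashlib
import re

# Copied from the squirrelmail 2:1.4.18-1 .changes quoted in this bug log (other fields dropped).
CHANGES_EXCERPT = """\
Format: 1.8
Source: squirrelmail
Version: 2:1.4.18-1
Checksums-Sha1:
 4996be2987ba4e32e8240537b75f934a247b877f 1496 squirrelmail_1.4.18-1.dsc
 25be33dec86419f07ab8d5b8d41d0e3eed7d2c52 638455 squirrelmail_1.4.18.orig.tar.gz
 c4b238f4757c9df767f7333228e48279207fc09f 20100 squirrelmail_1.4.18-1.diff.gz
 cce53ff4296af5f3a3016322e504368f99366faa 617964 squirrelmail_1.4.18-1_all.deb
Checksums-Sha256:
 7bd5fcc8a6b7c7456e1c75d513cefa18964aaa717710815449911cbaeb3db28f 1496 squirrelmail_1.4.18-1.dsc
 a92b922206c86018ad23633525ec6b7bce6e084a1b6115bd17347badd4245b47 638455 squirrelmail_1.4.18.orig.tar.gz
 f3a9c0c8edca3dff54d37239f3ec762bb5f89b20dcb40e6ecd645b27ec1a923a 20100 squirrelmail_1.4.18-1.diff.gz
 96d4f7d9031b68072858d900118ad73f705185ab86ba9f267461671f42afc132 617964 squirrelmail_1.4.18-1_all.deb
Files:
 73c5555f1c49cde328ac1b84ecd3ca46 1496 web optional squirrelmail_1.4.18-1.dsc
 5e870d2f5b57b4b0e42497cb0a0fae5e 638455 web optional squirrelmail_1.4.18.orig.tar.gz
 a33cf1597773c3e8b31f2a0462f7cd69 20100 web optional squirrelmail_1.4.18-1.diff.gz
 f1f1ff654ce139568394e98e6d9895ae 617964 web optional squirrelmail_1.4.18-1_all.deb
"""

# Stanza name -> digest it carries. Entry lines are "digest size name" for Checksums-*
# and "md5 size section priority name" for Files, so the name is always the last token.
STANZAS = {"Checksums-Sha1": "sha1", "Checksums-Sha256": "sha256", "Files": "md5"}


def _fields(text):
    """Split RFC822-style control text into {field: [continuation lines]}."""
    fields, current = {}, None
    for line in text.splitlines():
        if line[:1] == " " and current is not None:
            fields[current].append(line.strip())
            continue
        m = re.match(r"^([A-Za-z0-9-]+):\s*(.*)$", line)
        if m:
            current = m.group(1)
            fields.setdefault(current, [])
            if m.group(2):
                fields[current].append(m.group(2))
    return fields


def parse_changes(text):
    """Return {filename: {"size": int, "sha1": hex, "sha256": hex, "md5": hex}}.

    Raises ValueError when the three stanzas disagree on a file's size or one of
    them omits a file: a self-contradicting .changes must not be trusted at all.
    """
    fields = _fields(text)
    entries = {}
    for stanza, algo in STANZAS.items():
        for item in fields.get(stanza, []):
            parts = item.split()
            if len(parts) < 3:
                raise ValueError(f"malformed line in {stanza}: {item!r}")
            digest, size, name = parts[0].lower(), int(parts[1]), parts[-1]
            entry = entries.setdefault(name, {"size": size})
            if entry["size"] != size:
                raise ValueError(f"size mismatch for {name} in {stanza}")
            entry[algo] = digest
    for name, entry in entries.items():
        missing = [a for a in STANZAS.values() if a not in entry]
        if missing:
            raise ValueError(f"{name} missing from stanza(s) for {missing}")
    return entries


def changes_is_consistent(text):
    """True if parse_changes accepts the text, False if it rejects it."""
    try:
        parse_changes(text)
        return True
    except ValueError:
        return False


def verify_file(entry, data):
    """True only if the size and every listed digest match the bytes.

    SHA-256 carries the security weight. MD5 and SHA-1 are compared as well, not for
    strength but because a file matching one stanza and not another means the
    .changes was tampered with or corrupted, which is a reason to stop.
    """
    if len(data) != entry["size"]:
        return False
    return all(hashlib.new(algo, data).hexdigest() == entry[algo]
               for algo in ("sha256", "sha1", "md5") if algo in entry)


def verify_download(changes_text, name, data):
    """Verify `data` as the artifact `name` listed in the .changes; unknown names fail closed."""
    entries = parse_changes(changes_text)
    return name in entries and verify_file(entries[name], data)


def make_entry(data):
    """Build an entry for constructed bytes so the verifier can be exercised offline."""
    return {"size": len(data),
            **{a: hashlib.new(a, data).hexdigest() for a in ("sha256", "sha1", "md5")}}
```

Treat a ValueError from parse_changes as a hard stop rather than something to work around: three stanzas that disagree about a file's size, or a file present in one list and absent from another, mean the .changes was edited or corrupted after it was signed. The actual package bytes are not embedded here, so verify_download against CHANGES_EXCERPT only succeeds once you point it at a file downloaded from the pool.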
Severity set to `grave' from `normal' Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Wed, 13 May 2009 22:21:02 GMT)


Tags added: pending Request was from www-data <www-data@wolffelaar.nl> to control@bugs.debian.org. (Tue, 19 May 2009 15:00:03 GMT)


Message sent on to Philippe Teuwen <phil@teuwen.org>:
Bug#528528. (Tue, 19 May 2009 15:00:05 GMT)


Message #22 received at 528528-submitter@bugs.debian.org:

From: www-data <www-data@wolffelaar.nl>
To: control@bugs.debian.org, 528528-submitter@bugs.debian.org
Subject: Squirrelmail bugs fixed in revision r387
Date: Tue, 19 May 2009 16:56:02 +0200
# Fixed in r387 by kink
tag 528528 + pending
thanks

These bugs are fixed in revision 387 by kink
and will likely get fixed in the next upload.
Log message:
* Upload to stable-security to address security issues.
  (Closes: #528528)
* CSS positioning vulnerability (CVE-2009-1581).
Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#528528; Package squirrelmail. (Tue, 26 May 2009 12:03:02 GMT)


Acknowledgement sent to Kevin Fernandez <kevin@findhost.org>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>. (Tue, 26 May 2009 12:03:02 GMT)


Message #27 received at 528528@bugs.debian.org:

From: Kevin Fernandez <kevin@findhost.org>
To: 528528@bugs.debian.org
Subject: 1.4.19
Date: Tue, 26 May 2009 13:59:43 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Does the debian security update include the fix of squirrelmail 1.4.19?

"The security fix to map_yp_alias in 1.4.18 turned out to be incomplete.
We also experienced some regressions in the updated filter plugin. Both
are addressed in this new release 1.4.19 which contains a few other
small fixes as well. If you do not use map_yp_alias or the filters plugin
there's no urgent need to upgrade now if you already installed 1.4.18."

http://squirrelmail.org/index.php
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkob2a8ACgkQwt4vS/saKMIiggCdE1aoJVTxbpkbu7b354ZNkAvG
gCsAoJOknS0CrvsFePOBHhmgl0dgB5hs
=NVwG
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#528528; Package squirrelmail. (Tue, 26 May 2009 12:54:02 GMT)


Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>. (Tue, 26 May 2009 12:54:02 GMT)


Message #32 received at 528528@bugs.debian.org:

From: "Thijs Kinkhorst" <thijs@debian.org>
To: "Kevin Fernandez" <kevin@findhost.org>, 528528@bugs.debian.org
Subject: Re: Bug#528528: 1.4.19
Date: Tue, 26 May 2009 14:52:35 +0200
On Tue, May 26, 2009 13:59, Kevin Fernandez wrote:
> Does the debian security update include the fix of squirrelmail 1.4.19?

Have you read this?
http://lists.debian.org/debian-security-announce/2009/msg00116.html



Thijs





Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Fri, 03 Jul 2009 20:36:18 GMT)


Notification sent to Philippe Teuwen <phil@teuwen.org>:
Bug acknowledged by developer. (Fri, 03 Jul 2009 20:36:18 GMT)


Message #37 received at 528528-close@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: 528528-close@bugs.debian.org
Subject: Bug#528528: fixed in squirrelmail 2:1.4.9a-4
Date: Fri, 03 Jul 2009 19:54:12 +0000
Source: squirrelmail
Source-Version: 2:1.4.9a-4

We believe that the bug you reported is fixed in the latest version of
squirrelmail, which is due to be installed in the Debian FTP archive:

squirrelmail_1.4.9a-4.diff.gz
  to pool/main/s/squirrelmail/squirrelmail_1.4.9a-4.diff.gz
squirrelmail_1.4.9a-4.dsc
  to pool/main/s/squirrelmail/squirrelmail_1.4.9a-4.dsc
squirrelmail_1.4.9a-4_all.deb
  to pool/main/s/squirrelmail/squirrelmail_1.4.9a-4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 528528@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated squirrelmail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 19 May 2009 17:27:23 +0200
Source: squirrelmail
Binary: squirrelmail
Architecture: source all
Version: 2:1.4.9a-4
Distribution: oldstable-security
Urgency: high
Maintainer: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 squirrelmail - Webmail for nuts
Closes: 528528
Changes: 
 squirrelmail (2:1.4.9a-4) oldstable-security; urgency=high
 .
   * Upload to oldstable-security to address security issues.
     (Closes: #528528)
   * Cross site scripting in using PHP_SELF (CVE-2009-1578).
     Also fix decrypt_headers, even though we don't ship that.
   * Code execution in map_yp_alias, not enabled by default
     (CVE-2009-1579).
   * Session fixation issue (CVE-2009-1580).
   * CSS positioning vulnerability (CVE-2009-1581).
Files: 
 c3b30d221d83b84f3da9d05d143aa950 1021 web optional squirrelmail_1.4.9a-4.dsc
 1ac9a374320a25feb8702c481f07f69d 27710 web optional squirrelmail_1.4.9a-4.diff.gz
 67c67fb13e4dc98739aab5264a4438c4 593578 web optional squirrelmail_1.4.9a-4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJKEtcGAAoJECIIoQCMVaAcHMwH/1G+gHl55kMFep68iDDOMawV
h8S3I74pCK1Wv6lZ2QDASmDznJ8D1L7RI6a48scsZhk0dfSzooOQYzYE8Srvh+hp
nMUxFkwZEOzIyEXO1RM8BHKutksn5cco1slYK6XWezHHOqlCB+G9ZFifM+BcxUQd
HIA04yW89JaOavYxIL7bgKV5kok5m4zS/a1ETZP3OlrSsUGM6OjCuo8pKBjlBokR
y4tmFANdhPMYQHalaec1CSwnHMOENrlC5tFRXNsoPQfz4Ns34jvskofTAK7NiY1W
LIyiBdM3qCw6kN4BYAR3/q+dmEiU1WOv7Zbi/iRliUuXtn/2SiFq8c4et3OQh4c=
=ouAK
-----END PGP SIGNATURE-----
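This report lists two fixed versions, 2:1.4.18-1 for unstable and 2:1.4.9a-4 for oldstable-security, and was found in 2:1.4.15-4. That found version sorts above 2:1.4.9a-4 and is still vulnerable, so an "is my package fixed?" check has to compare against the fixed version for the suite the system actually tracks, never against whichever fixed version is numerically lowest. The block below is an added example, not dpkg's or Debian's code: a Python port of the dpkg version-ordering rules (epoch, then upstream version, then Debian revision; within a string, `~` sorts before everything including the end of the string, and digit runs compare numerically) with a FIXED_IN table taken from this report. The stable suite's fixed version is given in the DSA the maintainer links to in Message #32 but is not stated on this page, so the table omits it and is_fixed returns None for that suite rather than guessing. On a real Debian host the same comparison is `dpkg --compare-versions "$installed" ge 2:1.4.18-1`; the port is here so the logic runs stand-alone.

```python
"""Debian version ordering keyed by suite. Added example; a port of dpkg's rules, not its code."""


def _order(c):
    """Collation weight of one character as dpkg ranks them: '~' < end/digit < letters < others."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments; negative, zero or positive like C strcmp."""
    i = j = 0

    def digit(s, k):
        return k < len(s) and s[k].isdigit()

    while i < len(a) or j < len(b):
        # Non-digit run: compare character by character; an exhausted side weighs 0,
        # which is why "1.0~rc1" sorts below "1.0" but "1.0a" sorts above it.
        while (i < len(a) and not digit(a, i)) or (j < len(b) and not digit(b, j)):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then the longer run wins, else the first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while digit(a, i) and digit(b, j):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if digit(a, i):
            return 1
        if digit(b, j):
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Return (epoch, upstream, revision); a missing epoch is 0 and a missing revision is "0"."""
    epoch = 0
    if ":" in version:
        head, version = version.split(":", 1)
        epoch = int(head)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, "0"
    return epoch, upstream, revision


def compare_versions(v1, v2):
    """-1, 0 or 1 as dpkg --compare-versions would order v1 against v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    for x, y in ((u1, u2), (r1, r2)):
        c = _verrevcmp(x, y)
        if c:
            return -1 if c < 0 else 1
    return 0


# Fixed versions as listed on this bug report. The stable suite's fixed version is
# given in the DSA the maintainer links to, not on this page, so it is deliberately absent.
FIXED_IN = {
    "unstable": "2:1.4.18-1",
    "oldstable-security": "2:1.4.9a-4",
}


def is_fixed(installed, suite):
    """True/False against the suite's own fixed version; None if that version is not known.

    Never fall back to another suite's entry: 2:1.4.15-4 sorts above 2:1.4.9a-4 and is
    exactly the version this bug was reported against.
    """
    fixed = FIXED_IN.get(suite)
    if fixed is None:
        return None
    return compare_versions(installed, fixed) >= 0
```

The useful outcome is the None: a scanner that silently picks the oldest fixed version it knows would report 2:1.4.15-4 as patched, and one that picks the newest would flag every oldstable-security host as vulnerable after it was fixed. Both are wrong, and only a per-suite table, filled from the advisory for that suite, gives the right answer.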
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Mar 2011 08:26:26 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:56:02 2019; Machine Name: beach
