pkgsrc-Changes-HG archive
[pkgsrc/trunk]: pkgsrc/mail/squirrelmail Update squirrelmail to 1.4.23pre14688.
details: https://anonhg.NetBSD.org/pkgsrc/rev/590636dea91c
branches: trunk
changeset: 364194:590636dea91c
user: taca <taca%pkgsrc.org@localhost>
date: Wed Jun 21 15:07:03 2017 +0000
description:
Update squirrelmail to 1.4.23pre14688.
Note: CVE-2017-7692 is already fixed by 1.4.23pre14605nb1.
- compose_send hook now has $draft flag in hook arguments
- Fixed insufficient sendmail command argument escaping (thanks
to Mitchel Sahertian, Beyond Security/Dawid Golunski and Filippo
Cavallarin for bringing this to our attention). [CVE-2017-7692]
- Upgraded preferences for the delete_move_next plugin. Automatic
user preference updates are included, but note that if your
installation is new, or all user prefs have been converted from
"on"/"off" to 0/1 then you can add the following to SquirrelMail's
config/config_local.php to avoid converting legacy values over and over:
$do_not_convert_delete_move_next_legacy_preferences = TRUE;
- Added ability to control the display of the "Check Spelling"
button provided by the squirrelspell plugin, which allows
administrators to offer this plugin but keep it out of the way
for users who do not want it. Put sqspell_show_button=0 in
default preferences if it should be hidden by default
diffstat:
mail/squirrelmail/Makefile | 5 +-
mail/squirrelmail/PLIST | 3 +-
mail/squirrelmail/distinfo | 10 ++--
mail/squirrelmail/patches/patch-class_deliver_Deliver__SendMail.class.php | 23 ----------
4 files changed, 9 insertions(+), 32 deletions(-)
diffs (75 lines):
diff -r 2146b5a22212 -r 590636dea91c mail/squirrelmail/Makefile
--- a/mail/squirrelmail/Makefile Wed Jun 21 14:51:10 2017 +0000
+++ b/mail/squirrelmail/Makefile Wed Jun 21 15:07:03 2017 +0000
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.132 2017/04/19 17:10:18 maya Exp $
+# $NetBSD: Makefile,v 1.133 2017/06/21 15:07:03 taca Exp $
-DISTNAME= squirrelmail-webmail-1.4.23pre14605
-PKGREVISION= 1
+DISTNAME= squirrelmail-webmail-1.4.23pre14688
PKGNAME= ${DISTNAME:S/-webmail//}
CATEGORIES= mail www
MASTER_SITES= ${MASTER_SITE_LOCAL}
diff -r 2146b5a22212 -r 590636dea91c mail/squirrelmail/PLIST
--- a/mail/squirrelmail/PLIST Wed Jun 21 14:51:10 2017 +0000
+++ b/mail/squirrelmail/PLIST Wed Jun 21 15:07:03 2017 +0000
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.40 2015/09/06 12:04:12 taca Exp $
+@comment $NetBSD: PLIST,v 1.41 2017/06/21 15:07:03 taca Exp $
man/man8/squirrelmail-conf.pl.8
share/examples/squirrelmail/data/.htaccess
share/examples/squirrelmail/data/index.php
@@ -325,6 +325,7 @@
share/squirrelmail/plugins/squirrelspell/js/init.js
share/squirrelmail/plugins/squirrelspell/modules/.htaccess
share/squirrelmail/plugins/squirrelspell/modules/WHATISTHIS
+share/squirrelmail/plugins/squirrelspell/modules/change_main_options.mod
share/squirrelmail/plugins/squirrelspell/modules/check_me.mod
share/squirrelmail/plugins/squirrelspell/modules/crypto.mod
share/squirrelmail/plugins/squirrelspell/modules/crypto_badkey.mod
diff -r 2146b5a22212 -r 590636dea91c mail/squirrelmail/distinfo
--- a/mail/squirrelmail/distinfo Wed Jun 21 14:51:10 2017 +0000
+++ b/mail/squirrelmail/distinfo Wed Jun 21 15:07:03 2017 +0000
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.68 2017/04/19 17:10:18 maya Exp $
+$NetBSD: distinfo,v 1.69 2017/06/21 15:07:03 taca Exp $
-SHA1 (squirrelmail-webmail-1.4.23pre14605.tar.bz2) = b0301f777ac5e71b08cd8d718358ce0f3417a21d
-RMD160 (squirrelmail-webmail-1.4.23pre14605.tar.bz2) = ee9c4d6bd6975f0134797cfc383821368a140542
-SHA512 (squirrelmail-webmail-1.4.23pre14605.tar.bz2) = f884e324c4f89469ef92e0edb16e83930bdcb73d17df659425972a786cd1449531ab40bf4ea5a17fdc97bcfd8a4c26fc80ca68bad2ae54502236dc5b0456967b
-Size (squirrelmail-webmail-1.4.23pre14605.tar.bz2) = 558045 bytes
+SHA1 (squirrelmail-webmail-1.4.23pre14688.tar.bz2) = 0b094c86464f0a67948191f8daeb62b35024350b
+RMD160 (squirrelmail-webmail-1.4.23pre14688.tar.bz2) = 3b3d19bcbd0e3c32983707423d91263e3649f26b
+SHA512 (squirrelmail-webmail-1.4.23pre14688.tar.bz2) = ec428f5a77757d29dd0a8f905210e7f9b527e75a549162d9d2ad2ad2fdfed1c9fa4e399433e656065f24a593d76e14c043a34c0c7fffb03943de94505599a1e0
+Size (squirrelmail-webmail-1.4.23pre14688.tar.bz2) = 560901 bytes
SHA1 (patch-aa) = 4ba7ea0a85308816b9dc77c0af3c927359ed1275
SHA1 (patch-ab) = 30bf68c730f20e817fbe81d18bc2a95899ee3fd0
SHA1 (patch-ai) = 1c08904ecf074ff3ba7e6042becc0f0771388b9f
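Review bot: No SHA1 line for patch-class_deliver_Deliver__SendMail.class.php is removed in this distinfo hunk, although the same changeset deletes that patch file. The diffstat's 10 changed lines for distinfo are all accounted for here by the RCS id and the four distfile entries, so if distinfo carries a checksum entry for that patch further down, it is now stale. Regenerate the patch checksums (make makepatchsum) and commit the result together with the patch removal.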
diff -r 2146b5a22212 -r 590636dea91c mail/squirrelmail/patches/patch-class_deliver_Deliver__SendMail.class.php
--- a/mail/squirrelmail/patches/patch-class_deliver_Deliver__SendMail.class.php Wed Jun 21 14:51:10 2017 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,23 +0,0 @@
-$NetBSD: patch-class_deliver_Deliver__SendMail.class.php,v 1.1 2017/04/19 17:10:18 maya Exp $
-
-Patch CVE-2017-7692 by separately escaping $envelopefrom
-concatenating it with a space before escaping allows for injecting command
-parameters.
-
-From Filippo Cavallarin
-https://www.wearesegment.com/research/Squirrelmail-Remote-Code-Execution.html
-
---- class/deliver/Deliver_SendMail.class.php.orig 2016-01-01 20:04:30.000000000 +0000
-+++ class/deliver/Deliver_SendMail.class.php
-@@ -95,9 +95,9 @@ class Deliver_SendMail extends Deliver {
- $envelopefrom = trim($from->mailbox.'@'.$from->host);
- $envelopefrom = str_replace(array("\0","\n"),array('',''),$envelopefrom);
- // save executed command for future reference
-- $this->sendmail_command = "$sendmail_path $this->sendmail_args -f$envelopefrom";
-+ $this->sendmail_command = escapeshellcmd("$sendmail_path $this->sendmail_args -f") . escapeshellarg($envelopefrom);
- // open process handle for writing
-- $stream = popen(escapeshellcmd($this->sendmail_command), "w");
-+ $stream = popen($this->sendmail_command, "w");
- return $stream;
- }
-
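Review bot: Deleting this local patch leaves the CVE-2017-7692 fix entirely to the 1.4.23pre14688 distfile, and nothing in the diff shows that upstream's class/deliver/Deliver_SendMail.class.php now quotes $envelopefrom on its own. Before dropping it, confirm the new source applies escapeshellarg() to $envelopefrom separately from the rest of the command line rather than passing the whole concatenated string through escapeshellcmd(), which is the pattern the patch header describes as allowing injected command parameters. The commit message could also name the upstream revision that carries the fix, so the package history shows where the fix moved.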