Hanno Böck has posted patches for XSS and PHP issues: http://openwall.com/lists/oss-security/2018/07/26/2
CC: (none) => mageiaWhiteboard: (none) => MGA6TOO
You're the registered maintainer, David ;-)
CC: (none) => marja11Assignee: bugsquad => luigiwalser
@David: I've had a look into the fixes. Do you still use squirrelmail? From my perspektive, I would say, we can apply these changes.
Hi Marc. I don't think I've used it in 16 years. You can apply the fixes if you don't mind.
Assignee: luigiwalser => mageia
Suggested advisory: ======================== Updated squirrelmail packages fix XSS-security vulnerability: It was discovered that some special tags have not been filtered accordingly which can be used for an XSS-attack. References: https://sourceforge.net/p/squirrelmail/bugs/2831/ ======================== Updated packages in core/updates_testing: ======================== squirrelmail-1.4.22-15.2.mga6 squirrelmail-poutils-1.4.22-15.2.mga6 squirrelmail-cyrus-1.4.22-15.2.mga6 squirrelmail-ar-1.4.22-15.2.mga6 squirrelmail-bg-1.4.22-15.2.mga6 squirrelmail-bn-india-1.4.22-15.2.mga6 squirrelmail-bn-bangladesh-1.4.22-15.2.mga6 squirrelmail-ca-1.4.22-15.2.mga6 squirrelmail-cs-1.4.22-15.2.mga6 squirrelmail-cy-1.4.22-15.2.mga6 squirrelmail-da-1.4.22-15.2.mga6 squirrelmail-de-1.4.22-15.2.mga6 squirrelmail-el-1.4.22-15.2.mga6 squirrelmail-es-1.4.22-15.2.mga6 squirrelmail-et-1.4.22-15.2.mga6 squirrelmail-eu-1.4.22-15.2.mga6 squirrelmail-fa-1.4.22-15.2.mga6 squirrelmail-fi-1.4.22-15.2.mga6 squirrelmail-fo-1.4.22-15.2.mga6 squirrelmail-fr-1.4.22-15.2.mga6 squirrelmail-fy-1.4.22-15.2.mga6 squirrelmail-he-1.4.22-15.2.mga6 squirrelmail-hr-1.4.22-15.2.mga6 squirrelmail-hu-1.4.22-15.2.mga6 squirrelmail-id-1.4.22-15.2.mga6 squirrelmail-is-1.4.22-15.2.mga6 squirrelmail-it-1.4.22-15.2.mga6 squirrelmail-ja-1.4.22-15.2.mga6 squirrelmail-ko-1.4.22-15.2.mga6 squirrelmail-lt-1.4.22-15.2.mga6 squirrelmail-ms-1.4.22-15.2.mga6 squirrelmail-nb-1.4.22-15.2.mga6 squirrelmail-nl-1.4.22-15.2.mga6 squirrelmail-nn-1.4.22-15.2.mga6 squirrelmail-pl-1.4.22-15.2.mga6 squirrelmail-pt-1.4.22-15.2.mga6 squirrelmail-ro-1.4.22-15.2.mga6 squirrelmail-ru-1.4.22-15.2.mga6 squirrelmail-sk-1.4.22-15.2.mga6 squirrelmail-sl-1.4.22-15.2.mga6 squirrelmail-sr-1.4.22-15.2.mga6 squirrelmail-sv-1.4.22-15.2.mga6 squirrelmail-tr-1.4.22-15.2.mga6 squirrelmail-ug-1.4.22-15.2.mga6 squirrelmail-uk-1.4.22-15.2.mga6 squirrelmail-vi-1.4.22-15.2.mga6 squirrelmail-zh_CN-1.4.22-15.2.mga6 squirrelmail-zh_TW-1.4.22-15.2.mga6 squirrelmail-ka-1.4.22-15.2.mga6 squirrelmail-km-1.4.22-15.2.mga6 squirrelmail-lv-1.4.22-15.2.mga6 squirrelmail-mk-1.4.22-15.2.mga6 squirrelmail-ta-1.4.22-15.2.mga6 Source RPMs: squirrelmail-1.4.22-15.2.mga6.src.rpm
Assignee: mageia => qa-bugs
CC: (none) => tmbWhiteboard: MGA6TOO => (none)Version: Cauldron => 6
MGA6-32 MATE in Dutch on IBM Thinkpad R50e At installation I expected that selecting squirrelmail this would draw in the nl language pack automatically as other packages do. I had to do it manually, but even then squirrelmail displays in pure English. Googling learned me that I had to change the Display preferences in the squirrelmail "Options" page. Followed Brian'lead in bug 22793 Comment 6. Created an additional user squitest on the system, initiated the folders and files on this and my regular user as shown, and I have been able to send and reply mail between these two users. OK for me.
CC: (none) => herman.viaeneWhiteboard: (none) => MGA6-32-OKKeywords: (none) => has_procedure
mga6-64 xfce in US English on VBOX Installed as per instructions in bug 22793 Comment 6. created new user and Emailed back and forth in local host. Working as far as I can tell.
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OKCC: (none) => brtians1
With OKs in both arches, this looks good to go to me. Validating. Suggested advisory in comment 4.
CC: (none) => andrewsfarm, sysadmin-bugsKeywords: (none) => validated_update
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0357.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
These got CVE-2018-1495[0-5]: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CVXTYMZ35IC5KPNMAE6BWAQWURMX7KZO/
Summary: squirrelmail several new XSS security issues => squirrelmail several new XSS security issues (CVE-2018-1495[0-5])
@David: there is only some development in svn, but no real releases! I suggest switching to an updated svn version (at least for mga7) and maybe drop this package for mga8.
I think we already have the latest security fixes, but it would make sense to update to the same svn snapshot that Fedora did (in Cauldron). I appreciate your help in maintaining this one. Since we lost our roundcubemail maintainer, this has actually been our only maintained webmail package.
since roundcube is php too, I can maintain this. Squirrel is very simple. Roundcube is a more modern mail frontend.
I know squirrelmail is not very active, but I guess enough people out there still care about it with these security issues getting fixed. The only remaining concern is whether it continues to work with new versions of PHP. I guess we'll see.