Hanno Böck has posted patches for XSS and PHP issues:
You're the registered maintainer, David ;-)
@David: I've had a look into the fixes. Do you still use squirrelmail?
From my perspektive, I would say, we can apply these changes.
Hi Marc. I don't think I've used it in 16 years. You can apply the fixes if you don't mind.
Updated squirrelmail packages fix XSS-security vulnerability:
It was discovered that some special tags have not been filtered accordingly which can be used for an XSS-attack.
Updated packages in core/updates_testing:
MGA6-32 MATE in Dutch on IBM Thinkpad R50e
At installation I expected that selecting squirrelmail this would draw in the nl language pack automatically as other packages do. I had to do it manually, but even then squirrelmail displays in pure English.
Googling learned me that I had to change the Display preferences in the squirrelmail "Options" page.
Followed Brian'lead in bug 22793 Comment 6.
Created an additional user squitest on the system, initiated the folders and files on this and my regular user as shown, and I have been able to send and reply mail between these two users.
OK for me.
mga6-64 xfce in US English on VBOX
Installed as per instructions in bug 22793 Comment 6.
created new user and Emailed back and forth in local host.
Working as far as I can tell.
With OKs in both arches, this looks good to go to me. Validating. Suggested advisory in comment 4.
An update for this issue has been pushed to the Mageia Updates repository.
These got CVE-2018-1495[0-5]:
squirrelmail several new XSS security issues =>
squirrelmail several new XSS security issues (CVE-2018-1495[0-5])
@David: there is only some development in svn, but no real releases! I suggest switching to an updated svn version (at least for mga7) and maybe drop this package for mga8.
I think we already have the latest security fixes, but it would make sense to update to the same svn snapshot that Fedora did (in Cauldron). I appreciate your help in maintaining this one. Since we lost our roundcubemail maintainer, this has actually been our only maintained webmail package.
since roundcube is php too, I can maintain this. Squirrel is very simple. Roundcube is a more modern mail frontend.
I know squirrelmail is not very active, but I guess enough people out there still care about it with these security issues getting fixed. The only remaining concern is whether it continues to work with new versions of PHP. I guess we'll see.