Content-Transfer-Encoding: 7bit
Content-Type: multipart/mixed; boundary="_----------=_152507501549430"
MIME-Version: 1.0
Date: Mon, 30 Apr 2018 07:56:55 +0000
From: "Takahiro Kambe"
Subject: CVS commit: pkgsrc/mail/squirrelmail
To: pkgsrc-changes@NetBSD.org
Reply-To: taca@netbsd.org
X-Mailer: log_accum
Message-Id: <20180430075655.E8E87FBEC@cvs.NetBSD.org>
Sender: pkgsrc-changes-owner@NetBSD.org
List-Id: pkgsrc-changes.NetBSD.org
Precedence: bulk
List-Unsubscribe:

This is a multi-part message in MIME format.

--_----------=_152507501549430
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="US-ASCII"

Module Name:    pkgsrc
Committed By:   taca
Date:           Mon Apr 30 07:56:55 UTC 2018

Modified Files:
        pkgsrc/mail/squirrelmail: Makefile distinfo
        pkgsrc/mail/squirrelmail/patches: patch-ai

Log Message:
mail/squirrelmail: update to 1.4.23pre14764

Fix CVE-2018-8741 and more.

  - Added ability (and user preference) to return to message list after
    moving a message
  - Search enhancement: Added ability to search in more than one header
    without having to search the body
  - Add ability for saved drafts to indicate if they are a reply and if so,
    to which message, and mark that message as replied when the draft is
    finally sent
  - Added option to allow returning to the message one had been replying to
    after sending
  - Sanitize user-supplied attachment filenames (thanks to Florian Grunow
    for reporting this issue) [CVE-2018-8741]
  - Allow users who cannot edit their email address but who have multiple
    identities to edit all their identities

To generate a diff of this commit:
cvs rdiff -u -r1.133 -r1.134 pkgsrc/mail/squirrelmail/Makefile
cvs rdiff -u -r1.69 -r1.70 pkgsrc/mail/squirrelmail/distinfo
cvs rdiff -u -r1.2 -r1.3 pkgsrc/mail/squirrelmail/patches/patch-ai

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

--_----------=_152507501549430 Content-Disposition: inline Content-Length: 3649 Content-Transfer-Encoding: binary Content-Type: text/x-diff; charset=us-ascii Modified files: Index: pkgsrc/mail/squirrelmail/Makefile diff -u pkgsrc/mail/squirrelmail/Makefile:1.133 pkgsrc/mail/squirrelmail/Makefile:1.134 --- pkgsrc/mail/squirrelmail/Makefile:1.133 Wed Jun 21 15:07:03 2017 +++ pkgsrc/mail/squirrelmail/Makefile Mon Apr 30 07:56:55 2018 @@ -1,6 +1,6 @@ -# $NetBSD: Makefile,v 1.133 2017/06/21 15:07:03 taca Exp $ +# $NetBSD: Makefile,v 1.134 2018/04/30 07:56:55 taca Exp $ -DISTNAME= squirrelmail-webmail-1.4.23pre14688 +DISTNAME= squirrelmail-webmail-1.4.23pre14764 PKGNAME= ${DISTNAME:S/-webmail//} CATEGORIES= mail www MASTER_SITES= ${MASTER_SITE_LOCAL} Index: pkgsrc/mail/squirrelmail/distinfo diff -u pkgsrc/mail/squirrelmail/distinfo:1.69 pkgsrc/mail/squirrelmail/distinfo:1.70 --- pkgsrc/mail/squirrelmail/distinfo:1.69 Wed Jun 21 15:07:03 2017 +++ pkgsrc/mail/squirrelmail/distinfo Mon Apr 30 07:56:55 2018 
@@ -1,11 +1,10 @@ -$NetBSD: distinfo,v 1.69 2017/06/21 15:07:03 taca Exp $ +$NetBSD: distinfo,v 1.70 2018/04/30 07:56:55 taca Exp $ -SHA1 (squirrelmail-webmail-1.4.23pre14688.tar.bz2) = 0b094c86464f0a67948191f8daeb62b35024350b -RMD160 (squirrelmail-webmail-1.4.23pre14688.tar.bz2) = 3b3d19bcbd0e3c32983707423d91263e3649f26b -SHA512 (squirrelmail-webmail-1.4.23pre14688.tar.bz2) = ec428f5a77757d29dd0a8f905210e7f9b527e75a549162d9d2ad2ad2fdfed1c9fa4e399433e656065f24a593d76e14c043a34c0c7fffb03943de94505599a1e0 -Size (squirrelmail-webmail-1.4.23pre14688.tar.bz2) = 560901 bytes +SHA1 (squirrelmail-webmail-1.4.23pre14764.tar.bz2) = 9fd0ddfd393be97373d5b839143285527c3cb9c4 +RMD160 (squirrelmail-webmail-1.4.23pre14764.tar.bz2) = 8b40681f8fa0cc9e25282d1215e6b88c2566c73b +SHA512 (squirrelmail-webmail-1.4.23pre14764.tar.bz2) = 391d305184d88f4797ffb2203134bebfcd9327de063510155bc295f8edb1609dc2ea6e0f5e6d6f75e92e7fbfd938804aa0f155857c3c82c6a9f72f21b7ebf5a3 +Size (squirrelmail-webmail-1.4.23pre14764.tar.bz2) = 562786 bytes SHA1 (patch-aa) = 4ba7ea0a85308816b9dc77c0af3c927359ed1275 SHA1 (patch-ab) = 30bf68c730f20e817fbe81d18bc2a95899ee3fd0 -SHA1 (patch-ai) = 1c08904ecf074ff3ba7e6042becc0f0771388b9f +SHA1 (patch-ai) = e1a23673bf19bbbd88b00fb6bab3d6d1c8c11575 SHA1 (patch-ca) = d2e41316b8ecd97b49842eff548219e40e9b163a -SHA1 (patch-class_deliver_Deliver__SendMail.class.php) = 0358ce2445fee73261075226e794054d6ada0150 Index: pkgsrc/mail/squirrelmail/patches/patch-ai diff -u pkgsrc/mail/squirrelmail/patches/patch-ai:1.2 pkgsrc/mail/squirrelmail/patches/patch-ai:1.3 --- pkgsrc/mail/squirrelmail/patches/patch-ai:1.2 Sun Mar 7 03:41:49 2010 +++ pkgsrc/mail/squirrelmail/patches/patch-ai Mon Apr 30 07:56:55 2018 
@@ -1,11 +1,11 @@ -$NetBSD: patch-ai,v 1.2 2010/03/07 03:41:49 taca Exp $ +$NetBSD: patch-ai,v 1.3 2018/04/30 07:56:55 taca Exp $ * Fix encoding problem of attached filenames; convert to Shift_JIS when using Internet Explore in Japanese environment, sigh. ---- functions/mime.php.orig 2010-01-30 16:14:53.000000000 +0000 +--- functions/mime.php.orig 2018-01-16 23:36:07.000000000 +0000 +++ functions/mime.php -@@ -2564,6 +2564,10 @@ function SendDownloadHeaders($type0, $ty +@@ -2589,6 +2589,10 @@ function SendDownloadHeaders($type0, $ty //set all the Cache Control Headers for IE if ($isIE) { $filename=rawurlencode($filename); @@ -15,4 +15,4 @@ $NetBSD: patch-ai,v 1.2 2010/03/07 03:41 + } header ("Pragma: public"); header ("Cache-Control: no-store, max-age=0, no-cache, must-revalidate"); // HTTP/1.1 - header ("Cache-Control: post-check=0, pre-check=0", false); + // does nothing - see: https://blogs.msdn.microsoft.com/ieinternals/2009/07/20/internet-explorers-cache-control-extensions/ --_----------=_152507501549430--
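
Review bot: the Makefile hunk gives no provenance for the new snapshot. DISTNAME moves to squirrelmail-webmail-1.4.23pre14764 while MASTER_SITES stays at ${MASTER_SITE_LOCAL}, so the distinfo checksums are the only reference for what the tarball contains. A comment next to DISTNAME saying where the snapshot was taken from would let someone else rebuild the file and compare it against those checksums.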
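
Review bot: the distinfo hunk drops the "SHA1 (patch-class_deliver_Deliver__SendMail.class.php)" entry without any mention in the log message, and the Modified Files list names only Makefile, distinfo and patch-ai. Please state in the log why that patch is no longer needed (for example, that the new snapshot already carries the change it made) and confirm the file itself is gone from patches/, so that the directory and distinfo stay in agreement.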
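
Review bot: the description at the top of patch-ai (first patch-ai hunk) still reads "Internet Explore"; since the file is being regenerated here anyway, correct it to "Internet Explorer". The second patch-ai hunk changes only the offset (2564 to 2589) and the trailing context line, and the lines the patch inserts after "$filename=rawurlencode($filename);" are not shown in this diff, so the log should say whether the Shift_JIS conversion was re-checked against the new SendDownloadHeaders(), given that the converted filename is sent in a response header.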