Bug 226831

Summary: [PATCH] mail/squirrelmail: update to patch security flaw in attachment processing
Product: Ports & Packages
Reporter: Jesse Smith <jsmith>
Component: Individual Port(s)
Assignee: Mathieu Arnold <mat>
Status: Closed FIXED
Severity: Affects Some People
CC: uzsolt
Priority: ---
Flags: uzsolt: maintainer-feedback+, uzsolt: merge-quarterly?
Version: Latest
Hardware: Any
OS: Any
Attachments:
  Update and security fix for squirrelmail (flags: none)
  Update to 20180404, fix CVE (flags: uzsolt: maintainer-approval+)

Description Jesse Smith 2018-03-21 17:46:46 UTC
Created attachment 191714
Update and security fix for squirrelmail

The Squirrelmail (mail/squirrelmail) port contains a security flaw which could allow users to access files on the server's file system. See CVE-2018-8741 discussed here: http://www.openwall.com/lists/oss-security/2018/03/17/2

The attached patch updates the Squirrelmail port to address the security hole. Basically it just includes the new patch provided by Openwall and bumps the port's revision number.
Comment 1 Zsolt Udvari freebsd_committer freebsd_triage 2018-03-21 17:55:13 UTC
I think this patch is correct. Thanks for your work!
Comment 2 Jesse Smith 2018-03-21 18:16:13 UTC
(In reply to Zsolt Udvari from comment #1)

My pleasure. I've now tested the patched package on two servers and it's working ok for me.
Comment 3 Zsolt Udvari freebsd_committer freebsd_triage 2018-04-04 07:38:26 UTC
Created attachment 192200
Update to 20180404, fix CVE

The squirrelmail codebase is updated, see https://sourceforge.net/p/squirrelmail/code/14751 .
Comment 4 Zsolt Udvari freebsd_committer freebsd_triage 2018-04-04 07:39:29 UTC
Comment on attachment 191714
Update and security fix for squirrelmail

The newer patch obsoletes this.
Comment 5 commit-hook freebsd_committer freebsd_triage 2018-05-03 12:43:05 UTC
A commit references this bug:

Author: mat
Date: Thu May  3 12:42:48 UTC 2018
New revision: 468923
URL: https://svnweb.freebsd.org/changeset/ports/468923

Log:
  Update to 20180404.

  PR:		226831
  Submitted by:	maintainer
  MFH:		2018Q2
  Security:	CVE-2018-8741
  Sponsored by:	Absolight

Changes:
  head/mail/squirrelmail/Makefile
  head/mail/squirrelmail/distinfo
Comment 6 commit-hook freebsd_committer freebsd_triage 2018-05-07 10:48:10 UTC
A commit references this bug:

Author: mat
Date: Mon May  7 10:47:30 UTC 2018
New revision: 469283
URL: https://svnweb.freebsd.org/changeset/ports/469283

Log:
  MFH: r468923

  Update to 20180404.

  PR:		226831
  Submitted by:	maintainer
  Security:	CVE-2018-8741
  Sponsored by:	Absolight

Changes:
_U  branches/2018Q2/
  branches/2018Q2/mail/squirrelmail/Makefile
  branches/2018Q2/mail/squirrelmail/distinfo