Your message dated Thu, 28 Dec 2006 17:52:00 +0100
with message-id <[EMAIL PROTECTED]>
and subject line vpopmail removed
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
package: vpopmail-bin
severity: grave
This package still contains an SQL Injection vulnerability that was fixed
in an upstream version on 30-Jun-04.
In all, five new upstream versions were released after 5.4.4 which
contain numerous fixes. Most importantly, upstream version 5.4.6
released on 30-Jun-04 fixes the SQL Injection security vulnerability
(Bugtraq ID 10990 <http://www.securityfocus.com/bid/10990/info/>).
The changelogs for the five new upstream versions are presented here for
your consideration:
5.4.5 released 25-Jun-04
5.4.6 released 30-Jun-04 -- fixes SQL Injection vulnerability
5.4.7 released 23-Sep-04
5.4.8 - released 12-Nov-04
5.4.9 - released 26-Dec-04
The last entry in the Debian changelog for this package is dated 10-Jun-04.
5.4.9 - released 26-Dec-04
Jeremy Kister
- Makefile.am: fix install problem on Solaris. Some .h files
weren't being installed correctly.
Charles Boening
- Fix logging in PostgreSQL.
- Change ENABLE_{MY|PG}SQL_LOGGING to ENABLE_SQL_LOGGING.
- Replace --enable-{my|pg}sql-logging with --enable-sql-logging
in configure options.
Tom Collins
- Tweaking of Charles Boening's changes.
- vchkpw: Fix problem in md5.h causing segfault in SMTP AUTH on
amd64. [964843, 958799]
- vpopmail.h: Add new error and flag defines from 5.5 series.
- vchkpw: log webmail connections as 'vchkpw-webmail'.
- vpopmail.c: fix problem related to sending SIGHUP to qmail-send.
Original problem could cause "Signal 1 caught by ps" error.
5.4.8 - released 12-Nov-2004
Rick Widmer
- vadddomain: Check for existing domain before prompting for
password.
- vdeldomain: Fix uninitialized variable warning.
Tom Collins
- Fix problems with valias code in vmysql.c and vpgsql.c. Storing
aliases in Postgres should work now, and it should fix problems
with processing Maildir valias entries in vdelivermail. [985011,
1024706, 1033801]
- Fix bug in vmoddomlimits that wiped out the Domain Quota
when editing default limits.
- Change columns in Postgres valias table to varchar from char.
See README.pgsql for instructions on fixing existing tables.
- vmoduser: update maildirsize instead of just deleting it when
modifying quota.
- vchkpw: classify POP/IMAP connections from select IPs (defaults
to 127.0.0.1) as webmail and check NO_WEBMAIL user flag instead
of NO_POP and NO_IMAP.
- Update qmail-smtpd-auth patch in contrib to latest (0.5.6).
- Update README.quotas with note about domain quotas not working.
- vpopmail.c: remove unused sys/varargs.h include.
- vdominfo: fix broken -a option.
- vdominfo: better display of real name for alias domains. [981335]
- vpopmail.c: Improved maildir_to_email() function. [953439]
Gentoo Port
- Integrate vuserinfo patch to fix the -a option and to display
the comment/gecos field (used for "real name").
5.4.7 - released 23-Sep-04
Michael Bowe
- Mention in README.mysql that it is possible to create mailboxes
by inserting entries directly into the MySQL table.
Tom Collins
- Don't try to delete dir-control for domain unless users-big-dir
is enabled.
- Verify user exists before trying to set quota in vsetuserquota().
[984698]
- Update cdb/Makefile so you can 'make install' without doing
'make' first.
- Fix size comparisons to MAX_PW_X (should be ">", not ">=").
- Fix possible buffer overflows in vsybase.c.
- Have vconvert reset dir_control and increment it for each user
added when converting from cdb to MySQL.
- If crypt() doesn't support MD5 passwords, fall back to using
a valid, non-MD5 salt even if MD5 passwords are enabled.
- Fix format string vuln. in vactivedir.c (thanks D4rk Eagle).
- Added comment to vqmaillocal.c mentioning that it isn't
maintained and probably doesn't work. Makefile no longer
installs vqmaillocal.
5.4.6 - released 30-Jun-04
[backport from 5.5.0]
- Consolidate table creation code in vmysql.c and vpgsql.c.
- Increase SQL_BUF_SIZE from 600 to 2048 for Oracle, Postgres
and Sybase.
- Multiple fixes to vpgsql.c related to freeing PGresults and
attempting to access NULL PGresults when reporting errors.
* These changes address SQL Injection vulnerability documented in
* Bugtraq ID 10990 <http://www.securityfocus.com/bid/10990/info/>
- Add qnprintf() to vpopmail.c for escaping strings in SQL queries.
- Use qnprintf() when building queries in vmysql.c, vpgsql.c,
voracle.pc, and vsybase.c.
5.4.5 - released 25-Jun-04
fernando (at) telemacro (dot) com (dot) br
- Patch for vpgsql.c fixes bug with Postgres and roaming users
(POP before SMTP). [895501]
Françoi Wautier
- Fix method used to open database in vauth_open_update of
vmysql.c. [967994, 946983]
Pit Palme
- Show 'delete' as valid option to vdelivermail in docs. [951245]
rstml
- Hide error message during POP3 auth with Postgres. [915485]
Tom Collins
- Fix `vuserinfo -l` output, based on Bill Shupp's patch
(moved code to a single function call). [961742]
--- End Message ---
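
The 5.4.6 changelog entry in the message above describes the fix as escaping strings while building SQL queries. The following C code is an added example, not part of the bug report and not vpopmail's qnprintf(); the helper name esc_snprintf, the table and column names, the sample value and the MySQL-style backslash escaping are all assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not vpopmail's qnprintf(): bounded formatter that
 * handles only %s and %%, backslash-escaping ' " and \ in each %s argument
 * (MySQL-style escaping assumed). Returns the length written, or -1 when
 * the result does not fit, so a truncated query is never used. */
int esc_snprintf(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    size_t n = 0;
    int ok = (size > 0);
    va_start(ap, fmt);
    for (; ok && *fmt; fmt++) {
        if (fmt[0] == '%' && fmt[1] == 's') {
            const char *s = va_arg(ap, const char *);
            for (; ok && *s; s++) {
                if (*s == '\'' || *s == '"' || *s == '\\') {
                    if (n + 1 < size) buf[n++] = '\\'; else ok = 0;
                }
                if (ok && n + 1 < size) buf[n++] = *s; else ok = 0;
            }
            fmt++;                       /* skip the 's' */
        } else {
            if (fmt[0] == '%' && fmt[1] == '%') fmt++;  /* "%%" -> "%" */
            if (n + 1 < size) buf[n++] = *fmt; else ok = 0;
        }
    }
    va_end(ap);
    if (size > 0) buf[ok ? n : 0] = '\0';
    return ok ? (int)n : -1;
}

/* Constructed sample value; table and column names are placeholders. */
static const char SAMPLE_USER[] = "O'Brien";
#define QUERY_FMT "SELECT password FROM users WHERE name = '%s'"

/* Before: plain snprintf; the quote in the value ends the literal early. */
int build_unsafe(char *q, size_t n, const char *user) { return snprintf(q, n, QUERY_FMT, user); }
/* After: same format, argument escaped, truncation reported as -1. */
int build_escaped(char *q, size_t n, const char *user) { return esc_snprintf(q, n, QUERY_FMT, user); }

int main(void)
{
    char q[128];
    if (build_unsafe(q, sizeof q, SAMPLE_USER) > 0) puts(q);
    if (build_escaped(q, sizeof q, SAMPLE_USER) > 0) puts(q);
    return 0;
}
```

Escaping rules differ between database back ends and character sets, so the client library's own escaping function or bound parameters avoid maintaining these rules by hand.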
--- Begin Message ---
vpopmail has been removed because it "is buggy and appears
unmaintained".
--
Martin Michlmayr
http://www.cyrius.com/
--- End Message ---