package: vpopmail-bin
severity: grave
This package still contains an SQL Injection vulnerability that was fixed
in an upstream version on 30-Jun-04.
In all, five new upstream versions were released after 5.4.4 which
contain numerous fixes. Most importantly, upstream version 5.4.6
released on 30-Jun-04 fixes the SQL Injection security vulnerability
(Bugtraq ID 10990 http://www.securityfocus.com/bid/10990/info/).
The changelogs for the five new upstream versions are presented here for
your consideration:
5.4.5 - released 25-Jun-04
5.4.6 - released 30-Jun-04 -- fixes SQL Injection vulnerability
5.4.7 - released 23-Sep-04
5.4.8 - released 12-Nov-04
5.4.9 - released 26-Dec-04
The last entry in the Debian changelog for this package is dated 10-Jun-04.
5.4.9 - released 26-Dec-04
Jeremy Kister
- Makefile.am: fix install problem on Solaris. Some .h files
weren't being installed correctly.
Charles Boening
- Fix logging in PostgreSQL.
- Change ENABLE_{MY|PG}SQL_LOGGING to ENABLE_SQL_LOGGING.
- Replace --enable-{my|pg}sql-logging with --enable-sql-logging
in configure options.
Tom Collins
- Tweaking of Charles Boening's changes.
- vchkpw: Fix problem in md5.h causing segfault in SMTP AUTH on
amd64. [964843, 958799]
- vpopmail.h: Add new error and flag defines from 5.5 series.
- vchkpw: log webmail connections as 'vchkpw-webmail'.
- vpopmail.c: fix problem related to sending SIGHUP to qmail-send.
Original problem could cause Signal 1 caught by ps error.
5.4.8 - released 12-Nov-2004
Rick Widmer
- vadddomain: Check for existing domain before prompting for
password.
- vdeldomain: Fix uninitialized variable warning.
Tom Collins
- Fix problems with valias code in vmysql.c and vpgsql.c. Storing
aliases in Postgres should work now, and it should fix problems
with processing Maildir valias entries in vdelivermail. [985011,
1024706, 1033801]
- Fix bug in vmoddomlimits that wiped out the Domain Quota
when editing default limits.
- Change columns in Postgres valias table to varchar from char.
See README.pgsql for instructions on fixing existing tables.
- vmoduser: update maildirsize instead of just deleting it when
modifying quota.
- vchkpw: classify POP/IMAP connections from select IPs (defaults
to 127.0.0.1) as webmail and check NO_WEBMAIL user flag instead
of NO_POP and NO_IMAP.
- Update qmail-smtpd-auth patch in contrib to latest (0.5.6).
- Update README.quotas with note about domain quotas not working.
- vpopmail.c: remove unused sys/varargs.h include.
- vdominfo: fix broken -a option.
- vdominfo: better display of real name for alias domains. [981335]
- vpopmail.c: Improved maildir_to_email() function. [953439]
Gentoo Port
- Integrate vuserinfo patch to fix the -a option and to display
the comment/gecos field (used for real name).
5.4.7 - released 23-Sep-04
Michael Bowe
- Mention in README.mysql that it is possible to create mailboxes
by inserting entries directly into the MySQL table.
Tom Collins
- Don't try to delete dir-control for domain unless users-big-dir
is enabled.
- Verify user exists before trying to set quota in vsetuserquota().
[984698]
- Update cdb/Makefile so you can 'make install' without doing
'make' first.
- Fix size comparisons to MAX_PW_X (should be , not =).
- Fix possible buffer overflows in vsybase.c.
- Have vconvert reset dir_control and increment it for each user
added when converting from cdb to MySQL.
- If crypt() doesn't support MD5 passwords, fall back to using
a valid, non-MD5 salt even if MD5 passwords are enabled.
- Fix format string vuln. in vactivedir.c (thanks D4rk Eagle).
- Added comment to vqmaillocal.c mentioning that it isn't
maintained and probably doesn't work. Makefile no longer
installs vqmaillocal.
5.4.6 - released 30-Jun-04
[backport from 5.5.0]
- Consolidate table creation code in vmysql.c and vpgsql.c.
- Increase SQL_BUF_SIZE from 600 to 2048 for Oracle, Postgres
and Sybase.
- Multiple fixes to vpgsql.c related to freeing PGresults and
attempting to access NULL PGresults when reporting errors.
* These changes address SQL Injection vulnerability documented in
* Bugtraq ID 10990 http://www.securityfocus.com/bid/10990/info/
- Add qnprintf() to vpopmail.c for escaping strings in SQL queries.
- Use qnprintf() when building queries in vmysql.c, vpgsql.c,
voracle.pc, and vsybase.c.
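The 5.4.6 entry above describes the shape of the fix: an escaping helper (qnprintf()) applied to every string operand before it is formatted into a fixed-size SQL buffer. The following C program is an added illustration of that pattern and is not vpopmail's code; qnprintf() itself is not shown on this page, so a stand-in escaper named sql_escape() is assumed, and the table and column names (vpopmail, pw_name, pw_passwd) and the SQL_BUF_SIZE value of 600 are taken from the changelog only as illustrative values. It builds the same query the pre-fix way and the post-fix way from a user name containing an apostrophe, and counts the literal delimiters so the difference is visible: the unescaped query has a third, stray quote; the escaped one has exactly two.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Illustrative buffer size; the changelog raised vpopmail's own value. */
#define SQL_BUF_SIZE 600

/* Stand-in for an escaping helper (assumption: NOT vpopmail's qnprintf()).
 * Backslash-escapes single quotes and backslashes, MySQL-style.
 * Returns bytes written (excluding NUL), or -1 if the result would not fit. */
static int sql_escape(char *dst, size_t dstsize, const char *src)
{
    size_t n = 0;
    for (; *src; src++) {
        int special = (*src == '\'' || *src == '\\');
        size_t need = special ? 2 : 1;
        if (n + need >= dstsize)      /* keep room for the terminating NUL */
            return -1;
        if (special)
            dst[n++] = '\\';
        dst[n++] = *src;
    }
    dst[n] = '\0';
    return (int)n;
}

/* Pre-fix pattern: the untrusted name is formatted straight into the query.
 * Returns query length, or -1 if the query was truncated. */
int build_query_unsafe(char *out, size_t outsize, const char *user)
{
    int len = snprintf(out, outsize,
        "SELECT pw_passwd FROM vpopmail WHERE pw_name = '%s'", user);
    if (len < 0 || (size_t)len >= outsize)
        return -1;
    return len;
}

/* Post-fix pattern: escape each string operand, then format, then check
 * that nothing was truncated before the query is ever sent. */
int build_query_safe(char *out, size_t outsize, const char *user)
{
    char esc[SQL_BUF_SIZE];
    if (sql_escape(esc, sizeof esc, user) < 0)
        return -1;
    int len = snprintf(out, outsize,
        "SELECT pw_passwd FROM vpopmail WHERE pw_name = '%s'", esc);
    if (len < 0 || (size_t)len >= outsize)
        return -1;
    return len;
}

/* Count unescaped single quotes in a query. A query with exactly one
 * string literal must contain exactly two; anything else means the
 * operand broke out of its literal. */
int count_literal_delimiters(const char *q)
{
    int count = 0;
    for (; *q; q++) {
        if (*q == '\\' && q[1]) {     /* skip the escaped character */
            q++;
            continue;
        }
        if (*q == '\'')
            count++;
    }
    return count;
}

int main(void)
{
    char q[SQL_BUF_SIZE];
    const char *name = "o'brien";     /* constructed sample input */

    if (build_query_unsafe(q, sizeof q, name) > 0)
        printf("unsafe: %s  (delimiters=%d)\n", q, count_literal_delimiters(q));
    if (build_query_safe(q, sizeof q, name) > 0)
        printf("safe:   %s  (delimiters=%d)\n", q, count_literal_delimiters(q));
    return 0;
}
```

The stand-in escaper is enough to show the idea, but in real code the database client's own routine (mysql_real_escape_string() for MySQL, PQescapeStringConn() for PostgreSQL, which doubles quotes rather than backslashing them) or a parameterized query should do this job, because the correct escaping rules depend on the server and its connection settings. The truncation check on snprintf()'s return value matters for the same reason the 5.4.6 entry enlarges SQL_BUF_SIZE: a silently cut-off query is a malformed query.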
5.4.5 - released 25-Jun-04
fernando (at) telemacro (dot) com (dot) br
- Patch for vpgsql.c fixes bug with Postgres and roaming users
(POP before SMTP). [895501]
Françoi Wautier
- Fix method used to open database in vauth_open_update of
vmysql.c. [967994, 946983]
Pit Palme
- Show 'delete' as valid option to vdelivermail in docs. [951245]