[Bug 446838] Re: Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier
** Changed in: squirrelmail (Ubuntu Dapper) Status: Incomplete => Won't Fix -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/446838 Title: Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/squirrelmail/+bug/446838/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 446838] Re: Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier
** Tags added: patch patch-needswork
[Bug 446838] Re: Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier
Unsubscribing ubuntu-security-sponsors. Based on earlier comments, the Dapper patch needs more work and testing. Leonel, please resubscribe ubuntu-security-sponsors and set the status to 'NEW' when the changes are complete. Thanks!
[Bug 446838] Re: Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier
Since all momentum was lost on this bug wrt intrepid and jaunty, I rechecked the debdiff between hardy and intrepid and hardy and jaunty and there are only whitespace changes. Being in universe and no bugs were filed against the hardy update, I am copying this over now.

** Tags removed: verification-needed
** Changed in: squirrelmail (Ubuntu Dapper) Assignee: (unassigned) => Leonel Nunez (leonelnunez)
[Bug 446838] Re: Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier
This bug was fixed in the package squirrelmail - 2:1.4.15-4ubuntu0.3

---
squirrelmail (2:1.4.15-4ubuntu0.3) jaunty-security; urgency=low

  * SECURITY UPDATE: (LP: #446838)
  * Multiple cross-site request forgery (CSRF) in all forms submissions
  * edited: src/addrbook_search_html.php,src/addressbook.php,src/compose.php
    src/folders_create.php,src/folders_delete.php,src/folders.php,
    src/folders_rename_do.php,src/folders_rename_getname.php,
    src/folders_subscribe.php,functions/forms.php,
    functions/mailbox_display.php,src/move_messages.php,
    src/options_highlight.php,src/options_identities.php,
    src/options_order.php,src/options.php,src/search.php,
    functions/strings.php,src/vcard.php
  * Fixes : CVE-2009-2964
    - http://www.squirrelmail.org/security/issue/2009-08-12
    - patches taken from upstream rev 13818
    - patches applied inline

 -- Leonel Nunez  Sat, 10 Oct 2009 19:30:41 -0600
[Bug 446838] Re: Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier
This bug was fixed in the package squirrelmail - 2:1.4.15-3ubuntu0.4

---
squirrelmail (2:1.4.15-3ubuntu0.4) intrepid-security; urgency=low

  * SECURITY UPDATE: (LP: #446838)
  * Multiple cross-site request forgery (CSRF) in all forms submissions
  * edited: src/addrbook_search_html.php,src/addressbook.php,src/compose.php
    src/folders_create.php,src/folders_delete.php,src/folders.php,
    src/folders_rename_do.php,src/folders_rename_getname.php,
    src/folders_subscribe.php,functions/forms.php,
    functions/mailbox_display.php,src/move_messages.php,
    src/options_highlight.php,src/options_identities.php,
    src/options_order.php,src/options.php,src/search.php,
    functions/strings.php,src/vcard.php
  * Fixes : CVE-2009-2964
    - http://www.squirrelmail.org/security/issue/2009-08-12
    - patches taken from upstream rev 13818
    - patches applied inline

 -- Leonel Nunez  Sun, 11 Oct 2009 21:33:16 -0600

** Changed in: squirrelmail (Ubuntu Intrepid) Status: Fix Committed => Fix Released
** Changed in: squirrelmail (Ubuntu Jaunty) Status: Fix Committed => Fix Released
[Bug 446838] Re: Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier
Hardy and Karmic copied. Leaving the verification-needed tag for Intrepid and Jaunty. Can someone please test Jaunty and Intrepid?
[Bug 446838] Re: Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier
This bug was fixed in the package squirrelmail - 2:1.4.13-2ubuntu1.5

---
squirrelmail (2:1.4.13-2ubuntu1.5) hardy-security; urgency=low

  * SECURITY UPDATE: (LP: #446838)
  * Multiple cross-site request forgery (CSRF) in all forms submissions
  * edited: src/addrbook_search_html.php,src/addressbook.php,src/compose.php
    src/folders_create.php,src/folders_delete.php,src/folders.php,
    src/folders_rename_do.php,src/folders_rename_getname.php,
    src/folders_subscribe.php,functions/forms.php,
    functions/mailbox_display.php,src/move_messages.php,
    src/options_highlight.php,src/options_identities.php,
    src/options_order.php,src/options.php,src/search.php,
    functions/strings.php,src/vcard.php
  * Fixes : CVE-2009-2964
    - http://www.squirrelmail.org/security/issue/2009-08-12
    - patches taken from upstream rev 13818
    - patches applied inline

 -- Leonel Nunez  Sun, 11 Oct 2009 06:41:56 -0600
[Bug 446838] Re: Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier
This bug was fixed in the package squirrelmail - 2:1.4.19-1ubuntu0.1

---
squirrelmail (2:1.4.19-1ubuntu0.1) karmic-security; urgency=low

  * SECURITY UPDATE: (LP: #446838)
  * Multiple cross-site request forgery (CSRF) in all forms submissions
  * edited: src/addrbook_search_html.php,src/addressbook.php,src/compose.php
    src/folders_create.php,src/folders_delete.php,src/folders.php,
    src/folders_rename_do.php,src/folders_rename_getname.php,
    src/folders_subscribe.php,functions/forms.php,
    functions/mailbox_display.php,src/move_messages.php,
    src/options_highlight.php,src/options_identities.php,
    src/options_order.php,src/options.php,src/search.php,
    functions/strings.php,src/vcard.php
  * Fixes : CVE-2009-2964
    - http://www.squirrelmail.org/security/issue/2009-08-12
    - patches taken from upstream rev 13818
    - patches applied inline

 -- Leonel Nunez  Sun, 11 Oct 2009 19:18:52 -0600

** Changed in: squirrelmail (Ubuntu Karmic) Status: Fix Committed => Fix Released
** Changed in: squirrelmail (Ubuntu Hardy) Status: Fix Committed => Fix Released
[Bug 446838] Re: Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier
I can confirm that squirrelmail appears to be working from karmic-proposed.

** Changed in: squirrelmail (Ubuntu Hardy) Status: Confirmed => Fix Committed
[Bug 446838] Re: Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier
Can now confirm that the Hardy package is working.

** Changed in: squirrelmail (Ubuntu Hardy) Status: Incomplete => Confirmed
[Bug 446838] Re: Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier
Can someone comment on whether these packages fix the problem and still generally work? These packages cannot be copied to -security until people verify they work for each release.
[Bug 446838] Re: Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier
Stian, can you give more information, including versions and what "does not work" for you?

** Changed in: squirrelmail (Ubuntu Hardy) Status: Fix Committed => Incomplete
[Bug 446838] Re: Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier
** Branch linked: lp:ubuntu/hardy-proposed/squirrelmail
** Branch linked: lp:ubuntu/intrepid-proposed/squirrelmail
** Branch linked: lp:ubuntu/jaunty-proposed/squirrelmail
** Branch linked: lp:ubuntu/karmic-proposed/squirrelmail
[Bug 446838] Re: Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier
It seems that the patch to hardy does not work.
[Bug 446838] Re: Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier
Leonel, for karmic I needed to update the distribution to karmic-security and adjust the version to use ubuntu0.1. At this point, the packages in -proposed need to be tested and commented on here. This bug will follow the standard https://wiki.ubuntu.com/StableReleaseUpdates from this point forward.
[Bug 446838] Re: Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier
Pocket copied squirrelmail on Karmic to proposed. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

** Changed in: squirrelmail (Ubuntu Karmic) Status: In Progress => Fix Committed
[Bug 446838] Re: Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier
Karmic uploaded to https://launchpad.net/~ubuntu-security-proposed/+archive/ppa/+packages.

** Changed in: squirrelmail (Ubuntu Karmic) Status: Confirmed => In Progress
[Bug 446838] Re: Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier
ACK'd

** Changed in: squirrelmail (Ubuntu Karmic) Assignee: Leonel Nunez (leonelnunez) => (unassigned)
[Bug 446838] Re: Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier
ACK'd

** Changed in: squirrelmail (Ubuntu Karmic) Status: New => Confirmed
Re: [Bug 446838] Re: Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier
> Leonel, you get to be the first person to take part in the new
> https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue process.

Great! What's next?

--
Leonel Nunez
http://enelserver.com
http://enelserver.com/leonel/
[Bug 446838] Re: Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier
new karmic debdiff with the missing parts added

** Attachment added: "Karmic DebDiff" http://launchpadlibrarian.net/36706271/sqkarmic.debdiff
** Changed in: squirrelmail (Ubuntu Karmic) Status: Incomplete => New
[Bug 446838] Re: Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier
To ubuntu-sru: if this passes the verification process, please also pocket copy to -security. Thanks!
[Bug 446838] Re: Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier
Pasted a little too much in that last comment... The packages are ready to test now.
[Bug 446838] Re: Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier
Pocket copied squirrelmail for Hardy - Jaunty to proposed. The package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

** Changed in: squirrelmail (Ubuntu Hardy) Status: In Progress => Fix Committed
** Changed in: squirrelmail (Ubuntu Intrepid) Status: In Progress => Fix Committed
** Changed in: squirrelmail (Ubuntu Jaunty) Status: In Progress => Fix Committed
** Tags removed: security-verification
** Tags added: verification-needed
[Bug 446838] Re: Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier
Because this is a large patch, I am going to have it go through -proposed for wider testing. I'll update the bug accordingly after it finishes building in the ubuntu-security-proposed PPA.
[Bug 446838] Re: Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier
Hardy - Jaunty uploaded to https://launchpad.net/~ubuntu-security-proposed/+archive/ppa/+packages.

** Changed in: squirrelmail (Ubuntu Intrepid) Status: Confirmed => In Progress
** Changed in: squirrelmail (Ubuntu Jaunty) Status: Confirmed => In Progress
** Changed in: squirrelmail (Ubuntu Hardy) Status: Confirmed => In Progress
[Bug 446838] Re: Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier
The karmic debdiff is missing a portion of the patch to src/compose.php. Please review the whole patch, and when ready, attach a new debdiff to this bug and set the Karmic task to 'New'. Thanks!

** Changed in: squirrelmail (Ubuntu Karmic) Status: In Progress => Incomplete
** Changed in: squirrelmail (Ubuntu Karmic) Assignee: (unassigned) => Leonel Nunez (leonelnunez)
[Bug 446838] Re: Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier
Jaunty ACK'd

** Changed in: squirrelmail (Ubuntu Jaunty) Status: In Progress => Confirmed
** Tags added: security-verification
[Bug 446838] Re: Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier
Intrepid ACK'd

** Changed in: squirrelmail (Ubuntu Intrepid) Status: In Progress => Confirmed
[Bug 446838] Re: Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier
Hardy ACK'd

** Changed in: squirrelmail (Ubuntu Hardy) Status: In Progress => Confirmed
[Bug 446838] Re: Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier
Leonel, you get to be the first person to take part in the new https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue process.
[Bug 446838] Re: Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier
** Changed in: squirrelmail (Ubuntu Lucid) Status: Fix Released => Fix Committed
** Changed in: squirrelmail (Ubuntu Lucid) Status: Fix Committed => Fix Released
[Bug 446838] Re: Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier
After patching, built and created the packages. Tested the packages for some hours on a test server and no problems or regressions were found. For the dapper version I could not apply 2 patches.

** Changed in: squirrelmail (Ubuntu Dapper) Status: Incomplete => In Progress
** Changed in: squirrelmail (Ubuntu Hardy) Status: Incomplete => In Progress
** Changed in: squirrelmail (Ubuntu Intrepid) Status: Incomplete => In Progress
** Changed in: squirrelmail (Ubuntu Jaunty) Status: Incomplete => In Progress
** Changed in: squirrelmail (Ubuntu Karmic) Status: Incomplete => In Progress
** Changed in: squirrelmail (Ubuntu Dapper) Status: In Progress => Incomplete
[Bug 446838] Re: Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier
Leonel,

Thanks for the debdiffs and your hard work on this! Can you please detail the testing performed as Marc requested? Once this is done we can process your debdiffs. Marking Incomplete for now; please set back to 'In Progress' after you detail your testing. Thanks again!

** Also affects: squirrelmail (Ubuntu Hardy) Importance: Undecided Status: New
** Also affects: squirrelmail (Ubuntu Lucid) Importance: Undecided Status: In Progress
** Also affects: squirrelmail (Ubuntu Karmic) Importance: Undecided Status: New
** Also affects: squirrelmail (Ubuntu Dapper) Importance: Undecided Status: New
** Also affects: squirrelmail (Ubuntu Jaunty) Importance: Undecided Status: New
** Also affects: squirrelmail (Ubuntu Intrepid) Importance: Undecided Status: New
** Changed in: squirrelmail (Ubuntu Lucid) Status: In Progress => Fix Released
** Changed in: squirrelmail (Ubuntu Lucid) Importance: Undecided => High
** Changed in: squirrelmail (Ubuntu Dapper) Status: New => Incomplete
** Changed in: squirrelmail (Ubuntu Dapper) Importance: Undecided => High
** Changed in: squirrelmail (Ubuntu Hardy) Status: New => Incomplete
** Changed in: squirrelmail (Ubuntu Hardy) Importance: Undecided => High
** Changed in: squirrelmail (Ubuntu Intrepid) Status: New => Incomplete
** Changed in: squirrelmail (Ubuntu Intrepid) Importance: Undecided => High
** Changed in: squirrelmail (Ubuntu Jaunty) Status: New => Incomplete
** Changed in: squirrelmail (Ubuntu Jaunty) Importance: Undecided => High
** Changed in: squirrelmail (Ubuntu Karmic) Status: New => Incomplete
** Changed in: squirrelmail (Ubuntu Karmic) Importance: Undecided => High
[Bug 446838] Re: Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier
Thanks for the debdiffs. The patch is quite big, please describe the testing that was performed on each release.

** Changed in: squirrelmail (Ubuntu) Assignee: Marc Deslauriers (mdeslaur) => (unassigned)
[Bug 446838] Re: Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier
** Changed in: squirrelmail (Ubuntu) Status: Confirmed => In Progress
** Changed in: squirrelmail (Ubuntu) Assignee: Leonel Nunez (leonelnunez) => Marc Deslauriers (mdeslaur)
[Bug 446838] Re: Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier
Dapper debdiff: package builds, installs and worked fine.

The patch to search.php line 240 has no place to patch.
http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/src/search.php?r1=13818&r2=13817&pathrev=13818

And compose.php line 1032 introduces an error when replying, replying to all, or forwarding messages. Left this line unpatched.
http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/src/compose.php?r1=13818&r2=13817&pathrev=13818

** Attachment added: "Dapper DebDiff" http://launchpadlibrarian.net/33547315/dapper.debdiff
[Bug 446838] Re: Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier
intrepid debdiff: package builds, installs and works.

** Attachment added: "intrepid debdiff" http://launchpadlibrarian.net/33474349/intrepid.debdiff
[Bug 446838] Re: Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier
karmic debdiff: package builds, installs and works fine.

** Attachment added: "karmic debdiff" http://launchpadlibrarian.net/33470770/karmic.debdiff
[Bug 446838] Re: Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier
Hardy DebDiff: package builds, installs and works.

** Attachment added: "hardy deb diff" http://launchpadlibrarian.net/33445659/hardy.debdiff
[Bug 446838] Re: Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier
jaunty debdiff: package builds, installs and works. Working on the intrepid, hardy, dapper. I guess I must include Karmic too?

** Attachment added: "Jaunty Debdiff" http://launchpadlibrarian.net/33428968/sqjaunty.debdiff
[Bug 446838] Re: Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier
It's a long patch... working on it.

** Changed in: squirrelmail (Ubuntu) Assignee: (unassigned) => Leonel Nunez (leonelnunez)
[Bug 446838] Re: Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier
Thank you for using Ubuntu and taking the time to report a bug. This package is in universe and is community supported. If you are able, perhaps you could prepare debdiffs to fix this by following https://wiki.ubuntu.com/SecurityUpdateProcedures.

** Visibility changed to: Public
** Changed in: squirrelmail (Ubuntu) Status: New => Confirmed