From dfce8fcec67bf7d756908cb15d143294fb986479 Mon Sep 17 00:00:00 2001 From: kink Date: Mon, 30 Jan 2006 10:08:38 +0000 Subject: [PATCH 1/1] document cve's git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@10614 7612ce4b-ef26-0410-bec9-ea0150e637f0 --- ChangeLog | 7 +++++-- ReleaseNotes | 3 +++ 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index a6d37438..6acfc9ab 100644 --- a/ChangeLog +++ b/ChangeLog @@ -511,14 +511,17 @@ Version 1.5.1 -- CVS - Fixed character wrapping/encoding issues in Japanese translation (#1377622). Issue is specific to sqBodyWrap() and string function wrappers introduced in 1.5.1. - - MagicHTML fix for comments in styles. + - Security: MagicHTML fix for comments in styles which allowed + for cross site scripting when using Internet Explorer + [CVE-2006-0195]. - Added 'mail' and 'sn' attributes to address book LDAP backend search expression (#1368154). - Added mailbox caching code by Michael Long. - Prevent output of whitespace during plugin activation. Fixes possible attachment corruption by incorrectly coded plugins. - Fixed data sanitizing in calendar plugin (#1291081)(#705796). - - Prohibit imap injection attempts (reported by Vicente Aguilera) + - Security: Prohibit imap injection attempts (reported by Vicente Aguilera) + [CVE-2006-0377]. - Don't move messages in sqimap_msgs_list_move() function call, when target mailbox is same as source mailbox. Adds fifth argument to sqimap_msgs_list_move() function. Fixes possible issues on MacOS Cyrus diff --git a/ReleaseNotes b/ReleaseNotes index 3863ea32..bbb0d15d 100644 --- a/ReleaseNotes +++ b/ReleaseNotes 
@@ -64,6 +64,9 @@ release: CVE-2005-0104 - Possible XSS issues in src/webmail.php. CVE-2005-1769 - Several cross site scripting (XSS) attacks. CVE-2005-2095 - Extraction of all POST variables in advanced identity code. + CVE-2006-0188 - Possible XSS through right_frame parameter in webmail.php. + CVE-2006-0195 - Possible XSS in MagicHTML, IE only. + CVE-2006-0377 - IMAP injection in sqimap_mailbox_select mailbox parameter. If you use SquirrelMail 1.5.0, you should upgrade to 1.5.1 or downgrade to latest stable SquirrelMail version. -- 2.25.1
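Review bot: In the ChangeLog hunk (@@ -511,14 +511,17 @@), only the MagicHTML and IMAP injection entries gain a "Security:" prefix and a CVE tag, while the ReleaseNotes hunk of the same patch also lists CVE-2006-0188 for the right_frame parameter in webmail.php. No ChangeLog line visible here carries that id, so please confirm the right_frame fix entry elsewhere in ChangeLog is tagged "Security: ... [CVE-2006-0188]" in the same style, or add it in this commit so the two files agree. Minor style points in the same hunk: "imap injection" is lowercase here but "IMAP injection" in ReleaseNotes, and "cross site scripting" could be followed by "(XSS)" as in the CVE-2005-1769 line so a search for either term finds the entry.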
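Review bot: In the ReleaseNotes hunk (@@ -64,6 +64,9 @@), the CVE-2006-0377 line names the function as "sqimap_mailbox_select" without parentheses, whereas the ChangeLog writes functions as sqBodyWrap() and sqimap_msgs_list_move(); suggest "sqimap_mailbox_select() mailbox parameter" for consistency. The CVE-2006-0195 line abbreviates to "IE only" while the matching ChangeLog entry spells out "Internet Explorer"; using the full name in both places reads better in release notes. The CVE-2006-0188 line gives the path as "webmail.php" where the existing CVE-2005-0104 line uses "src/webmail.php"; using the same path form keeps the list uniform.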