File _patchinfo of Package patchinfo.6390

<patchinfo incident="6390">
  <issue id="1024211" tracker="bnc">VUL-0: CVE-2017-5930: PostfixAdmin allows to delete protected aliases</issue>
  <issue id="2017-5930" tracker="cve" />
  <category>security</category>
  <rating>moderate</rating>
  <packager>cboltz</packager>
  <description>
postfixadmin was updated to 3.0.2 to fix the following issues:

- PostfixAdmin 3.0.2:
  - SECURITY: don't allow deleting protected aliases (CVE-2017-5930, boo#1024211)
  - fix VacationHandler for PostgreSQL
  - AliasHandler: restrict mailbox subquery to allowed and specified domains
    to improve performance on setups with lots of mailboxes
  - allow switching between dovecot:* password schemes while still accepting
    passwords hashed using the previous dovecot:* scheme
  - FetchmailHandler: use a valid date as default for 'date'
  - fix date formatting in non-English languages when using PostgreSQL
  - various small fixes

- PostfixAdmin 3.0:
  - add SQLite backend option
  - add configurable SMTP HELO (CONF["smtp_client"])
  - new translation: ro (Romanian)
  - language update: tw, cs, de
  - fix escaping in gen_show_status() (could be used to DoS list-virtual by
    creating a mail address with special chars)
  - add CSRF protection for POST requests
  - list.tpl: base edit/editactive/delete links in list.tpl on $RAW_item to
    avoid double escaping, and fix some corner cases
  - fix db_quota_text() for PostgreSQL (concat() vs. ||)
  - change default date for 'created' and 'updated' columns from 0000-00-00
    (which causes problems with MySQL strict mode) to 2000-01-01
  - allow punycode even in TLDs
  - update Smarty to 3.1.29
  - add checks to login.php and cli to ensure database layout is up to date
  - whitelist '-1' as valid value for postfixadmin-cli
  - don't stripslashes() the password in pacrypt
  - various small bugfixes
</description>
  <summary>Security update for postfixadmin</summary>
</patchinfo>