Re: FWD: Squirrelmail XSS + SQL security bug?

To: "Thijs Kinkhorst" <lists@kinkhorst.com>
Cc: "Jeroen van Wolffelaar" <jeroen@wolffelaar.nl>, squirrelmail@packages.debian.org, debian-security@lists.debian.org, debian-qa@lists.debian.org, kink@squirrelmail.org
Subject: Re: FWD: Squirrelmail XSS + SQL security bug?
From: Roman Medina-Heigl Hernandez <roman@rs-labs.com>
Date: Thu, 29 Jul 2004 11:27:55 +0200
Message-id: <[🔎] 067gg0h3c3tdi9464rh00fuj4kg267j6s4@4ax.com>
In-reply-to: <[🔎] 34439.131.211.225.133.1090520903.squirrel@131.211.225.133>
References: <[🔎] 20040705190523.GB32748@pgw.dmz> <[🔎] 20040705203845.GC1881@alcor.net> <[🔎] 20040706031511.GC4351@pgw.dmz> <[🔎] 29565.194.224.100.28.1089103726.squirrel@194.224.100.28> <[🔎] 20040706092809.GH9109@A-Eskwadraat.nl> <[🔎] 42315.194.224.100.28.1089110841.squirrel@194.224.100.28> <[🔎] 20040706152433.GK9109@A-Eskwadraat.nl> <[🔎] 34439.131.211.225.133.1090520903.squirrel@131.211.225.133>

Hi all. Sorry for my late response. I'm on vacation. Comments inline.

On Thu, 22 Jul 2004 20:28:23 +0200 (CEST), you wrote:

>About security fixes in the SquirrelMail code; SquirrelMail does not (contrary to Roman's standpoint) adhere to a obscurity-policy but in stead openly discloses any security fix in our code. In the changelog and in the announcement of the recent 1.4.3 release it's clearly stated that this closes a security hole. If the Debian project wants to we can of course notify them if we patch something but it is principally their responsibility to monitor our lists, announcements and bugtraq.

I practically agree but I think SquirrelMail's site should have a
"security" section where security announcements could be placed. I
don't like to mix a changelog (which is usually more
development-oriented) with security advisories. In the later anyone
could easily check which version is or not vulnerable to a given or
several bugs in a clear way. Thus I don't consider a changelog to be
sufficient to be considered as "open disclose" compliant. Also, in SM
web version 1.4.3 was announced as security fix in the news section
(which is good), but again news are being rotated and sooner or later
the announcement will disappear (and you're mixing news of different
nature with security stuff). This was (and is) my standpoint.

 Saludos,
 --Roman

--
PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]

Reply to:

Follow-Ups:
- Re: FWD: Squirrelmail XSS + SQL security bug?
  - From: Matt Zimmerman <mdz@debian.org>

References:
- FWD: Squirrelmail XSS + SQL security bug?
  - From: adam-debian-security@gmi.com
- Re: FWD: Squirrelmail XSS + SQL security bug?
  - From: Matt Zimmerman <mdz@debian.org>
- Re: FWD: Squirrelmail XSS + SQL security bug?
  - From: Adam Morley <adam-debian-security@gmi.com>
- Re: FWD: Squirrelmail XSS + SQL security bug?
  - From: Román Medina <roman@rs-labs.com>
- Re: FWD: Squirrelmail XSS + SQL security bug?
  - From: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
- Re: FWD: Squirrelmail XSS + SQL security bug?
  - From: Román Medina <roman@rs-labs.com>
- Re: FWD: Squirrelmail XSS + SQL security bug?
  - From: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
- Re: FWD: Squirrelmail XSS + SQL security bug?
  - From: "Thijs Kinkhorst" <lists@kinkhorst.com>

Prev by Date: Re: JULY 6th Lead Training 3 tips for working leads
Next by Date: Re: [SECURITY] [DSA 532-1] New libapache-mod-ssl packages fix multiple vulnerabilities
Previous by thread: Squirrelmail maint+security (Was: Re: FWD: Squirrelmail XSS + SQL security bug?)
Next by thread: Re: FWD: Squirrelmail XSS + SQL security bug?
Index(es):
- Date
- Thread