[sowood.co.uk #1151] Re: [sowood.co.uk #1150] AutoReply: [SECURITY] [DSA 662-1] New squirrelmail package fixes several vulnerabilities

To: kev@sowood.co.uk, debian-security@lists.debian.org
Subject: [sowood.co.uk #1151] Re: [sowood.co.uk #1150] AutoReply: [SECURITY] [DSA 662-1] New squirrelmail package fixes several vulnerabilities
From: "Tomasz Papszun via RT" <abel@support.sowood.co.uk>
Date: Wed, 2 Feb 2005 16:28:57 +0000 (GMT)
Message-id: <rt-1151-5240.13.1886249225098@sowood.co.uk>
Reply-to: abel@support.sowood.co.uk
In-reply-to: <rt-1151@sowood.co.uk>

On Tue, 01 Feb 2005 at 15:20:36 +0000, Abel wrote:
> This message has been automatically generated in response to the creation of a ticket regarding: "[SECURITY] [DSA 662-1] New squirrelmail package fixes several vulnerabilities"
> 
> There is no need to reply to this message right now. Your ticket has been
> assigned an ID of [sowood.co.uk #1150].
> 
> Please include the string [sowood.co.uk #1150]
> in the subject line of all future correspondence about this issue. You can do
> this by replying to this message.
> 
> Thank you,
> 
> abel@support.sowood.co.uk
> 
> -------------------------------------------------------------------------
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> - --------------------------------------------------------------------------
> Debian Security Advisory DSA 662-1                     security@debian.org
> http://www.debian.org/security/                             Martin Schulze
> February 1st, 2005                      http://www.debian.org/security/faq
> - --------------------------------------------------------------------------
> 
> Package        : squirrelmail
> Vulnerability  : several
> Problem-Type   : remote
> Debian-specific: no
> CVE ID         : CAN-2005-0104 CAN-2005-0152
> Debian Bug     : 292714
> 
> Several vulnerabilities have been discovered in Squirrelmail, a
> commonly used webmail system.  The Common Vulnerabilities and
> Exposures project identifies the following problems:
> 
> CAN-2005-0104
> 
>     Upstream developers noticed that an unsanitised variable could
>     lead to cross site scripting.
> 
> CAN-2005-0152
> 
>     Grant Hollingworth discovered that under certain circumstances URL
>     manipulation could lead to the execution of arbitrary code with
>     the privileges of www-data.  This problem only exists in version
>     1.2.6 of Squirrelmail.
> 
> For the stable distribution (woody) these problems have been fixed in
> version 1.2.6-2.
> 
> For the unstable distribution (sid) the problem that affects unstable
> has been fixed in version 1.4.4-1.
> 
> We recommend that you upgrade your squirrelmail package.
> 
> 
> Upgrade Instructions
> - --------------------
> 
> wget url
>         will fetch the file for you
> dpkg -i file.deb
>         will install the referenced file.
> 
> If you are using the apt-get package manager, use the line for
> sources.list as given below:
> 
> apt-get update
>         will update the internal database
> apt-get upgrade
>         will install corrected packages
> 
> You may use an automated update by adding the resources from the
> footer to the proper configuration.
> 
> 
> Debian GNU/Linux 3.0 alias woody
> - --------------------------------
> 
>   Source archives:
> 
>     http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6-2.dsc
>       Size/MD5 checksum:      646 4900cffd3e5d45735f65c21476efc806
>     http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6-2.diff.gz
>       Size/MD5 checksum:    21204 4614ece547701e83d640b5740bb59d51
>     http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6.orig.tar.gz
>       Size/MD5 checksum:  1856087 be9e6be1de8d3dd818185d596b41a7f1
> 
>   Architecture independent components:
> 
>     http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6-2_all.deb
>       Size/MD5 checksum:  1840668 2d23a6986ab2862bb1acd160b5a2919c
> 
> 
>   These files will probably be moved into the stable distribution on
>   its next update.
> 
> - ---------------------------------------------------------------------------------
> For apt-get: deb http://security.debian.org/ stable/updates main
> For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
> Mailing list: debian-security-announce@lists.debian.org
> Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.5 (GNU/Linux)
> 
> iD8DBQFB/5XHW5ql+IAeqTIRAkpkAKCe9RF1LswG8hauggRbypCgsGxfygCeK10Z
> F2TH29V21YfxpuF3gCLIDxE=
> =KEhs
> -----END PGP SIGNATURE-----
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> 
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> 


Please stop sending automated replies to Debian mailing lists.

-- 
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 tomek@lodz.tpsa.pl http://www.lodz.tpsa.pl/iso/ | ones and zeros.
 tomek@clamav.net   http://www.ClamAV.net/   A GPL virus scanner

Reply to:

Prev by Date: Re: Empty Release.gpg files and Debian Archive key for 2005
Next by Date: [sowood.co.uk #1151] Re: [sowood.co.uk #1150] AutoReply: [SECURITY] [DSA 662-1] New squirrelmail package fixes several vulnerabilities
Previous by thread: Re: Empty Release.gpg files and Debian Archive key for 2005
Next by thread: [sowood.co.uk #1151] Re: [sowood.co.uk #1150] AutoReply: [SECURITY] [DSA 662-1] New squirrelmail package fixes several vulnerabilities
Index(es):
- Date
- Thread