Squirrelmail archive compromission and version 1.4.9a-2 (in etch)

To: debian-security@lists.debian.org
Subject: Squirrelmail archive compromission and version 1.4.9a-2 (in etch)
From: Emmanuel Halbwachs <Emmanuel.Halbwachs@obspm.fr>
Date: Mon, 17 Dec 2007 17:52:02 +0100
Message-id: <[🔎] 20071217165202.GT3954@sioling.obspm.fr>

Hello everybody,

We run squirrelmail as our production webmail for ~ 1k users.

Now we can see that the squirrelmail team has discovered that 1.4.11
have also been compromised.

A colleague on another list points out the fact that they have removed
from the download archive all versions from 1.4.9 to 1.4.12.

If there is suspicion on 1.4.9, I guess we can suspect the version
currently in etch.

Can somebody (maybe Thijs Kinkhorst who is a Debian Developper and
apparently member of the squirrelmail team) enlight us on this subject,
please?

TIA,


-- 
Emmanuel Halbwachs
Resp. Réseau/Sécurité                    Observatoire de Paris-Meudon
tel      : (+33)1 45 07 75 54                   5 Place Jules Janssen
fax      : (+33)1 45 07 76 13                    F 92195 MEUDON CEDEX

Reply to:

Follow-Ups:
- Re: Squirrelmail archive compromission and version 1.4.9a-2 (in etch)
  - From: Nico Golde <debian-security+ml@ngolde.de>

Prev by Date: PCI vulnerability scan - PHP4 on Sarge
Next by Date: Re: large campus network ... sugestions
Previous by thread: Re: PCI vulnerability scan - PHP4 on Sarge
Next by thread: Re: Squirrelmail archive compromission and version 1.4.9a-2 (in etch)
Index(es):
- Date
- Thread