[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DSA 662-2] New squirrelmail package fixes regression

Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 662-2                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
March 14th, 2005                        http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : squirrelmail
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2005-0104 CAN-2005-0152
Debian Bug     : 292714 295836

Andrew Archibald discovered that the last update to squirrelmail which
was intended to fix several problems caused a regression which got
exposed when the user hits a session timeout.  For completeness below
is the original advisory text:

  Several vulnerabilities have been discovered in Squirrelmail, a
  commonly used webmail system.  The Common Vulnerabilities and
  Exposures project identifies the following problems:


      Upstream developers noticed that an unsanitised variable could
      lead to cross site scripting.


      Grant Hollingworth discovered that under certain circumstances URL
      manipulation could lead to the execution of arbitrary code with
      the privileges of www-data.  This problem only exists in version
      1.2.6 of Squirrelmail.

For the stable distribution (woody) these problems have been fixed in
version 1.2.6-3.

The correction in the unstable distribution (sid) is not affected by
this regression.

We recommend that you upgrade your squirrelmail package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

      Size/MD5 checksum:      646 1de7e6666fccf9bec33415a8f087aec6
      Size/MD5 checksum:    21411 ec0e038ffe18e2035fccac02eb31ba21
      Size/MD5 checksum:  1856087 be9e6be1de8d3dd818185d596b41a7f1

  Architecture independent components:

      Size/MD5 checksum:  1840798 13cfdb962ff49d27edee7ec6686a8265

  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

Version: GnuPG v1.4.0 (GNU/Linux)


Reply to: