FWD: Squirrelmail XSS + SQL security bug?


Long ago and far away, I sent this message to security@, and a small amount of conversation occurred, but I never heard back from Sam Johnston or Matt Zimmerman (the two parties present in the discussion in addition to myself), and I've sent a total of two messages since then to no avail.  I'm guessing they are both quite busy and unable to get to it, so I thought I would ask here in case the discussion occurred elsewhere and I missed it.

Effectively, I'm questioning the version of squirrelmail included with woody, as it is quite old, and theoretically contains vulnerabilities.  I'd like to know whether it is indeed audited separate from the current, "secure" version of squirrelmail, as I maintain the current version instead of the Debian version --- because the debian version supposedly contains some of the security bugs.


Date: Sat, 22 May 2004 08:13:48 -0700
From: Adam Morley <adam@gmi.com>
To: security@debian.org
Subject: Squirrelmail XSS + SQL security bug?


I noticed recently that squirrelmail released a new version to fix a few bugs in its code base:


But I haven't seen anything from Debian --- and I'm wondering where exactly I should ask the question, "Is Debian's squirrelmail vulnerable to this?"  I noticed a debian-security, but it's listed as a "Developer" mailing list on lists.debian.org, and -user doesn't seem like a place I should go for security information (or is it?).

I read the FAQ, but that wasn't helpful in this case (or maybe I'm missing something!) --- it strikes me that it was not immediately obvious to me, a new user of Debian, where to go to find out about a possible security problem, that may or may not affect Debian.  Am I to always assume the Security Team will never "miss" a security update?  Or is there a forum where this should be directed?

Thanks in advance,


