Re: FWD: Squirrelmail XSS + SQL security bug?

On Mon, Jul 05, 2004 at 12:05:23PM -0700, adam-debian-security@gmi.com wrote:

> Long ago and far away, I sent this message to security@, and a small
> amount of conversation occurred, but I never heard back from Sam Johnston
> or Matt Zimmerman (the two parties present in the discussion in addition
> to myself), and I've sent a total of two messages since then to no avail.
> I'm guessing they are both quite busy and unable to get to it, so I
> thought I would ask here in case the discussion occurred elsewhere and I
> missed it.

You did receive responses.  In fact, I have in front of me right now a
copy of a message from you where you quote _both_ my reply and Sam
Johnston's.  What would you hope to gain by misrepresenting the situation?

> Effectively, I'm questioning the version of squirrelmail included with
> woody, as it is quite old, and theoretically contains vulnerabilities.

Debian's stable release is quite old, and there is nothing that the Security
Team can do about that.  Let's confine our discussion to vulnerabilities.

> I'd like to know whether it is indeed audited separate from the current,
> "secure" version of squirrelmail, as I maintain the current version
> instead of the Debian version --- because the debian version supposedly
> contains some of the security bugs.

Refer to DSA 191-1, DSA 191-2 and DSA 220-1 for examples of past bugs fixed
in the squirrelmail package in woody.  Let me assure you, it is no pleasure
to support a project like squirrelmail, where new cross-site scripting bugs
are discovered on a regular basis (the past three release announcements
mention XSS bugs), and at least one of the upstream developers (Marc Groot
Koercamp) demonstrates outright hostility toward the Security Team's efforts
to support squirrelmail for Debian users.

It is very time-consuming work to assess these vulnerabilities and backport
fixes for them.  When the upstream developers refuse to provide details of
the vulnerabilities, and instead try to force a new upstream release on us,
this creates _much_ more work for the security team, who are already
overloaded volunteers.  The fact that the squirrelmail 1.4.3 release turned
out to have a critical bug which caused it to be recalled by the developers
further emphasizes the problems with upstream's security procedures.

If anyone can provide precise details of the vulnerabilities fixed in
1.4.3-RC1, 1.4.3 and 1.4.3a (yes, all three are said to have contained some
unknown number of security fixes to unknown parts of the code), or convince
squirrelmail upstream to provide such details, then that would provide some
hope for its support in Debian stable.

 - mdz