
Re: FWD: Squirrelmail XSS + SQL security bug?

I've done a squirrelmail NMU in fruitful cooperation with one of the
upstream squirrelmail maintainers, former stable release manager Thijs
Kinkhorst, who happens to also be a personal friend of mine.

I'm forwarding this conversation to him, in the hope that he can comment
on it. Since he is a Debian user himself, I'm sure he understands our
situation, but of course, I don't know how much time he'd like to
allocate for the 1.2.x branch that's in woody now -- don't count on

Meanwhile, I guess it'd be useful to have specific references to
issues... Adam, do you have them? Anyway, I'll ask Thijs about the 1.4.x
issues, and get back to it (in private if there are unsolved issues


On Mon, Jul 05, 2004 at 01:38:45PM -0700, Matt Zimmerman wrote:
> On Mon, Jul 05, 2004 at 12:05:23PM -0700, adam-debian-security@gmi.com wrote:
> > Effectively, I'm questioning the version of squirrelmail included with
> > woody, as it is quite old, and theoretically contains vulnerabilities.
> Debian's stable release is quite old, and there is nothing that the Security
> Team can do about that.  Let's confine our discussion to vulnerabilities.
> > I'd like to know whether it is indeed audited separate from the current,
> > "secure" version of squirrelmail, as I maintain the current version
> > instead of the Debian version --- because the debian version supposedly
> > contains some of the security bugs.
> Refer to DSA 191-1, DSA 191-2 and DSA 220-1 for examples of past bugs fixed
> in the squirrelmail package in woody.  Let me assure you, it is no pleasure
> to support a project like squirrelmail, where new cross-site scripting bugs
> are discovered on a regular basis (the past three release announcements
> mention XSS bugs), and at least one of the upstream developers (Marc Groot
> Koercamp) demonstrates outright hostility toward the Security Team's efforts
> to support squirrelmail for Debian users.
> It is very time-consuming work to assess these vulnerabilities and backport
> fixes for them.  When the upstream developers refuse to provide details of
> the vulnerabilities, and instead try to force a new upstream release on us,
> this creates _much_ more work for the security team, who are already
> overloaded volunteers.  The fact that the squirrelmail 1.4.3 release turned
> out to have a critical bug which caused it to be recalled by the developers
> further emphasizes the problems with upstream's security procedures.
> If anyone can provide precise details of the vulnerabilities fixed in
> 1.4.3-RC1, 1.4.3 and 1.4.3a (yes, all three are said to have contained some
> unknown number of security fixes to unknown parts of the code), or convince
> squirrelmail upstream to provide such details, then that would provide some
> hope for its support in Debian stable.
> -- 
>  - mdz

Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
