Re: FWD: Squirrelmail XSS + SQL security bug?
On Mon, 05 Jul 2004, Matt Zimmerman wrote:
> Refer to DSA 191-1, DSA 191-2 and DSA 220-1 for examples of past bugs fixed
> in the squirrelmail package in woody. Let me assure you, it is no pleasure
> to support a project like squirrelmail, where new cross-site scripting bugs
> are discovered on a regular basis (the past three release announcements
> mention XSS bugs), and at least one of the upstream developers (Marc Groot
> Koercamp) demonstrates outright hostility toward the Security Team's efforts
> to support squirrelmail for Debian users.
> It is very time-consuming work to assess these vulnerabilities and backport
> fixes for them. When the upstream developers refuse to provide details of
> the vulnerabilities, and instead try to force a new upstream release on us,
> this creates _much_ more work for the security team, who are already
> overloaded volunteers. The fact that the squirrelmail 1.4.3 release turned
> out to have a critical bug which caused it to be recalled by the developers
> further emphasizes the problems with upstream's security procedures.
> If anyone can provide precise details of the vulnerabilities fixed in
> 1.4.3-RC1, 1.4.3 and 1.4.3a (yes, all three are said to have contained some
> unknown number of security fixes to unknown parts of the code), or convince
> squirrelmail upstream to provide such details, then that would provide some
> hope for its support in Debian stable.
Isn't this enough reason to demote squirrelmail to an "unstable-only"
package? I use it everywhere, and it will be an extreme hindrance to me,
but we have to be realistic on these issues...
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot