Re: FWD: Squirrelmail XSS + SQL security bug?
- To: Roman Medina-Heigl Hernandez <firstname.lastname@example.org>
- Cc: Thijs Kinkhorst <email@example.com>, Jeroen van Wolffelaar <firstname.lastname@example.org>, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org
- Subject: Re: FWD: Squirrelmail XSS + SQL security bug?
- From: Matt Zimmerman <email@example.com>
- Date: Sat, 31 Jul 2004 21:53:25 -0700
- Message-id: <20040801045325.GD4156@alcor.net>
- Mail-followup-to: Roman Medina-Heigl Hernandez <firstname.lastname@example.org>, Thijs Kinkhorst <email@example.com>, Jeroen van Wolffelaar <firstname.lastname@example.org>, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org
- In-reply-to: <email@example.com>
- References: <20040705190523.GB32748@pgw.dmz> <20040705203845.GC1881@alcor.net> <20040706031511.GC4351@pgw.dmz> <firstname.lastname@example.org> <20040706092809.GH9109@A-Eskwadraat.nl> <email@example.com> <20040706152433.GK9109@A-Eskwadraat.nl> <firstname.lastname@example.org> <email@example.com>
On Thu, Jul 29, 2004 at 11:27:55AM +0200, Roman Medina-Heigl Hernandez wrote:
> On Thu, 22 Jul 2004 20:28:23 +0200 (CEST), you wrote:
> > About security fixes in the SquirrelMail code; SquirrelMail does not
> > (contrary to Roman's standpoint) adhere to an obscurity policy but
> > instead openly discloses any security fix in our code. In the changelog and
> > in the announcement of the recent 1.4.3 release it's clearly stated that
> > this closes a security hole. If the Debian project wants to, we can of
> > course notify them if we patch something, but it is principally their
> > responsibility to monitor our lists, announcements and bugtraq.
The Debian security team cannot monitor the mailing lists for every project
in Debian: there are literally thousands. We rely on channels which are
explicitly devoted to the dissemination of security announcements (e.g.,
BUGTRAQ), and communication through the Debian package maintainer (who
should follow the relevant mailing lists for the project).
I do not think I have ever seen a security announcement from the
Squirrelmail project on a public mailing list.