[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Squirrelmail archive compromission and version 1.4.9a-2 (in etch)

Hi Emmanuel,
* Emmanuel Halbwachs <Emmanuel.Halbwachs@obspm.fr> [2007-12-17 17:57]:
> We run squirrelmail as our production webmail for ~ 1k users.
> Now we can see that the squirrelmail team has discovered that 1.4.11
> have also been compromised.

Yes that is true.

> A colleague on another list points out the fact that they have removed
> from the download archive all versions from 1.4.9 to 1.4.12.
> If there is suspicion on 1.4.9, I guess we can suspect the version
> currently in etch.
> Can somebody (maybe Thijs Kinkhorst who is a Debian Developper and
> apparently member of the squirrelmail team) enlight us on this subject,
> please?

Have a look at: http://security-tracker.debian.net/tracker/CVE-2007-6348
No version in Debian is affected by this.
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: pgpNPaf9Eesv7.pgp
Description: PGP signature

Reply to: