Re: squirrelmail SA34627
On Tue, Jan 26, 2010 at 10:24 AM, Thijs Kinkhorst <firstname.lastname@example.org> wrote:
> On Mon, January 25, 2010 21:05, Florian Weimer wrote:
>> * Adrian Minta:
>>> Does squirrelmail 1.4.15-4+lenny2 have fixes for SA34627?
>> According to <http://security-tracker.debian.org/tracker/CVE-2009-2964>,
>> it's still vulnerable.
> Indeed. Backporting the fix for this is not trivial since it's an
> architectural change. We are aware of the issue, but have not yet found
> enough time to backport the changes to stable and oldstable.
It appears that squirrelmail testing packages work on lenny without
some nasty dependencies. Perhaps the recommended action is to install
them instead of the ones found on lenny.