Fedora Legacy Test Update Notification: squirrelmail

Marc Deslauriers marcdeslauriers at videotron.ca
Thu Feb 24 03:57:38 UTC 2005


---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2005-2424
Bugzilla https://bugzilla.fedora.us/show_bug.cgi?id=2424
2005-02-23
---------------------------------------------------------------------

Name        : squirrelmail
Versions    : rh9: squirrelmail-1.4.3-0.f0.9.3.legacy
Versions    : fc1: squirrelmail-1.4.3-0.f1.1.2.legacy
Summary     : SquirrelMail webmail client
Description :
SquirrelMail is a standards-based webmail package written in PHP4. It
includes built-in pure PHP support for the IMAP and SMTP protocols, and
all pages render in pure HTML 4.0 (with no Javascript) for maximum
compatibility across browsers. It has very few requirements and is very
easy to configure and install. SquirrelMail has all the functionality
you would want from an email client, including strong MIME support,
address books, and folder manipulation.

---------------------------------------------------------------------
Update Information:

An updated SquirrelMail package that fixes a cross-site scripting
vulnerability is now available.

SquirrelMail is a webmail package written in PHP.

A cross-site scripting bug has been found in SquirrelMail. This issue
could allow an attacker to send a mail with a carefully crafted header,
which could cause the victim's machine to execute a malicious script.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-1036 to this issue.

Jimmy Conner discovered a missing variable initialization in
SquirrelMail. This flaw could allow insecure file inclusion on servers
where the PHP setting "register_globals" is set to "On"; this is not a
default or recommended setting. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2005-0075 to this
issue.

A URL sanitisation bug was found in SquirrelMail. This flaw could allow
a cross-site scripting attack when loading the URL for the sidebar. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2005-0103 to this issue.

A missing variable initialization bug was found in SquirrelMail. This
flaw could allow a cross-site scripting attack. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CAN-2005-0104 to this issue.

Users of SquirrelMail are advised to upgrade to this updated package,
which contains backported patches to correct these issues.

---------------------------------------------------------------------
Changelogs

rh9:
* Wed Feb 16 2005 Marc Deslauriers <marcdeslauriers at videotron.ca> 1.4.3-0.f0.9.3.legacy
- Applied patches for CAN-2005-0075, CAN-2005-0103, CAN-2005-0104

* Tue Nov 30 2004 Rob Myers <rob.myers at gtri.gatech.edu> 1.4.3-0.f0.9.2.legacy
- apply patch for CAN-2004-1036 (FL #2290)

fc1:
* Wed Feb 16 2005 Marc Deslauriers <marcdeslauriers at videotron.ca> 1.4.3-0.f1.1.2.legacy
- Applied patches for CAN-2005-0075, CAN-2005-0103, CAN-2005-0104

* Tue Nov 30 2004 Rob Myers <rob.myers at gtri.gatech.edu> 1.4.3-0.f1.1.1.legacy
- apply patch for CAN-2004-1036 (FL #2290)

---------------------------------------------------------------------
This update can be downloaded from:
   http://download.fedoralegacy.org/
(sha1sums)

rh9:
3196c12423fef52a83ad5e4636f7b74793c8e63e  redhat/9/updates-testing/i386/squirrelmail-1.4.3-0.f0.9.3.legacy.noarch.rpm
7a07ddaffdf6cb57a5990839ad17e4f27d29eaf7  redhat/9/updates-testing/SRPMS/squirrelmail-1.4.3-0.f0.9.3.legacy.src.rpm

fc1:
fee964ec13662fc69361810ed6a4a4d3f2c16196  fedora/1/updates-testing/i386/squirrelmail-1.4.3-0.f1.1.2.legacy.noarch.rpm
3e0b6ab9bfb4b83c05de5d7ba3749e464ee2329d  fedora/1/updates-testing/SRPMS/squirrelmail-1.4.3-0.f1.1.2.legacy.src.rpm

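The sha1sums above are what lets a tester confirm that the package pulled from a mirror is the one this advisory describes before it is installed. The following POSIX shell script is an added example, not part of the Fedora Legacy notification: it embeds the four sums published above, hashes a downloaded file with whichever SHA-1 tool is available, and refuses the package on a mismatch. The function names (sha1_of, check_sha1, expected_sum_for, verify_package) are this example's own, and the package paths are assumed to be relative to the http://download.fedoralegacy.org/ mirror layout as listed.

```shell
#!/bin/sh
# Added example (not part of the Fedora Legacy advisory): verify downloaded
# packages against the SHA-1 sums the advisory publishes before installing.

# Expected sums copied from the advisory, in "sha1sum -c" format.
# Paths are assumed to be relative to http://download.fedoralegacy.org/.
EXPECTED_SUMS='3196c12423fef52a83ad5e4636f7b74793c8e63e  redhat/9/updates-testing/i386/squirrelmail-1.4.3-0.f0.9.3.legacy.noarch.rpm
7a07ddaffdf6cb57a5990839ad17e4f27d29eaf7  redhat/9/updates-testing/SRPMS/squirrelmail-1.4.3-0.f0.9.3.legacy.src.rpm
fee964ec13662fc69361810ed6a4a4d3f2c16196  fedora/1/updates-testing/i386/squirrelmail-1.4.3-0.f1.1.2.legacy.noarch.rpm
3e0b6ab9bfb4b83c05de5d7ba3749e464ee2329d  fedora/1/updates-testing/SRPMS/squirrelmail-1.4.3-0.f1.1.2.legacy.src.rpm'

# sha1_of FILE: print the lowercase hex SHA-1 of FILE, using coreutils
# sha1sum when present and falling back to openssl otherwise.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha1 "$1" | sed 's/.*= //'
    fi
}

# check_sha1 EXPECTED FILE: return 0 when FILE hashes to EXPECTED
# (case-insensitive), 1 on mismatch or when the file cannot be read.
check_sha1() {
    expected=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    actual=$(sha1_of "$2") || return 1
    [ "$actual" = "$expected" ]
}

# expected_sum_for PATH: print the advisory's sum for a package path;
# prints nothing when the path is not in the published list.
expected_sum_for() {
    printf '%s\n' "$EXPECTED_SUMS" | awk -v p="$1" '$2 == p { print $1 }'
}

# verify_package PATH: look up PATH in the published list and check the
# local copy. Returns 0 on match, 1 on mismatch or missing file, and 2
# when the advisory publishes no sum for that path.
verify_package() {
    sum=$(expected_sum_for "$1")
    [ -n "$sum" ] || { echo "no published sum for $1" >&2; return 2; }
    [ -f "$1" ] || { echo "missing file $1" >&2; return 1; }
    if check_sha1 "$sum" "$1"; then
        echo "OK       $1"
    else
        echo "MISMATCH $1 (do not install)" >&2
        return 1
    fi
}

# Usage: run from a directory that mirrors the download tree, e.g.
#   for f in redhat/9/updates-testing/i386/*.rpm; do verify_package "$f"; done
# and only install packages that print OK.
```

A package whose path is not in the list is reported separately from a mismatch, so a tester can tell "wrong mirror layout" apart from "corrupted or altered download"; both outcomes are non-zero so the check can gate an install in a script.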
---------------------------------------------------------------------

Please test and comment in bugzilla.