squirrelmail 1.4.11 and 1.4.12 are compromised
shrek-m at gmx.de
Sat Dec 15 12:50:03 UTC 2007
Kevin Kofler wrote:
> shrek-m <at> gmx.de <shrek-m <at> gmx.de> writes:
>
>> nice to see that
>> 1.4.13 f8 is complete
>> 1.4.13 f9 (rawhide) is complete
>> http://koji.fedoraproject.org/koji/packageinfo?packageID=473
>>
>> please push them asap to updates.
>>
>
> Look closer at the announcements, they have been compromised post-release, and
> fairly recently (around December 8), the 1.4.11 in F8 was packaged much
> earlier, so it should be safe.
>
> Kevin Kofler
1.4.12-only 20071213 "the modifications to the code should have little
to no impact at this time."

vs.

1.4.13 20071214 "While initial review didn't uncover a need for
concern, several proof of concepts show that the package alterations
introduce a high risk security issue, allowing remote inclusion of
files. These changes would allow a remote user the ability to execute
exploit code on a victim machine, without any user interaction on the
victim's server. This could grant the attacker the ability to deploy
further code on the victim's server. [...]
We *STRONGLY* advise all users of 1.4.11, and 1.4.12 upgrade immediately."

kk: 1.4.11 "so it should be safe" [you mean between 20071208 - 20071213] vs.
sqm: 1.4.13 "we are forced to release 1.4.13 to ensure no confusions"
squirrelmail-1.4.11-1.fc8.src.rpm 27-Oct-2007 04:54 3.1M
squirrelmail-1.4.11-2.fc8.src.rpm 19-Nov-2007 14:25 3.1M
http://koji.fedoraproject.org/koji/buildinfo?buildID=28156
Changelog
* Fri Dec 14 2007 Kevin Fenzi <kevin at tummy.com> - 1.4.13-1
- upgrade to new upstream 1.4.13
- note that this package was never vulnerable to CVE-2007-6348
- drop upstreamed patch.
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6348
SquirrelMail 1.4.11 and 1.4.12, as distributed on www.squirrelmail.org
>>before<< 20071213, have been externally modified
--
shrek-m
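The thread turns on whether a distro's copy of a release tarball, packaged weeks earlier, matches what upstream is serving now. The following is an added example (not code from SquirrelMail, Fedora or anyone in this thread) of the check a packager would run: diff two copies of a tarball member by member by SHA-256 and report anything added, removed or changed. Both tarballs here are constructed in memory as sample data; the file names are placeholders.

```python
import hashlib
import io
import tarfile


def member_digests(data: bytes) -> dict:
    """Map each regular file in a tarball (as bytes) to its SHA-256 hex digest."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            if member.isfile():
                payload = tar.extractfile(member).read()
                digests[member.name] = hashlib.sha256(payload).hexdigest()
    return digests


def diff_tarballs(trusted: bytes, suspect: bytes) -> dict:
    """Compare a tarball archived at packaging time against a copy fetched later.

    Returns the member names that were added, removed or modified in the
    later copy; any non-empty list means the release was altered post-release.
    """
    a, b = member_digests(trusted), member_digests(suspect)
    return {
        "added": sorted(set(b) - set(a)),
        "removed": sorted(set(a) - set(b)),
        "modified": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }


def build_tarball(files: dict) -> bytes:
    """Construct an in-memory .tar.gz from {path: content} (sample data only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample: the copy packaged earlier vs. a copy fetched from the site later.
TRUSTED = build_tarball({"app/index.php": b"<?php echo 'hello'; ?>\n",
                         "app/config.php": b"<?php $x = 1; ?>\n"})
SUSPECT = build_tarball({"app/index.php": b"<?php echo 'hello'; ?>\n",
                         "app/config.php": b"<?php $x = 2; ?>\n",
                         "app/extra.php": b"<?php ?>\n"})

if __name__ == "__main__":
    print(diff_tarballs(TRUSTED, SUSPECT))
```

Comparing against a published checksum only catches a swapped tarball when the checksum itself was published out of band; a member-level diff against the copy you already hold also tells you which files changed.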