--------------------------------------------------------------------- Fedora Legacy Test Update Notification FEDORALEGACY-2005-2424 Bugzilla https://bugzilla.fedora.us/show_bug.cgi?id=2424 2005-02-23 ---------------------------------------------------------------------
Name : squirrelmail Versions : rh9: squirrelmail-1.4.3-0.f0.9.3.legacy Versions : fc1: squirrelmail-1.4.3-0.f1.1.2.legacy Summary : SquirrelMail webmail client Description : SquirrelMail is a standards-based webmail package written in PHP4. It includes built-in pure PHP support for the IMAP and SMTP protocols, and all pages render in pure HTML 4.0 (with no Javascript) for maximum compatibility across browsers. It has very few requirements and is very easy to configure and install. SquirrelMail has a all the functionality you would want from an email client, including strong MIME support, address books, and folder manipulation.
--------------------------------------------------------------------- Update Information:
An updated SquirrelMail package that fixes a cross-site scripting vulnerability is now available.
SquirrelMail is a webmail package written in PHP.
A cross-site scripting bug has been found in SquirrelMail. This issue could allow an attacker to send a mail with a carefully crafted header, which could result in causing the victim's machine to execute a malicious script. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-1036 to this issue.
Jimmy Conner discovered a missing variable initialization in Squirrelmail. This flaw could allow potential insecure file inclusions on servers where the PHP setting "register_globals" is set to "On". This is not a default or recommended setting. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0075 to this issue.
A URL sanitisation bug was found in Squirrelmail. This flaw could allow a cross site scripting attack when loading the URL for the sidebar. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0103 to this issue.
A missing variable initialization bug was found in Squirrelmail. This flaw could allow a cross site scripting attack. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0104 to this issue.
Users of Squirrelmail are advised to upgrade to this updated package, which contains backported patches to correct these issues.
--------------------------------------------------------------------- Changelogs
rh9:
* Wed Feb 16 2005 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx> 1.4.3-0.f0.9.3.legacy
- Applied patches for CAN-2005-0075, CAN-2005-0103, CAN-2005-0104
* Tue Nov 30 2004 Rob Myers <rob.myers@xxxxxxxxxxxxxxx> 1.4.3-0.f0.9.2.legacy
- apply patch for CAN-2004-1036 (FL #2290)
fc1:
* Wed Feb 16 2005 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx> 1.4.3-0.f1.1.2.legacy
- Applied patches for CAN-2005-0075, CAN-2005-0103, CAN-2005-0104
* Tue Nov 30 2004 Rob Myers <rob.myers@xxxxxxxxxxxxxxx> 1.4.3-0.f1.1.1.legacy
- apply patch for CAN-2004-1036 (FL #2290)
--------------------------------------------------------------------- This update can be downloaded from: http://download.fedoralegacy.org/ (sha1sums)
rh9:
3196c12423fef52a83ad5e4636f7b74793c8e63e redhat/9/updates-testing/i386/squirrelmail-1.4.3-0.f0.9.3.legacy.noarch.rpm
7a07ddaffdf6cb57a5990839ad17e4f27d29eaf7 redhat/9/updates-testing/SRPMS/squirrelmail-1.4.3-0.f0.9.3.legacy.src.rpm
fc1:
fee964ec13662fc69361810ed6a4a4d3f2c16196 fedora/1/updates-testing/i386/squirrelmail-1.4.3-0.f1.1.2.legacy.noarch.rpm
3e0b6ab9bfb4b83c05de5d7ba3749e464ee2329d fedora/1/updates-testing/SRPMS/squirrelmail-1.4.3-0.f1.1.2.legacy.src.rpm
---------------------------------------------------------------------
Please test and comment in bugzilla.
Attachment:
signature.asc
Description: OpenPGP digital signature
-- fedora-legacy-list@xxxxxxxxxx http://www.redhat.com/mailman/listinfo/fedora-legacy-list
