-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- Debian Security Advisory DSA 988-1 security@xxxxxxxxxx http://www.debian.org/security/ Moritz Muehlenhoff March 8th, 2006 http://www.debian.org/security/faq - -------------------------------------------------------------------------- Package : squirrelmail Vulnerability : several Problem-Type : remote Debian-specific: no CVE IDs : CVE-2006-0377 CVE-2006-0195 CVE-2006-0188 Debian Bug : 354062 354063 354064 355424 Several vulnerabilities have been discovered in Squirrelmail, a commonly used webmail system. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2006-0188 Martijn Brinkers and Ben Maurer found a flaw in webmail.php that allows remote attackers to inject arbitrary web pages into the right frame via a URL in the right_frame parameter. CVE-2006-0195 Martijn Brinkers and Scott Hughes discovered an interpretation conflict in the MagicHTML filter that allows remote attackers to conduct cross-site scripting (XSS) attacks via style sheet specifiers with invalid (1) "/*" and "*/" comments, or (2) slashes inside the "url" keyword, which is processed by some web browsers including Internet Explorer. CVE-2006-0377 Vicente Aguilera of Internet Security Auditors, S.L. discovered a CRLF injection vulnerability, which allows remote attackers to inject arbitrary IMAP commands via newline characters in the mailbox parameter of the sqimap_mailbox_select command, aka "IMAP injection." There's no known way to exploit this yet. For the old stable distribution (woody) these problems have been fixed in version 1.2.6-5. For the stable distribution (sarge) these problems have been fixed in version 2:1.4.4-8. For the unstable distribution (sid) these problems have been fixed in version 2:1.4.6-1. We recommend that you upgrade your squirrelmail package. Upgrade Instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.0 alias woody - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6-5.dsc Size/MD5 checksum: 582 07fe8ca983ec4bf8a3355a91c79c9d78 http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6-5.diff.gz Size/MD5 checksum: 24884 a65726611c8f71274582b353e309a9a1 http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6.orig.tar.gz Size/MD5 checksum: 1856087 be9e6be1de8d3dd818185d596b41a7f1 Architecture independent components: http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6-5_all.deb Size/MD5 checksum: 1841716 1d246bc2ffe2323e2503202bfc147d9c Debian GNU/Linux 3.1 alias sarge - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.4-8.dsc Size/MD5 checksum: 678 140546ee9c0534419ddcaf3c7e632110 http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.4-8.diff.gz Size/MD5 checksum: 24654 15ddd8f4db234006a1ac290087640dfc http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.4.orig.tar.gz Size/MD5 checksum: 575871 f50548b6f4f24d28afb5e6048977f4da Architecture independent components: http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.4-8_all.deb Size/MD5 checksum: 570472 2087dcea05cd5e1c4033f15cf120761a These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) iD8DBQFEDwjQXm3vHE4uyloRAscVAKCyv3+cvvLFTKbm5g6990SbA4bFvACgvLYp lzjOQcMuNHAWx6Vd73rNZ5A= =MqDQ -----END PGP SIGNATURE-----
