Kevin Kofler wrote:
> shrek-m <at> gmx.de <shrek-m <at> gmx.de> writes:
>
>> nice to see that
>> 1.4.13 f8 is complete
>> 1.4.13 f9 (rawhide) is complete
>> http://koji.fedoraproject.org/koji/packageinfo?packageID=473
>>
>> please push them asap to updates.
>>
>
> Look closer at the announcements, they have been compromised post-release, and
> fairly recently (around December 8), the 1.4.11 in F8 was packaged much
> earlier, so it should be safe.
>
> Kevin Kofler

1.4.12-only 20071213
"the modifications to the code should have little to no impact at this time."

vs.

1.4.13 20071214
"While initial review didn't uncover a need for concern, several proof of
concepts show that the package alterations introduce a high risk security
issue, allowing remote inclusion of files. These changes would allow a remote
user the ability to execute exploit code on a victim machine, without any user
interaction on the victim's server. This could grant the attacker the ability
to deploy further code on the victim's server.
[...]
We *STRONGLY* advise all users of 1.4.11, and 1.4.12 upgrade immediately."

kk: 1.4.11 "so it should be safe" [you mean between 20071208 - 20071213]

vs.

sqm: 1.4.13 "we are forced to release 1.4.13 to ensure no confusions"

squirrelmail-1.4.11-1.fc8.src.rpm 27-Oct-2007 04:54 3.1M
squirrelmail-1.4.11-2.fc8.src.rpm 19-Nov-2007 14:25 3.1M

http://koji.fedoraproject.org/koji/buildinfo?buildID=28156
Changelog
* Fri Dec 14 2007 Kevin Fenzi <kevin@xxxxxxxxx> - 1.4.13-1
- upgrade to new upstream 1.4.13
- note that this package was never vulnerable to CVE-2007-6348
- drop upsteamed patch.

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6348
SquirrelMail 1.4.11 and 1.4.12, as distributed on www.squirrelmail.org
>>before<< 20071213, has been externally modified

--
shrek-m

--
fedora-test-list mailing list
fedora-test-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-test-list
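The question the thread turns on is whether a given tarball is the one the upstream release announcement describes or a copy that was modified on the download site afterwards. The src.rpm listing above cannot settle that: two files of the same reported size (3.1M for both 1.4.11 builds) can still differ in content. The check a packager wants is a digest comparison against a value obtained from a channel other than the download itself (a signed announcement, a previously pinned value). The following is an added example and is not code from this thread, from SquirrelMail or from Fedora; the "tarball" bytes and the pinned digest are constructed stand-ins, not the real SquirrelMail checksums.

```python
"""Integrity check of a downloaded release artifact against a pinned digest.

Added illustration, not project code. Models the decision between an untouched
tarball and one replaced post-release: compare the file's SHA-256 with a digest
obtained out of band. All sample data below is constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class VerifyResult:
    size_ok: bool
    digest_ok: bool
    actual_sha256: str

    @property
    def trusted(self) -> bool:
        # Size is only a coarse sanity check; the digest is the actual decision.
        return self.digest_ok


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the artifact bytes."""
    return hashlib.sha256(data).hexdigest()


def verify_artifact(data: bytes, expected_sha256: str,
                    expected_size: Optional[int] = None) -> VerifyResult:
    """Compare a fetched artifact with a digest (and optionally a size) that
    came from a trusted source, never from the same download location."""
    actual = sha256_hex(data)
    size_ok = expected_size is None or len(data) == expected_size
    # compare_digest is not needed for a public hash, but costs nothing here.
    digest_ok = hmac.compare_digest(actual, expected_sha256.lower())
    return VerifyResult(size_ok=size_ok, digest_ok=digest_ok, actual_sha256=actual)


# Constructed stand-ins for a release tarball and a copy modified after release.
# The modified copy has the same length, so a directory listing or size check
# cannot distinguish the two; only the digest does.
ORIGINAL_TARBALL = b"constructed-release-tarball:" + b"A" * 64
TAMPERED_TARBALL = b"constructed-release-tarball:" + b"A" * 28 + b"X" * 8 + b"A" * 28

# In practice this value is copied from the signed release announcement or a
# pinned record from the original packaging date. Here it is derived from the
# constructed original purely so the example is self-contained.
PINNED_SHA256 = sha256_hex(ORIGINAL_TARBALL)
PINNED_SIZE = len(ORIGINAL_TARBALL)


def check_download(data: bytes) -> VerifyResult:
    """Verify a downloaded artifact against the pinned digest and size."""
    return verify_artifact(data, PINNED_SHA256, PINNED_SIZE)


if __name__ == "__main__":
    for label, blob in (("original", ORIGINAL_TARBALL), ("tampered", TAMPERED_TARBALL)):
        r = check_download(blob)
        print(f"{label}: size_ok={r.size_ok} digest_ok={r.digest_ok} trusted={r.trusted}")
```

The point of keeping `size_ok` and `digest_ok` separate is that a same-size replacement passes the first and fails the second; a report that prints only one combined flag hides which evidence actually made the decision.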