Re: squirrelmail 1.4.11 and 1.4.12 are compromised

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Kevin Kofler schrieb:
> shrek-m <at> gmx.de <shrek-m <at> gmx.de> writes:
>   
>> nice to see that
>> 1.4.13 f8 is complete
>> 1.4.13 f9 (rawhide) is complete
>> http://koji.fedoraproject.org/koji/packageinfo?packageID=473
>>
>> please push them asap to updates.
>>     
>
> Look closer at the announcements, they have been compromised post-release, and 
> fairly recently (around December 8), the 1.4.11 in F8 was packaged much 
> earlier, so it should be safe.
>
>         Kevin Kofler

1.4.12-only  20071213 "the modifications to the code should have little
to no impact at this time."
vs.
1.4.13  20071214  "While initial review didn't uncover a need for
concern, several proof of concepts show that the package alterations
introduce a high risk security issue, allowing remote inclusion of
files. These changes would allow a remote user the ability to execute
exploit code on a victim machine, without any user interaction on the
victim's server. This could grant the attacker the ability to deploy
further code on the victim's server. [...]
We *STRONGLY* advise all users of 1.4.11, and 1.4.12 upgrade immediately."



kk: 1.4.11 "so it should be safe" [you mean between 20071208 - 20071213] vs.
sqm: 1.4.13 "we are forced to release 1.4.13 to ensure no confusions"


squirrelmail-1.4.11-1.fc8.src.rpm  27-Oct-2007 04:54  3.1M
squirrelmail-1.4.11-2.fc8.src.rpm  19-Nov-2007 14:25  3.1M


http://koji.fedoraproject.org/koji/buildinfo?buildID=28156
Changelog
* Fri Dec 14 2007 Kevin Fenzi <kevin@xxxxxxxxx> - 1.4.13-1
- upgrade to new upstream 1.4.13
- note that this package was never vulnerable to CVE-2007-6348
- drop upsteamed patch.


http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6348
SquirrelMail 1.4.11 and 1.4.12, as distributed on www.squirrelmail.org 
>>before<<  20071213, has been externally modified


-- 
shrek-m

-- 
fedora-test-list mailing list
fedora-test-list@xxxxxxxxxx
To unsubscribe: 
https://www.redhat.com/mailman/listinfo/fedora-test-list

[Index of Archives]     [Fedora Desktop]     [Fedora SELinux]     [Photo Sharing]     [Yosemite Forum]     [KDE Users]

  Powered by Linux