[PLDSA 6-1] New squirrelmail packages fix cross site scripting bugs

Krzysiek Taraszka dzimi at pld.org.pl
Sat Jan 4 14:46:51 CET 2003


- --------------------------------------------------------------------------
PLD Security Advisory PLDSA 6-1                        security at pld.org.pl
http://www.pld.org.pl/security/                          PLD Security Team
04 January 2003 			http://www.pld.org.pl/security/faq
- --------------------------------------------------------------------------

Package        : squirrelmail-1.2.9-1		
Vulnerability  : cross site scripting
Problem-Type   : remote
PLD-specific   : no
BugTraq ID     : 5949

Several cross site scripting vulnerabilities have been found in
squirrelmail, a feature-rich webmail package written in PHP4.  The
Common Vulnerabilities and Exposures (CVE) project identified the
following vulnerabilities:

1. CAN-2002-1131: User input is not always sanitized so execution of
   arbitrary code on a client computer is possible.  This can happen
   after following a malicious URL or by viewing a malicious
   addressbook entry.

2. CAN-2002-1132: Another problem could make it possible for an
   attacker to gain sensitive information under some conditions.
   When a malformed argument is appended to a link, an error page
   will be generated which contains the absolute pathname of the
   script.  However, this information is available through the
   Contents file of the distribution anyway.

The above problems have been fixed in version 1.2.10-1 for the
current stable distribution (ra).

We recommend that you upgrade your squirrelmail packages.

wget -c url
	will fetch the file for you
rpm -Uhv file(s)*.rpm
        will upgrade the referenced file.

If you are using "poldek" - the package manager, use the line as given below
for upgrade packages

poldek --update
        will update the internal database
poldek --upgrade 'squirrelmail*'
        will install corrected packages

If you are using "apt" - the package manager, use the line as given below
for upgrade packages

apt-get update
        will update the internal database
apt-get upgrade 'squirrelmail*'
        will install corrected packages

PLD Linux 1.0 alias ra
- --------------------

  Source archives:

ftp://ftp.pld.org.pl/dists/ra/updates/security/SRPMS/squirrelmail-1.2.10-1.src.rpm
       MD5 checksum: ce85d46bc7f34555870ad2d589fc9024

  I386 Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/squirrelmail-1.2.10-1.i386.rpm
       MD5 checksum: 277724118c626db296359743ed29eeac

ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/squirrelmail-ispell-1.2.10-1.i386.rpm
       MD5 checksum: b1de8e8d04417e4750bc1e2e4ab4f3e8

ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/squirrelmail-mail_fwd-1.2.10-1.i386.rpm
       MD5 checksum: cce0ce20150da437c4f0abe1c8b8b92f

ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/squirrelmail-mailfetch-1.2.10-1.i386.rpm
       MD5 checksum: ae1fff54a112da532e826963a216d112

ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/squirrelmail-newmail-1.2.10-1.i386.rpm
       MD5 checksum: 533a057f7d752bc4b02bdb1f9e021022


  I586 Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/squirrelmail-1.2.10-1.i586.rpm
       MD5 checksum: a76fac661545ef10b2b39d42274bbebb

ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/squirrelmail-ispell-1.2.10-1.i586.rpm
       MD5 checksum: 946200b19145c5ce5acffe24bd99ffb0

ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/squirrelmail-mail_fwd-1.2.10-1.i586.rpm
       MD5 checksum: a1e29cbee0ab13aa11ea821f022c0316

ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/squirrelmail-mailfetch-1.2.10-1.i586.rpm
       MD5 checksum: 5286b9fe0742314e4c895328f2356246

ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/squirrelmail-newmail-1.2.10-1.i586.rpm
       MD5 checksum: 85355606b4f642cbacd8fc86b7c0fb69


  I686 Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/squirrelmail-1.2.10-1.i686.rpm
       MD5 checksum: b71a2e943f069be85e125480531fc246

ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/squirrelmail-ispell-1.2.10-1.i686.rpm
       MD5 checksum: df55071720fff5a62c9bd2fd343ff585

ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/squirrelmail-mail_fwd-1.2.10-1.i686.rpm
       MD5 checksum: 75193011e7f6961b91f6d15345aff258

ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/squirrelmail-mailfetch-1.2.10-1.i686.rpm
       MD5 checksum: 47cb065b8fb29072c4e469ddfdd24f45

ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/squirrelmail-newmail-1.2.10-1.i686.rpm
       MD5 checksum: d799e3f6835bdd0a13dcadeb819dea3b


  PowerPC Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/squirrelmail-1.2.10-1.ppc.rpm
       MD5 checksum: 3c6062224f9db9c83e49e456fb299949

ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/squirrelmail-ispell-1.2.10-1.ppc.rpm
       MD5 checksum: a6ecce54f8339c02f62a83afff86cdbb

ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/squirrelmail-mail_fwd-1.2.10-1.ppc.rpm
       MD5 checksum: 40440e0276ca0b38fc66e02e549a2035

ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/squirrelmail-mailfetch-1.2.10-1.ppc.rpm
       MD5 checksum: 38a8411bc5e8d1429388787b57e4554a

ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/squirrelmail-newmail-1.2.10-1.ppc.rpm
       MD5 checksum: ba57f3d0391d62b031fc9156edf75471


-
--------------------------------------------------------------------------------
-
If you are using poldek add this line to poldek.conf.
If you are using apt-get add this line to sources.list.

For i386 architecture
poldek:         source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/
apt-get:        rpm ftp://ftp.pld.org.pl/dists ra/apt/i386 base updates-security
For i586 architecture
poldek:         source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/
apt-get:        rpm ftp://ftp.pld.org.pl/dists ra/apt/i586 base updates-security
For i686 architecture
poldek:         source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/
apt-get:        rpm ftp://ftp.pld.org.pl/dists ra/apt/i686 base updates-security
For ppc architecture
poldek:         source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/
apt-get:        rpm ftp://ftp.pld.org.pl/dists ra/apt/ppc base updates-security



More information about the pld-security-announce mailing list