Debian Security Advisory
DSA-662-2 squirrelmail -- several vulnerabilities
- Date Reported:
- 14 Mar 2005
- Affected Packages:
- squirrelmail
- Vulnerable:
- Yes
- Security database references:
- In the Debian bugtracking system: Bug 292714, Bug 295836.
In Mitre's CVE dictionary: CVE-2005-0104, CVE-2005-0152. - More information:
-
Andrew Archibald discovered that the last update to squirrelmail which was intended to fix several problems caused a regression which got exposed when the user hits a session timeout. For completeness below is the original advisory text:
Several vulnerabilities have been discovered in Squirrelmail, a commonly used webmail system. The Common Vulnerabilities and Exposures project identifies the following problems:
- CAN-2005-0104
Upstream developers noticed that an unsanitised variable could lead to cross site scripting.
- CAN-2005-0152
Grant Hollingworth discovered that under certain circumstances URL manipulation could lead to the execution of arbitrary code with the privileges of www-data. This problem only exists in version 1.2.6 of Squirrelmail.
For the stable distribution (woody) these problems have been fixed in version 1.2.6-3.
For the unstable distribution (sid) the problem that affects unstable has been fixed in version 1.4.4-1.
We recommend that you upgrade your squirrelmail package.
- CAN-2005-0104
- Fixed in:
-
Debian GNU/Linux 3.0 (woody)
- Source:
- http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6-3.dsc
- http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6-3.diff.gz
- http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6.orig.tar.gz
- http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6-3.diff.gz
- Architecture-independent component:
- http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6-3_all.deb
MD5 checksums of the listed files are available in the original advisory.
MD5 checksums of the listed files are available in the revised advisory.