Bug#: 201323
Status: RESOLVED
Resolution: FIXED
Assigned To: Jeremy Huddleston (RETIRED) <eradicator@gentoo.org>
Reporter: Timo <tv@rz-zw.fh-kl.de>
Description:   Opened: 2007-12-05 06:06 0000
From: Jon Angliss <jon@squirrelmail.org>
Subject: [SM-ANNOUNCE] RELEASE: SquirrelMail 1.4.12


Hello All,

It's my pleasure to announce the release of SquirrelMail 1.4.12.  This
release is a bug fix release, including a critical bug in the handling
of attachments.

The latest release can be downloaded from the SquirrelMail website at
http://www.squirrelmail.org/download.php

Package md5sums
===============
ea5e750797628c9f0f247009f8ae0e14  squirrelmail-1.4.12.tar.bz2
d17c1d9f1ee3dde2c1c21a22fc4f9d0e  squirrelmail-1.4.12.tar.gz
3f6514939ea1ebf69f6f8c92781886ab  squirrelmail-1.4.12.zip

--
Happy SquirrelMailing!
The SquirrelMail development team

------- Comment #1 From Jeremy Huddleston (RETIRED) 2007-12-13 19:24:22 0000 -------
I should have the new version up this weekend

------- Comment #2 From Rajiv Aaron Manglani 2007-12-14 20:35:39 0000 -------
From:   jon@squirrelmail.org
Subject: [SM-ANNOUNCE] ANNOUNCE: SquirrelMail 1.4.13 Released
Date: December 14, 2007 1:59:08 PM EST
To:   squirrelmail-announce@lists.sourceforge.net
Security: Signed

All,

Due to the package compromise of 1.4.11, and 1.4.12, we are forced to
release 1.4.13 to ensure no confusions. While initial review didn't
uncover a need for concern, several proof of concepts show that the
package alterations introduce a high risk security issue, allowing
remote inclusion of files. These changes would allow a remote user the
ability to execute exploit code on a victim machine, without any user
interaction on the victim's server. This could grant the attacker the
ability to deploy further code on the victim's server.

We *STRONGLY* advise all users of 1.4.11, and 1.4.12 upgrade
immediately.

Package MD5s
============
1a1bdad6245aaabcdd23d9402acb388e  squirrelmail-1.4.13.tar.bz2
51ddd67a7ff9272f5a6e1da0b9dfbf18  squirrelmail-1.4.13.tar.gz
ed8871a693cc57d5a0d511f7b89f8781  squirrelmail-1.4.13.zip

We apologize for the inconvenience this may have caused.

--
Happy SquirrelMailing!
The SquirrelMail Development Team

------- Comment #3 From Timo 2007-12-14 20:39:19 0000 -------
Hi,

it was reported on the SM mailing list that the source packages of 1.4.11 and
1.4.12 seem to have been modified. See this:

Date: Fri, 14 Dec 2007 12:59:08 -0600
From: Jon Angliss <jon@squirrelmail.org>
To: SquirrelMail - Announce <squirrelmail-announce@lists.sourceforge.net>
Subject: [SM-ANNOUNCE] ANNOUNCE: SquirrelMail 1.4.13 Released

All,

Due to the package compromise of 1.4.11, and 1.4.12, we are forced to
release 1.4.13 to ensure no confusions. While initial review didn't
uncover a need for concern, several proof of concepts show that the
package alterations introduce a high risk security issue, allowing
remote inclusion of files. These changes would allow a remote user the
ability to execute exploit code on a victim machine, without any user
interaction on the victim's server. This could grant the attacker the
ability to deploy further code on the victim's server.

We *STRONGLY* advise all users of 1.4.11, and 1.4.12 upgrade
immediately.

Package MD5s
============
1a1bdad6245aaabcdd23d9402acb388e  squirrelmail-1.4.13.tar.bz2
51ddd67a7ff9272f5a6e1da0b9dfbf18  squirrelmail-1.4.13.tar.gz
ed8871a693cc57d5a0d511f7b89f8781  squirrelmail-1.4.13.zip

We apologize for the inconvenience this may have caused.

--
Happy SquirrelMailing!
The SquirrelMail Development Team

Would be better to update right to 1.4.13 as the email says.

------- Comment #4 From Robert Buchholz 2007-12-14 21:21:35 0000 -------
As for security being in CC here: This does not affect Gentoo, as the checksum
distributed on our rsync mirrors and the file on our distfiles mirrors is
original and the mirroring happened before the file compromise:

486fb27a6ab306088603163160dbc8ca  squirrelmail-1.4.11.tar.bz2

The only way this could hit Gentoo users is when they cannot contact Gentoo
mirrors and get a compromised copy from an outdated Sourceforge mirror. That
would not cross the user's checksum verification though.
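The checksum verification comment #4 relies on is the whole defence here: the announcements publish "md5sum"-style manifests, and a tarball fetched from a mirror that was altered after those hashes went out will not match them. The following is an added example, not code from SquirrelMail or from Gentoo's package manager; it parses a manifest in that format and checks the files in a download directory against it, with constructed file contents and constructed (non-SquirrelMail) hash values. A manifest only detects a mirror copy that diverged from what upstream hashed, which is why an independently recorded checksum (as in Gentoo's tree) matters when the mirror and its hash list could be tampered with together.

```python
import hashlib
import os
import tempfile


def parse_md5_manifest(text):
    """Return {filename: md5hex} from "<md5>  <filename>" lines; skip malformed ones."""
    expected = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 32:
            continue
        digest, name = parts
        try:
            int(digest, 16)          # must be hex, otherwise not a digest
        except ValueError:
            continue
        expected[name.lstrip("*")] = digest.lower()   # md5sum marks binary files with '*'
    return expected


def md5_of_file(path, chunk=1 << 16):
    """Stream the file so large distfiles do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_distfiles(manifest_text, directory):
    """Return {filename: 'ok' | 'MISMATCH' | 'MISSING'} for every manifest entry."""
    results = {}
    for name, digest in parse_md5_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            results[name] = "MISSING"
        else:
            results[name] = "ok" if md5_of_file(path) == digest else "MISMATCH"
    return results


def demo():
    """Constructed scenario: one pristine tarball, one altered after the hashes were published."""
    with tempfile.TemporaryDirectory() as d:
        good = b"pristine release contents\n"                       # constructed, not a real tarball
        bad = good + b"bytes appended after the hashes were published\n"
        open(os.path.join(d, "pkg-1.4.12.tar.gz"), "wb").write(good)
        open(os.path.join(d, "pkg-1.4.11.tar.gz"), "wb").write(bad)
        published = hashlib.md5(good).hexdigest()                  # what upstream announced
        manifest = "\n".join([
            f"{published}  pkg-1.4.12.tar.gz",
            f"{published}  pkg-1.4.11.tar.gz",   # hash of the original; mirror copy differs
            f"{published}  pkg-1.4.12.zip",      # listed but never downloaded
        ])
        return verify_distfiles(manifest, d)
```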

------- Comment #5 From Jeremy Huddleston (RETIRED) 2007-12-18 17:05:32 0000 -------
In portage.
