Bug 201323 - mail-client/squirrelmail-1.4.13 version bump

Bug#: 201323
Product: Gentoo Linux
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: normal
Priority: P2
Resolution: FIXED
Assigned To: eradicator@gentoo.org
Reported By: tv@rz-zw.fh-kl.de
Component: Ebuilds
Summary: mail-client/squirrelmail-1.4.13 version bump

Opened: 2007-12-05 06:06 0000
|
From: Jon Angliss <jon@squirrelmail.org>
Subject: [SM-ANNOUNCE] RELEASE: SquirrelMail 1.4.12
Hello All,
It's my pleasure to announce the release of SquirrelMail 1.4.12. This
release is a bug fix release, including a critical bug in the handling
of attachments.
The latest release can be downloaded from the SquirrelMail website at
http://www.squirrelmail.org/download.php
Package md5sums
===============
ea5e750797628c9f0f247009f8ae0e14 squirrelmail-1.4.12.tar.bz2
d17c1d9f1ee3dde2c1c21a22fc4f9d0e squirrelmail-1.4.12.tar.gz
3f6514939ea1ebf69f6f8c92781886ab squirrelmail-1.4.12.zip
--
Happy SquirrelMailing!
The SquirrelMail development team

I should have the new version up this weekend.

From: jon@squirrelmail.org
Subject: [SM-ANNOUNCE] ANNOUNCE: SquirrelMail 1.4.13 Released
Date: December 14, 2007 1:59:08 PM EST
To: squirrelmail-announce@lists.sourceforge.net
Security: Signed
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
All,
Due to the package compromise of 1.4.11, and 1.4.12, we are forced to
release 1.4.13 to ensure no confusions. While initial review didn't
uncover a need for concern, several proof of concepts show that the
package alterations introduce a high risk security issue, allowing
remote inclusion of files. These changes would allow a remote user the
ability to execute exploit code on a victim machine, without any user
interaction on the victim's server. This could grant the attacker the
ability to deploy further code on the victim's server.
We *STRONGLY* advise all users of 1.4.11, and 1.4.12 upgrade
immediately.
Package MD5s
============
1a1bdad6245aaabcdd23d9402acb388e squirrelmail-1.4.13.tar.bz2
51ddd67a7ff9272f5a6e1da0b9dfbf18 squirrelmail-1.4.13.tar.gz
ed8871a693cc57d5a0d511f7b89f8781 squirrelmail-1.4.13.zip
We apologies for the inconvenience this may have caused.
- --
Happy SquirrelMailing!
The SquirrelMail Development Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
iD8DBQFHYtKBK4PoFPj9H3MRAjiUAKDxM5V8J6vLEUAn7dfiIa1HYwKIWQCfYTbA
3nk8LOfqcBHfZ3IvEOXoOCo=
=USb7
-----END PGP SIGNATURE-----

Hi,
it was reported on the SM mailing list that the source packages of 1.4.11 and
1.4.12 seem to have been modified. See this:
Date: Fri, 14 Dec 2007 12:59:08 -0600
From: Jon Angliss <jon@squirrelmail.org>
To: SquirrelMail - Announce <squirrelmail-announce@lists.sourceforge.net>
Subject: [SM-ANNOUNCE] ANNOUNCE: SquirrelMail 1.4.13 Released
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
All,
Due to the package compromise of 1.4.11, and 1.4.12, we are forced to
release 1.4.13 to ensure no confusions. While initial review didn't
uncover a need for concern, several proof of concepts show that the
package alterations introduce a high risk security issue, allowing
remote inclusion of files. These changes would allow a remote user the
ability to execute exploit code on a victim machine, without any user
interaction on the victim's server. This could grant the attacker the
ability to deploy further code on the victim's server.
We *STRONGLY* advise all users of 1.4.11, and 1.4.12 upgrade
immediately.
Package MD5s
============
1a1bdad6245aaabcdd23d9402acb388e squirrelmail-1.4.13.tar.bz2
51ddd67a7ff9272f5a6e1da0b9dfbf18 squirrelmail-1.4.13.tar.gz
ed8871a693cc57d5a0d511f7b89f8781 squirrelmail-1.4.13.zip
We apologies for the inconvenience this may have caused.
- --
Happy SquirrelMailing!
The SquirrelMail Development Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
iD8DBQFHYtKBK4PoFPj9H3MRAjiUAKDxM5V8J6vLEUAn7dfiIa1HYwKIWQCfYTbA
3nk8LOfqcBHfZ3IvEOXoOCo=
=USb7
-----END PGP SIGNATURE-----

It would be better to update straight to 1.4.13, as the email says.
As for security being in CC here: this does not affect Gentoo, as the checksum
distributed on our rsync mirrors and the file on our distfiles mirrors are the
originals, and the mirroring happened before the file compromise:
486fb27a6ab306088603163160dbc8ca squirrelmail-1.4.11.tar.bz2
The only way this could hit Gentoo users is when they cannot contact Gentoo
mirrors and get a compromised copy from an outdated Sourceforge mirror. That
would not pass the user's checksum verification, though.
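Added example (not code from this bug, from SquirrelMail or from Gentoo's portage): the check the previous comment relies on, written out in Python. The expected digest comes from a channel the attacker did not control (the signed announce mail, or the checksum shipped in the rsync tree), the tarball comes from whichever mirror answered, and the two are compared before anything is unpacked. The parser accepts the "<hexdigest>  <filename>" listing format used in the announcements above and picks the hash algorithm from the digest length, so the same code checks a SHA-256 list when one is available. The tarball bytes and the checksum list built from them are constructed for the example; they are not the real 1.4.13 digests.

```python
"""Verify a downloaded distfile against an announced checksum list.

Added example, not SquirrelMail's or Gentoo's code. The sample tarball bytes
and the checksum list derived from them are constructed here so the script
runs offline; they are not the real squirrelmail-1.4.13 digests.
"""
import hashlib
import re

# hex digest length -> hashlib algorithm name (assumption: digest size is
# enough to identify the algorithm, which holds for md5/sha1/sha256/sha512)
_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

# md5sum/sha256sum output: "<hexdigest>  <filename>" (optional '*' for binary)
_LINE_RE = re.compile(r"^\s*([0-9a-fA-F]{32,128})\s+\*?(\S+)\s*$")


def parse_checksum_list(text):
    """Parse an announce-style checksum list into {filename: [(algo, hexdigest)]}.

    Lines that are not digest lines ("Package MD5s", "=====", PGP armor,
    signatures) are ignored rather than guessed at.
    """
    expected = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        digest, name = m.group(1).lower(), m.group(2)
        algo = _ALGO_BY_LEN.get(len(digest))
        if algo is None:
            continue  # unknown digest size: refuse to guess the algorithm
        expected.setdefault(name, []).append((algo, digest))
    return expected


def verify_distfile(name, data, expected):
    """Check the bytes of downloaded file `name` against every announced digest.

    Returns (ok, details); details holds one (algo, expected, actual) tuple per
    digest checked. A file with no announced digest fails closed: a mirror that
    can serve altered bytes can also serve a file that was never announced.
    """
    digests = expected.get(name)
    if not digests:
        return False, []
    details = []
    ok = True
    for algo, want in digests:
        got = hashlib.new(algo, data).hexdigest()
        details.append((algo, want, got))
        if got != want:
            ok = False
    return ok, details


# Constructed sample: a stand-in tarball, a tampered copy of it, and the list
# a trusted channel would have published for the original.
GOOD_TARBALL = b"squirrelmail-1.4.13 original contents\n"
TAMPERED_TARBALL = GOOD_TARBALL.replace(b"original", b"modified")
DISTFILE = "squirrelmail-1.4.13.tar.bz2"

ANNOUNCED = (
    "Package MD5s\n"
    "============\n"
    f"{hashlib.md5(GOOD_TARBALL).hexdigest()} {DISTFILE}\n"
    f"{hashlib.sha256(GOOD_TARBALL).hexdigest()} {DISTFILE}\n"
)


def check_sample(data):
    """Verify `data` as if it were the downloaded DISTFILE."""
    return verify_distfile(DISTFILE, data, parse_checksum_list(ANNOUNCED))


if __name__ == "__main__":
    for label, blob in (("mirror copy (intact)", GOOD_TARBALL),
                        ("mirror copy (altered)", TAMPERED_TARBALL)):
        ok, details = check_sample(blob)
        print(f"{label}: {'OK' if ok else 'MISMATCH, do not unpack'}")
        for algo, want, got in details:
            print(f"  {algo}: expected {want}\n  {' ' * len(algo)}  got      {got}")
```

The point of the design is where each input comes from: `parse_checksum_list` must be fed text whose integrity you already trust (a signature-checked announce mail, or a Manifest fetched from the rsync tree), never a checksum file fetched from the same mirror as the tarball. Using an altered tarball's own digest from the same untrusted source would verify cleanly and tell you nothing, which is exactly why the comment above distinguishes the checksum on the rsync mirrors from the file on the distfiles mirrors.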