CVE-2009-1578: Multiple XSS vulnerabilities in (1) functions/global.php and (2) contrib/decrypt_headers.php.
CVE-2009-1579: Remote arbitrary command injection in functions/imap_general.php "when SquirrelMail was configured to use the example "map_yp_alias" username mapping functionality".
CVE-2009-1580: Session fixation vulnerability.
CVE-2009-1581: XSS via CSS positioning parameters in functions/mime.php.
Remedy: Update to 1.4.18.
(In reply to comment #1)
> Remedy: Update to 1.4.18.
>
Did so. Candidate for stabilization: =mail-client/squirrelmail-1.4.18
Arches, please test and mark stable: =mail-client/squirrelmail-1.4.18
Target keywords: "alpha amd64 ppc ppc64 sparc x86"
!!! dodoc: AUTHORS does not exist
!!! dodoc: COPYING does not exist
!!! dodoc: ChangeLog does not exist
!!! dodoc: INSTALL does not exist
!!! dodoc: ReleaseNotes does not exist
!!! dodoc: UPGRADE does not exist
x86 stable
amd64 stable
Stable on alpha.
CVE-2009-1578 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1578):
Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail before 1.4.18 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) certain encrypted strings in e-mail headers, related to contrib/decrypt_headers.php; (2) PHP_SELF; and (3) the query string (aka QUERY_STRING).

CVE-2009-1579 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1579):
The map_yp_alias function in functions/imap_general.php in SquirrelMail before 1.4.18 allows remote attackers to execute arbitrary commands via shell metacharacters in a username string that is used by the ypmatch program.

CVE-2009-1580 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1580):
Session fixation vulnerability in SquirrelMail before 1.4.18 allows remote attackers to hijack web sessions via a crafted cookie.

CVE-2009-1581 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1581):
functions/mime.php in SquirrelMail before 1.4.18 does not protect the application's content from Cascading Style Sheets (CSS) positioning in HTML e-mail messages, which allows remote attackers to spoof the user interface, and conduct cross-site scripting (XSS) and phishing attacks, via a crafted message.
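As an added illustration of the CVE-2009-1579 pattern described in the opening report and in the NVD text above (this is example code, not SquirrelMail's own functions/imap_general.php): the only thing the advisory establishes is that a login name reached the ypmatch command line unescaped. The vulnerable builder below interpolates the name directly; the hardened one first rejects anything that is not a plausible login name and then passes the survivor through escapeshellarg so the shell receives exactly one argument. The function names, the login-name regex, the "key value" output parsing and the hostile sample username are this example's own assumptions.

```php
<?php
// Added example for CVE-2009-1579, not SquirrelMail's code. Assumed from the
// advisory: a NIS alias lookup shells out to "ypmatch <user> aliases".

// Vulnerable pattern: the login name is interpolated unquoted into the shell
// command line, so a ';' or '|' in it terminates ypmatch's argument list and
// starts a second command under the web server's uid.
function build_ypmatch_cmd_vulnerable(string $username): string
{
    return "ypmatch $username aliases";
}

// Hardened pattern: allowlist first, then quote. Assumed local policy:
// POSIX portable login names, 1-32 characters.
function build_ypmatch_cmd_hardened(string $username): ?string
{
    if (!preg_match('/^[a-z_][a-z0-9_-]{0,31}$/', $username)) {
        return null;
    }
    return 'ypmatch ' . escapeshellarg($username) . ' aliases';
}

// Runs the hardened lookup. Returns the alias target, or null when the name
// was rejected or ypmatch produced nothing.
function map_yp_alias_hardened(string $username): ?string
{
    $cmd = build_ypmatch_cmd_hardened($username);
    if ($cmd === null) {
        return null;
    }
    $yp = shell_exec($cmd . ' 2>/dev/null');
    if (!is_string($yp) || $yp === '') {
        return null;
    }
    // Assumed output shape "<key> <value>": drop the key and the space.
    return trim(substr($yp, strlen($username) + 1));
}

// Constructed hostile input: a username carrying shell metacharacters.
$hostile = 'alice; id > /tmp/pwned #';

echo "vulnerable: ", build_ypmatch_cmd_vulnerable($hostile), PHP_EOL;
echo "hardened:   ", build_ypmatch_cmd_hardened($hostile) ?? '(rejected by allowlist)', PHP_EOL;
// Even without the allowlist, quoting alone keeps the shell from splitting
// the name into separate commands.
echo "quoted:     ypmatch ", escapeshellarg($hostile), " aliases", PHP_EOL;
echo "benign:     ", build_ypmatch_cmd_hardened('alice'), PHP_EOL;
```

Running it shows the vulnerable line contains an unquoted `;`, so /bin/sh would run `id > /tmp/pwned` after ypmatch; the hostile name fails the allowlist outright, and even the quote-only variant wraps the whole string in single quotes so it is delivered to ypmatch as one (meaningless) key. Both layers are worth keeping: the allowlist documents what a login name may look like, and escapeshellarg protects the call if that policy is later loosened.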
(In reply to comment #4)
> !!! dodoc: AUTHORS does not exist
> !!! dodoc: COPYING does not exist
> !!! dodoc: ChangeLog does not exist
> !!! dodoc: INSTALL does not exist
> !!! dodoc: ReleaseNotes does not exist
> !!! dodoc: UPGRADE does not exist
>
Fixed.
Done by josejx for ppc and ppc64.
sparc stable
And 1.4.17 removed. Ready for GLSA.
GLSA 201001-08, thanks everyone.