Bug 201323 - mail-client/squirrelmail-1.4.13 version bump
Summary: mail-client/squirrelmail-1.4.13 version bump
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Jeremy Huddleston (RETIRED)
 
Reported: 2007-12-05 06:06 UTC by Timo
Modified: 2007-12-18 17:05 UTC (History)
Description Timo 2007-12-05 06:06:33 UTC
From: Jon Angliss <jon@squirrelmail.org>
Subject: [SM-ANNOUNCE] RELEASE: SquirrelMail 1.4.12


Hello All,

It's my pleasure to announce the release of SquirrelMail 1.4.12.  This
release is a bug fix release, including a critical bug in the handling
of attachments.

The latest release can be downloaded from the SquirrelMail website at
http://www.squirrelmail.org/download.php

Package md5sums
===============
ea5e750797628c9f0f247009f8ae0e14  squirrelmail-1.4.12.tar.bz2
d17c1d9f1ee3dde2c1c21a22fc4f9d0e  squirrelmail-1.4.12.tar.gz
3f6514939ea1ebf69f6f8c92781886ab  squirrelmail-1.4.12.zip

--
Happy SquirrelMailing!
The SquirrelMail development team
Comment 1 Jeremy Huddleston (RETIRED) gentoo-dev 2007-12-13 19:24:22 UTC
I should have the new version up this weekend
Comment 2 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2007-12-14 20:35:39 UTC
From:   jon@squirrelmail.org
Subject: [SM-ANNOUNCE] ANNOUNCE: SquirrelMail 1.4.13 Released
Date: December 14, 2007 1:59:08 PM EST
To:   squirrelmail-announce@lists.sourceforge.net
Security: Signed

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

All,

Due to the package compromise of 1.4.11 and 1.4.12, we are forced to
release 1.4.13 to ensure no confusion. While the initial review didn't
uncover a need for concern, several proofs of concept show that the
package alterations introduce a high-risk security issue, allowing
remote inclusion of files. These changes would allow a remote user the
ability to execute exploit code on a victim machine, without any user
interaction on the victim's server. This could grant the attacker the
ability to deploy further code on the victim's server.

We *STRONGLY* advise all users of 1.4.11 and 1.4.12 to upgrade
immediately.

Package MD5s
============
1a1bdad6245aaabcdd23d9402acb388e  squirrelmail-1.4.13.tar.bz2
51ddd67a7ff9272f5a6e1da0b9dfbf18  squirrelmail-1.4.13.tar.gz
ed8871a693cc57d5a0d511f7b89f8781  squirrelmail-1.4.13.zip

We apologize for the inconvenience this may have caused.

- --
Happy SquirrelMailing!
The SquirrelMail Development Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFHYtKBK4PoFPj9H3MRAjiUAKDxM5V8J6vLEUAn7dfiIa1HYwKIWQCfYTbA
3nk8LOfqcBHfZ3IvEOXoOCo=
=USb7
-----END PGP SIGNATURE-----


Comment 3 Timo 2007-12-14 20:39:19 UTC
Hi,

It was reported on the SM mailing list that the source packages of 1.4.11 and 1.4.12 seem to have been modified. See this:

Date: Fri, 14 Dec 2007 12:59:08 -0600
From: Jon Angliss <jon@squirrelmail.org>
To: SquirrelMail - Announce <squirrelmail-announce@lists.sourceforge.net>
Subject: [SM-ANNOUNCE] ANNOUNCE: SquirrelMail 1.4.13 Released

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

All,

Due to the package compromise of 1.4.11 and 1.4.12, we are forced to
release 1.4.13 to ensure no confusion. While the initial review didn't
uncover a need for concern, several proofs of concept show that the
package alterations introduce a high-risk security issue, allowing
remote inclusion of files. These changes would allow a remote user the
ability to execute exploit code on a victim machine, without any user
interaction on the victim's server. This could grant the attacker the
ability to deploy further code on the victim's server.

We *STRONGLY* advise all users of 1.4.11 and 1.4.12 to upgrade
immediately.

Package MD5s
============
1a1bdad6245aaabcdd23d9402acb388e  squirrelmail-1.4.13.tar.bz2
51ddd67a7ff9272f5a6e1da0b9dfbf18  squirrelmail-1.4.13.tar.gz
ed8871a693cc57d5a0d511f7b89f8781  squirrelmail-1.4.13.zip

We apologize for the inconvenience this may have caused.

- --
Happy SquirrelMailing!
The SquirrelMail Development Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFHYtKBK4PoFPj9H3MRAjiUAKDxM5V8J6vLEUAn7dfiIa1HYwKIWQCfYTbA
3nk8LOfqcBHfZ3IvEOXoOCo=
=USb7
-----END PGP SIGNATURE-----

It would be better to update straight to 1.4.13, as the email says.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2007-12-14 21:21:35 UTC
As for security being in CC here: this does not affect Gentoo, as the checksum distributed on our rsync mirrors and the file on our distfiles mirrors are original, and the mirroring happened before the file compromise:

486fb27a6ab306088603163160dbc8ca  squirrelmail-1.4.11.tar.bz2

The only way this could hit Gentoo users is when they cannot contact Gentoo mirrors and get a compromised copy from an outdated Sourceforge mirror. That would not cross the user's checksum verification though.
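The defence Comment 4 describes is that the digest travels through a channel (rsync Manifest) separate from the file itself, so a tarball swapped on a third-party mirror fails to verify. The following is an added example, not Gentoo's or SquirrelMail's code: it parses checksum lines in the `<hexdigest>  <filename>` layout the announcements above use (the same layout `md5sum`/`sha256sum` emit), hashes each archive in a download directory, and reports OK, MISMATCH or MISSING per file. The file names and contents in `demo()` are constructed for the illustration; the announcement's real MD5 values are not reproduced there because no constructed file can match them.

```python
"""Verify downloaded release archives against published checksums.

Added example (not Gentoo's or SquirrelMail's code). Accepts md5sum- and
sha256sum-style lines so the same verifier works for the MD5s in the
announcement and for stronger digests; MD5 is accepted only because that
is what the 2007 announcement published, a current manifest should carry
SHA-256 or better.
"""
import hashlib
import os
import tempfile

# Digest length in hex characters -> hashlib algorithm that produces it.
_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def parse_sums(text):
    """Parse checksum lines into {filename: (algorithm, hexdigest)}.

    Blank, decorative ("Package MD5s", "====") and otherwise malformed
    lines are skipped, so an announcement body can be pasted as-is.
    """
    sums = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        digest, name = parts
        algo = _ALGO_BY_LEN.get(len(digest))
        if algo is None or any(c not in "0123456789abcdef" for c in digest.lower()):
            continue
        # md5sum's binary-mode marker ("*name") is stripped from the name.
        sums[name.lstrip("*")] = (algo, digest.lower())
    return sums


def file_digest(path, algo, chunk=1 << 16):
    """Stream the file through the hash so large archives fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify(sums, directory):
    """Return {filename: "OK" | "MISMATCH" | "MISSING"} for every listed file.

    MISMATCH is the signal the checksum scheme exists for: the file the
    mirror served does not match the digest obtained via a trusted channel.
    """
    results = {}
    for name, (algo, expected) in sums.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif file_digest(path, algo) == expected:
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"
    return results


def demo():
    """Constructed scenario: one intact archive, one altered, one absent."""
    with tempfile.TemporaryDirectory() as d:
        good = b"constructed stand-in for a release archive\n"  # constructed
        with open(os.path.join(d, "good.tar.gz"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "tampered.tar.gz"), "wb") as f:
            f.write(good + b"extra bytes simulating a mirror-side alteration\n")
        manifest = "\n".join([
            "Package MD5s",
            "============",
            hashlib.md5(good).hexdigest() + "  good.tar.gz",
            hashlib.md5(good).hexdigest() + "  tampered.tar.gz",
            hashlib.sha256(good).hexdigest() + "  absent.tar.gz",
        ])
        return verify(parse_sums(manifest), d)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:9} {name}")
```

The check is only as good as the channel the digests came from: a sum list fetched from the same mirror as the archive proves nothing, which is why Comment 4 stresses that Gentoo's checksum arrives via rsync rather than alongside the distfile.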
Comment 5 Jeremy Huddleston (RETIRED) gentoo-dev 2007-12-18 17:05:32 UTC
In portage.