The Red Hat Security Response Team discovered that the fix for CVE-2009-1579 applied in 1.4.18 was incomplete. 1.4.19 will be released today with a complete patch.
ANNOUNCE: SquirrelMail 1.4.19 Released
May 21, 2009 by Thijs Kinkhorst

The security fix to map_yp_alias in 1.4.18 turned out to be incomplete. We also experienced some regressions in the updated filter plugin. Both are addressed in this new release 1.4.19, which contains a few other small fixes as well. If you do not use map_yp_alias or the filters plugin, there's no urgent need to upgrade now if you already installed 1.4.18.
1.4.19 is in CVS. Candidate for stabilization: =mail-client/squirrelmail-1.4.19
CVE-2009-1381 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1381): The map_yp_alias function in functions/imap_general.php in SquirrelMail before 1.4.19-1 on Debian GNU/Linux, and possibly other operating systems and versions, allows remote attackers to execute arbitrary commands via shell metacharacters in a username string that is used by the ypmatch program. NOTE: this issue exists because of an incomplete fix for CVE-2009-1579.
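The bug class behind both CVEs is plain command injection: the login name is interpolated into a ypmatch command line and handed to the shell. The following is an added illustration, not SquirrelMail's own functions/imap_general.php code and not the 1.4.18 or 1.4.19 patch (the thread does not say what the incomplete fix did). Function names, the exact command line and the test usernames are assumptions made for this example.

```php
<?php
// Added example (not SquirrelMail code): the unsafe pattern behind
// CVE-2009-1579 / CVE-2009-1381 beside one way to close it.

// Unsafe: the username goes straight into a shell command line, so a login
// name such as "alice; id" makes the shell run "id" as the web-server user.
// Returns the command line that would be executed (assumed shape).
function build_ypmatch_cmd_unsafe($username)
{
    return "ypmatch $username aliases";
}

// Hardened: first reject anything that is not a plain account name, then
// quote the argument anyway so a future relaxation of the pattern cannot
// reintroduce the hole. Returns null for rejected input.
function build_ypmatch_cmd_safe($username)
{
    // NIS/POSIX account names: letters, digits, dot, underscore, hyphen.
    if (!is_string($username) || !preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        return null;
    }
    return 'ypmatch ' . escapeshellarg($username) . ' aliases';
}

// Lookup wrapper: only ever runs the validated, quoted command.
// Returns the alias target, or false if the name was rejected or not found.
function map_yp_alias_safe($username)
{
    $cmd = build_ypmatch_cmd_safe($username);
    if ($cmd === null) {
        return false;
    }
    $out = shell_exec($cmd . ' 2>/dev/null');
    if ($out === null || trim($out) === '') {
        return false;
    }
    // ypmatch prints "key: value"; keep only the value.
    $parts = explode(':', trim($out), 2);
    return isset($parts[1]) ? trim($parts[1]) : false;
}

// Constructed sample inputs (not real usernames or real attacks from the
// advisory): one benign name and three shell-metacharacter payloads.
$samples = array(
    'alice',
    'alice; id',
    'alice`id`',
    'alice $(id)',
);

foreach ($samples as $name) {
    $unsafe = build_ypmatch_cmd_unsafe($name);
    $safe   = build_ypmatch_cmd_safe($name);
    printf("input   : %s\n", $name);
    printf("unsafe  : %s\n", $unsafe);
    printf("hardened: %s\n\n", $safe === null ? '(rejected)' : $safe);
}
```

Running this prints the raw command line for each input next to what the hardened builder produces: the three metacharacter payloads are rejected outright, and the benign name comes back single-quoted. The whitelist is the real control; escapeshellarg is belt-and-braces, and the reason to keep both is exactly what this thread shows: an escaping-only fix that misses one metacharacter case yields a second CVE.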
Arches, please test and mark stable: =mail-client/squirrelmail-1.4.19 Target keywords : "alpha amd64 ppc ppc64 sparc x86"
amd64/x86 stable
sparc stable
ppc64 done
ppc done
Stable on alpha.
GLSA request filed.
GLSA 201001-08, thanks everyone.