The SquirrelMail Team is pleased to announce the release of SquirrelMail version 1.4.21. This is primarily a maintenance release which addresses a smattering of small issues and adds some fine-tuning of recent changes. It also closes two relatively low-risk security issues.

Before this release, for environments with highly active users, the number of security tokens could have bloated user session (and preference) files to an unacceptable size, hurting overall responsiveness. This release scales back the default validity period of security tokens from 30 days to two days, which should fix this problem in most cases. The administrator is always free to change this value by specifying $max_token_age_days in config/config_local.php.

There are also fixes for minor issues related to header folding, faster and more resilient display of encoded subjects, quoting of encoded addresses upon reply, provision of a subject when using forward-as-attachment, and a few other tidbits.

This release also includes fixes for two low-risk vulnerabilities. The first, CVE-2010-1637, allows authenticated users to use the Mail Fetch plugin as a network/port/DNS scanner. The second, CVE-2010-2813, poses a denial-of-service risk when passwords containing 8-bit characters are used to log in. While we characterize these issues as fairly low risk, it is nevertheless recommended that users of previous versions of SquirrelMail upgrade at their earliest convenience.

Reproducible: Always
Renaming squirrelmail-1.4.20.ebuild works.
Routing security bug to security.
CVE-2009-2964 has already been covered: see bug #281580. However, CVE-2010-2813 must be taken care of. A version bump is necessary and it seems to be straightforward.
CVE-2010-2813 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2813): functions/imap_general.php in SquirrelMail before 1.4.21 does not properly handle 8-bit characters in passwords, which allows remote attackers to cause a denial of service (disk consumption) by making many IMAP login attempts with different usernames, leading to the creation of many preferences files.
Can someone please finally fix this? There is nothing to do except copy the .20 ebuild to .21; it runs fine here (x86) and has for some weeks.
CVE-2009-2964 was handled in 281580 already.
(In reply to comment #6)
> CVE-2009-2964 was handled in 281580 already.

What about CVE-2010-2813?
(In reply to comment #7) > What about CVE-2010-2813? That is handled in *this* bug, see the Summary. :) Since multiple people have said that a rename works... +*squirrelmail-1.4.21 (23 Sep 2010) + + 23 Sep 2010; Jeremy Olexa <darkside@gentoo.org> + +squirrelmail-1.4.21.ebuild: + (non maintainer commit) Version bump for security bug 329863
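Review bot: the ChangeLog entry records only "Version bump for security bug 329863" and does not name the issues the bump fixes; since this thread identifies them as CVE-2010-1637 and CVE-2010-2813, consider listing both identifiers in the entry so the ChangeLog alone documents which vulnerabilities 1.4.21 closes.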
*PING* to net-mail.
Pong? Security's turn to call for stabilization?
Whoops, too many tabs open, looking failure.

Arches, please test and mark stable:
=mail-client/squirrelmail-1.4.21
Target keywords: "alpha amd64 ppc ppc64 sparc x86"
amd64 ok
x86 done. Thanks everyone.
amd64 done. Thanks Agostino
ppc done
ppc64 done
alpha/sparc stable
GLSA Vote: no
GLSA vote: NO, too. Closing noglsa.