SquirrelMail is affected by a critical Remote Code Execution vulnerability which stems from insufficient escaping of user-supplied data when SquirrelMail has been configured with Sendmail as the main transport. An authenticated attacker may be able to exploit the vulnerability to execute arbitrary commands on the target and compromise the remote system.
Is anyone maintaining SquirrelMail anymore? Or should we drop the package from Distro?
Email sent to gentoo-dev to see if anyone wants to maintain it. Original Email to the net-mail team inquiring about this package on 4/14/17.
Created attachment 471494 [details] squirrelmail-1.4.23_pre20170502.ebuild new ebuild for latest stable I have attached an ebuild which appears to install cleanly, it is my understanding that it should no longer be vulnerable.
(In reply to Chris Henhawke from comment #3) > Created attachment 471494 [details] > squirrelmail-1.4.23_pre20170502.ebuild new ebuild for latest stable > > I have attached an ebuild which appears to install cleanly, it is my > understanding that it should no longer be vulnerable. Chris,Squirrelmail currently has no maintainer. We are about to drop it from the tree. Are you interested in becoming a proxy maintainer for it?
(In reply to Yury German from comment #4) > Chris,Squirrelmail currently has no maintainer. We are about to drop it from > the tree. Are you interested in becoming a proxy maintainer for it? While I do use the package, and it would be sad to see it go, I don't think I would be able to maintain it for the distro. My apologies.
# Thomas Deutschmann <whissi@gentoo.org> (17 May 2017) # Unpatched security vulnerability per bug #616700 # Removal in 30 days. mail-client/squirrelmail
Should send an e-mail to the gentoo-proxy-maint list to see if anyone there wants to step up.
(In reply to Philippe Chaintreuil from comment #7) > Should send an e-mail to the gentoo-proxy-maint list to see if anyone there > wants to step up. This was already sent to gentoo-dev list. No one wanted to pick up on it, in 30 days.
Seems to be active development going on http://snapshots.squirrelmail.org/ . Given the level of activity, I don't mind proxying for this if the submitted ebuild is ok for a Pull-Request. Giving it 7 days from post, if you can hold out for that long, blueknight? Will pm you on IRC for ACK :)
I can help! Need squirrelmail in Gentoo... how do we get the ebuild back in?
If someone is truly interested in maintaining this (and just talking about it every 2 weeks), feel free to take it via proxy-maint [1]. Note that there's already bug #621234 where someone requested maintaining it but it hasn't progressed at all. Also note that the existing ebuild won't do, and you will be requested to fix the QA issues with it (e.g. missing error handling). [1]:https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers commit d229371435c05ea46d79bd2172c69887888e9634 Author: Michał Górny <mgorny@gentoo.org> AuthorDate: Sat Jul 1 11:09:49 2017 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: Sat Jul 1 11:19:48 2017 mail-client/squirrelmail: Remove last-rited pkg, #611422
This issue was resolved and addressed in GLSA 201709-13 at https://security.gentoo.org/glsa/201709-13 by GLSA coordinator Aaron Bauman (b-man).
