Summary: | <mail-client/squirrelmail-1.4.18: Multiple vulnerabilities (CVE-2009-{1578,1579,1580,1581}) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Alex Legler (RETIRED) <a3li> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | major | CC: | moixa, net-mail+disabled |
Priority: | High | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | http://www.squirrelmail.org/security/ | | |
Whiteboard: | C1 [glsa] | | |
Package list: | | Runtime testing required: | --- |
Description
Alex Legler (RETIRED)
2009-05-12 16:15:52 UTC
Remedy: Update to 1.4.18.

(In reply to comment #1)
> Remedy: Update to 1.4.18.

did so.

Candidate for stabilization: =mail-client/squirrelmail-1.4.18

Arches, please test and mark stable: =mail-client/squirrelmail-1.4.18
Target keywords : "alpha amd64 ppc ppc64 sparc x86"

```
!!! dodoc: AUTHORS does not exist
!!! dodoc: COPYING does not exist
!!! dodoc: ChangeLog does not exist
!!! dodoc: INSTALL does not exist
!!! dodoc: ReleaseNotes does not exist
!!! dodoc: UPGRADE does not exist
```

x86 stable

amd64 stable

Stable on alpha.

CVE-2009-1578 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1578): Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail before 1.4.18 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) certain encrypted strings in e-mail headers, related to contrib/decrypt_headers.php; (2) PHP_SELF; and (3) the query string (aka QUERY_STRING).

CVE-2009-1579 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1579): The map_yp_alias function in functions/imap_general.php in SquirrelMail before 1.4.18 allows remote attackers to execute arbitrary commands via shell metacharacters in a username string that is used by the ypmatch program.

CVE-2009-1580 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1580): Session fixation vulnerability in SquirrelMail before 1.4.18 allows remote attackers to hijack web sessions via a crafted cookie.

CVE-2009-1581 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1581): functions/mime.php in SquirrelMail before 1.4.18 does not protect the application's content from Cascading Style Sheets (CSS) positioning in HTML e-mail messages, which allows remote attackers to spoof the user interface, and conduct cross-site scripting (XSS) and phishing attacks, via a crafted message.

(In reply to comment #4)
> !!! dodoc: AUTHORS does not exist
> !!! dodoc: COPYING does not exist
> !!! dodoc: ChangeLog does not exist
> !!! dodoc: INSTALL does not exist
> !!! dodoc: ReleaseNotes does not exist
> !!! dodoc: UPGRADE does not exist

fixed

Done by josejx for ppc and ppc64.

sparc stable and 1.4.17 removed.

ready for glsa.

GLSA 201001-08, thanks everyone.
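As an added example (not SquirrelMail's code and not from this bug), this is the hardened shape a defender would want for the ypmatch lookup that CVE-2009-1579 describes: the username is validated against an assumed character whitelist before it reaches a shell, and the command is built with escapeshellarg() so metacharacters are passed as literal bytes. The function names, the whitelist and the `aliases` map name are assumptions.

```php
<?php
// Illustrative hardening of a ypmatch-based alias lookup (CVE-2009-1579 class
// of bug). This is NOT SquirrelMail's map_yp_alias(); names are assumptions.

// Allow only a plausible local-part: 1-64 chars of [A-Za-z0-9._-], starting
// with an alphanumeric. Anything else is treated as untrusted and rejected.
// (Assumed policy; adjust to the site's real username rules.)
function is_safe_username(string $username): bool {
    return (bool) preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/', $username);
}

// escapeshellarg() single-quotes the argument and neutralises embedded quotes,
// so characters such as ; | ` $ ( ) are never interpreted by /bin/sh.
function build_ypmatch_command(string $username, string $map = 'aliases'): string {
    return 'ypmatch ' . escapeshellarg($username) . ' ' . escapeshellarg($map);
}

// Defence in depth: validate first, quote second, and fail closed on any error.
function map_yp_alias_hardened(string $username): ?string {
    if (!is_safe_username($username)) {
        // Unexpected username: run nothing rather than guess.
        return null;
    }
    $output = [];
    $status = 1;
    exec(build_ypmatch_command($username), $output, $status);
    if ($status !== 0 || empty($output)) {
        return null;
    }
    // ypmatch prints the map value on the first line; caller parses it further.
    return trim($output[0]);
}

// Self-check on constructed inputs: a plain username passes the whitelist,
// a value carrying a shell metacharacter is rejected before any exec().
var_dump(is_safe_username('alice'));
var_dump(is_safe_username('alice;id'));
echo build_ypmatch_command("o'neil"), "\n";
```

Run with `php` from the command line; the last line shows how the quoting wraps a username containing a single quote so it survives the shell intact.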