| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | mail-client/squirrelmail <1.4.19 Fix for CVE-2009-1579 was incomplete (CVE-2009-1381) | | |
| Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | net-mail+disabled |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | C1 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Robert Buchholz (RETIRED)
2009-05-21 07:53:43 UTC
ANNOUNCE: SquirrelMail 1.4.19 Released
May 21, 2009 by Thijs Kinkhorst

The security fix to map_yp_alias in 1.4.18 turned out to be incomplete. We also experienced some regressions in the updated filter plugin. Both are addressed in this new release 1.4.19 which contains a few other small fixes as well. If you do not use map_yp_alias or the filters plugin there's no urgent need to upgrade now if you already installed 1.4.18.

1.4.19 is in CVS. Candidate for stabilization: =mail-client/squirrelmail-1.4.19

CVE-2009-1381 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1381):
The map_yp_alias function in functions/imap_general.php in SquirrelMail before 1.4.19-1 on Debian GNU/Linux, and possibly other operating systems and versions, allows remote attackers to execute arbitrary commands via shell metacharacters in a username string that is used by the ypmatch program. NOTE: this issue exists because of an incomplete fix for CVE-2009-1579.

Arches, please test and mark stable: =mail-client/squirrelmail-1.4.19
Target keywords : "alpha amd64 ppc ppc64 sparc x86"

amd64/x86 stable
sparc stable
ppc64 done
ppc done
Stable on alpha.
GLSA request filed.
GLSA 201001-08, thanks everyone.
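The pattern behind the CVE text above (a user-supplied username reaching ypmatch through a shell) shown next to a hardened form, as an added illustration that is not SquirrelMail's own code; the function names, the allowlist pattern and the map name are assumptions:

```php
<?php
// Added illustration, not code from SquirrelMail. Assumed names:
// lookup_yp_alias_unsafe(), is_safe_username(), lookup_yp_alias(), YP_MAP.

const YP_MAP = 'aliases';

// Vulnerable pattern: the username is interpolated straight into a command
// line that /bin/sh parses, so shell metacharacters in it are interpreted
// as shell syntax instead of being passed to ypmatch as data.
function lookup_yp_alias_unsafe(string $username): string
{
    $out = shell_exec("ypmatch $username " . YP_MAP);
    return is_string($out) ? trim($out) : '';
}

// Defence layer 1: a strict allowlist. Escaping alone is easy to get wrong
// (the 1.4.18 fix was incomplete), so reject anything that is not a plain
// username before it gets anywhere near a shell.
function is_safe_username(string $username): bool
{
    return (bool) preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username);
}

// Defence layer 2: quote every argument with escapeshellarg(), so even a
// value that slipped past the allowlist reaches ypmatch as one literal word.
function lookup_yp_alias(string $username): ?string
{
    if (!is_safe_username($username)) {
        return null; // caller treats this as "no alias", not as an error to echo back
    }
    $cmd = 'ypmatch ' . escapeshellarg($username) . ' ' . escapeshellarg(YP_MAP);
    $out = shell_exec($cmd);
    return is_string($out) ? trim($out) : null;
}

// Constructed sample inputs: only the validation layer is exercised here,
// so this runs without a NIS server.
foreach (['alice', 'bob.smith', 'alice; id', '`id`', '$(id)'] as $candidate) {
    printf("%-12s -> %s\n", $candidate,
        is_safe_username($candidate) ? 'accepted' : 'rejected');
}
```

Logging rejected usernames (with the offending characters) at the application layer gives a simple detection signal for probes against this code path.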