| Field | Value |
|---|---|
| Summary | mail-client/squirrelmail-1.4.20: CSRF vulnerability (CVE-2009-2964) |
| Product | Gentoo Security |
| Reporter | Tobias Heinlein (RETIRED) <keytoaster> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | minor |
| CC | aespiritu, djfarid, forza, net-mail+disabled, ua_gentoo_bugzilla |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://secunia.com/advisories/34627/ |
| Whiteboard | B4 [noglsa] |
| Package list | |
| Runtime testing required | --- |
| Attachments | |
Description
Tobias Heinlein (RETIRED)
2009-08-15 12:52:40 UTC
net-mail, please bump.

*** Bug 281541 has been marked as a duplicate of this bug. ***

(In reply to comment #1)
> net-mail, please bump.

I'd like to wait for 1.4.20 and to not commit a release candidate.

CVE-2009-2964 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2964):
Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier allow remote attackers to hijack the authentication of unspecified victims via features such as send message and change preferences, related to (1) functions/mailbox_display.php, (2) src/addrbook_search_html.php, (3) src/addressbook.php, (4) src/compose.php, (5) src/folders.php, (6) src/folders_create.php, (7) src/folders_delete.php, (8) src/folders_rename_do.php, (9) src/folders_rename_getname.php, (10) src/folders_subscribe.php, (11) src/move_messages.php, (12) src/options.php, (13) src/options_highlight.php, (14) src/options_identities.php, (15) src/options_order.php, (16) src/search.php, and (17) src/vcard.php.

There are still only -rc versions out.

(In reply to comment #3)
> I'd like to wait for 1.4.20 and to not commit a release candidate.

1.4.20 is out finally.
http://downloads.sourceforge.net/project/squirrelmail/stable/1.4.20/squirrelmail-1.4.20.tar.gz?use_mirror=garr

Created attachment 224067 [details]
squirrelmail-1.4.20 ebuild
Ebuild for version 1.4.20 with minimum necessary changes from squirrelmail-1.4.19.ebuild
(In reply to comment #6)
> (In reply to comment #3)
> > I'd like to wait for 1.4.20 and to not commit a release candidate.
>
> 1.4.20 is out finally.
> http://downloads.sourceforge.net/project/squirrelmail/stable/1.4.20/squirrelmail-1.4.20.tar.gz?use_mirror=garr
>

(In reply to comment #6)
> (In reply to comment #3)

I probed the latest version 1.4.20 and still have the same problems

> > I'd like to wait for 1.4.20 and to not commit a release candidate.
>
> 1.4.20 is out finally.
> http://downloads.sourceforge.net/project/squirrelmail/stable/1.4.20/squirrelmail-1.4.20.tar.gz?use_mirror=garr
>

IMHO this should hit the tree asap because of the discussed security issues. Is there anything holding it back?

The new version has been out for over a month now. The new 1.4.20 should really hit the tree. Where are you kind developers of gentoo? :-)

From squirrelmail.org: "Due to the security fixes included in our last two release candidate packages, we advise all users of SquirrelMail versions 1.4.19 and below to upgrade."

Maintainers seem to be MIA. I bumped it on behalf of security.

```
+*squirrelmail-1.4.20 (04 May 2010)
+
+ 04 May 2010; Tobias Heinlein <keytoaster@gentoo.org>
+ +squirrelmail-1.4.20.ebuild:
+ Version bump, patch by Eray Aslan <eray.aslan@caf.com.tr>, security bug
+ 281580
+
```

Arches, please test and mark stable: =mail-client/squirrelmail-1.4.20
Target keywords : "alpha amd64 ppc ppc64 sparc x86"

Tests passed successfully on x86, looks good to go here.

Tests passed successfully on amd64, looks good to go here.

x86 stable, thanks Andreas

alpha/sparc stable

ppc64 done

Marked ppc stable.

amd64 stable, all arches done.

XSS, closing noglsa.