| Field | Value |
|---|---|
| Summary | <mail-client/squirrelmail-1.4.21 XSS vulnerability (CVE-2010-2813) |
| Product | Gentoo Security |
| Reporter | Eray Aslan <eras> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | atoth, eike, net-mail+disabled |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://squirrelmail.org/index.php |
| Whiteboard | B4 [noglsa] |
| Package list | |
| Runtime testing required | --- |
Description

Eray Aslan, 2010-07-26 06:02:19 UTC

Renaming squirrelmail-1.4.20.ebuild works.

Routing security bug to security. CVE-2009-2964 has already been covered: see bug #281580. However, CVE-2010-2813 must be taken care of. A version bump is necessary and it seems to be straightforward.

CVE-2010-2813 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2813): functions/imap_general.php in SquirrelMail before 1.4.21 does not properly handle 8-bit characters in passwords, which allows remote attackers to cause a denial of service (disk consumption) by making many IMAP login attempts with different usernames, leading to the creation of many preferences files.

Can someone please finally fix this? There is nothing to do other than copy the .20 ebuild to .21; it has run fine here (x86) for some weeks.

CVE-2009-2964 was handled in 281580 already.

(In reply to comment #6)
> CVE-2009-2964 was handled in 281580 already.

What about CVE-2010-2813?

(In reply to comment #7)
> What about CVE-2010-2813?

That is handled in *this* bug, see the Summary. :)

Since multiple people have said that a rename works...

```
+*squirrelmail-1.4.21 (23 Sep 2010)
+
+  23 Sep 2010; Jeremy Olexa <darkside@gentoo.org>
+  +squirrelmail-1.4.21.ebuild:
+  (non maintainer commit) Version bump for security bug 329863
```

*PING* to net-mail.

Pong?

Security's turn to call for stabilization?

Whoops, too many tabs open, looking failure.

Arches, please test and mark stable: =mail-client/squirrelmail-1.4.21
Target keywords: "alpha amd64 ppc ppc64 sparc x86"

amd64 ok

x86 done. Thanks everyone.

amd64 done. Thanks Agostino.

ppc done

ppc64 done

alpha/sparc stable

GLSA Vote: no

GLSA vote: NO, too.

Closing noglsa.