http://www.securityfocus.com/bid/16756/discuss SquirrelMail Multiple Cross-Site Scripting and IMAP Injection Vulnerabilities SquirrelMail is susceptible to multiple cross-site scripting and IMAP-injection vulnerabilities. These issues are due to the application's failure to properly sanitize user-supplied input. An attacker may leverage any of the cross-site scripting issues to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may facilitate the theft of cookie-based authentication credentials as well as other attacks. An attacker may leverage the IMAP-injection issue to execute arbitrary IMAP commands on the configured IMAP server. This may aid attackers in further attacks as well as allow them to exploit latent vulnerabilities in the IMAP server. An exploit is not required to carry out these attacks. Solution: The vendor has committed fixes to the SquirrelMail CVS repository. Snapshots of the current development version are available from the vendor. For further information on obtaining fixed versions, contact the vendor. http://www.squirrelmail.org/changelog.php says: Version 1.4.6 - CVS ------------------- - Security: MagicHTML fix for comments in styles which allowed for cross site scripting when using Internet Explorer (reported by Scott Hughes) [CVE-2006-0195]. - Multi-line encoded headers were being deleted (#1394667). - Security: Prohibit IMAP injection attempts (reported by Vicente Aguilera) [CVE-2006-0377]. - Handle unsollicited responses inside SORT responses properly. - Security: Fix possible cross site scripting through the right_main parameter of webmail.php. This now uses a whitelist of acceptable values. [CVE-2006-0188] - Removed invalid STARTTLS check from configtest.php script. - Added Georgian language support.
erdicator please provide updated ebuilds, thx
From: kink@squirrelmail.org Subject: [SM-ANNOUNCE] SquirrelMail 1.4.6 Released Date: February 23, 2006 5:01:59 PM EST To: squirrelmail-announce@lists.sourceforge.net Hello All, It is my proud pleasure to announce the final release of SquirrelMail 1.4.6. This release is very important, and we strongly advise everybody to update to the latest release. Security Update =============== This version contains a number of security updates that were brought to our attention via a number of sources. - In webmail.php, the right_frame parameter was not properly sanitized to deal with very lenient browsers, which allowed for cross site scripting or frame replacing. [CVE-2006-0188] - In the MagicHTML function, some very obscure constructs were discovered to be exploitable: 'u\rl' was interpreted as 'url' (privacy concern), and comments could be inside keywords (allows for cross site scripting). Both only affect Internet Explorer users. Found by Martijn Brinkers and Scott Hughes. [CVE-2006-0195] - The function sqimap_mailbox_select did not strip newlines from the mailbox parameter, and thereby allowed for IMAP command injection. Found by Vicente Aguilera. [CVE-2006-0377] Further details on SquirrelMail vulnerabilities can be found at the following address: http://www.squirrelmail.org/security/ We strongly encourage any persons uncovering Security issues to contact the SquirrelMail team via security@squirrelmail.org. In This Release =============== This release contains mostly bug fixes, including corrections for PHP behaviour changes in file handling, and some data types. Especially running SquirrelMail on the most recent PHP versions should be much improved. For further information about the changes involved in this release, please see the ChangeLog and ReleaseNotes files included with the release. The latest release can be downloaded from the SquirrelMail website at http://www.squirrelmail.org/download.php Happy SquirrelMailing The SquirrelMail development Team
*** Bug 123863 has been marked as a duplicate of this bug. ***
*** Bug 123893 has been marked as a duplicate of this bug. ***
net-mail, eradicator: please bump to 1.4.6
*** Bug 124162 has been marked as a duplicate of this bug. ***
eradicator ( primary maintainer ) is not listed in dev.g.o/devaway, so I will wait for another day or two.
It's in portage. alpha, ppc, and x86 need to mark stable.
Looks like you forgot to commit ...
It's in portage: alpha,ppc,x86 please test and mark 1.4.6 stable
ppc stable
x86 and alpha, could you please test and mark stable or are there any problems?
Done for alpha and x86, sorry for the delay.
GLSA 200603-09 Thanks everybody.