Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 270671 (CVE-2009-1381) - mail-client/squirrelmail <1.4.19 Fix for CVE-2009-1579 was incomplete (CVE-2009-1381)
Summary: mail-client/squirrelmail <1.4.19 Fix for CVE-2009-1579 was incomplete (CVE-20...
Alias: CVE-2009-1381
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
Whiteboard: C1 [glsa]
Depends on:
Reported: 2009-05-21 07:53 UTC by Robert Buchholz (RETIRED)
Modified: 2010-01-13 22:16 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2009-05-21 07:53:43 UTC
The Red Hat Security Response Team discovered that the fix for CVE-2009-1579 applied in 1.4.18 was incomplete. 1.4.19 will be released today with a complete patch.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-05-21 19:03:57 UTC
ANNOUNCE: SquirrelMail 1.4.19 Released
May 21, 2009 by Thijs Kinkhorst
 	The security fix to map_yp_alias in 1.4.18 turned out to be incomplete. We also experienced some regressions in the updated filter plugin. Both are addressed in this new release 1.4.19 which contains a few other small fixes aswell. If you do not use map_yp_alias or the filters plugin there's no urgent need to upgrade now if you already installed 1.4.18. 
Comment 2 Tobias Scherbaum (RETIRED) gentoo-dev 2009-05-22 11:56:37 UTC
1.4.19 is in CVS.

Candidate for stabilization:

Comment 3 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-05-24 17:08:09 UTC
CVE-2009-1381 (
  The map_yp_alias function in functions/imap_general.php in
  SquirrelMail before 1.4.19-1 on Debian GNU/Linux, and possibly other
  operating systems and versions, allows remote attackers to execute
  arbitrary commands via shell metacharacters in a username string that
  is used by the ypmatch program.  NOTE: this issue exists because of
  an incomplete fix for CVE-2009-1579.
Comment 4 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-05-24 17:12:11 UTC
Arches, please test and mark stable:
Target keywords : "alpha amd64 ppc ppc64 sparc x86"
Comment 5 Markus Meier gentoo-dev 2009-05-24 20:16:09 UTC
amd64/x86 stable
Comment 6 Tiago Cunha (RETIRED) gentoo-dev 2009-05-24 20:53:07 UTC
sparc stable
Comment 7 Brent Baude (RETIRED) gentoo-dev 2009-05-25 16:01:36 UTC
ppc64 done
Comment 8 Brent Baude (RETIRED) gentoo-dev 2009-05-25 16:01:43 UTC
ppc done
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2009-06-02 17:26:05 UTC
Stable on alpha.
Comment 10 Tobias Heinlein (RETIRED) gentoo-dev 2009-06-03 18:19:14 UTC
GLSA request filed.
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2010-01-13 22:16:21 UTC
GLSA 201001-08, thanks everyone.