The Red Hat Security Response Team discovered that the fix for CVE-2009-1579 applied in 1.4.18 was incomplete. 1.4.19 will be released today with a complete patch.
ANNOUNCE: SquirrelMail 1.4.19 Released
May 21, 2009 by Thijs Kinkhorst
The security fix to map_yp_alias in 1.4.18 turned out to be incomplete. We also experienced some regressions in the updated filter plugin. Both are addressed in this new release 1.4.19, which contains a few other small fixes as well. If you do not use map_yp_alias or the filters plugin, there's no urgent need to upgrade now if you already installed 1.4.18.
1.4.19 is in CVS.
Candidate for stabilization:
The map_yp_alias function in functions/imap_general.php in SquirrelMail before 1.4.19-1 on Debian GNU/Linux, and possibly other operating systems and versions, allows remote attackers to execute arbitrary commands via shell metacharacters in a username string that is used by the ypmatch program. NOTE: this issue exists because of an incomplete fix for CVE-2009-1579.
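For readers checking their own code for the same bug class, here is an added illustration of the pattern the CVE text describes (a username interpolated into a shell command that runs ypmatch) next to three ways of neutralizing shell metacharacters. This is example code written for this page; it is not SquirrelMail's map_yp_alias, not the 1.4.18 or 1.4.19 patch, and not taken from the announcement. The function names, the login-name whitelist regex and the constructed attacker payload are assumptions made for the example.

```php
<?php
// Added example (not SquirrelMail's own code): how an attacker-controlled username
// reaches ypmatch through the shell, and how to stop metacharacters being parsed.

// VULNERABLE pattern: the username is interpolated directly into a shell command.
// A value such as "alice; touch /tmp/pwned; echo " turns one command into three.
function build_ypmatch_command_vulnerable(string $username): string
{
    return "ypmatch $username aliases";
}

// Hardening step 1: validate before anything reaches a shell.
// Assumption for this example: login names are POSIX portable names (letters,
// digits, '.', '_', '-'), at most 32 characters, and may not start with '-' so
// the value can never be parsed as a command-line option by ypmatch.
function is_valid_login_name(string $username): bool
{
    return preg_match('/^[A-Za-z0-9_.][A-Za-z0-9_.-]{0,31}$/', $username) === 1;
}

// Hardening step 2: if a shell command string must be built, pass the username
// through escapeshellarg(), which wraps it in single quotes and escapes any
// embedded single quote, so the shell treats the whole value as one literal word.
function build_ypmatch_command_hardened(string $username): string
{
    if (!is_valid_login_name($username)) {
        throw new InvalidArgumentException('refusing alias lookup for invalid login name');
    }
    return 'ypmatch ' . escapeshellarg($username) . ' aliases';
}

// Hardening step 3: skip the shell entirely. Since PHP 7.4 proc_open() accepts an
// argv array and executes the program directly, so there is no shell to interpret
// ';', '|', '`' or '$(...)' in the username at all. Returns null on any failure.
function map_yp_alias_no_shell(string $username): ?string
{
    if (!is_valid_login_name($username)) {
        return null;
    }
    $descriptors = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['ypmatch', $username, 'aliases'], $descriptors, $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    if (proc_close($proc) !== 0) {
        return null; // ypmatch exits non-zero when the key is not in the map
    }
    return trim($out);
}

// Demonstration with a constructed attacker-controlled username (not real data).
$payload = 'alice; touch /tmp/pwned; echo ';

echo "vulnerable: ", build_ypmatch_command_vulnerable($payload), "\n";
echo "hardened:   ", build_ypmatch_command_hardened('bob.smith'), "\n";

try {
    build_ypmatch_command_hardened($payload);
} catch (InvalidArgumentException $e) {
    echo "rejected:   ", $e->getMessage(), "\n";
}

// Only attempt the real lookup where a NIS client is actually installed.
if (is_executable('/usr/bin/ypmatch')) {
    var_dump(map_yp_alias_no_shell('bob.smith'));
}
```

The order of the three steps matters: the whitelist is the cheapest check and rejects the payload outright, escapeshellarg() is the fallback when a legacy code path insists on building a command string, and the argv form of proc_open() removes the shell from the picture so that no quoting mistake can reintroduce the problem. An incomplete fix of the kind CVE-2009-1581 describes is typically one that applies only the second step and misses a metacharacter or a code path; validating at the boundary and avoiding the shell closes both gaps.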
Arches, please test and mark stable:
Target keywords : "alpha amd64 ppc ppc64 sparc x86"
Stable on alpha.
GLSA request filed.
GLSA 201001-08, thanks everyone.