From secunia: A vulnerability has been discovered in SquirrelMail, which can be exploited by malicious people to conduct cross-site request forgery attacks. The application allows users to perform certain actions via HTTP requests without performing any validation checks to verify the requests. This can be exploited to e.g. change user preferences, delete emails, and potentially send emails when a logged-in user visits a malicious web page. The vulnerabilities are confirmed in version 1.4.17. Other versions may also be affected.
net-mail, please bump.
*** Bug 281541 has been marked as a duplicate of this bug. ***
(In reply to comment #1) > net-mail, please bump. > I'd like to wait for 1.4.20 and to not commit a release candidate.
CVE-2009-2964 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2964): Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier allow remote attackers to hijack the authentication of unspecified victims via features such as send message and change preferences, related to (1) functions/mailbox_display.php, (2) src/addrbook_search_html.php, (3) src/addressbook.php, (4) src/compose.php, (5) src/folders.php, (6) src/folders_create.php, (7) src/folders_delete.php, (8) src/folders_rename_do.php, (9) src/folders_rename_getname.php, (10) src/folders_subscribe.php, (11) src/move_messages.php, (12) src/options.php, (13) src/options_highlight.php, (14) src/options_identities.php, (15) src/options_order.php, (16) src/search.php, and (17) src/vcard.php.
There are still only -rc versions out.
(In reply to comment #3) > I'd like to wait for 1.4.20 and to not commit a release candidate. 1.4.20 is out finally. http://downloads.sourceforge.net/project/squirrelmail/stable/1.4.20/squirrelmail-1.4.20.tar.gz?use_mirror=garr
Created attachment 224067 [details] squirrelmail-1.4.20 ebuild Ebuild for version 1.4.20 with minimum necesaary changes from squirrelmail-1.4.19.ebuild
(In reply to comment #6) > (In reply to comment #3) > > I'd like to wait for 1.4.20 and to not commit a release candidate. > > 1.4.20 is out finally. > http://downloads.sourceforge.net/project/squirrelmail/stable/1.4.20/squirrelmail-1.4.20.tar.gz?use_mirror=garr > (In reply to comment #6) > (In reply to comment #3) I probe the latest version 1.4.20 and still have the same problems > > I'd like to wait for 1.4.20 and to not commit a release candidate. > > 1.4.20 is out finally. > http://downloads.sourceforge.net/project/squirrelmail/stable/1.4.20/squirrelmail-1.4.20.tar.gz?use_mirror=garr >
IMHO this should hit the tree asap because of the discussed security issues. Is there anything holding it back? The new version has been out for over a month now.
The new 1.4.20 should really hit the tree. Where are you kind developers of gentoo? :-) From squirrelmail.org: "Due to the security fixes included in our last two release candidate packages, we advise all users of SquirrelMail versions 1.4.19 and below to upgrade."
Maintainers seem to be MIA. I bumped it on behalf of security. +*squirrelmail-1.4.20 (04 May 2010) + + 04 May 2010; Tobias Heinlein <keytoaster@gentoo.org> + +squirrelmail-1.4.20.ebuild: + Version bump, patch by Eray Aslan <eray.aslan@caf.com.tr>, security bug + 281580 +
Arches, please test and mark stable: =mail-client/squirrelmail-1.4.20 Target keywords : "alpha amd64 ppc ppc64 sparc x86"
Tests passed successful on x86, looks good to go here.
Tests passed successful on amd64, looks good to go here.
x86 stable, thanks Andreas
alpha/sparc stable
ppc64 done
Marked ppc stable.
amd64 stable, all arches done.
XSS, closing noglsa.
