The SquirrelMail Team is pleased to announce the release of
SquirrelMail version 1.4.21. This is primarily a maintenance release
which addresses a smattering of small issues and adds some fine-tuning
of recent changes. It also closes two relatively low-risk security
Before this release, for environments with highly active users, the
number of security tokens could have bloated user session (and
preference) files to an unacceptable size, hurting overall
responsiveness. This release scales back the default validity period
of security tokens from 30 days to two days, which should fix this
problem in most cases. The administrator is always free to change
this value by specifying $max_token_age_days in
There are also fixes for minor issues related to header folding,
faster and more resilient display of encoded subjects, quoting of
encoded addresses upon reply, provision of a subject when using
forward-as-attachment, and a few other tidbits.
This release also includes fixes for two low-risk vulnerabilities.
The first, CVE-2010-1637, allows authenticated users to use the Mail
Fetch plugin as a network/port/DNS scanner. The second,
CVE-2010-2813, poses a denial-of-service risk when passwords
containing 8-bit characters are used to log in. While we characterize
these issues as fairly low risk, it is nevertheless recommended that
users of previous versions of SquirrelMail upgrade at their earliest
Renaming squirrelmail-1.4.20.ebuild works.
Routing security bug to security.
CVE-2009-2964 has been already covered: see bug #281580.
However CVE-2010-2813 must be taken care of.
A version bump is necessary and it seems to be straightforward.
functions/imap_general.php in SquirrelMail before 1.4.21 does not
properly handle 8-bit characters in passwords, which allows remote
attackers to cause a denial of service (disk consumption) by making
many IMAP login attempts with different usernames, leading to the
creation of many preferences files.
Can someone please finally fix this? There is nothing to do except copy the .20 ebuild to .21; it runs fine here (x86) and has for some weeks.
CVE-2009-2964 was handled in 281580 already.
(In reply to comment #6)
> CVE-2009-2964 was handled in 281580 already.
What about CVE-2010-2813?
(In reply to comment #7)
> What about CVE-2010-2813?
That is handled in *this* bug, see the Summary. :)
Since multiple people have said that a rename works...
+*squirrelmail-1.4.21 (23 Sep 2010)
+ 23 Sep 2010; Jeremy Olexa <email@example.com>
+ (non maintainer commit) Version bump for security bug 329863
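Review bot: the ChangeLog entry references security bug 329863 but does not name the CVE identifier this bug covers (CVE-2010-2813); adding it to the entry, e.g. "Version bump for security bug 329863 (CVE-2010-2813)", keeps the security fix traceable from the ChangeLog alone.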
*PING* to net-mail.
Pong? Security's turn to call for stabilization?
Whoops, too many tabs open, looking failure.
Arches, please test and mark stable:
Target keywords : "alpha amd64 ppc ppc64 sparc x86"
x86 done. Thanks everyone.
amd64 done. Thanks Agostino.
GLSA Vote: no
GLSA vote: NO, too. Closing noglsa.