Re: [SECURITY] [DSA 662-2] New squirrelmail package fixes regression
Hi,
the problem does not affect me, since I am running Squirrelmail 1.4. But thanks anyway.
Regards
Stefan
> -----Original Message-----
> From: joey@infodrom.org [mailto:joey@infodrom.org]
> Sent: Monday, 14 March 2005 15:58
> To: debian-security-announce@lists.debian.org
> Subject: [SECURITY] [DSA 662-2] New squirrelmail package fixes regression
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - --------------------------------------------------------------------------
> Debian Security Advisory DSA 662-2                     security@debian.org
> http://www.debian.org/security/                             Martin Schulze
> March 14th, 2005                        http://www.debian.org/security/faq
> - --------------------------------------------------------------------------
>
> Package : squirrelmail
> Vulnerability : several
> Problem-Type : remote
> Debian-specific: no
> CVE ID : CAN-2005-0104 CAN-2005-0152
> Debian Bug : 292714 295836
>
> Andrew Archibald discovered that the last update to
> squirrelmail which was intended to fix several problems
> caused a regression which got exposed when the user hits a
> session timeout. For completeness below is the original
> advisory text:
>
> Several vulnerabilities have been discovered in Squirrelmail, a
> commonly used webmail system. The Common Vulnerabilities and
> Exposures project identifies the following problems:
>
> CAN-2005-0104
>
> Upstream developers noticed that an unsanitised variable could
> lead to cross site scripting.
>
> CAN-2005-0152
>
> Grant Hollingworth discovered that under certain circumstances URL
> manipulation could lead to the execution of arbitrary code with
> the privileges of www-data. This problem only exists in version
> 1.2.6 of Squirrelmail.
>
> For the stable distribution (woody) these problems have been
> fixed in version 1.2.6-3.
>
> The correction in the unstable distribution (sid) is not
> affected by this regression.
>
> We recommend that you upgrade your squirrelmail package.
>
>
> Upgrade Instructions
> - --------------------
>
> wget url
> will fetch the file for you
> dpkg -i file.deb
> will install the referenced file.
>
> If you are using the apt-get package manager, use the line
> for sources.list as given below:
>
> apt-get update
> will update the internal database
> apt-get upgrade
> will install corrected packages
>
> You may use an automated update by adding the resources from
> the footer to the proper configuration.
>
>
> Debian GNU/Linux 3.0 alias woody
> - --------------------------------
>
> Source archives:
>
>     http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6-3.dsc
>       Size/MD5 checksum:      646 1de7e6666fccf9bec33415a8f087aec6
>     http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6-3.diff.gz
>       Size/MD5 checksum:    21411 ec0e038ffe18e2035fccac02eb31ba21
>     http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6.orig.tar.gz
>       Size/MD5 checksum:  1856087 be9e6be1de8d3dd818185d596b41a7f1
>
>   Architecture independent components:
>
>     http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6-3_all.deb
>       Size/MD5 checksum:  1840798 13cfdb962ff49d27edee7ec6686a8265
>
>   These files will probably be moved into the stable distribution on
>   its next update.
>
> - ---------------------------------------------------------------------------------
> For apt-get: deb http://security.debian.org/ stable/updates main
> For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
> Mailing list: debian-security-announce@lists.debian.org
> Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.0 (GNU/Linux)
>
> iD8DBQFCNZ6AW5ql+IAeqTIRAu4yAKCbVNK+myICY/ooPKdI+BuO9ivBswCfW4g9
> kNx9jofzZc+8KNPmErFj2vg=
> =XFij
> -----END PGP SIGNATURE-----
> --
> To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
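The upgrade instructions in the quoted advisory say to fetch the .deb with wget and hand it to dpkg -i. The advisory also publishes a Size/MD5 line for every file, and a practitioner following the manual route should compare the download against those values before dpkg touches it. The helper below is an added example, not part of the advisory or of Debian's tooling: the function names verify_pkg and install_checked are mine, and the sample file used in the usage comment is constructed here. The trust anchor for the advisory itself is its PGP signature; the size/MD5 check only guards against a corrupted or mismatched download.

```shell
#!/bin/sh
# Added example (not from DSA 662-2): verify a downloaded Debian package
# against the "Size/MD5 checksum" line a DSA publishes, then install it.
# Assumes POSIX sh plus md5sum (GNU) or md5 (BSD). Function names are
# hypothetical; nothing here is Debian's own tooling.
set -u

# md5_of FILE -> prints the hex MD5 digest of FILE
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# verify_pkg FILE SIZE MD5
# Returns 0 only if FILE exists, is exactly SIZE bytes, and hashes to MD5.
# Both values come straight from the advisory's "Size/MD5 checksum:" line.
verify_pkg() {
    file=$1
    want_size=$2
    want_md5=$3
    if [ ! -f "$file" ]; then
        echo "verify_pkg: missing file: $file" >&2
        return 1
    fi
    have_size=$(wc -c < "$file" | tr -d ' ')
    if [ "$have_size" != "$want_size" ]; then
        echo "verify_pkg: size mismatch for $file: got $have_size, advisory says $want_size" >&2
        return 1
    fi
    have_md5=$(md5_of "$file")
    if [ "$have_md5" != "$want_md5" ]; then
        echo "verify_pkg: MD5 mismatch for $file: got $have_md5, advisory says $want_md5" >&2
        return 1
    fi
    return 0
}

# install_checked FILE SIZE MD5
# Runs "dpkg -i FILE" only after verify_pkg passes; never installs on mismatch.
install_checked() {
    verify_pkg "$1" "$2" "$3" || return 1
    if command -v dpkg >/dev/null 2>&1; then
        dpkg -i "$1"
    else
        echo "install_checked: dpkg not available on this host; would install $1" >&2
    fi
}

# Usage, with the values printed in the advisory for the woody package:
#   wget http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6-3_all.deb
#   sh verify_dsa.sh squirrelmail_1.2.6-3_all.deb 1840798 13cfdb962ff49d27edee7ec6686a8265
if [ $# -eq 3 ]; then
    install_checked "$1" "$2" "$3"
fi
```

The size check runs before the hash so an obviously truncated download is rejected without reading the whole file twice, and every mismatch is reported to stderr with both the observed and the advisory value, which is what you want in a log when an automated fetch starts failing.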