Debian Security Advisory
DSA-756-1 squirrelmail -- several vulnerabilities
- Date Reported: 13 Jul 2005
- Affected Packages: squirrelmail
- Vulnerable: Yes
- Security database references: In the Debian bugtracking system: Bug 314374, Bug 317094. In Mitre's CVE dictionary: CVE-2005-1769, CVE-2005-2095.
- More information:
Several vulnerabilities have been discovered in SquirrelMail, a commonly used webmail system. The Common Vulnerabilities and Exposures project identifies the following problems:
- CAN-2005-1769
Martijn Brinkers discovered cross-site scripting vulnerabilities that allow remote attackers to inject arbitrary web script or HTML via the URL and via e-mail messages.
- CAN-2005-2095
James Bercegay of GulfTech Security discovered a vulnerability in variable handling that could allow attackers to alter other users' preferences and possibly read them, to write files to any location writable by www-data, and to perform cross-site scripting.
For the old stable distribution (woody) these problems have been fixed in version 1.2.6-4.
For the stable distribution (sarge) these problems have been fixed in version 1.4.4-6sarge1.
For the unstable distribution (sid) these problems have been fixed in version 1.4.4-6sarge1.
We recommend that you upgrade your squirrelmail package.
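The versions above are the only thing an administrator needs in order to decide whether a given host is still affected, but comparing Debian version strings by hand is error-prone (for example, 1.4.4-6 is older than 1.4.4-6sarge1, and 1.4.4-6~bpo1 is older than 1.4.4-6). The following is an added example, not part of the advisory and not Debian's own tooling: it re-implements the version ordering from Debian Policy (epoch, then upstream version, then Debian revision; within each part, non-digit runs compared with "~" sorting before the empty string and letters before other characters, and digit runs compared numerically) so it runs without dpkg, and checks an installed version against the fixed versions quoted above. The function names and the `FIXED_VERSIONS` table are this example's own. On a live host, `dpkg-query -W -f='${Version}' squirrelmail` together with `dpkg --compare-versions` is the authoritative check.

```python
"""Check whether an installed squirrelmail version predates the fix in
DSA-756-1.

Added example, not part of the advisory. Re-implements the Debian version
ordering (Debian Policy, "Version") so it runs without dpkg; use
`dpkg --compare-versions` on real systems.
"""

# Fixed versions quoted in the advisory, keyed by distribution name.
FIXED_VERSIONS = {
    "woody": "1.2.6-4",
    "sarge": "1.4.4-6sarge1",
    "sid": "1.4.4-6sarge1",
}


def split_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision).

    The revision is everything after the last hyphen; the epoch defaults to 0.
    """
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:  # no hyphen: the whole string is the upstream version
        upstream, revision = revision, ""
    return epoch, upstream, revision


def _order(ch):
    """Ordering of a non-digit character, as in dpkg: '~' sorts before
    everything (including end of string), letters sort before non-letters."""
    if ch == "~":
        return -1
    if ch == "":
        return 0
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def compare_fragment(a, b):
    """Compare two version fragments (upstream or revision) the way dpkg does:
    alternate between a non-digit run (character by character via _order)
    and a digit run (numerically). Returns -1, 0 or 1."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: stop at a digit or at end of string on each side.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ca = a[i] if i < len(a) and not a[i].isdigit() else ""
            cb = b[j] if j < len(b) and not b[j].isdigit() else ""
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
            if ca:
                i += 1
            if cb:
                j += 1
        # Digit run: compare numerically, so leading zeros do not matter.
        na = ""
        while i < len(a) and a[i].isdigit():
            na += a[i]
            i += 1
        nb = ""
        while j < len(b) and b[j].isdigit():
            nb += b[j]
            j += 1
        ia = int(na) if na else 0
        ib = int(nb) if nb else 0
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def compare_versions(v1, v2):
    """Full Debian comparison: epoch first, then upstream, then revision."""
    e1, u1, r1 = split_version(v1)
    e2, u2, r2 = split_version(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return compare_fragment(u1, u2) or compare_fragment(r1, r2)


def is_vulnerable(installed, distribution):
    """True if the installed version is older than the fixed version for
    the given distribution (woody, sarge or sid)."""
    return compare_versions(installed, FIXED_VERSIONS[distribution]) < 0


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real host.
    for dist, installed in [("sarge", "1.4.4-6"), ("sarge", "1.4.4-6sarge1"),
                            ("woody", "1.2.6-3"), ("sarge", "1.4.4-6~bpo1")]:
        state = "VULNERABLE" if is_vulnerable(installed, dist) else "fixed"
        print(f"{dist}: squirrelmail {installed} -> {state}")
```

Note that 1.4.4-6 (the sarge release version) compares lower than 1.4.4-6sarge1 because, after the equal digit run "6", the end of the shorter revision sorts before the letter "s"; a backport-style 1.4.4-6~bpo1 sorts lower still because "~" sorts before the end of string.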
- Fixed in:
Debian GNU/Linux 3.0 (woody)
- Source:
- http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6-4.dsc
- http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6-4.diff.gz
- http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6.orig.tar.gz
- Architecture-independent component:
- http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6-4_all.deb
Debian GNU/Linux 3.1 (sarge)
- Source:
- http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.4-6sarge1.dsc
- http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.4-6sarge1.diff.gz
- http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.4.orig.tar.gz
- Architecture-independent component:
- http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.4-6sarge1_all.deb
MD5 checksums of the listed files are available in the original advisory.