Debian Security Advisory
DSA-2291-1 squirrelmail -- various vulnerabilities
- Date Reported:
- 08 Aug 2011
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2010-4554, CVE-2010-4555, CVE-2011-2023, CVE-2011-2752, CVE-2011-2753.
- More information:
Various vulnerabilities have been found in SquirrelMail, a webmail application. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities:
SquirrelMail did not prevent page rendering inside a third-party HTML frame, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site.
Multiple small bugs in SquirrelMail allowed an attacker to inject malicious script into various pages or alter the contents of user preferences.
It was possible to inject arbitrary web script or HTML via a crafted STYLE element in an HTML part of an e-mail message.
For the oldstable distribution (lenny), these problems have been fixed in version 1.4.15-4+lenny5.
For the stable distribution (squeeze), these problems have been fixed in version 1.4.21-2.
For the testing (wheezy) and unstable distribution (sid), these problems have been fixed in version 1.4.22-1.
We recommend that you upgrade your squirrelmail packages.