[Bug 115149] Re: Request backport for squirrelmail from gutsy to dapper and edgy

Leonel Nunez leonel at enelserver.com
Mon Jul 16 03:36:35 BST 2007


debian/changelog  since dapper release


squirrelmail (2:1.4.6-1ubuntu0.1) dapper-security; urgency=low

  * SECURITY UPDATE: XSS and CSRF in various areas, local file inclusion,
    variable overwriting.
  * src/compose.php, src/right_main.php, src/login.php, src/mailto.php,
    src/redirect.php, src/webmail.php, src/mime.php: back-ported fixes for
    XSS in compose, draft and HTML mail. (CVE-2006-6142)
    http://www.squirrelmail.org/security/issue/2006-12-02
  * functions/mime.php, src/compose.php, src/view_text.php: back-ported fixes
    for XSS in HTML filter (CVE-2007-1262)
    http://www.squirrelmail.org/security/issue/2007-05-09
  * functions/global.php: back-ported fixes for local file inclusion.
    (CVE-2006-2842)
    http://www.squirrelmail.org/security/issue/2006-06-01
  * functions/auth.php, src/compose.php, src/login.php, src/redirect.php,
    src/webmail.php: back-ported fixes for variable overwriting.
    (CVE-2006-4019)
    http://www.squirrelmail.org/security/issue/2006-08-11

 -- Leonel Nunez <leonel at enelserver.com>  Wed, 16 May 2007 13:02:10 -0600

squirrelmail (2:1.4.6-1) unstable; urgency=high

  * New upstream release.
  * Includes the following security fixes:
    - Fix IMAP command injection in sqimap_mailbox_select
      with upstream patch. [CVE-2006-0377] (Closes: #354063)
    - Fix possible XSS in MagicHTML, concerning the parsing
      of u\rl and comments in styles. Internet Explorer
      specific. [CVE-2006-0195] (Closes: #354062)
    - Fix possible cross site scripting through the right_main
      parameter of webmail.php. This now uses a whitelist of
      acceptable values. [CVE-2006-0188] (Closes: #354064, #355424)


 -- Thijs Kinkhorst <kink at squirrelmail.org>  Tue,  7 Mar 2006 14:56:06 +0100

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2006-0188

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2006-0195

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2006-0377

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2006-2842

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2006-4019

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2006-6142

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-1262

-- 
Request backport for squirrelmail from gutsy to dapper and edgy
https://bugs.launchpad.net/bugs/115149