[Bug 375513] Re: Multiple CVEs for Squirrelmail <1.4.17

Launchpad Bug Tracker 375513 at bugs.launchpad.net
Tue Jun 2 17:39:22 UTC 2009


This bug was fixed in the package squirrelmail - 2:1.4.13-2ubuntu1.3

---------------
squirrelmail (2:1.4.13-2ubuntu1.3) hardy-security; urgency=low

  * SECURITY UPDATE: (LP: #375513)
  * Multiple cross site scripting issues. Two issues were fixed that both
    allowed an attacker to run arbitrary script (XSS) on most any
    SquirrelMail page by getting the user to click on specially crafted
    SquirrelMail links.
    - http://squirrelmail.org/security/issue/2009-05-08
    - CVE-2009-1578
    - Patch taken from upstream svn rev. 13670. Applied inline.
  * Cross site scripting issues in decrypt_headers.php. An issue was fixed
    wherein input to the contrib/decrypt_headers.php script was not sanitized
    and allowed arbitrary script execution upon submission of certain values.
    - http://squirrelmail.org/security/issue/2009-05-09
    - CVE-2009-1578
    - Patch taken from upstream svn rev. 13672. Applied inline.
  * Server-side code injection in map_yp_alias username map. An issue was
    fixed that allowed arbitrary server-side code execution when SquirrelMail
    was configured to use the example "map_yp_alias" username mapping
    functionality.
    - http://squirrelmail.org/security/issue/2009-05-10
    - CVE-2009-1579
    - Patch taken from upstream svn rev. 13674. Applied inline.
  * Session fixation vulnerability. An issue was fixed that allowed an
    attacker to possibly steal user data by hijacking the SquirrelMail
    login session.
    - http://squirrelmail.org/security/issue/2009-05-11
    - CVE-2009-1580
    - Patch taken from upstream svn rev. 13676. Applied inline.
  * CSS positioning vulnerability. An issue was fixed that allowed phishing
    and cross-site scripting (XSS) attacks to be run by surreptitious
    placement of content in specially-crafted emails sent to SquirrelMail
    users.
    - http://squirrelmail.org/security/issue/2009-05-12
    - CVE-2009-1581
    - Patch taken from upstream svn rev. 13667. Applied inline.

 -- Andreas Wenning <awen at awen.dk>   Tue, 12 May 2009 21:13:30 +0200

** Changed in: squirrelmail (Ubuntu Hardy)
       Status: Fix Committed => Fix Released

** Changed in: squirrelmail (Ubuntu Intrepid)
       Status: Fix Committed => Fix Released

-- 
Multiple CVEs for Squirrelmail  <1.4.17
https://bugs.launchpad.net/bugs/375513
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
