Message-Id: <E1M416m-0006iH-Se@titan.mandriva.com>
Date: Wed, 13 May 2009 01:10:00 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2009:110 ] squirrelmail
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2009:110
http://www.mandriva.com/security/
_______________________________________________________________________
Package : squirrelmail
Date : May 12, 2009
Affected: Corporate 4.0
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities have been identified and corrected in
squirrelmail:
Two issues were fixed that both allowed an attacker to run arbitrary
script (XSS) on almost any SquirrelMail page by getting the user to
click on specially crafted SquirrelMail links (CVE-2009-1578).
An issue was fixed wherein input to the contrib/decrypt_headers.php
script was not sanitized and allowed arbitrary script execution upon
submission of certain values (CVE-2009-1578).
An issue was fixed that allowed arbitrary server-side code execution
when SquirrelMail was configured to use the example map_yp_alias
username mapping functionality (CVE-2009-1579).
An issue was fixed that allowed an attacker to possibly steal user
data by hijacking the SquirrelMail login session (CVE-2009-1580).
An issue was fixed that allowed phishing and cross-site scripting
(XSS) attacks to be run by surreptitious placement of content in
specially-crafted emails sent to SquirrelMail users (CVE-2009-1581).
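The XSS issues above share one pattern: a value taken from the request (a query parameter, a header value displayed by a script such as contrib/decrypt_headers.php) is copied into the page without encoding. The Python below is an added illustration, not SquirrelMail code and not the fix Mandriva shipped: it places a reflecting page beside its hardened form and shows why link targets need scheme validation rather than encoding alone, which is the difference between a crafted link that merely looks odd and one that runs script. All function names, parameter names and the sample query strings are constructed for this example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed query strings, not taken from SquirrelMail traffic: one carries
# a script tag in a displayed parameter, the other a script-scheme link target.
SCRIPT_QUERY = "subject=%3Cscript%3Ealert(1)%3C%2Fscript%3E&mailbox=INBOX"
LINK_QUERY = "mailbox=INBOX&next=javascript%3Aalert(1)"


def _param(query, name):
    """First value of a query-string parameter, or '' when it is absent."""
    return parse_qs(query, keep_blank_values=True).get(name, [""])[0]


def render_subject_vulnerable(query):
    """Reflects the raw parameter into the page: the 'input was not sanitized'
    pattern the advisory describes. Kept only to contrast with the hardened form."""
    return "<h2>Subject: %s</h2>" % _param(query, "subject")


def render_subject_hardened(query):
    """Same page, but the untrusted value is HTML-encoded for text context
    (quote=True also covers attribute context)."""
    return "<h2>Subject: %s</h2>" % html.escape(_param(query, "subject"), quote=True)


def safe_href(target):
    """Encoding is not enough for link targets: 'javascript:...' is harmless as
    text but executes when it lands in href. Allow only relative paths and
    http(s) URLs; anything else collapses to a dead link."""
    scheme = urlsplit(target).scheme.lower()
    if scheme not in ("", "http", "https"):
        return "#"
    return html.escape(target, quote=True)


def render_next_link_hardened(query):
    """Builds a 'continue' link from an untrusted 'next' parameter."""
    return '<a href="%s">Continue</a>' % safe_href(_param(query, "next"))


def reflects_active_content(rendered):
    """Crude regression check: does the rendered page still contain a live
    script tag or a script-scheme href after rendering?"""
    lowered = rendered.lower()
    return "<script" in lowered or 'href="javascript:' in lowered


if __name__ == "__main__":
    print(render_subject_vulnerable(SCRIPT_QUERY))
    print(render_subject_hardened(SCRIPT_QUERY))
    print(render_next_link_hardened(LINK_QUERY))
```

The `reflects_active_content` check is the kind of assertion worth keeping in a template test suite: it fails on the vulnerable renderer and passes on the hardened one, so a later change that drops the encoding is caught before deployment. The scheme allow-list in `safe_href` is deliberately short; widening it is a decision to make per link, not globally.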
Additionally, many of the bundled plugins have been upgraded. Basically
this is a synchronization with the latest squirrelmail package found
in Mandriva Cooker. The rpm changelog will reveal all the changes
(rpm -q --changelog squirrelmail).
The updated packages have been upgraded to the latest version of
squirrelmail to prevent this.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1578
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1579
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1580
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1581
_______________________________________________________________________
Updated Packages:
Corporate 4.0:
d8e8e8560b8b5cf89bb06dbda75033ef corporate/4.0/i586/squirrelmail-1.4.18-0.1.20060mlcs4.noarch.rpm
0ba6c8b99d8ccac0df0d3e90a7d70f47 corporate/4.0/i586/squirrelmail-ar-1.4.18-0.1.20060mlcs4.noarch.rpm
54b0bb74cba4da1dffdf0dc044de0986 corporate/4.0/i586/squirrelmail-bg-1.4.18-0.1.20060mlcs4.noarch.rpm
fe1cfa4f6317fd8e295e0265be5da46b corporate/4.0/i586/squirrelmail-bn-1.4.18-0.1.20060mlcs4.noarch.rpm
46835353a19ca7e290ee0f538dc1cfec corporate/4.0/i586/squirrelmail-ca-1.4.18-0.1.20060mlcs4.noarch.rpm
786fcdba5121c48523b856cf3ff2c7a2 corporate/4.0/i586/squirrelmail-cs-1.4.18-0.1.20060mlcs4.noarch.rpm
a792847e8d14f3249700e6779d2abbf1 corporate/4.0/i586/squirrelmail-cy-1.4.18-0.1.20060mlcs4.noarch.rpm
b539efa2ba48b7b20f7c5e095fd43286 corporate/4.0/i586/squirrelmail-cyrus-1.4.18-0.1.20060mlcs4.noarch.rpm
a57030df0e927b18ff0d40d745400cec corporate/4.0/i586/squirrelmail-da-1.4.18-0.1.20060mlcs4.noarch.rpm
3d97a69708fef53af1c525c39c093b07 corporate/4.0/i586/squirrelmail-de-1.4.18-0.1.20060mlcs4.noarch.rpm
98441c32e477f087e78782a37e15ff4c corporate/4.0/i586/squirrelmail-el-1.4.18-0.1.20060mlcs4.noarch.rpm
98b2e8b09c82a5ebc00047683bc6b20b corporate/4.0/i586/squirrelmail-en-1.4.18-0.1.20060mlcs4.noarch.rpm
af04c8fd5c883b91959969d29c3af0cb corporate/4.0/i586/squirrelmail-es-1.4.18-0.1.20060mlcs4.noarch.rpm
7e2d7a7bbab015d551b058352b21162c corporate/4.0/i586/squirrelmail-et-1.4.18-0.1.20060mlcs4.noarch.rpm
e3b34eb6311c4ee45b3e39285cc547f4 corporate/4.0/i586/squirrelmail-eu-1.4.18-0.1.20060mlcs4.noarch.rpm
8f4b2e47224cd83b244745b11f7cda9f corporate/4.0/i586/squirrelmail-fa-1.4.18-0.1.20060mlcs4.noarch.rpm
fa7b77a672e5afa5e09b771d1ead14ff corporate/4.0/i586/squirrelmail-fi-1.4.18-0.1.20060mlcs4.noarch.rpm
cb03089c1d10100f95b51e9345cc276b corporate/4.0/i586/squirrelmail-fo-1.4.18-0.1.20060mlcs4.noarch.rpm
bb4bbb512b376271caff2ab4677a47e9 corporate/4.0/i586/squirrelmail-fr-1.4.18-0.1.20060mlcs4.noarch.rpm
2dcc5aee1f396884ea1f74c22b12c33a corporate/4.0/i586/squirrelmail-fy-1.4.18-0.1.20060mlcs4.noarch.rpm
b87f520a511a53315ac9e1d594b7e3b9 corporate/4.0/i586/squirrelmail-he-1.4.18-0.1.20060mlcs4.noarch.rpm
4fdce8e38907de080ed1e1b76ef1d738 corporate/4.0/i586/squirrelmail-hr-1.4.18-0.1.20060mlcs4.noarch.rpm
0033224ec4127bd3768ec8b04b8de062 corporate/4.0/i586/squirrelmail-hu-1.4.18-0.1.20060mlcs4.noarch.rpm
18abc4c3cef94dc46cf26f33c3810e01 corporate/4.0/i586/squirrelmail-id-1.4.18-0.1.20060mlcs4.noarch.rpm
53c1d4d450cfa0c73e146aadf151d98b corporate/4.0/i586/squirrelmail-is-1.4.18-0.1.20060mlcs4.noarch.rpm
aff35aa1c9e1e1e5be59b51b24ed1dbd corporate/4.0/i586/squirrelmail-it-1.4.18-0.1.20060mlcs4.noarch.rpm
c1b86cbcf1f7060fa760f58cd10862b6 corporate/4.0/i586/squirrelmail-ja-1.4.18-0.1.20060mlcs4.noarch.rpm
dd889c369ce6880478f594b5fbdb2bed corporate/4.0/i586/squirrelmail-ka-1.4.18-0.1.20060mlcs4.noarch.rpm
7f7f23c4354b9b586eb53d4a6662578d corporate/4.0/i586/squirrelmail-ko-1.4.18-0.1.20060mlcs4.noarch.rpm
7ef00ea3edaa930bbbbb3029ef0cd483 corporate/4.0/i586/squirrelmail-lt-1.4.18-0.1.20060mlcs4.noarch.rpm
2e290b9724563cdfaef6077b7e4d2404 corporate/4.0/i586/squirrelmail-ms-1.4.18-0.1.20060mlcs4.noarch.rpm
d2e83840bb4c30d4d5a8c3e2445c4866 corporate/4.0/i586/squirrelmail-nb-1.4.18-0.1.20060mlcs4.noarch.rpm
c3400f8c12162f3e625eb4333aca6269 corporate/4.0/i586/squirrelmail-nl-1.4.18-0.1.20060mlcs4.noarch.rpm
a4df4067f08adbf6f4645e7e0204a66f corporate/4.0/i586/squirrelmail-nn-1.4.18-0.1.20060mlcs4.noarch.rpm
4af182f66a0bc66a3df4ac85a2366c71 corporate/4.0/i586/squirrelmail-pl-1.4.18-0.1.20060mlcs4.noarch.rpm
be322cd83156490966e1a9a546fec7a5 corporate/4.0/i586/squirrelmail-poutils-1.4.18-0.1.20060mlcs4.noarch.rpm
7c604c320705c107d00888de6df2531a corporate/4.0/i586/squirrelmail-pt-1.4.18-0.1.20060mlcs4.noarch.rpm
8835fcddd28bd9bce91bae8f89214a66 corporate/4.0/i586/squirrelmail-ro-1.4.18-0.1.20060mlcs4.noarch.rpm
faa71dda2dd7dd2aebc3b64feccd9b60 corporate/4.0/i586/squirrelmail-ru-1.4.18-0.1.20060mlcs4.noarch.rpm
be7210a088ee2a9473a01cf020041291 corporate/4.0/i586/squirrelmail-sk-1.4.18-0.1.20060mlcs4.noarch.rpm
88c8e74238c41d3cee2eb5ed592ab4f3 corporate/4.0/i586/squirrelmail-sl-1.4.18-0.1.20060mlcs4.noarch.rpm
b0979772171542783998eedba64e6f65 corporate/4.0/i586/squirrelmail-sr-1.4.18-0.1.20060mlcs4.noarch.rpm
4f66d88d87725ff3af94589b42de62e2 corporate/4.0/i586/squirrelmail-sv-1.4.18-0.1.20060mlcs4.noarch.rpm
a6dd2a4308464c4a1671e97903432149 corporate/4.0/i586/squirrelmail-th-1.4.18-0.1.20060mlcs4.noarch.rpm
e183c600779db301dd94240c1006833b corporate/4.0/i586/squirrelmail-tr-1.4.18-0.1.20060mlcs4.noarch.rpm
64c9cda07ccfde2387d77eaff2e99d13 corporate/4.0/i586/squirrelmail-ug-1.4.18-0.1.20060mlcs4.noarch.rpm
dabb27edcf029498991e9f396422e5e3 corporate/4.0/i586/squirrelmail-uk-1.4.18-0.1.20060mlcs4.noarch.rpm
88fcde6cd52d9dbe4c96f5410c9cdfd4 corporate/4.0/i586/squirrelmail-vi-1.4.18-0.1.20060mlcs4.noarch.rpm
3b990fe5c878e16b2021634fbef588aa corporate/4.0/i586/squirrelmail-zh_CN-1.4.18-0.1.20060mlcs4.noarch.rpm
c3ff953563b24c0e8246272d3dc84545 corporate/4.0/i586/squirrelmail-zh_TW-1.4.18-0.1.20060mlcs4.noarch.rpm
2b54d7cc703b418576918d90d3d4432d corporate/4.0/SRPMS/squirrelmail-1.4.18-0.1.20060mlcs4.src.rpm
Corporate 4.0/X86_64:
433b77767d50f8346c5a616bf6c37ea2 corporate/4.0/x86_64/squirrelmail-1.4.18-0.1.20060mlcs4.noarch.rpm
26a33e2dda348016b78eb1c32d154952 corporate/4.0/x86_64/squirrelmail-ar-1.4.18-0.1.20060mlcs4.noarch.rpm
51ca0e83e805a042b988807e8b1a55c1 corporate/4.0/x86_64/squirrelmail-bg-1.4.18-0.1.20060mlcs4.noarch.rpm
b6d5c2acd0a54be834c21123be20ccbc corporate/4.0/x86_64/squirrelmail-bn-1.4.18-0.1.20060mlcs4.noarch.rpm
c73dc29350d2218f4a8379d5ad43dc32 corporate/4.0/x86_64/squirrelmail-ca-1.4.18-0.1.20060mlcs4.noarch.rpm
9641ed777f9d0aae1a6278e1eb125ebf corporate/4.0/x86_64/squirrelmail-cs-1.4.18-0.1.20060mlcs4.noarch.rpm
215ad01fb29c693fec6fec4cc0ff307a corporate/4.0/x86_64/squirrelmail-cy-1.4.18-0.1.20060mlcs4.noarch.rpm
c269ea6df090c0fc0d75ca4c7e262d54 corporate/4.0/x86_64/squirrelmail-cyrus-1.4.18-0.1.20060mlcs4.noarch.rpm
763e673dc24adcd1653211f8fb0fe6e0 corporate/4.0/x86_64/squirrelmail-da-1.4.18-0.1.20060mlcs4.noarch.rpm
b410626dcc1ad28322bc85afad65f8ac corporate/4.0/x86_64/squirrelmail-de-1.4.18-0.1.20060mlcs4.noarch.rpm
f6a62db321be2288b9f495ae2814a438 corporate/4.0/x86_64/squirrelmail-el-1.4.18-0.1.20060mlcs4.noarch.rpm
316eb97651c2c1a49efea3983b53c439 corporate/4.0/x86_64/squirrelmail-en-1.4.18-0.1.20060mlcs4.noarch.rpm
1bc2e0fb21a7324c10b135ccd516d585 corporate/4.0/x86_64/squirrelmail-es-1.4.18-0.1.20060mlcs4.noarch.rpm
96386f72703a22f104409aa4718ef0f5 corporate/4.0/x86_64/squirrelmail-et-1.4.18-0.1.20060mlcs4.noarch.rpm
6923952a68a66762bfaa4a9619642c01 corporate/4.0/x86_64/squirrelmail-eu-1.4.18-0.1.20060mlcs4.noarch.rpm
978805a5ae2da3e0511ea54f0acb3273 corporate/4.0/x86_64/squirrelmail-fa-1.4.18-0.1.20060mlcs4.noarch.rpm
9f7925ac87f879d7f1fe5cebc33edf5d corporate/4.0/x86_64/squirrelmail-fi-1.4.18-0.1.20060mlcs4.noarch.rpm
4d159c46967e426da5a8350780c97146 corporate/4.0/x86_64/squirrelmail-fo-1.4.18-0.1.20060mlcs4.noarch.rpm
8555c7977a29a63ef56e39a18594396c corporate/4.0/x86_64/squirrelmail-fr-1.4.18-0.1.20060mlcs4.noarch.rpm
eb14ed59d6ca55b903c312aec98cbb04 corporate/4.0/x86_64/squirrelmail-fy-1.4.18-0.1.20060mlcs4.noarch.rpm
35426fbeca91dd6d36111ce0117ab8e6 corporate/4.0/x86_64/squirrelmail-he-1.4.18-0.1.20060mlcs4.noarch.rpm
a298bd3ce7d892066c86bddf207689f1 corporate/4.0/x86_64/squirrelmail-hr-1.4.18-0.1.20060mlcs4.noarch.rpm
657c49dc5e8e53a5610e24d4767517b0 corporate/4.0/x86_64/squirrelmail-hu-1.4.18-0.1.20060mlcs4.noarch.rpm
8ad488461ae8c982e69491aabbd15115 corporate/4.0/x86_64/squirrelmail-id-1.4.18-0.1.20060mlcs4.noarch.rpm
4a32ee4464c6fbc0c8a142da0fa506ad corporate/4.0/x86_64/squirrelmail-is-1.4.18-0.1.20060mlcs4.noarch.rpm
3f1b8c7da67999601e9e1eaaa47f4839 corporate/4.0/x86_64/squirrelmail-it-1.4.18-0.1.20060mlcs4.noarch.rpm
650d8271a74d939af54cc930eac0a6be corporate/4.0/x86_64/squirrelmail-ja-1.4.18-0.1.20060mlcs4.noarch.rpm
bd4bb44415013aa1e7ba189bae0740c9 corporate/4.0/x86_64/squirrelmail-ka-1.4.18-0.1.20060mlcs4.noarch.rpm
b5a43940b104900b60a916778901128c corporate/4.0/x86_64/squirrelmail-ko-1.4.18-0.1.20060mlcs4.noarch.rpm
3ac9259e6f1ab8028e6cc3699a800534 corporate/4.0/x86_64/squirrelmail-lt-1.4.18-0.1.20060mlcs4.noarch.rpm
ae422f5869b23da06795517f46d39ca0 corporate/4.0/x86_64/squirrelmail-ms-1.4.18-0.1.20060mlcs4.noarch.rpm
a5c298865d6cea53ea04e3672f780581 corporate/4.0/x86_64/squirrelmail-nb-1.4.18-0.1.20060mlcs4.noarch.rpm
32adde69f7693c4f8e3655c676de2111 corporate/4.0/x86_64/squirrelmail-nl-1.4.18-0.1.20060mlcs4.noarch.rpm
5423fb5f6a21041058293207025185f6 corporate/4.0/x86_64/squirrelmail-nn-1.4.18-0.1.20060mlcs4.noarch.rpm
62fb5a9fa032c67067ca91a68bb2bba1 corporate/4.0/x86_64/squirrelmail-pl-1.4.18-0.1.20060mlcs4.noarch.rpm
9fcd278d4aefee3f0862a4d77ca0c83b corporate/4.0/x86_64/squirrelmail-poutils-1.4.18-0.1.20060mlcs4.noarch.rpm
b215defbe454e8e228ca4e985ab994a0 corporate/4.0/x86_64/squirrelmail-pt-1.4.18-0.1.20060mlcs4.noarch.rpm
1a48db345473823edb70d89669cea0b7 corporate/4.0/x86_64/squirrelmail-ro-1.4.18-0.1.20060mlcs4.noarch.rpm
9e05871e2006613bf9336ed142607a1b corporate/4.0/x86_64/squirrelmail-ru-1.4.18-0.1.20060mlcs4.noarch.rpm
c434553549f5cf0228d7e9004900b469 corporate/4.0/x86_64/squirrelmail-sk-1.4.18-0.1.20060mlcs4.noarch.rpm
8ab1c97df6777152033328c3bebdb39b corporate/4.0/x86_64/squirrelmail-sl-1.4.18-0.1.20060mlcs4.noarch.rpm
2987e7b4a7d30e4f783c1276abe52690 corporate/4.0/x86_64/squirrelmail-sr-1.4.18-0.1.20060mlcs4.noarch.rpm
b5a050b41662ba0aca81d6cec644acdc corporate/4.0/x86_64/squirrelmail-sv-1.4.18-0.1.20060mlcs4.noarch.rpm
525b72de2e17ccc3ea2734503d643bc6 corporate/4.0/x86_64/squirrelmail-th-1.4.18-0.1.20060mlcs4.noarch.rpm
f679385f3d809513d49bdd292e48eac6 corporate/4.0/x86_64/squirrelmail-tr-1.4.18-0.1.20060mlcs4.noarch.rpm
8137527b2d022475d03d3df47ebf466c corporate/4.0/x86_64/squirrelmail-ug-1.4.18-0.1.20060mlcs4.noarch.rpm
0f4fb23a47835c098c1f590ebc29fb2b corporate/4.0/x86_64/squirrelmail-uk-1.4.18-0.1.20060mlcs4.noarch.rpm
5ea1cd5f19f8672bdc7f5ca3fc1d2209 corporate/4.0/x86_64/squirrelmail-vi-1.4.18-0.1.20060mlcs4.noarch.rpm
31ac87a5c439d15d51c545bdbd73bb02 corporate/4.0/x86_64/squirrelmail-zh_CN-1.4.18-0.1.20060mlcs4.noarch.rpm
3f6464ee203709d39ff1dc2912ead586 corporate/4.0/x86_64/squirrelmail-zh_TW-1.4.18-0.1.20060mlcs4.noarch.rpm
2b54d7cc703b418576918d90d3d4432d corporate/4.0/SRPMS/squirrelmail-1.4.18-0.1.20060mlcs4.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
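When packages are fetched by hand rather than through urpmi, the checksums in the "Updated Packages" block above are what the download is checked against. The Python below is an added example, not a Mandriva tool: it parses lines in that block's "<md5> <path>" format, ignores section headers and separators, and reports each listed file under a local mirror directory as ok, mismatch or missing. The `demo()` function builds a throwaway directory with constructed files and a constructed checksum block (the paths are the advisory's, the hash values are not), so it runs offline without downloading anything.

```python
import hashlib
import os
import re
import tempfile

# One entry of the advisory's "Updated Packages" block: 32 hex digits, then a path.
ADVISORY_LINE = re.compile(r"^([0-9a-f]{32})\s+(\S+)$")


def parse_checksum_block(text):
    """Return {relative_path: md5hex} for every '<md5> <path>' line.
    Headers such as 'Corporate 4.0:' and underscore separators do not match."""
    expected = {}
    for line in text.splitlines():
        m = ADVISORY_LINE.match(line.strip())
        if m:
            expected[m.group(2)] = m.group(1)
    return expected


def md5_file(path, chunk=1 << 16):
    """MD5 of a file read in chunks, so large RPMs are not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_downloads(expected, mirror_root):
    """Compare each listed file under mirror_root with its advisory checksum."""
    result = {"ok": [], "mismatch": [], "missing": []}
    for rel_path, md5hex in sorted(expected.items()):
        local = os.path.join(mirror_root, rel_path)
        if not os.path.isfile(local):
            result["missing"].append(rel_path)
        elif md5_file(local) == md5hex:
            result["ok"].append(rel_path)
        else:
            result["mismatch"].append(rel_path)
    return result


def demo():
    """Throwaway mirror with constructed files checked against a constructed block."""
    root = tempfile.mkdtemp()
    good = "corporate/4.0/i586/squirrelmail-1.4.18-0.1.20060mlcs4.noarch.rpm"
    tampered = "corporate/4.0/i586/squirrelmail-en-1.4.18-0.1.20060mlcs4.noarch.rpm"
    absent = "corporate/4.0/SRPMS/squirrelmail-1.4.18-0.1.20060mlcs4.src.rpm"
    payload_a = b"constructed rpm payload A"
    payload_b = b"constructed rpm payload B"
    for rel, data in ((good, payload_a), (tampered, payload_b)):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    # Constructed block: the first hash genuinely matches payload A, the second is
    # deliberately wrong for payload B, and the third names a file never written.
    block = (
        "Corporate 4.0:\n"
        "%s %s\n" % (hashlib.md5(payload_a).hexdigest(), good)
        + "%s %s\n" % ("0" * 32, tampered)
        + "%s %s\n" % ("f" * 32, absent)
    )
    return verify_downloads(parse_checksum_block(block), root)


if __name__ == "__main__":
    for status, paths in demo().items():
        for p in paths:
            print(status, p)
```

A matching MD5 shows the download is the file the advisory lists, not that the file is authentic; the GPG signature on the RPM is what ties it to Mandriva, and `rpm --checksig` on the downloaded file (after importing the key fetched with the gpg command above) is the check that matters before installing by hand.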
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFKCdcEmqjQ0CJFipgRAkYWAKCjNlcOP2von8aLzdwC/UjWdH3mJACePW7i
s0bXxM7J1FKwpNPJvigZ11A=
=O+8B
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/