lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1M416m-0006iH-Se@titan.mandriva.com>
Date: Wed, 13 May 2009 01:10:00 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2009:110 ] squirrelmail


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:110
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : squirrelmail
 Date    : May 12, 2009
 Affected: Corporate 4.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities has been identified and corrected in
 squirrelmail:
 
 Two issues were fixed that both allowed an attacker to run arbitrary
 script (XSS) on most any SquirrelMail page by getting the user to
 click on specially crafted SquirrelMail links (CVE-2009-1578).
 
 An issue was fixed wherein input to the contrib/decrypt_headers.php
 script was not sanitized and allowed arbitrary script execution upon
 submission of certain values (CVE-2009-1578).
 
 An issue was fixed that allowed arbitrary server-side code execution
 when SquirrelMail was configured to use the example map_yp_alias
 username mapping functionality (CVE-2009-1579).
 
 An issue was fixed that allowed an attacker to possibly steal user
 data by hijacking the SquirrelMail login session.   (CVE-2009-1580).
 
 An issue was fixed that allowed phishing and cross-site scripting
 (XSS) attacks to be run by surreptitious placement of content in
 specially-crafted emails sent to SquirrelMail users (CVE-2009-1581).
 
 Additionally many of the bundled plugins has been upgraded. Basically
 this is a syncronization with the latest squirrelmail package found
 in Mandriva Cooker. The rpm changelog will reveal all the changes
 (rpm -q --changelog squirrelmail).
 
 The updated packages have been upgraded to the latest version of
 squirrelmail to prevent this.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1578
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1579
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1580
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1581
 _______________________________________________________________________

 Updated Packages:

 Corporate 4.0:
 d8e8e8560b8b5cf89bb06dbda75033ef  corporate/4.0/i586/squirrelmail-1.4.18-0.1.20060mlcs4.noarch.rpm
 0ba6c8b99d8ccac0df0d3e90a7d70f47  corporate/4.0/i586/squirrelmail-ar-1.4.18-0.1.20060mlcs4.noarch.rpm
 54b0bb74cba4da1dffdf0dc044de0986  corporate/4.0/i586/squirrelmail-bg-1.4.18-0.1.20060mlcs4.noarch.rpm
 fe1cfa4f6317fd8e295e0265be5da46b  corporate/4.0/i586/squirrelmail-bn-1.4.18-0.1.20060mlcs4.noarch.rpm
 46835353a19ca7e290ee0f538dc1cfec  corporate/4.0/i586/squirrelmail-ca-1.4.18-0.1.20060mlcs4.noarch.rpm
 786fcdba5121c48523b856cf3ff2c7a2  corporate/4.0/i586/squirrelmail-cs-1.4.18-0.1.20060mlcs4.noarch.rpm
 a792847e8d14f3249700e6779d2abbf1  corporate/4.0/i586/squirrelmail-cy-1.4.18-0.1.20060mlcs4.noarch.rpm
 b539efa2ba48b7b20f7c5e095fd43286  corporate/4.0/i586/squirrelmail-cyrus-1.4.18-0.1.20060mlcs4.noarch.rpm
 a57030df0e927b18ff0d40d745400cec  corporate/4.0/i586/squirrelmail-da-1.4.18-0.1.20060mlcs4.noarch.rpm
 3d97a69708fef53af1c525c39c093b07  corporate/4.0/i586/squirrelmail-de-1.4.18-0.1.20060mlcs4.noarch.rpm
 98441c32e477f087e78782a37e15ff4c  corporate/4.0/i586/squirrelmail-el-1.4.18-0.1.20060mlcs4.noarch.rpm
 98b2e8b09c82a5ebc00047683bc6b20b  corporate/4.0/i586/squirrelmail-en-1.4.18-0.1.20060mlcs4.noarch.rpm
 af04c8fd5c883b91959969d29c3af0cb  corporate/4.0/i586/squirrelmail-es-1.4.18-0.1.20060mlcs4.noarch.rpm
 7e2d7a7bbab015d551b058352b21162c  corporate/4.0/i586/squirrelmail-et-1.4.18-0.1.20060mlcs4.noarch.rpm
 e3b34eb6311c4ee45b3e39285cc547f4  corporate/4.0/i586/squirrelmail-eu-1.4.18-0.1.20060mlcs4.noarch.rpm
 8f4b2e47224cd83b244745b11f7cda9f  corporate/4.0/i586/squirrelmail-fa-1.4.18-0.1.20060mlcs4.noarch.rpm
 fa7b77a672e5afa5e09b771d1ead14ff  corporate/4.0/i586/squirrelmail-fi-1.4.18-0.1.20060mlcs4.noarch.rpm
 cb03089c1d10100f95b51e9345cc276b  corporate/4.0/i586/squirrelmail-fo-1.4.18-0.1.20060mlcs4.noarch.rpm
 bb4bbb512b376271caff2ab4677a47e9  corporate/4.0/i586/squirrelmail-fr-1.4.18-0.1.20060mlcs4.noarch.rpm
 2dcc5aee1f396884ea1f74c22b12c33a  corporate/4.0/i586/squirrelmail-fy-1.4.18-0.1.20060mlcs4.noarch.rpm
 b87f520a511a53315ac9e1d594b7e3b9  corporate/4.0/i586/squirrelmail-he-1.4.18-0.1.20060mlcs4.noarch.rpm
 4fdce8e38907de080ed1e1b76ef1d738  corporate/4.0/i586/squirrelmail-hr-1.4.18-0.1.20060mlcs4.noarch.rpm
 0033224ec4127bd3768ec8b04b8de062  corporate/4.0/i586/squirrelmail-hu-1.4.18-0.1.20060mlcs4.noarch.rpm
 18abc4c3cef94dc46cf26f33c3810e01  corporate/4.0/i586/squirrelmail-id-1.4.18-0.1.20060mlcs4.noarch.rpm
 53c1d4d450cfa0c73e146aadf151d98b  corporate/4.0/i586/squirrelmail-is-1.4.18-0.1.20060mlcs4.noarch.rpm
 aff35aa1c9e1e1e5be59b51b24ed1dbd  corporate/4.0/i586/squirrelmail-it-1.4.18-0.1.20060mlcs4.noarch.rpm
 c1b86cbcf1f7060fa760f58cd10862b6  corporate/4.0/i586/squirrelmail-ja-1.4.18-0.1.20060mlcs4.noarch.rpm
 dd889c369ce6880478f594b5fbdb2bed  corporate/4.0/i586/squirrelmail-ka-1.4.18-0.1.20060mlcs4.noarch.rpm
 7f7f23c4354b9b586eb53d4a6662578d  corporate/4.0/i586/squirrelmail-ko-1.4.18-0.1.20060mlcs4.noarch.rpm
 7ef00ea3edaa930bbbbb3029ef0cd483  corporate/4.0/i586/squirrelmail-lt-1.4.18-0.1.20060mlcs4.noarch.rpm
 2e290b9724563cdfaef6077b7e4d2404  corporate/4.0/i586/squirrelmail-ms-1.4.18-0.1.20060mlcs4.noarch.rpm
 d2e83840bb4c30d4d5a8c3e2445c4866  corporate/4.0/i586/squirrelmail-nb-1.4.18-0.1.20060mlcs4.noarch.rpm
 c3400f8c12162f3e625eb4333aca6269  corporate/4.0/i586/squirrelmail-nl-1.4.18-0.1.20060mlcs4.noarch.rpm
 a4df4067f08adbf6f4645e7e0204a66f  corporate/4.0/i586/squirrelmail-nn-1.4.18-0.1.20060mlcs4.noarch.rpm
 4af182f66a0bc66a3df4ac85a2366c71  corporate/4.0/i586/squirrelmail-pl-1.4.18-0.1.20060mlcs4.noarch.rpm
 be322cd83156490966e1a9a546fec7a5  corporate/4.0/i586/squirrelmail-poutils-1.4.18-0.1.20060mlcs4.noarch.rpm
 7c604c320705c107d00888de6df2531a  corporate/4.0/i586/squirrelmail-pt-1.4.18-0.1.20060mlcs4.noarch.rpm
 8835fcddd28bd9bce91bae8f89214a66  corporate/4.0/i586/squirrelmail-ro-1.4.18-0.1.20060mlcs4.noarch.rpm
 faa71dda2dd7dd2aebc3b64feccd9b60  corporate/4.0/i586/squirrelmail-ru-1.4.18-0.1.20060mlcs4.noarch.rpm
 be7210a088ee2a9473a01cf020041291  corporate/4.0/i586/squirrelmail-sk-1.4.18-0.1.20060mlcs4.noarch.rpm
 88c8e74238c41d3cee2eb5ed592ab4f3  corporate/4.0/i586/squirrelmail-sl-1.4.18-0.1.20060mlcs4.noarch.rpm
 b0979772171542783998eedba64e6f65  corporate/4.0/i586/squirrelmail-sr-1.4.18-0.1.20060mlcs4.noarch.rpm
 4f66d88d87725ff3af94589b42de62e2  corporate/4.0/i586/squirrelmail-sv-1.4.18-0.1.20060mlcs4.noarch.rpm
 a6dd2a4308464c4a1671e97903432149  corporate/4.0/i586/squirrelmail-th-1.4.18-0.1.20060mlcs4.noarch.rpm
 e183c600779db301dd94240c1006833b  corporate/4.0/i586/squirrelmail-tr-1.4.18-0.1.20060mlcs4.noarch.rpm
 64c9cda07ccfde2387d77eaff2e99d13  corporate/4.0/i586/squirrelmail-ug-1.4.18-0.1.20060mlcs4.noarch.rpm
 dabb27edcf029498991e9f396422e5e3  corporate/4.0/i586/squirrelmail-uk-1.4.18-0.1.20060mlcs4.noarch.rpm
 88fcde6cd52d9dbe4c96f5410c9cdfd4  corporate/4.0/i586/squirrelmail-vi-1.4.18-0.1.20060mlcs4.noarch.rpm
 3b990fe5c878e16b2021634fbef588aa  corporate/4.0/i586/squirrelmail-zh_CN-1.4.18-0.1.20060mlcs4.noarch.rpm
 c3ff953563b24c0e8246272d3dc84545  corporate/4.0/i586/squirrelmail-zh_TW-1.4.18-0.1.20060mlcs4.noarch.rpm 
 2b54d7cc703b418576918d90d3d4432d  corporate/4.0/SRPMS/squirrelmail-1.4.18-0.1.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 433b77767d50f8346c5a616bf6c37ea2  corporate/4.0/x86_64/squirrelmail-1.4.18-0.1.20060mlcs4.noarch.rpm
 26a33e2dda348016b78eb1c32d154952  corporate/4.0/x86_64/squirrelmail-ar-1.4.18-0.1.20060mlcs4.noarch.rpm
 51ca0e83e805a042b988807e8b1a55c1  corporate/4.0/x86_64/squirrelmail-bg-1.4.18-0.1.20060mlcs4.noarch.rpm
 b6d5c2acd0a54be834c21123be20ccbc  corporate/4.0/x86_64/squirrelmail-bn-1.4.18-0.1.20060mlcs4.noarch.rpm
 c73dc29350d2218f4a8379d5ad43dc32  corporate/4.0/x86_64/squirrelmail-ca-1.4.18-0.1.20060mlcs4.noarch.rpm
 9641ed777f9d0aae1a6278e1eb125ebf  corporate/4.0/x86_64/squirrelmail-cs-1.4.18-0.1.20060mlcs4.noarch.rpm
 215ad01fb29c693fec6fec4cc0ff307a  corporate/4.0/x86_64/squirrelmail-cy-1.4.18-0.1.20060mlcs4.noarch.rpm
 c269ea6df090c0fc0d75ca4c7e262d54  corporate/4.0/x86_64/squirrelmail-cyrus-1.4.18-0.1.20060mlcs4.noarch.rpm
 763e673dc24adcd1653211f8fb0fe6e0  corporate/4.0/x86_64/squirrelmail-da-1.4.18-0.1.20060mlcs4.noarch.rpm
 b410626dcc1ad28322bc85afad65f8ac  corporate/4.0/x86_64/squirrelmail-de-1.4.18-0.1.20060mlcs4.noarch.rpm
 f6a62db321be2288b9f495ae2814a438  corporate/4.0/x86_64/squirrelmail-el-1.4.18-0.1.20060mlcs4.noarch.rpm
 316eb97651c2c1a49efea3983b53c439  corporate/4.0/x86_64/squirrelmail-en-1.4.18-0.1.20060mlcs4.noarch.rpm
 1bc2e0fb21a7324c10b135ccd516d585  corporate/4.0/x86_64/squirrelmail-es-1.4.18-0.1.20060mlcs4.noarch.rpm
 96386f72703a22f104409aa4718ef0f5  corporate/4.0/x86_64/squirrelmail-et-1.4.18-0.1.20060mlcs4.noarch.rpm
 6923952a68a66762bfaa4a9619642c01  corporate/4.0/x86_64/squirrelmail-eu-1.4.18-0.1.20060mlcs4.noarch.rpm
 978805a5ae2da3e0511ea54f0acb3273  corporate/4.0/x86_64/squirrelmail-fa-1.4.18-0.1.20060mlcs4.noarch.rpm
 9f7925ac87f879d7f1fe5cebc33edf5d  corporate/4.0/x86_64/squirrelmail-fi-1.4.18-0.1.20060mlcs4.noarch.rpm
 4d159c46967e426da5a8350780c97146  corporate/4.0/x86_64/squirrelmail-fo-1.4.18-0.1.20060mlcs4.noarch.rpm
 8555c7977a29a63ef56e39a18594396c  corporate/4.0/x86_64/squirrelmail-fr-1.4.18-0.1.20060mlcs4.noarch.rpm
 eb14ed59d6ca55b903c312aec98cbb04  corporate/4.0/x86_64/squirrelmail-fy-1.4.18-0.1.20060mlcs4.noarch.rpm
 35426fbeca91dd6d36111ce0117ab8e6  corporate/4.0/x86_64/squirrelmail-he-1.4.18-0.1.20060mlcs4.noarch.rpm
 a298bd3ce7d892066c86bddf207689f1  corporate/4.0/x86_64/squirrelmail-hr-1.4.18-0.1.20060mlcs4.noarch.rpm
 657c49dc5e8e53a5610e24d4767517b0  corporate/4.0/x86_64/squirrelmail-hu-1.4.18-0.1.20060mlcs4.noarch.rpm
 8ad488461ae8c982e69491aabbd15115  corporate/4.0/x86_64/squirrelmail-id-1.4.18-0.1.20060mlcs4.noarch.rpm
 4a32ee4464c6fbc0c8a142da0fa506ad  corporate/4.0/x86_64/squirrelmail-is-1.4.18-0.1.20060mlcs4.noarch.rpm
 3f1b8c7da67999601e9e1eaaa47f4839  corporate/4.0/x86_64/squirrelmail-it-1.4.18-0.1.20060mlcs4.noarch.rpm
 650d8271a74d939af54cc930eac0a6be  corporate/4.0/x86_64/squirrelmail-ja-1.4.18-0.1.20060mlcs4.noarch.rpm
 bd4bb44415013aa1e7ba189bae0740c9  corporate/4.0/x86_64/squirrelmail-ka-1.4.18-0.1.20060mlcs4.noarch.rpm
 b5a43940b104900b60a916778901128c  corporate/4.0/x86_64/squirrelmail-ko-1.4.18-0.1.20060mlcs4.noarch.rpm
 3ac9259e6f1ab8028e6cc3699a800534  corporate/4.0/x86_64/squirrelmail-lt-1.4.18-0.1.20060mlcs4.noarch.rpm
 ae422f5869b23da06795517f46d39ca0  corporate/4.0/x86_64/squirrelmail-ms-1.4.18-0.1.20060mlcs4.noarch.rpm
 a5c298865d6cea53ea04e3672f780581  corporate/4.0/x86_64/squirrelmail-nb-1.4.18-0.1.20060mlcs4.noarch.rpm
 32adde69f7693c4f8e3655c676de2111  corporate/4.0/x86_64/squirrelmail-nl-1.4.18-0.1.20060mlcs4.noarch.rpm
 5423fb5f6a21041058293207025185f6  corporate/4.0/x86_64/squirrelmail-nn-1.4.18-0.1.20060mlcs4.noarch.rpm
 62fb5a9fa032c67067ca91a68bb2bba1  corporate/4.0/x86_64/squirrelmail-pl-1.4.18-0.1.20060mlcs4.noarch.rpm
 9fcd278d4aefee3f0862a4d77ca0c83b  corporate/4.0/x86_64/squirrelmail-poutils-1.4.18-0.1.20060mlcs4.noarch.rpm
 b215defbe454e8e228ca4e985ab994a0  corporate/4.0/x86_64/squirrelmail-pt-1.4.18-0.1.20060mlcs4.noarch.rpm
 1a48db345473823edb70d89669cea0b7  corporate/4.0/x86_64/squirrelmail-ro-1.4.18-0.1.20060mlcs4.noarch.rpm
 9e05871e2006613bf9336ed142607a1b  corporate/4.0/x86_64/squirrelmail-ru-1.4.18-0.1.20060mlcs4.noarch.rpm
 c434553549f5cf0228d7e9004900b469  corporate/4.0/x86_64/squirrelmail-sk-1.4.18-0.1.20060mlcs4.noarch.rpm
 8ab1c97df6777152033328c3bebdb39b  corporate/4.0/x86_64/squirrelmail-sl-1.4.18-0.1.20060mlcs4.noarch.rpm
 2987e7b4a7d30e4f783c1276abe52690  corporate/4.0/x86_64/squirrelmail-sr-1.4.18-0.1.20060mlcs4.noarch.rpm
 b5a050b41662ba0aca81d6cec644acdc  corporate/4.0/x86_64/squirrelmail-sv-1.4.18-0.1.20060mlcs4.noarch.rpm
 525b72de2e17ccc3ea2734503d643bc6  corporate/4.0/x86_64/squirrelmail-th-1.4.18-0.1.20060mlcs4.noarch.rpm
 f679385f3d809513d49bdd292e48eac6  corporate/4.0/x86_64/squirrelmail-tr-1.4.18-0.1.20060mlcs4.noarch.rpm
 8137527b2d022475d03d3df47ebf466c  corporate/4.0/x86_64/squirrelmail-ug-1.4.18-0.1.20060mlcs4.noarch.rpm
 0f4fb23a47835c098c1f590ebc29fb2b  corporate/4.0/x86_64/squirrelmail-uk-1.4.18-0.1.20060mlcs4.noarch.rpm
 5ea1cd5f19f8672bdc7f5ca3fc1d2209  corporate/4.0/x86_64/squirrelmail-vi-1.4.18-0.1.20060mlcs4.noarch.rpm
 31ac87a5c439d15d51c545bdbd73bb02  corporate/4.0/x86_64/squirrelmail-zh_CN-1.4.18-0.1.20060mlcs4.noarch.rpm
 3f6464ee203709d39ff1dc2912ead586  corporate/4.0/x86_64/squirrelmail-zh_TW-1.4.18-0.1.20060mlcs4.noarch.rpm 
 2b54d7cc703b418576918d90d3d4432d  corporate/4.0/SRPMS/squirrelmail-1.4.18-0.1.20060mlcs4.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKCdcEmqjQ0CJFipgRAkYWAKCjNlcOP2von8aLzdwC/UjWdH3mJACePW7i
s0bXxM7J1FKwpNPJvigZ11A=
=O+8B
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ