1. Forum
  2. Usenet
  3. LINUX.DEBIAN.ANNOUNCE.SEC

  • [SECURITY] [DSA 2291-1] squirrelmail security update

    From Thijs Kinkhorst@1:229/2 to All on Mon Aug 8 13:30:02 2011
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - ------------------------------------------------------------------------- Debian Security Advisory DSA-2291-1 [email protected] http://www.debian.org/security/ Thijs Kinkhorst August 8, 2011 http://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : squirrelmail
    Vulnerability : various
    Problem type : remote
    Debian-specific: no
    CVE ID : CVE-2010-4554 CVE-2010-4555 CVE-2011-2023
    CVE-2011-2752 CVE-2011-2753

    Various vulnerabilities have been found in SquirrelMail, a webmail
    application. The Common Vulnerabilities and Exposures project
    identifies the following vulnerabilities:

    CVE-2010-4554

    SquirrelMail did not prevent page rendering inside a third-party
    HTML frame, which makes it easier for remote attackers to conduct
    clickjacking attacks via a crafted web site.

    CVE-2010-4555, CVE-2011-2752, CVE-2011-2753

    Multiple small bugs in SquirrelMail allowed an attacker to inject
    malicious script into various pages or alter the contents of user
    preferences.

    CVE-2011-2023

    It was possible to inject arbitrary web script or HTML via a
    crafted STYLE element in an HTML part of an e-mail message.

    For the oldstable distribution (lenny), this problem has been fixed in
    version 1.4.15-4+lenny5.

    For the stable distribution (squeeze), this problem has been fixed in
    version 1.4.21-2.

    For the testing (wheezy) and unstable distribution (sid), these problems
    have been fixed in version 1.4.22-1.

    We recommend that you upgrade your squirrelmail packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: http://www.debian.org/security/

    Mailing list: [email protected]
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.10 (GNU/Linux)

    iQEcBAEBAgAGBQJOP8dOAAoJEOxfUAG2iX573ToIAJVLzhwWU8KliB9Hfq/HNJbU kBB8Ke85Sw8b7liMMgVHjfmIZq7W+NcOBd1bYdTIp8gs6ATHLqNoSpi/o0SekofY DN6M9kqxbT76PzqJRGX+tIdMo53tdyje3rorJWfWwgxmHc/tcV4A7P+tac/wPING d0rKvjN9LSezyVxhHSuQvmSGa8oaI7H7N+pOnerkVayMpsgXua9qUKZIXZUtFQk/ duPwtyuRjOin28imnn+KxHVF+EeMB5LeVpi7OHs90aUNtl7PWAyZ3VxxlBV++QRt oXOVwqRSOYBHT0ybEgAQWYsrWfkPlyHzYEBySu4uV7EX70pSrdXWLCTvCR0I7H4=
    =jrIt
    -----END PGP SIGNATURE-----


    --
    To UNSUBSCRIBE, email to [email protected]
    with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: http://lists.debian.org/[email protected]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)