Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Sam Johnston <samj@aos.net.au>: Bug#257973; Package squirrelmail.
Acknowledgement sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Sam Johnston <samj@aos.net.au>.
From: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: squirrelmail: RS-2004-1 'old' issues
Date: Wed, 7 Jul 2004 00:54:19 +0200
Package: squirrelmail
Version: 1:1.2.6-1.3
Severity: grave
Tags: woody security
Justification: user security hole
RS-2004-1[1] discusses some XSS issues fixed in 1.2.11 vs 1.2.6. Those
are not yet fixed in woody. This would require a general examination of
the 1.2.x diff I'm afraid.
--Jeroen
[1] http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt
--
Jeroen van Wolffelaar
jeroen@wolffelaar.nl
http://jeroen.A-Eskwadraat.nl
Information forwarded to debian-bugs-dist@lists.debian.org, Sam Johnston <samj@aos.net.au>: Bug#257973; Package squirrelmail.
Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Sam Johnston <samj@aos.net.au>.
On Wed, Jul 07, 2004 at 12:54:19AM +0200, Jeroen van Wolffelaar wrote:
> Package: squirrelmail
> Version: 1:1.2.6-1.3
> Severity: grave
> Tags: woody security
> Justification: user security hole
>
> RS-2004-1[1] discusses some XSS issues fixed in 1.2.11 vs 1.2.6. Those
> are not yet fixed in woody. This would require a general examination of
> the 1.2.x diff I'm afraid.
>
> --Jeroen
>
> [1] http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt
This is different from CAN-2002-1341, which was fixed in DSA-220?
--
- mdz
Information forwarded to debian-bugs-dist@lists.debian.org, Sam Johnston <samj@aos.net.au>: Bug#257973; Package squirrelmail.
Acknowledgement sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Extra info received and forwarded to list. Copy sent to Sam Johnston <samj@aos.net.au>.
On Tue, Jul 06, 2004 at 05:45:28PM -0700, Matt Zimmerman wrote:
> On Wed, Jul 07, 2004 at 12:54:19AM +0200, Jeroen van Wolffelaar wrote:
>
> > Package: squirrelmail
> > Version: 1:1.2.6-1.3
> > Severity: grave
> > Tags: woody security
> > Justification: user security hole
> >
> > RS-2004-1[1] discusses some XSS issues fixed in 1.2.11 vs 1.2.6. Those
> > are not yet fixed in woody. This would require a general examination of
> > the 1.2.x diff I'm afraid.
> >
> > --Jeroen
> >
> > [1] http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt
>
> This is different from CAN-2002-1341, which was fixed in DSA-220?
Yes, I verified the example that is quoted in RS-2004-1, showing
$mailer without quoting. So, there were at least some additional issues.
It is quite safe to assume that example isn't the only thing, and then
you have the period 'last 1.2.x release -> 1.4.2', which also might have
had fixes without CANs.
--Jeroen
--
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl
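As an added illustration of the class of issue discussed above (this is not SquirrelMail's code and nothing here is quoted from the advisory), a mail header value such as X-Mailer is rendered into HTML once unescaped and once escaped; the variable name $mailer follows the discussion, while the function names and the sample message are hypothetical:

```php
<?php
// Added illustration (not SquirrelMail's own code): rendering a mail header
// value such as X-Mailer into HTML. The variable name $mailer follows the
// bug discussion; the functions and sample input are hypothetical.

// Vulnerable form: the header value is interpolated into HTML unescaped, so
// markup inside an incoming message's X-Mailer header is rendered as markup.
function render_mailer_unsafe(string $mailer): string
{
    return "<tr><td>Mailer:</td><td>$mailer</td></tr>";
}

// Hardened form: HTML-escape the value, quotes included, so angle brackets
// and quotes become inert character references in the output.
function render_mailer_safe(string $mailer): string
{
    $escaped = htmlspecialchars($mailer, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<tr><td>Mailer:</td><td>$escaped</td></tr>";
}

// Minimal header lookup for the constructed input below. Real MIME handling
// also needs header folding and RFC 2047 decoding; this is just enough to
// show where the untrusted value comes from.
function extract_x_mailer(string $rawHeaders): ?string
{
    foreach (preg_split("/\r?\n/", $rawHeaders) as $line) {
        if (stripos($line, 'X-Mailer:') === 0) {
            return trim(substr($line, strlen('X-Mailer:')));
        }
    }
    return null;
}

// Constructed sample: an incoming message whose X-Mailer header carries markup,
// i.e. the "exploitable by incoming email" case from the changelog entry.
$sample = "From: alice@example.invalid\r\n"
        . "Subject: hello\r\n"
        . "X-Mailer: ExampleMailer 1.0 <script>alert('xss')</script>\r\n";

$mailer = extract_x_mailer($sample);

// Unsafe output still contains a live <script> element.
echo render_mailer_unsafe($mailer), PHP_EOL;
// Safe output contains &lt;script&gt; and no live element.
echo render_mailer_safe($mailer), PHP_EOL;

// Self-check: the hardened output must not contain a raw tag from the header.
assert(strpos(render_mailer_safe($mailer), '<script') === false);
```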
Information forwarded to debian-bugs-dist@lists.debian.org, Sam Johnston <samj@aos.net.au>: Bug#257973; Package squirrelmail.
Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Sam Johnston <samj@aos.net.au>.
Steven,
We're trying to straighten out the situation with squirrelmail, where there
seem to be a number of unidentified vulnerabilities. Here is one for which
there does not appear to be a candidate yet.
----- Forwarded message from Jeroen van Wolffelaar <jeroen@wolffelaar.nl> -----
Date: Wed, 7 Jul 2004 13:03:26 +0200
From: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
To: Matt Zimmerman <mdz@debian.org>
Cc: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>, 257973@bugs.debian.org
Subject: Re: Bug#257973: squirrelmail: RS-2004-1 'old' issues
On Tue, Jul 06, 2004 at 05:45:28PM -0700, Matt Zimmerman wrote:
> On Wed, Jul 07, 2004 at 12:54:19AM +0200, Jeroen van Wolffelaar wrote:
>
> > Package: squirrelmail
> > Version: 1:1.2.6-1.3
> > Severity: grave
> > Tags: woody security
> > Justification: user security hole
> >
> > RS-2004-1[1] discusses some XSS issues fixed in 1.2.11 vs 1.2.6. Those
> > are not yet fixed in woody. This would require a general examination of
> > the 1.2.x diff I'm afraid.
> >
> > --Jeroen
> >
> > [1] http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt
>
> This is different from CAN-2002-1341, which was fixed in DSA-220?
Yes, I verified the example that is quoted in RS-2004-1, showing
$mailer without quoting. So, there were at least some additional issues.
It is quite safe to assume that example isn't the only thing, and then
you have the period 'last 1.2.x release -> 1.4.2', which also might have
had fixes without CANs.
--Jeroen
--
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl
----- End forwarded message -----
--
- mdz
Information forwarded to debian-bugs-dist@lists.debian.org, Sam Johnston <samj@aos.net.au>: Bug#257973; Package squirrelmail.
Acknowledgement sent to "Steven M. Christey" <coley@mitre.org>:
Extra info received and forwarded to list. Copy sent to Sam Johnston <samj@aos.net.au>.
Changed Bug title.
Request was from Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
to control@bugs.debian.org.
Owner recorded as Jeroen van Wolffelaar <jeroen@wolffelaar.nl>.
Request was from "www.wolffelaar.nl" <www-data@wolffelaar.nl>
to control@bugs.debian.org.
Tags added: pending
Request was from "www.wolffelaar.nl" <www-data@wolffelaar.nl>
to control@bugs.debian.org.
Message sent on to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#257973.
To: control@bugs.debian.org, 257973-submitter@bugs.debian.org
Subject: Squirrelmail bugs fixed in revision r31
Date: Fri, 30 Jul 2004 23:52:43 +0200
package squirrelmail
# Fixed in r31 by kink
owner 257973 Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
tag 257973 + pending
thanks
These bugs are fixed in revision 31 by kink
and will likely get fixed in the next upload.
Log message:
[CAN-2004-0639] Backport fixes multiple XSS issues found between 1.2.6 and
1.2.12, some exploitable by incoming email (Closes: #257973)
(Thijs)
Tags added: fixed
Request was from Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
to control@bugs.debian.org.
Reply sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
You have taken responsibility.
Notification sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug acknowledged by developer.
From: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
To: 257961-done@bugs.debian.org, 257972-done@bugs.debian.org,
257973-done@bugs.debian.org
Subject: Resolved in 1:1.2.6-1.4
Date: Tue, 21 Sep 2004 15:58:45 +0200
These security issues were resolved in the 1:1.2.6-1.4 security upload.
I'm closing the bugs now, since Sam Johnston and I agreed to maintain
squirrelmail together.
--Jeroen
--
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl