Debian Bug report logs - #314374
SquirrelMail cross site scripting vulnerabilities [CAN-2005-1769]

Package: squirrelmail; Maintainer for squirrelmail is Jeroen van Wolffelaar <jeroen@wolffelaar.nl>; Source for squirrelmail is src:squirrelmail.

Reported by: Thijs Kinkhorst <thijs@debian.org>

Date: Wed, 15 Jun 2005 23:18:04 UTC

Severity: grave

Tags: fixed-upstream, patch, security

Found in versions 1.4.4-5, 2:1.4.4-5

Fixed in version squirrelmail/2:1.4.4-6

Done: Thijs Kinkhorst <kink@squirrelmail.org>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#314374; Package squirrelmail.

Acknowledgement sent to Thijs Kinkhorst <kink@squirrelmail.org>:
New Bug report received and forwarded. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>.

Message #5 received at submit@bugs.debian.org:

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: submit@bugs.debian.org
Subject: SquirrelMail cross site scripting vulnerabilities [CAN-2005-1769]
Date: Thu, 16 Jun 2005 01:15:28 +0200
Package: squirrelmail
Version: 1.4.4-5
Tags: security fixed-upstream patch

> Several cross site scripting (XSS) vulnerabilities have been discovered
> in SquirrelMail versions 1.4.0 - 1.4.4. These have been addressed in a
> patch that can be found at [1]. We advise all our users to apply this
> patch. We're also releasing SquirrelMail 1.4.5 release candidate 1
> today. We expect version 1.4.5 to be out within two weeks from
> now.
> 
> [1] http://prdownloads.sourceforge.net/squirrelmail/sqm-144-xss.patch

We're working on this. An updated package for sarge / etch / sid has
been prepared and will be tested.

Backporting to woody is not trivial (the code is more than 4 years old),
but we'll do a best effort.


Thijs

Severity set to `grave'. Request was from Thijs Kinkhorst <kink@squirrelmail.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#314374; Package squirrelmail.

Acknowledgement sent to Thijs Kinkhorst <kink@squirrelmail.org>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>.

Message #12 received at 314374@bugs.debian.org:

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: 314374@bugs.debian.org
Subject: Re: SquirrelMail cross site scripting vulnerabilities [CAN-2005-1769]
Date: Wed, 22 Jun 2005 10:19:14 +0200
> We're working on this. An updated package for sarge / etch / sid has
> been prepared and will be tested.
>
> Backporting to woody is not trivial (the code is more than 4 years old),
> but we'll do a best effort.

The patches have been applied or backported for both
stable/testing/unstable (same version) as well as oldstable. It now is
awaiting review/testing by the other maintainer (Jeroen) and if that
turns up no problems they can be released.


Thijs

Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#314374; Package squirrelmail.

Acknowledgement sent to "Thijs Kinkhorst" <kink@squirrelmail.org>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>.

Message #17 received at 314374@bugs.debian.org:

From: "Thijs Kinkhorst" <kink@squirrelmail.org>
To: 314374@bugs.debian.org
Subject: Re: Bug#314374: SquirrelMail cross site scripting vulnerabilities [CAN-2005-1769]
Date: Fri, 1 Jul 2005 09:55:55 +0200 (CEST)
Hello,

Update: A new vulnerability has been discovered in squirrelmail. We'll
release one advisory for this one and the new one (to be announced soon).


Thijs

Tags added: pending. Request was from "www.wolffelaar.nl" <www-data@wolffelaar.nl> to control@bugs.debian.org.

Message sent on to Thijs Kinkhorst <kink@squirrelmail.org>:
Bug#314374.

Message #22 received at 314374-submitter@bugs.debian.org:

From: "www.wolffelaar.nl" <www-data@wolffelaar.nl>
To: control@bugs.debian.org, 314374-submitter@bugs.debian.org
Subject: Squirrelmail bugs fixed in revision r162
Date: Sat, 09 Jul 2005 12:00:22 +0200
# Fixed in r162 by jeroen
tag 314374 + pending
thanks

These bugs are fixed in revision 162 by jeroen
and will likely get fixed in the next upload.
Log message:
Note the bug number associated with CAN-2005-1769 in the changelog
(Closes: #314374)


Reply sent to Thijs Kinkhorst <kink@squirrelmail.org>:
You have taken responsibility.

Notification sent to Thijs Kinkhorst <kink@squirrelmail.org>:
Bug acknowledged by developer.

Message #27 received at 314374-close@bugs.debian.org:

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: 314374-close@bugs.debian.org
Subject: Bug#314374: fixed in squirrelmail 2:1.4.4-6
Date: Wed, 13 Jul 2005 13:32:43 -0400
Source: squirrelmail
Source-Version: 2:1.4.4-6

We believe that the bug you reported is fixed in the latest version of
squirrelmail, which is due to be installed in the Debian FTP archive:

squirrelmail_1.4.4-6.diff.gz
  to pool/main/s/squirrelmail/squirrelmail_1.4.4-6.diff.gz
squirrelmail_1.4.4-6.dsc
  to pool/main/s/squirrelmail/squirrelmail_1.4.4-6.dsc
squirrelmail_1.4.4-6_all.deb
  to pool/main/s/squirrelmail/squirrelmail_1.4.4-6_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 314374@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <kink@squirrelmail.org> (supplier of updated squirrelmail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 09 Jul 2005 11:57:20 +0200
Source: squirrelmail
Binary: squirrelmail
Architecture: source all
Version: 2:1.4.4-6
Distribution: stable-security
Urgency: high
Maintainer: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
Changed-By: Thijs Kinkhorst <kink@squirrelmail.org>
Description: 
 squirrelmail - Webmail for nuts
Closes: 314374 317094
Changes: 
 squirrelmail (2:1.4.4-6) stable-security; urgency=high
 .
   * Security fix, hence high urgency.
   * Apply patch provided by upstream to fix several cross site scripting
     flaws [CAN-2005-1769] (Closes: #314374)
   * Work around arbitrary variable injection via extract() [CAN-2005-2095]
     (Closes: #317094)
Files: 
 efd67c242cc9fb591e3ee8456825331d 742 web optional squirrelmail_1.4.4-6.dsc
 30e06c1a6282a0abff142ccbe1b36a0c 23108 web optional squirrelmail_1.4.4-6.diff.gz
 50da6f9a18fe90e5760eb18c3255296c 569772 web optional squirrelmail_1.4.4-6_all.deb
 f50548b6f4f24d28afb5e6048977f4da 575871 web optional squirrelmail_1.4.4.orig.tar.gz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFC0PONW5ql+IAeqTIRArItAJ9ShE4w3upcklKW/dyKcDguCWlMQQCeJdIn
NBlWhi8HRSys8Qbr7Fv0jow=
=JzPZ
-----END PGP SIGNATURE-----

Bug marked as found in version 2:1.4.4-5. Request was from Thijs Kinkhorst <kink@squirrelmail.org> to control@bugs.debian.org.

Changed Bug submitter from Thijs Kinkhorst <kink@squirrelmail.org> to Thijs Kinkhorst <thijs@debian.org>. Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 12:56:18 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 06:02:28 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.