Debian Bug report logs - #327727
SqWebMail HTML Emails Script Insertion Vulnerability [CAN-2005-2769]

version graph

Package: sqwebmail; Maintainer for sqwebmail is Stefan Hornburg (Racke) <racke@linuxia.de>; Source for sqwebmail is src:courier.

Reported by: Joey Hess <joeyh@debian.org>

Date: Sun, 11 Sep 2005 18:33:04 UTC

Severity: serious

Tags: security

Found in version sqwebmail/0.47-8

Fixed in version courier/0.47-9

Done: Stefan Hornburg (Racke) <racke@linuxia.de>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Stefan Hornburg (Racke) <racke@linuxia.de>:
Bug#327727; Package sqwebmail. Full text and rfc822 format available.

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Stefan Hornburg (Racke) <racke@linuxia.de>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Joey Hess <joeyh@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: SqWebMail HTML Emails Script Insertion Vulnerability [CAN-2005-2769]
Date: Sun, 11 Sep 2005 14:18:11 -0400
[Message part 1 (text/plain, inline)]
Package: sqwebmail
Severity: serious
Version: 0.47-8
Tags: security

Another cross site scripting bug has been found in sqwebmail. Note that
this is different from #327181.

http://lists.grok.org.uk/pipermail/full-disclosure/2005-August/036622.html

This is CAN-2005-2769.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.4.27
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

-- 
see shy jo
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Stefan Hornburg (Racke) <racke@linuxia.de>:
Bug#327727; Package sqwebmail. Full text and rfc822 format available.

Acknowledgement sent to Stefan Hornburg <racke@linuxia.de>:
Extra info received and forwarded to list. Copy sent to Stefan Hornburg (Racke) <racke@linuxia.de>. Full text and rfc822 format available.

Message #10 received at 327727@bugs.debian.org (full text, mbox):

From: Stefan Hornburg <racke@linuxia.de>
To: Joey Hess <joeyh@debian.org>, 327727@bugs.debian.org
Cc: racke@linuxia.de
Subject: Re: Bug#327727: SqWebMail HTML Emails Script Insertion Vulnerability [CAN-2005-2769]
Date: Mon, 12 Sep 2005 09:37:44 +0200
On Sun, 11 Sep 2005 14:18:11 -0400
Joey Hess <joeyh@debian.org> wrote:

> Package: sqwebmail
> Severity: serious
> Version: 0.47-8
> Tags: security
> 
> Another cross site scripting bug has been found in sqwebmail. Note that
> this is different from #327181.

Yes, #327181 is the more advanced one.
> 
> http://lists.grok.org.uk/pipermail/full-disclosure/2005-August/036622.html
> 
> This is CAN-2005-2769.

AFAICT the upstream patch works for both problems, the problem described
in this bug has been tested with a patched version. 

This is also stated in your source:

http://lists.grok.org.uk/pipermail/full-disclosure/2005-August/036622.html

Bye
	Racke


-- 
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team




Reply sent to Stefan Hornburg (Racke) <racke@linuxia.de>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Joey Hess <joeyh@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #15 received at 327727-close@bugs.debian.org (full text, mbox):

From: Stefan Hornburg (Racke) <racke@linuxia.de>
To: 327727-close@bugs.debian.org
Subject: Bug#327727: fixed in courier 0.47-9
Date: Mon, 12 Sep 2005 08:32:08 -0700
Source: courier
Source-Version: 0.47-9

We believe that the bug you reported is fixed in the latest version of
courier, which is due to be installed in the Debian FTP archive:

courier-authdaemon_0.47-9_i386.deb
  to pool/main/c/courier/courier-authdaemon_0.47-9_i386.deb
courier-authmysql_0.47-9_i386.deb
  to pool/main/c/courier/courier-authmysql_0.47-9_i386.deb
courier-authpostgresql_0.47-9_i386.deb
  to pool/main/c/courier/courier-authpostgresql_0.47-9_i386.deb
courier-base_0.47-9_i386.deb
  to pool/main/c/courier/courier-base_0.47-9_i386.deb
courier-doc_0.47-9_all.deb
  to pool/main/c/courier/courier-doc_0.47-9_all.deb
courier-faxmail_0.47-9_i386.deb
  to pool/main/c/courier/courier-faxmail_0.47-9_i386.deb
courier-imap-ssl_3.0.8-9_i386.deb
  to pool/main/c/courier/courier-imap-ssl_3.0.8-9_i386.deb
courier-imap_3.0.8-9_i386.deb
  to pool/main/c/courier/courier-imap_3.0.8-9_i386.deb
courier-ldap_0.47-9_i386.deb
  to pool/main/c/courier/courier-ldap_0.47-9_i386.deb
courier-maildrop_0.47-9_i386.deb
  to pool/main/c/courier/courier-maildrop_0.47-9_i386.deb
courier-mlm_0.47-9_i386.deb
  to pool/main/c/courier/courier-mlm_0.47-9_i386.deb
courier-mta-ssl_0.47-9_i386.deb
  to pool/main/c/courier/courier-mta-ssl_0.47-9_i386.deb
courier-mta_0.47-9_i386.deb
  to pool/main/c/courier/courier-mta_0.47-9_i386.deb
courier-pcp_0.47-9_i386.deb
  to pool/main/c/courier/courier-pcp_0.47-9_i386.deb
courier-pop-ssl_0.47-9_i386.deb
  to pool/main/c/courier/courier-pop-ssl_0.47-9_i386.deb
courier-pop_0.47-9_i386.deb
  to pool/main/c/courier/courier-pop_0.47-9_i386.deb
courier-ssl_0.47-9_i386.deb
  to pool/main/c/courier/courier-ssl_0.47-9_i386.deb
courier-webadmin_0.47-9_i386.deb
  to pool/main/c/courier/courier-webadmin_0.47-9_i386.deb
courier_0.47-9.diff.gz
  to pool/main/c/courier/courier_0.47-9.diff.gz
courier_0.47-9.dsc
  to pool/main/c/courier/courier_0.47-9.dsc
sqwebmail_0.47-9_i386.deb
  to pool/main/c/courier/sqwebmail_0.47-9_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 327727@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Hornburg (Racke) <racke@linuxia.de> (supplier of updated courier package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 12 Sep 2005 16:29:35 +0200
Source: courier
Binary: courier-authpostgresql courier-ldap courier-faxmail courier-pcp courier-authmysql courier-imap courier-authdaemon courier-base sqwebmail courier-ssl courier-pop courier-mta courier-webadmin courier-imap-ssl courier-doc courier-mlm courier-maildrop courier-mta-ssl courier-pop-ssl
Architecture: source i386 all
Version: 0.47-9
Distribution: unstable
Urgency: high
Maintainer: Stefan Hornburg (Racke) <racke@linuxia.de>
Changed-By: Stefan Hornburg (Racke) <racke@linuxia.de>
Description: 
 courier-authdaemon - Courier Mail Server - Authentication daemon
 courier-authmysql - Courier Mail Server - MySQL authentication
 courier-authpostgresql - Courier Mail Server - PostgreSQL Authentication
 courier-base - Courier Mail Server - Base system
 courier-doc - Courier Mail Server - Additional documentation
 courier-faxmail - Courier Mail Server - Faxmail gateway
 courier-imap - Courier Mail Server - IMAP server
 courier-imap-ssl - Courier Mail Server - IMAP over SSL
 courier-ldap - Courier Mail Server - LDAP support
 courier-maildrop - Courier Mail Server - Mail delivery agent
 courier-mlm - Courier Mail Server - Mailing list manager
 courier-mta - Courier Mail Server - ESMTP daemon
 courier-mta-ssl - Courier Mail Server - ESMTP over SSL
 courier-pcp - Courier Mail Server - PCP server
 courier-pop - Courier Mail Server - POP3 server
 courier-pop-ssl - Courier Mail Server - POP3 over SSL
 courier-ssl - Courier Mail Server - SSL/TLS Support
 courier-webadmin - Courier Mail Server - Web-based administration frontend
 sqwebmail  - Courier Mail Server - Webmail server
Closes: 327162 327181 327727
Changes: 
 courier (0.47-9) unstable; urgency=high
 .
   * applied extended patch for cross-side scripting issues in sqwebmail
     to filter out certain MSIE-only scripting constructs (Closes: #327181,
     thanks to Martin Schulze <joey@infodrom.org> for the original report),
     also fixes the issue described in [CAN-2005-2769] (Closes: #327727)
   * fix FTBFS due to changed behaviour of find binary (Closes: #327162,
     thanks to Matt Kraai <kraai@ftbfs.org> for the report and Willi Mann
     <willi@wm1.at> for the patch)
Files: 
 7a27993758a665b13e0b5987f168ab1a 1204 mail optional courier_0.47-9.dsc
 b4ddeb073853383802ccbd64cfde0c1f 96316 mail optional courier_0.47-9.diff.gz
 955317454bc303bfe9165c7b1357de20 370728 doc optional courier-doc_0.47-9_all.deb
 db5edb0aeba8f4d5ee58ed855adb5bf4 233322 mail optional courier-base_0.47-9_i386.deb
 bad49d635ad244af873b3fd300054572 931692 mail optional courier-maildrop_0.47-9_i386.deb
 cae0359903dcb8bf9f03390a1c69629a 109462 mail optional courier-mlm_0.47-9_i386.deb
 acc637e9e98346d5e879cb052b01fcb4 2077492 mail extra courier-mta_0.47-9_i386.deb
 b807bde7714b913d9cc30767a1bb7829 28992 mail optional courier-faxmail_0.47-9_i386.deb
 89ab2373983705d3d22508bb384838df 34940 mail optional courier-webadmin_0.47-9_i386.deb
 71a4f410b0a23391d12e476392216c07 779502 mail optional sqwebmail_0.47-9_i386.deb
 f4edbeab7549b60afa9bf6b9ed1d0398 60836 mail optional courier-pcp_0.47-9_i386.deb
 6627882a81be5571fae7a05945f3cd69 417414 mail extra courier-pop_0.47-9_i386.deb
 458c519419b6cb1f7cdcb2b98c1cd0bb 66746 mail optional courier-ldap_0.47-9_i386.deb
 ae25dc1fab7810fadbe1165e77a60c64 55698 mail optional courier-authdaemon_0.47-9_i386.deb
 35a2614a18926fa9c44556ef6a41c17e 51954 mail optional courier-authmysql_0.47-9_i386.deb
 f51bd30184158a75c40f6c572c3ffc20 192176 mail optional courier-ssl_0.47-9_i386.deb
 4c8159ce12e441860b900f76035cdcd3 19456 mail extra courier-mta-ssl_0.47-9_i386.deb
 b72d696ca176a0c114717d4ed3ba7666 21060 mail optional courier-pop-ssl_0.47-9_i386.deb
 dd0c4c846fd6a72dbf0a6c831f23164f 52032 mail optional courier-authpostgresql_0.47-9_i386.deb
 982eb51b165fc0613ba9e02e47a00ba1 938980 mail extra courier-imap_3.0.8-9_i386.deb
 b52fd6d2fa9b54846d8562e86bc6e4d6 21266 mail extra courier-imap-ssl_3.0.8-9_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDJZswjgVfE5tya3ERAncHAJ9T1MZFbNGipc6fif3BvtDIFRXMbgCePwJ/
YumpQfn4xNOxhhRF3Ks2J18=
=5+NS
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 00:16:41 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 21:40:16 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.