Debian Bug report logs - #543818
CVE-2009-2964: Multiple cross-site request forgery (CSRF) vulnerabilities

version graph

Package: squirrelmail; Maintainer for squirrelmail is Jeroen van Wolffelaar <jeroen@wolffelaar.nl>; Source for squirrelmail is src:squirrelmail.

Reported by: Giuseppe Iuculano <giuseppe@iuculano.it>

Date: Thu, 27 Aug 2009 07:03:01 UTC

Severity: serious

Tags: patch, security

Merged with 544465

Fixed in version squirrelmail/2:1.4.20~rc2-1

Done: Thijs Kinkhorst <thijs@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#543818; Package squirrelmail. (Thu, 27 Aug 2009 07:03:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>. (Thu, 27 Aug 2009 07:03:06 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2009-2964: Multiple cross-site request forgery (CSRF) vulnerabilities
Date: Thu, 27 Aug 2009 08:56:11 +0200
Package: squirrelmail
Severity: serious
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for squirrelmail.

CVE-2009-2964[0]:
| Multiple cross-site request forgery (CSRF) vulnerabilities in
| SquirrelMail 1.4.19 and earlier allow remote attackers to hijack the
| authentication of unspecified victims via features such as send
| message and change preferences, related to (1)
| functions/mailbox_display.php, (2) src/addrbook_search_html.php, (3)
| src/addressbook.php, (4) src/compose.php, (5) src/folders.php, (6)
| src/folders_create.php, (7) src/folders_delete.php, (8)
| src/folders_rename_do.php, (9) src/folders_rename_getname.php, (10)
| src/folders_subscribe.php, (11) src/move_messages.php, (12)
| src/options.php, (13) src/options_highlight.php, (14)
| src/options_identities.php, (15) src/options_order.php, (16)
| src/search.php, and (17) src/vcard.php.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2964
    http://security-tracker.debian.net/tracker/CVE-2009-2964

Cheers,
Giuseppe

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqWLggACgkQNxpp46476aq4qQCfd7xGKycb4zbR7luKUQdi8UeJ
YiAAnRkV5L1Tw1m62WToOIynC7NVSb1B
=fHbw
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#543818; Package squirrelmail. (Fri, 25 Sep 2009 10:54:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>. (Fri, 25 Sep 2009 10:54:03 GMT) Full text and rfc822 format available.

Message #10 received at 543818@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 543818@bugs.debian.org
Subject: Re: CVE-2009-2964: Multiple cross-site request forgery (CSRF) vulnerabilities
Date: Fri, 25 Sep 2009 12:49:01 +0200
[Message part 1 (text/plain, inline)]
Hi,

Thanks. I am aware of the issue, but since the patch is of rather high impact 
I need to study a bit on the correct way of getting it into Debian.


cheers,
Thijs
[signature.asc (application/pgp-signature, inline)]

Forcibly Merged 543818 544465. Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Sun, 27 Sep 2009 15:12:12 GMT) Full text and rfc822 format available.

Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Sun, 27 Sep 2009 17:21:21 GMT) Full text and rfc822 format available.

Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Sun, 27 Sep 2009 17:21:22 GMT) Full text and rfc822 format available.

Message #17 received at 543818-close@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 543818-close@bugs.debian.org
Subject: Bug#543818: fixed in squirrelmail 2:1.4.20~rc2-1
Date: Sun, 27 Sep 2009 16:55:46 +0000
Source: squirrelmail
Source-Version: 2:1.4.20~rc2-1

We believe that the bug you reported is fixed in the latest version of
squirrelmail, which is due to be installed in the Debian FTP archive:

squirrelmail_1.4.20~rc2-1.diff.gz
  to pool/main/s/squirrelmail/squirrelmail_1.4.20~rc2-1.diff.gz
squirrelmail_1.4.20~rc2-1.dsc
  to pool/main/s/squirrelmail/squirrelmail_1.4.20~rc2-1.dsc
squirrelmail_1.4.20~rc2-1_all.deb
  to pool/main/s/squirrelmail/squirrelmail_1.4.20~rc2-1_all.deb
squirrelmail_1.4.20~rc2.orig.tar.gz
  to pool/main/s/squirrelmail/squirrelmail_1.4.20~rc2.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 543818@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated squirrelmail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 27 Sep 2009 16:46:03 +0200
Source: squirrelmail
Binary: squirrelmail
Architecture: source all
Version: 2:1.4.20~rc2-1
Distribution: unstable
Urgency: medium
Maintainer: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 squirrelmail - Webmail for nuts
Closes: 543818
Changes: 
 squirrelmail (2:1.4.20~rc2-1) unstable; urgency=medium
 .
   * New upstream release candidate.
     + Addresses cross site request forgery (CVE-2009-2964,
       closes: #543818).
   * Update to policy 3.8.3, no changes necessary.
Checksums-Sha1: 
 b678a099c0d89f7c57d8a95beff084dce27d2f3c 1527 squirrelmail_1.4.20~rc2-1.dsc
 11e1d8142d371f169bf14deec13659847e81b67b 648459 squirrelmail_1.4.20~rc2.orig.tar.gz
 11e967df46aa8cc63168d87ae557177d68c96106 20230 squirrelmail_1.4.20~rc2-1.diff.gz
 47c7f192c5881e972c4f08b22e4264eada1b2796 623614 squirrelmail_1.4.20~rc2-1_all.deb
Checksums-Sha256: 
 52be2e636c05753f3eb8a9a88432a6315e1a003aca990418b3aae5d9efbd8524 1527 squirrelmail_1.4.20~rc2-1.dsc
 6c3fc1ab5d0cbc25c7106452c049b36e80c0ab3dd6a8ff76255b66ef724d91b5 648459 squirrelmail_1.4.20~rc2.orig.tar.gz
 fb0be9296e32ed2f8cc6f1ccb3b3a145c2ab8b957b6074a660bdf90efd971fd3 20230 squirrelmail_1.4.20~rc2-1.diff.gz
 997921d0826791572855be23bd749eff127565b94982bf3d29bad95e3dd5b55f 623614 squirrelmail_1.4.20~rc2-1_all.deb
Files: 
 bf54f34da64083255431c8e33fbf1ccd 1527 web optional squirrelmail_1.4.20~rc2-1.dsc
 03523e8c7ad9d630988d5001c5743b69 648459 web optional squirrelmail_1.4.20~rc2.orig.tar.gz
 ec4771b958f266958b1734dca301eed2 20230 web optional squirrelmail_1.4.20~rc2-1.diff.gz
 8ea2b96e3859c393dbdcb53717edbb08 623614 web optional squirrelmail_1.4.20~rc2-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBCAAGBQJKv3sYAAoJECIIoQCMVaAc8EAH/iPVf2rLcy+s9OTEyNl+l1sl
Vm4SlOmN1nugu4sXrtWjwYwOfiX8r+lK6JtQzUsYvdm9IJIRXRYGfSaAjn2z41Q9
kBkDXHvlTIzdI92tK/TjkDppMEOaASe3dzowLGRswMH9sUGn4PgmL5BEqQXHiWYM
PPVRcmio/U/8O369Al7LOOX7sThkgTEFIkPaU4K9CgBUEwQtL3RXBq8QI9fGc5Te
78zVxrJyep7Wb7PK0XKKTLdnqF6Nk5NvgZaQ95CwJ0OR0Q1mLSWuvfgakIH3vpl1
KF1+f9j0vkAnuVdZwYbrzwkXC5sqTeq01xdPHTZlNIqiLOrM6TqWvrYcZXFNNtY=
=j4hs
-----END PGP SIGNATURE-----





Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Sun, 27 Sep 2009 17:21:23 GMT) Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. (Sun, 27 Sep 2009 17:21:23 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 26 Oct 2009 07:31:51 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 03:06:26 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.