[SM-DEVEL] Ancient 1.2.6 version has exploitable security hole

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hello people,

* NOTE: The 1.2.x stable series is not officially supported by the
* SquirrelMail team anymore. We're providing this update as a courtesy
* to our users.

A serious security hole has been found in SquirrelMail version 1.2.6, and
1.2.6 only. A remote attacker could execute code as the user the webserver
runs as, by manipulating an URL-variable.

Affected: SquirrelMail 1.2.6 only (<=1.2.5, >=1.2.7, and 1.4.x/1.5.x are
NOT vulnerable). Most notably this concerns those people running
SquirrelMail from Debian Woody (stable).

Possible solutions:
- For Debian, a security upload has taken place that will be released this
week. Debian users wishing to be more up-to-date can also track the
SquirrelMail package from testing (sarge) which easily backports to woody.

- Upgrade to the 1.4.x-branch (highly recommended, also security-wise) or
at least 1.2.10 if for some reason you must stick to the 1.2.x-branch.

- If you really need to keep 1.2.6, you can apply this patch:
http://cvs.sf.net/viewcvs.py/squirrelmail/squirrelmail/functions/display_messages.php?r1=1.48&r2=1.48.2.4&only_with_tag=SM-1_2-STABLE&diff_format=u

Thanks go to Grant Hollingworth for finding this very specific issue and
reporting it to the Debian SquirrelMail maintainers.

The CVE-id assigned to this bug is CAN-2005-0152.

Happy SquirrelMailing!

Thijs Kinkhorst