From: Thijs K. <li...@ki...> - 2005-01-31 20:57:36
Hello people,

* NOTE: The 1.2.x stable series is not officially supported by the
* SquirrelMail team anymore. We're providing this update as a courtesy
* to our users.

A serious security hole has been found in SquirrelMail version 1.2.6, and 1.2.6 only. A remote attacker could execute code as the user the webserver runs as, by manipulating a URL variable.

Affected: SquirrelMail 1.2.6 only (<=1.2.5, >=1.2.7, and 1.4.x/1.5.x are NOT vulnerable). Most notably this concerns those people running SquirrelMail from Debian Woody (stable).

Possible solutions:

- For Debian, a security upload has taken place that will be released this week. Debian users wishing to be more up-to-date can also track the SquirrelMail package from testing (sarge), which easily backports to woody.

- Upgrade to the 1.4.x branch (highly recommended, also security-wise) or at least 1.2.10 if for some reason you must stick to the 1.2.x branch.

- If you really need to keep 1.2.6, you can apply this patch:
  http://cvs.sf.net/viewcvs.py/squirrelmail/squirrelmail/functions/display_messages.php?r1=1.48&r2=1.48.2.4&only_with_tag=SM-1_2-STABLE&diff_format=u

Thanks go to Grant Hollingworth for finding this very specific issue and reporting it to the Debian SquirrelMail maintainers.

The CVE id assigned to this bug is CAN-2005-0152.

Happy SquirrelMailing!

Thijs Kinkhorst