[Full-disclosure] MDKSA-2005:108 - Updated squirrelmail packages fix XSS vulnerabilities

From: Mandriva Security Team (security_at_mandriva.com)
Date: 07/01/05

  • Next message: Mandriva Security Team: "[Full-disclosure] MDKSA-2005:109 - Updated php-pear packages fix remotely exploitable vulnerability"
    To: full-disclosure@lists.grok.org.uk
    Date: Thu, 30 Jun 2005 16:37:37 -0600
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

     _______________________________________________________________________

                    Mandriva Linux Security Update Advisory
     _______________________________________________________________________

     Package name: squirrelmail
     Advisory ID: MDKSA-2005:108
     Date: June 30th, 2005

     Affected versions: Corporate 3.0
     ______________________________________________________________________

     Problem Description:

     The SquirrelMail PHP package is vulnerable to a number of cross-site
     scripting problems, most of which were reported by Martijn Brinkers.
     If an attacker could get a user to read a specially crafted email or
     visit a manipulated URL, they could execute arbitrary scripts running
     in the context of the victim's browser, which could lead to cookie
     theft, compromise of the user's webmail, etc.
     
     The updated packages have been patched to correct these problems.
     _______________________________________________________________________

     References:

      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1769
     ______________________________________________________________________

     Updated Packages:
      
     Corporate 3.0:
     183b7a7c227551f918d7492460bb6b3e corporate/3.0/RPMS/squirrelmail-1.4.2-11.1.C30mdk.noarch.rpm
     d518ad049ece85134416192604c02d2e corporate/3.0/RPMS/squirrelmail-poutils-1.4.2-11.1.C30mdk.noarch.rpm
     88b3c9159a1b186057f3b858a3533e26 corporate/3.0/SRPMS/squirrelmail-1.4.2-11.1.C30mdk.src.rpm

     Corporate 3.0/X86_64:
     8fdd9a1cc0ae5ccbbff200a1a3120fdd x86_64/corporate/3.0/RPMS/squirrelmail-1.4.2-11.1.C30mdk.noarch.rpm
     0453dd30fcc737a436dac03191ab44be x86_64/corporate/3.0/RPMS/squirrelmail-poutils-1.4.2-11.1.C30mdk.noarch.rpm
     88b3c9159a1b186057f3b858a3533e26 x86_64/corporate/3.0/SRPMS/squirrelmail-1.4.2-11.1.C30mdk.src.rpm
     _______________________________________________________________________

     To upgrade automatically use MandrakeUpdate or urpmi. The verification
     of md5 checksums and GPG signatures is performed automatically for you.

     All packages are signed by Mandriva for security. You can obtain the
     GPG public key of the Mandriva Security Team by executing:

      gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

     You can view other update advisories for Mandriva Linux at:

      http://www.mandriva.com/security/advisories

     If you want to report vulnerabilities, please contact

      security_(at)_mandriva.com
     _______________________________________________________________________

     Type Bits/KeyID Date User ID
     pub 1024D/22458A98 2000-07-10 Mandriva Security Team
      <security*mandriva.com>

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.4 (GNU/Linux)

    iD8DBQFCxHQxmqjQ0CJFipgRAgBcAKCcItxJHPqu88UjfQhjuysCCWxSRACgq20q
    RzR0DegfjibBLJ3LYkKAgDc=
    =XXrm
    -----END PGP SIGNATURE-----
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
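The upgrade section of the advisory says urpmi verifies md5 sums and GPG signatures for you. If you fetch the RPMs from a mirror by hand instead, the following is an added example (not Mandriva's tooling and not part of the advisory) of doing the same two checks yourself: the shell function verify_advisory_md5 compares local files against "<md5> <path>" lines pasted from the Updated Packages section, and check_rpm_signature hands a file to rpm --checksig. The MD5 list only ties a download to what the advisory describes (and MD5 is no longer collision resistant), so the signature check against key 0x22458A98 is the step that shows the package came from Mandriva. The gpg --export and rpm --import commands in the comments are assumed to have been run first, and the package file name and directory used in the demo are constructed test data, not real packages.

```shell
#!/bin/sh
# Added example, not Mandriva's own tooling: check RPMs downloaded by hand
# against the "Updated Packages" MD5 list of an MDKSA advisory, then let rpm
# verify the package signature. File names and paths below are illustrative.

# verify_advisory_md5 MANIFEST DIR
#   MANIFEST: lines "<md5> <mirror/path/to/package.rpm>" pasted from the advisory
#             (section headings such as "Corporate 3.0:" are skipped)
#   DIR:      directory containing the downloaded .rpm files, matched by basename
# Prints one status line per package; returns 0 only if every listed file is
# present and matches. This is an integrity check against the advisory text
# only; authenticity comes from the package signature (check_rpm_signature).
verify_advisory_md5() {
    manifest=$1
    dir=$2
    failures=0
    while read -r expected relpath; do
        # Accept only a 32-digit lowercase hex MD5 in the first field.
        case "$expected" in
            ''|*[!0-9a-f]*) continue ;;
        esac
        [ ${#expected} -eq 32 ] || continue
        file="$dir/$(basename "$relpath")"
        if [ ! -f "$file" ]; then
            echo "MISSING  $file"
            failures=$((failures + 1))
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $file"
        else
            echo "MISMATCH $file (advisory $expected, local $actual)"
            failures=$((failures + 1))
        fi
    done < "$manifest"
    [ "$failures" -eq 0 ]
}

# check_rpm_signature FILE
#   Runs rpm's own signature check. For a Mandriva package this only reports a
#   good GPG signature if the Security Team key was imported into the rpm
#   keyring first (assumed to have been done):
#     gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
#     gpg --export -a 0x22458A98 > mandriva-security.asc
#     rpm --import mandriva-security.asc
#   Returns 0 on a good signature, nonzero on a bad or unverifiable one,
#   2 if rpm is not installed on this host.
check_rpm_signature() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "SKIP     $1 (rpm not installed)"
        return 2
    fi
    rpm --checksig "$1"
}

# Demo on constructed data (no real Mandriva packages are fetched). One file
# is present and correct; the second listed package is deliberately absent so
# the failure path is exercised.
demo_dir=$(mktemp -d)
printf 'constructed stand-in for an RPM payload\n' \
    > "$demo_dir/squirrelmail-1.4.2-11.1.C30mdk.noarch.rpm"
good_md5=$(md5sum "$demo_dir/squirrelmail-1.4.2-11.1.C30mdk.noarch.rpm" | cut -d' ' -f1)
cat > "$demo_dir/manifest.txt" <<EOF
Corporate 3.0:
$good_md5 corporate/3.0/RPMS/squirrelmail-1.4.2-11.1.C30mdk.noarch.rpm
00000000000000000000000000000000 corporate/3.0/RPMS/squirrelmail-poutils-1.4.2-11.1.C30mdk.noarch.rpm
EOF
if verify_advisory_md5 "$demo_dir/manifest.txt" "$demo_dir"; then
    echo "all listed packages match the advisory"
else
    echo "verification failed: do not install"
fi
rm -rf "$demo_dir"
```

Run it with the real manifest by saving the Updated Packages lines for your architecture to a file and calling verify_advisory_md5 on the download directory; only install after both that check and check_rpm_signature pass for every package.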