Package: squirrelmail
Version: 1.4.4-6
Severity: grave
Tags: security fixed-upstream sarge etch sid
[I've submitted this a couple of days ago but it never arrived in the BTS for some reason]

A vulnerability has been discovered in the handling of the $_POST variable in a specific part of SquirrelMail. This potentially allows for setting other people's preferences and possibly reading them, writing files at any location writable for www-data, and cross site scripting.

Upstream is preparing a new release that addresses this issue, which is known as CAN-2005-2095. A patch from upstream has been applied and is awaiting review by Jeroen and the security team. Possibly the patch has to be changed to accommodate Debian specific needs (in terms of the number of changes).

Thijs