Your message dated Wed, 13 Jul 2005 13:32:43 -0400
with message-id <[EMAIL PROTECTED]>
and subject line Bug#317094: fixed in squirrelmail 2:1.4.4-6
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 6 Jul 2005 08:11:57 +0000
>From [EMAIL PROTECTED] Wed Jul 06 01:11:57 2005
Return-path: <[EMAIL PROTECTED]>
Received: from mail.azu.nl (davis.azu.nl) [143.121.237.50]
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1Dq50f-0005oM-00; Wed, 06 Jul 2005 01:11:57 -0700
Received: from coltrane.azu.nl (coltrane.azu.nl [143.121.16.65])
	by davis.azu.nl (Postfix) with ESMTP id 047AB3AEF
	for <[EMAIL PROTECTED]>; Wed, 6 Jul 2005 10:11:24 +0200 (MEST)
Received: from isiwww.rrn.azu.nl (unknown [143.121.62.57])
	by coltrane.azu.nl (Postfix) with ESMTP id AE44D113B
	for <[EMAIL PROTECTED]>; Wed, 6 Jul 2005 10:11:24 +0200 (MEST)
Received: from [143.121.153.52] (zoltrix.rrn.azu.nl [143.121.153.52])
	by isiwww.rrn.azu.nl (Postfix) with ESMTP id 543991B82A
	for <[EMAIL PROTECTED]>; Wed, 6 Jul 2005 10:07:28 +0200 (CEST)
Message-ID: <[EMAIL PROTECTED]>
Date: Wed, 06 Jul 2005 10:11:20 +0200
From: Thijs Kinkhorst <[EMAIL PROTECTED]>
Organization: University Medical Center, Utrecht NL
User-Agent: Mozilla Thunderbird 1.0.2 (Windows/20050317)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: [EMAIL PROTECTED]
Subject: SquirrelMail $_POST variable handling vulnerability [CAN-2005-2095]
X-Enigmail-Version: 0.92.0.0
Content-Type: multipart/signed; micalg=pgp-sha1;
 protocol="application/pgp-signature";
 boundary="------------enigB61FEE8FEEBD7BF1EE8BEA5A"
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-7.0 required=4.0 tests=BAYES_01,HAS_PACKAGE
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enigB61FEE8FEEBD7BF1EE8BEA5A
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

Package: squirrelmail
Version: 1.4.4-6
Severity: grave
Tags: security fixed-upstream sarge etch sid

[I've submitted this a couple of days ago but it never arrived in the BTS for some reason]

A vulnerability has been discovered in the handling of the $_POST variable in a specific part of SquirrelMail. This potentially allows for setting other people's preferences and possibly reading them, writing files at any location writable for www-data and cross site scripting.

Upstream is preparing a new release that addresses this issue, which is known as CAN-2005-2095. A patch from upstream has been applied and is awaiting review by Jeroen and the security team. Possibly the patch has to be changed to accommodate Debian specific needs (in terms of the number of changes).

Thijs

--------------enigB61FEE8FEEBD7BF1EE8BEA5A
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)

iD8DBQFCy5IrJdKMxZV9WM8RAhBXAJ9VMt8QJYqNc3P7VxVlXVpgCSkvKQCg3xmP
+Em8yFeT1a4HCluq13nTuXI=
=w1Xb
-----END PGP SIGNATURE-----

--------------enigB61FEE8FEEBD7BF1EE8BEA5A--

---------------------------------------
Received: (at 317094-close) by bugs.debian.org; 13 Jul 2005 17:39:56 +0000
>From [EMAIL PROTECTED] Wed Jul 13 10:39:56 2005
Return-path: <[EMAIL PROTECTED]>
Received: from newraff.debian.org [208.185.25.31] (mail)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DslDA-0001IU-00; Wed, 13 Jul 2005 10:39:56 -0700
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
	id 1Dsl6B-0000Na-00; Wed, 13 Jul 2005 13:32:43 -0400
From: Thijs Kinkhorst <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.56 $
Subject: Bug#317094: fixed in squirrelmail 2:1.4.4-6
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Wed, 13 Jul 2005 13:32:43 -0400
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
X-CrossAssassin-Score: 2

Source: squirrelmail
Source-Version: 2:1.4.4-6

We believe that the bug you reported is fixed in the latest version of
squirrelmail, which is due to be installed in the Debian FTP archive:

squirrelmail_1.4.4-6.diff.gz
  to pool/main/s/squirrelmail/squirrelmail_1.4.4-6.diff.gz
squirrelmail_1.4.4-6.dsc
  to pool/main/s/squirrelmail/squirrelmail_1.4.4-6.dsc
squirrelmail_1.4.4-6_all.deb
  to pool/main/s/squirrelmail/squirrelmail_1.4.4-6_all.deb

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <[EMAIL PROTECTED]> (supplier of updated squirrelmail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 09 Jul 2005 11:57:20 +0200
Source: squirrelmail
Binary: squirrelmail
Architecture: source all
Version: 2:1.4.4-6
Distribution: stable-security
Urgency: high
Maintainer: Jeroen van Wolffelaar <[EMAIL PROTECTED]>
Changed-By: Thijs Kinkhorst <[EMAIL PROTECTED]>
Description:
 squirrelmail - Webmail for nuts
Closes: 314374 317094
Changes:
 squirrelmail (2:1.4.4-6) stable-security; urgency=high
 .
   * Security fix, hence high urgency.
   * Apply patch provided by upstream to fix several cross site scripting
     flaws [CAN-2005-1769] (Closes: #314374)
   * Work around arbitrary variable injection via extract() [CAN-2005-2095]
     (Closes: #317094)
Files:
 efd67c242cc9fb591e3ee8456825331d 742 web optional squirrelmail_1.4.4-6.dsc
 30e06c1a6282a0abff142ccbe1b36a0c 23108 web optional squirrelmail_1.4.4-6.diff.gz
 50da6f9a18fe90e5760eb18c3255296c 569772 web optional squirrelmail_1.4.4-6_all.deb
 f50548b6f4f24d28afb5e6048977f4da 575871 web optional squirrelmail_1.4.4.orig.tar.gz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFC0PONW5ql+IAeqTIRArItAJ9ShE4w3upcklKW/dyKcDguCWlMQQCeJdIn
NBlWhi8HRSys8Qbr7Fv0jow=
=JzPZ
-----END PGP SIGNATURE-----

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
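The bug report and the changelog entry that closes it describe one defect class: passing request data (here $_POST) to PHP's extract(), so that every posted key becomes a local variable and can silently overwrite server-side state such as the current user or a configured path. The example below is added for illustration and is not SquirrelMail code; the variable names ($username, $prefs_dir, $theme, $sort_order) and the request contents are constructed stand-ins. It places the vulnerable pattern beside an allow-list replacement so the difference in outcome can be seen by running it.

```php
<?php
// Added example, not taken from SquirrelMail. Shows why extract() on request
// data is unsafe and how an explicit allow-list avoids the problem.
// All variable names are hypothetical.

// Constructed request body standing in for $_POST. Two of the keys collide
// with names the application sets itself.
$post = [
    'theme'     => 'dark',
    'username'  => 'someone-else',  // collides with the session-derived user
    'prefs_dir' => '/tmp/untrusted', // collides with a configuration value
];

// --- Vulnerable pattern ---------------------------------------------------
function loadThemeVulnerable(array $post): array
{
    $username  = 'alice';           // normally taken from the authenticated session
    $prefs_dir = '/var/lib/prefs';  // normally taken from server configuration

    // extract() defaults to EXTR_OVERWRITE: each request key becomes a local
    // variable and replaces any existing variable with the same name.
    extract($post);

    return [
        'username'  => $username,
        'prefs_dir' => $prefs_dir,
        'theme'     => $theme ?? null,
    ];
}

// --- Hardened pattern -----------------------------------------------------
function loadThemeHardened(array $post): array
{
    $username  = 'alice';
    $prefs_dir = '/var/lib/prefs';

    // Copy only the keys this form is expected to send, into a dedicated
    // array, so request data can never shadow server-side variables.
    $allowed = ['theme', 'sort_order'];
    $input = [];
    foreach ($allowed as $key) {
        if (array_key_exists($key, $post)) {
            $input[$key] = (string) $post[$key];
        }
    }

    return [
        'username'  => $username,
        'prefs_dir' => $prefs_dir,
        'theme'     => $input['theme'] ?? null,
    ];
}

// With the constructed $post above, the vulnerable version reports
// username 'someone-else' and prefs_dir '/tmp/untrusted'; the hardened
// version keeps 'alice' and '/var/lib/prefs' while still reading the theme.
var_dump(loadThemeVulnerable($post));
var_dump(loadThemeHardened($post));
```

Passing EXTR_SKIP to extract() stops it from overwriting variables that already exist, which is the smallest possible change to code like the vulnerable function, but it still lets a request define any variable name that happens to be unset at that point. Reading the expected keys into a separate array, as the hardened function does, is the more robust form: what the request may influence is listed in one place and nothing else in scope can be reached from it.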