Your message dated Wed, 13 Jul 2005 13:32:43 -0400
with message-id <[EMAIL PROTECTED]>
and subject line Bug#314374: fixed in squirrelmail 2:1.4.4-6
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 15 Jun 2005 23:15:32 +0000
>From [EMAIL PROTECTED] Wed Jun 15 16:15:32 2005
Return-path: <[EMAIL PROTECTED]>
Received: from warp.os9.nl [145.99.250.222] 
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1Dih6a-0000fI-00; Wed, 15 Jun 2005 16:15:32 -0700
Received: from darwin.os9.nl (darwin.os9.nl [145.99.250.219])
        by warp.os9.nl (Postfix) with ESMTP id BD5BCE6A61
        for <[EMAIL PROTECTED]>; Thu, 16 Jun 2005 01:14:59 +0200 (CEST)
Received: by darwin.os9.nl (Postfix, from userid 1000)
        id 6910213923; Thu, 16 Jun 2005 01:15:28 +0200 (CEST)
Subject: SquirrelMail cross site scripting vulnerabilities [CAN-2005-1769]]
From: Thijs Kinkhorst <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Content-Type: multipart/signed; micalg=pgp-sha1;
        protocol="application/pgp-signature"; boundary="=-ZNfs6H9usUo4ZeAIrnfc"
Organization: Squirrelmail Development Team
Date: Thu, 16 Jun 2005 01:15:28 +0200
Message-Id: <[EMAIL PROTECTED]>
Mime-Version: 1.0
X-Mailer: Evolution 2.2.2 
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 


--=-ZNfs6H9usUo4ZeAIrnfc
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Package: squirrelmail
Version: 1.4.4-5
Tags: security fixed-upstream patch

> Several cross site scripting (XSS) vulnerabilities have been discovered
> in SquirrelMail versions 1.4.0 - 1.4.4. These have been addressed in a
> patch that can be found at [1]. We advise all our users to apply this
> patch. We're also releasing SquirrelMail 1.4.5 release candidate 1
> today. We expect version 1.4.5 to be out within two weeks from
> now.
>
> [1] http://prdownloads.sourceforge.net/squirrelmail/sqm-144-xss.patch

We're working on this. An updated package for sarge / etch / sid has
been prepared and will be tested.

Backporting to woody is not trivial (the code is more than 4 years old),
but we'll do a best effort.


Thijs

--=-ZNfs6H9usUo4ZeAIrnfc
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQBCsLaQJdKMxZV9WM8RAvvlAJ0d1Ju+o211R/bawGd4b5ToPl0nDwCfbrhR
MNu5UODQjCpphQddftda/4g=
=kAZS
-----END PGP SIGNATURE-----

--=-ZNfs6H9usUo4ZeAIrnfc--

---------------------------------------
Received: (at 314374-close) by bugs.debian.org; 13 Jul 2005 17:39:41 +0000
>From [EMAIL PROTECTED] Wed Jul 13 10:39:41 2005
Return-path: <[EMAIL PROTECTED]>
Received: from newraff.debian.org [208.185.25.31] (mail)
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1DslCu-00019j-00; Wed, 13 Jul 2005 10:39:40 -0700
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
        id 1Dsl6B-0000NY-00; Wed, 13 Jul 2005 13:32:43 -0400
From: Thijs Kinkhorst <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.56 $
Subject: Bug#314374: fixed in squirrelmail 2:1.4.4-6
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Wed, 13 Jul 2005 13:32:43 -0400
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Source: squirrelmail
Source-Version: 2:1.4.4-6

We believe that the bug you reported is fixed in the latest version of
squirrelmail, which is due to be installed in the Debian FTP archive:

squirrelmail_1.4.4-6.diff.gz
  to pool/main/s/squirrelmail/squirrelmail_1.4.4-6.diff.gz
squirrelmail_1.4.4-6.dsc
  to pool/main/s/squirrelmail/squirrelmail_1.4.4-6.dsc
squirrelmail_1.4.4-6_all.deb
  to pool/main/s/squirrelmail/squirrelmail_1.4.4-6_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <[EMAIL PROTECTED]> (supplier of updated squirrelmail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 09 Jul 2005 11:57:20 +0200
Source: squirrelmail
Binary: squirrelmail
Architecture: source all
Version: 2:1.4.4-6
Distribution: stable-security
Urgency: high
Maintainer: Jeroen van Wolffelaar <[EMAIL PROTECTED]>
Changed-By: Thijs Kinkhorst <[EMAIL PROTECTED]>
Description: 
 squirrelmail - Webmail for nuts
Closes: 314374 317094
Changes: 
 squirrelmail (2:1.4.4-6) stable-security; urgency=high
 .
   * Security fix, hence high urgency.
   * Apply patch provided by upstream to fix several cross site scripting
     flaws [CAN-2005-1769] (Closes: #314374)
   * Work around arbitrary variable injection via extract() [CAN-2005-2095]
     (Closes: #317094)
Files: 
 efd67c242cc9fb591e3ee8456825331d 742 web optional squirrelmail_1.4.4-6.dsc
 30e06c1a6282a0abff142ccbe1b36a0c 23108 web optional squirrelmail_1.4.4-6.diff.gz
 50da6f9a18fe90e5760eb18c3255296c 569772 web optional squirrelmail_1.4.4-6_all.deb
 f50548b6f4f24d28afb5e6048977f4da 575871 web optional squirrelmail_1.4.4.orig.tar.gz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFC0PONW5ql+IAeqTIRArItAJ9ShE4w3upcklKW/dyKcDguCWlMQQCeJdIn
NBlWhi8HRSys8Qbr7Fv0jow=
=JzPZ
-----END PGP SIGNATURE-----

