Could any of the developers comment on the following URLs, reported in Saturday's vuln, please?
_____________________________________
"Joost Pol noticed[2] that SquirrelMail is prone to a cross site scripting issue in the decoding of encoded text in certain headers. SquirrelMail correctly decodes the specially crafted header, but doesn't sanitize the result."
http://www.linuxsecurity.com/content/view/117321

* Fedora: squirrelmail-1.4.3a-6.FC2 update
  28th, November, 2004
  CAN-2004-1036 Cross Site Scripting in encoded text
  http://www.linuxsecurity.com/content/view/106934

* Fedora: squirrelmail-1.4.3a-6.FC3 update
  28th, November, 2004
  CAN-2004-1036 Cross Site Scripting in encoded text
  http://www.linuxsecurity.com/content/view/106935
____________________________________

Why are Conectiva and Fedora addressing this problem and not passing the results back to the SM developers? That doesn't fit in with the GPL licensing, surely?

--Tonni

--
Nothing sucksseeds like a pigeon without a beak ...
mail: [EMAIL PROTECTED]
http://www.billy.demon.nl

They love us, don't they, They feed us, won't they ...
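
The bug class the quoted advisory describes (a header is decoded correctly, but the decoded text is not sanitized before it reaches the page), as an added example that is not part of the original post and is not SquirrelMail's code. It is written in Python rather than SquirrelMail's PHP; the function names and the sample header are constructed for illustration, and the escape-before-decode variant is an assumption about how such a gap can arise, not something the advisory states.

```python
import base64
import html
from email.errors import HeaderParseError
from email.header import decode_header

# Constructed sample: a Subject value whose RFC 2047 encoded-word hides markup.
PAYLOAD = b"<script>alert(1)</script>"
SAMPLE = "Re: =?utf-8?B?" + base64.b64encode(PAYLOAD).decode("ascii") + "?="


def decode_mime_header(raw):
    """Decode RFC 2047 encoded-words in a header value to text (no sanitizing)."""
    try:
        chunks = decode_header(raw)
    except HeaderParseError:
        return raw  # malformed encoded-word: treat the raw value as plain text
    out = []
    for data, charset in chunks:
        if isinstance(data, bytes):
            try:
                data = data.decode(charset or "ascii", errors="replace")
            except LookupError:  # unknown charset label in the header
                data = data.decode("latin-1")
        out.append(data)
    return "".join(out)


def escape_then_decode(raw):
    """Wrong order: the raw header has no '<' yet, so escaping changes nothing."""
    return decode_mime_header(html.escape(raw, quote=True))


def render_safe(raw):
    """Right order: decode first, then HTML-escape the decoded text for output."""
    return html.escape(decode_mime_header(raw), quote=True)


if __name__ == "__main__":
    print("decoded, unsanitized:", decode_mime_header(SAMPLE))
    print("escape then decode  :", escape_then_decode(SAMPLE))
    print("decode then escape  :", render_safe(SAMPLE))
```

Escaping has to be applied to the decoded text at the point of output; any filtering done on the still-encoded header sees only base64 or quoted-printable characters.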