> Could any of the developers comment on the following urls, reported in
> Saturday's vuln, please?
These announcements are made by third-party SquirrelMail packagers. They provide a link to the announcement made by the SquirrelMail developers. Packagers inform the public about exploit fixes in their packages. The SquirrelMail developers knew about the exploit, fixed it and informed squirrelmail-announce and other mailing lists about the issue.

http://article.gmane.org/gmane.mail.squirrelmail.user/21169

The SquirrelMail developers provide a patch for 1.4.3a that should fix that problem. The RPM package available at the squirrelmail site should include that fix. If you use an older squirrelmail version, upgrade to 1.4.3a and add that patch to your install.

If you use a package provided by your OS packagers, check the squirrelmail functions/mime.php file. If the mime.php decodeHeader function contains

------------------------
$iLastMatch = $i;
$j = $i;
$ret .= $res[1];
$encoding = ucfirst($res[3]);
switch ($encoding) {
    case 'B':
        $replace = base64_decode($res[4]);
        $ret .= charset_decode($res[2],$replace);
        break;
    case 'Q':
------------------------

then your package should be fixed. The first '$ret .= something' call is not sanitized. The first part of the patch fixes the sanitizing; the second part of the patch provides fixes for some base64 formatting issues in replies/forwards.

Any OS that provides its own squirrelmail packages is affected. The announcements are about Conectiva and Fedora Linux. I think Debian Sid/Sarge and FreeBSD are already fixed. SuSE 8.1-9.1 might still be affected. I don't have information about the squirrelmail package included in SuSE 9.2, because it is not public yet. If somebody uses that SuSE version, they might provide more info.

Current 1.4.4cvs and 1.5.1cvs versions are not affected. Please note that you can't mix files from 1.4.4cvs with files from 1.4.3a.

If you don't have access to the patch program or have trouble with manual patching, ask for help on the mailing list.
-- 
Tomas
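As an added illustration (not SquirrelMail's mime.php and not part of this thread), a small Python version of the decodeHeader() loop in which both the plain text in front of each encoded word (the $res[1] part) and the decoded word itself are HTML-escaped before being appended, which is the point of the first part of the patch. The regex, helper names and the sample header are constructed for this example.

```python
import base64
import html
import quopri
import re

# Added example, not SquirrelMail's mime.php: a minimal RFC 2047 decoder
# laid out like decodeHeader(). Every fragment appended to the result, the
# plain text before an encoded word (the $res[1] part) as well as the
# decoded word, is HTML-escaped, which is what the 1.4.3a patch adds.

# One encoded word: =?charset?encoding?text?=
ENCODED_WORD = re.compile(r"=\?([^?]+)\?([bBqQ])\?([^?]*)\?=")


def decode_encoded_word(charset: str, encoding: str, text: str) -> str:
    """Decode the payload of a single encoded word to a str."""
    if encoding.upper() == "B":
        raw = base64.b64decode(text)
    else:
        # "Q" is quoted-printable with '_' standing for a space.
        raw = quopri.decodestring(text.replace("_", " ").encode("latin-1"))
    try:
        return raw.decode(charset)
    except (LookupError, UnicodeDecodeError):
        # Unknown or mismatched charset: degrade instead of raising.
        return raw.decode("latin-1", errors="replace")


def decode_header_safe(header: str) -> str:
    """Return an HTML-safe rendering of a MIME header value."""
    ret = []
    pos = 0
    for m in ENCODED_WORD.finditer(header):
        plain = header[pos:m.start()]
        # The append the patch had to sanitize: raw header text.
        ret.append(html.escape(plain, quote=True))
        decoded = decode_encoded_word(m.group(1), m.group(2), m.group(3))
        ret.append(html.escape(decoded, quote=True))
        pos = m.end()
    # Plain text after the last encoded word (or the whole header if none).
    ret.append(html.escape(header[pos:], quote=True))
    return "".join(ret)


# Constructed sample header: markup in the plain part, then B and Q words.
SAMPLE = "<b>Tomas</b> =?ISO-8859-1?B?RnJlZA==?= =?ISO-8859-1?Q?J=F6rg?="

if __name__ == "__main__":
    print(decode_header_safe(SAMPLE))  # -> &lt;b&gt;Tomas&lt;/b&gt; Fred Jörg
```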