Date: Wed, 27 May 2009 06:28:42 -0500
Content-Type: text/plain
Synopsis: Important: squirrelmail security update
Issue date: 2009-05-26
CVE Names: CVE-2009-1578 CVE-2009-1579 CVE-2009-1581
A server-side code injection flaw was found in the SquirrelMail
"map_yp_alias" function. If SquirrelMail was configured to retrieve a
user's IMAP server address from a Network Information Service (NIS)
server via the "map_yp_alias" function, an unauthenticated, remote
attacker using a specially-crafted username could use this flaw to
execute arbitrary code with the privileges of the web server.
(CVE-2009-1579)
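The flaw above is a classic shell command injection: a username taken from the login form ends up inside a command line that is handed to a shell. The following is an added illustration, not SquirrelMail's own code, of a hypothetical NIS alias lookup in the style of "map_yp_alias", shown first in the weak form and then in a hardened form. The function names, the login-name allow-list and the assumed "ypmatch" output format are assumptions made for this example.

```php
<?php
// Added example (not SquirrelMail's code): a hypothetical NIS alias lookup
// in the style of map_yp_alias, in a weak form and a hardened form.

// Weak pattern: the username is interpolated directly into a shell command
// line, so any shell metacharacters it contains are parsed by /bin/sh.
// An unauthenticated user controls this value before login succeeds.
function map_yp_alias_weak($username) {
    $yp = shell_exec("ypmatch $username aliases");
    return trim(substr((string)$yp, strlen($username) + 1));
}

// Hardened pattern: allow-list the value before it can reach the shell, and
// quote it with escapeshellarg() so the shell never interprets it even if
// the allow-list is relaxed later. Both layers are needed: the allow-list is
// the real control, the quoting is defence in depth.
function map_yp_alias_safe($username) {
    // Allow-list: POSIX portable login names (assumption for this example).
    if (!is_string($username) || !preg_match('/^[a-z_][a-z0-9_.-]{0,31}$/', $username)) {
        return false;
    }
    $yp = shell_exec('ypmatch ' . escapeshellarg($username) . ' aliases');
    if ($yp === null || $yp === false || $yp === '') {
        return false;   // no NIS answer: caller should fall back, not guess
    }
    // Assumed ypmatch output: "<key> <value>"; keep only the value.
    $parts = preg_split('/\s+/', trim($yp), 2);
    return count($parts) === 2 ? $parts[1] : false;
}
```

When reviewing similar code, the check to run is simple: grep for backtick operators, shell_exec(), exec(), system(), passthru() and popen(), and for each call confirm that every variable in the command string is either allow-listed, passed through escapeshellarg(), or both. Here the lookup also happens before authentication, which is why the advisory rates the flaw as reachable by an unauthenticated remote attacker: the input reaches the shell regardless of whether the credentials are valid.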
Multiple cross-site scripting (XSS) flaws were found in SquirrelMail. An
attacker could construct a carefully crafted URL, which once visited by
an unsuspecting user, could cause the user's web browser to execute
malicious script in the context of the visited SquirrelMail web page.
(CVE-2009-1578)
It was discovered that SquirrelMail did not properly sanitize Cascading
Style Sheets (CSS) directives used in HTML mail. A remote attacker could
send a specially-crafted email that could place mail content above
SquirrelMail's controls, possibly allowing phishing and cross-site
scripting attacks. (CVE-2009-1581)
SL 3.0.x
SRPMS:
squirrelmail-1.4.8-13.el3.src.rpm
i386:
squirrelmail-1.4.8-13.el3.noarch.rpm
x86_64:
squirrelmail-1.4.8-13.el3.noarch.rpm
SL 4.x
SRPMS:
squirrelmail-1.4.8-5.el4_8.5.src.rpm
i386:
squirrelmail-1.4.8-5.el4_8.5.noarch.rpm
x86_64:
squirrelmail-1.4.8-5.el4_8.5.noarch.rpm
SL 5.x
SRPMS:
squirrelmail-1.4.8-5.el5_3.7.src.rpm
i386:
squirrelmail-1.4.8-5.el5_3.7.noarch.rpm
x86_64:
squirrelmail-1.4.8-5.el5_3.7.noarch.rpm
-Connie Sieh
-Troy Dawson