LISTSERV - SCIENTIFIC-LINUX-ERRATA Archives

Synopsis:	Moderate: squirrelmail security update
Issue date:	2009-10-08
CVE Names:	CVE-2009-2964

CVE-2009-2964 squirrelmail: CSRF issues in all forms

Form submissions in SquirrelMail did not implement protection against
Cross-Site Request Forgery (CSRF) attacks. If a remote attacker tricked 
a user into visiting a malicious web page, the attacker could hijack 
that user's authentication, inject malicious content into that user's
preferences, or possibly send mail without that user's permission. 
(CVE-2009-2964)

SL 3.0.x

       SRPMS:
squirrelmail-1.4.8-16.el3.src.rpm
       i386:
squirrelmail-1.4.8-16.el3.noarch.rpm
       x86_64:
squirrelmail-1.4.8-16.el3.noarch.rpm

SL 4.x

       SRPMS:
squirrelmail-1.4.8-5.el4_8.8.src.rpm
       i386:
squirrelmail-1.4.8-5.el4_8.8.noarch.rpm
       x86_64:
squirrelmail-1.4.8-5.el4_8.8.noarch.rpm

SL 5.x

       SRPMS:
squirrelmail-1.4.8-5.el5_4.10.src.rpm
       i386:
squirrelmail-1.4.8-5.el5_4.10.noarch.rpm
       x86_64:
squirrelmail-1.4.8-5.el5_4.10.noarch.rpm

-Connie Sieh
-Troy Dawson