Multiple CVEs for Squirrelmail <1.4.17

Bug #375513 reported by Leonel Nunez
This bug affects 1 person
Affects                Status        Importance  Assigned to  Milestone
squirrelmail (Ubuntu)  Fix Released  High        Unassigned
Dapper                 Won't Fix     High        Unassigned
Hardy                  Fix Released  High        Unassigned
Intrepid               Fix Released  High        Unassigned
Jaunty                 Fix Released  High        Unassigned
Karmic                 Fix Released  High        Unassigned

Bug Description

CSS positioning vulnerability CVE-2009-1581
Session fixation vulnerability CVE-2009-1580
Server-side code injection in map_yp_alias username map CVE-2009-1579
Cross site scripting issues in decrypt_headers.php CVE-2009-1578
Multiple cross site scripting issues CVE-2009-1578

security vulnerability: no → yes
Changed in squirrelmail (Ubuntu):
assignee: nobody → Andreas Wenning (andreas-wenning)
importance: Undecided → High
status: New → In Progress
Changed in squirrelmail (Ubuntu Jaunty):
assignee: nobody → Andreas Wenning (andreas-wenning)
importance: Undecided → High
status: New → In Progress
Changed in squirrelmail (Ubuntu Intrepid):
assignee: nobody → Andreas Wenning (andreas-wenning)
importance: Undecided → High
status: New → In Progress
Changed in squirrelmail (Ubuntu Hardy):
assignee: nobody → Andreas Wenning (andreas-wenning)
status: New → In Progress
importance: Undecided → High
Changed in squirrelmail (Ubuntu Dapper):
assignee: nobody → Andreas Wenning (andreas-wenning)
importance: Undecided → High
status: New → In Progress
Andreas Wenning (andreas-wenning) wrote :

Karmic should hopefully auto-sync in a matter of days, as 1.4.18-1 is now in unstable. Here are debdiffs for hardy through jaunty.

For dapper I'm able to fix 4 out of the 5 security-problems; the last one is simply not possible for me to apply the idea of it to the code; too many changes have happened.

First jaunty debdiff.

Andreas Wenning (andreas-wenning) wrote :

Intrepid debdiff.

Andreas Wenning (andreas-wenning) wrote :

Hardy debdiff.

Changed in squirrelmail (Ubuntu Intrepid):
assignee: Andreas Wenning (andreas-wenning) → nobody
Changed in squirrelmail (Ubuntu Jaunty):
assignee: Andreas Wenning (andreas-wenning) → nobody
Changed in squirrelmail (Ubuntu Hardy):
assignee: Andreas Wenning (andreas-wenning) → nobody
Changed in squirrelmail (Ubuntu):
assignee: Andreas Wenning (andreas-wenning) → nobody
status: In Progress → Triaged
Andreas Wenning (andreas-wenning) wrote :

Here is the one for dapper with 4 out of the 5 advisories fixed. The one missing is:
http://squirrelmail.org/security/issue/2009-05-11

If anyone has the time/skills to get it applied + working then great; but I'm simply not able to do anything about it.

Changed in squirrelmail (Ubuntu Dapper):
assignee: Andreas Wenning (andreas-wenning) → nobody
Andreas Wenning (andreas-wenning) wrote :

For dapper I think the best option is to do a -security backport of the package (through proposed if necessary), if that is possible. As the squirrelmail minor releases are mostly bugfix, I would vote for that.
1. Wait for squirrelmail_1.4.13-2ubuntu1.3 to be in hardy
(2. Upload squirrelmail_1.4.13-2ubuntu1.3~dapper1 to dapper-proposed for testing)?
3. If it is approved, upload to dapper-testing and dapper-updates

I've just tested backporting squirrelmail_1.4.13-2ubuntu1.3 and running it under dapper, and it compiles and works. Tested both under php5 and php4.

Andreas Wenning (andreas-wenning) wrote :

1.4.18-1 is now in karmic

Changed in squirrelmail (Ubuntu):
status: Triaged → Fix Released
Kees Cook (kees) wrote :

Thanks for the patches! These are building in the security queue and will be available shortly.

Changed in squirrelmail (Ubuntu Hardy):
status: In Progress → Fix Committed
Changed in squirrelmail (Ubuntu Intrepid):
status: In Progress → Fix Committed
Changed in squirrelmail (Ubuntu Jaunty):
status: In Progress → Fix Committed
Kees Cook (kees)
Changed in squirrelmail (Ubuntu Dapper):
status: In Progress → Triaged
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package squirrelmail - 2:1.4.13-2ubuntu1.3

---------------
squirrelmail (2:1.4.13-2ubuntu1.3) hardy-security; urgency=low

  * SECURITY UPDATE: (LP: #375513)
  * Multiple cross site scripting issues. Two issues were fixed that both
    allowed an attacker to run arbitrary script (XSS) on most any
    SquirrelMail page by getting the user to click on specially crafted
    SquirrelMail links.
    - http://squirrelmail.org/security/issue/2009-05-08
    - CVE-2009-1578
    - Patch taken from upstream svn rev. 13670. Applied inline.
  * Cross site scripting issues in decrypt_headers.php. An issue was fixed
    wherein input to the contrib/decrypt_headers.php script was not sanitized
    and allowed arbitrary script execution upon submission of certain values.
    - http://squirrelmail.org/security/issue/2009-05-09
    - CVE-2009-1578
    - Patch taken from upstream svn rev. 13672. Applied inline.
  * Server-side code injection in map_yp_alias username map. An issue was
    fixed that allowed arbitrary server-side code execution when SquirrelMail
    was configured to use the example "map_yp_alias" username mapping
    functionality.
    - http://squirrelmail.org/security/issue/2009-05-10
    - CVE-2009-1579
    - Patch taken from upstream svn rev. 13674. Applied inline.
  * Session fixation vulnerability. An issue was fixed that allowed an
    attacker to possibly steal user data by hijacking the SquirrelMail
    login session.
    - http://squirrelmail.org/security/issue/2009-05-11
    - CVE-2009-1580
    - Patch taken from upstream svn rev. 13676. Applied inline.
  * CSS positioning vulnerability. An issue was fixed that allowed phishing
    and cross-site scripting (XSS) attacks to be run by surreptitious
    placement of content in specially-crafted emails sent to SquirrelMail
    users.
    - http://squirrelmail.org/security/issue/2009-05-12
    - CVE-2009-1581
    - Patch taken from upstream svn rev. 13667. Applied inline.

 -- Andreas Wenning <email address hidden> Tue, 12 May 2009 21:13:30 +0200

Changed in squirrelmail (Ubuntu Hardy):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package squirrelmail - 2:1.4.15-3ubuntu0.2

---------------
squirrelmail (2:1.4.15-3ubuntu0.2) intrepid-security; urgency=low

  * SECURITY UPDATE: (LP: #375513)
  * Multiple cross site scripting issues. Two issues were fixed that both
    allowed an attacker to run arbitrary script (XSS) on most any
    SquirrelMail page by getting the user to click on specially crafted
    SquirrelMail links.
    - http://squirrelmail.org/security/issue/2009-05-08
    - CVE-2009-1578
    - Patch taken from upstream svn rev. 13670. Applied inline.
  * Cross site scripting issues in decrypt_headers.php. An issue was fixed
    wherein input to the contrib/decrypt_headers.php script was not sanitized
    and allowed arbitrary script execution upon submission of certain values.
    - http://squirrelmail.org/security/issue/2009-05-09
    - CVE-2009-1578
    - Patch taken from upstream svn rev. 13672. Applied inline.
  * Server-side code injection in map_yp_alias username map. An issue was
    fixed that allowed arbitrary server-side code execution when SquirrelMail
    was configured to use the example "map_yp_alias" username mapping
    functionality.
    - http://squirrelmail.org/security/issue/2009-05-10
    - CVE-2009-1579
    - Patch taken from upstream svn rev. 13674. Applied inline.
  * Session fixation vulnerability. An issue was fixed that allowed an
    attacker to possibly steal user data by hijacking the SquirrelMail
    login session.
    - http://squirrelmail.org/security/issue/2009-05-11
    - CVE-2009-1580
    - Patch taken from upstream svn rev. 13676. Applied inline.
  * CSS positioning vulnerability. An issue was fixed that allowed phishing
    and cross-site scripting (XSS) attacks to be run by surreptitious
    placement of content in specially-crafted emails sent to SquirrelMail
    users.
    - http://squirrelmail.org/security/issue/2009-05-12
    - CVE-2009-1581
    - Patch taken from upstream svn rev. 13667. Applied inline.

 -- Andreas Wenning <email address hidden> Tue, 12 May 2009 21:09:43 +0200

Changed in squirrelmail (Ubuntu Intrepid):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package squirrelmail - 2:1.4.15-4ubuntu0.1

---------------
squirrelmail (2:1.4.15-4ubuntu0.1) jaunty-security; urgency=low

  * SECURITY UPDATE: (LP: #375513)
  * Multiple cross site scripting issues. Two issues were fixed that both
    allowed an attacker to run arbitrary script (XSS) on most any
    SquirrelMail page by getting the user to click on specially crafted
    SquirrelMail links.
    - http://squirrelmail.org/security/issue/2009-05-08
    - CVE-2009-1578
    - Patch taken from upstream svn rev. 13670. Applied inline.
  * Cross site scripting issues in decrypt_headers.php. An issue was fixed
    wherein input to the contrib/decrypt_headers.php script was not sanitized
    and allowed arbitrary script execution upon submission of certain values.
    - http://squirrelmail.org/security/issue/2009-05-09
    - CVE-2009-1578
    - Patch taken from upstream svn rev. 13672. Applied inline.
  * Server-side code injection in map_yp_alias username map. An issue was
    fixed that allowed arbitrary server-side code execution when SquirrelMail
    was configured to use the example "map_yp_alias" username mapping
    functionality.
    - http://squirrelmail.org/security/issue/2009-05-10
    - CVE-2009-1579
    - Patch taken from upstream svn rev. 13674. Applied inline.
  * Session fixation vulnerability. An issue was fixed that allowed an
    attacker to possibly steal user data by hijacking the SquirrelMail
    login session.
    - http://squirrelmail.org/security/issue/2009-05-11
    - CVE-2009-1580
    - Patch taken from upstream svn rev. 13676. Applied inline.
  * CSS positioning vulnerability. An issue was fixed that allowed phishing
    and cross-site scripting (XSS) attacks to be run by surreptitious
    placement of content in specially-crafted emails sent to SquirrelMail
    users.
    - http://squirrelmail.org/security/issue/2009-05-12
    - CVE-2009-1581
    - Patch taken from upstream svn rev. 13667. Applied inline.

 -- Andreas Wenning <email address hidden> Tue, 12 May 2009 21:06:15 +0200

Changed in squirrelmail (Ubuntu Jaunty):
status: Fix Committed → Fix Released
Rolf Leggewie (r0lf)
Changed in squirrelmail (Ubuntu Dapper):
status: Triaged → Won't Fix