CVE-2008-2379 insufficient input sanitising
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| squirrelmail (Ubuntu) | | Medium | Unassigned | |
| Dapper | | Medium | Unassigned | |
| Gutsy | | Medium | Unassigned | |
| Hardy | | Medium | Unassigned | |
| Intrepid | | Medium | Unassigned | |
| Jaunty | | Medium | Unassigned | |
Bug Description
Binary package hint: squirrelmail
- -------
Debian Security Advisory DSA-168201 security_
http://
December 07, 2008 http://
- -------
Package : squirrelmail
Vulnerability : insufficient input sanitising
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-2379
Ivan Markovic discovered that SquirrelMail, a webmail application, did not
sufficiently sanitise incoming HTML email, allowing an attacker to perform
cross site scripting through sending a malicious HTML email.
For the stable distribution (etch), this problem has been fixed in
version 1.4.9a-3.
For the unstable distribution (sid), this problem has been fixed in
version 1.4.15-4.
We recommend that you upgrade your squirrelmail package.
Changed in squirrelmail: | |
status: | New → Confirmed |
Changed in squirrelmail: | |
status: | New → Fix Committed |
status: | Confirmed → Fix Released |
status: | New → Fix Committed |
importance: | Undecided → Medium |
importance: | Undecided → Medium |
importance: | Undecided → Medium |
importance: | Undecided → Medium |
importance: | Undecided → Medium |
Launchpad Janitor (janitor) wrote : | #1 |
Changed in squirrelmail: | |
status: | Fix Committed → Fix Released |
Launchpad Janitor (janitor) wrote : | #2 |
This bug was fixed in the package squirrelmail - 2:1.4.15-3ubuntu0.1
---------------
squirrelmail (2:1.4.
* SECURITY UPDATE: cross site scripting issue in the HTML filter
(CVE-
- functions/mime.php: from the debian package version 1.4.15-4.
-- Kees Cook <email address hidden> Mon, 15 Dec 2008 14:33:21 -0800
Changed in squirrelmail: | |
status: | Fix Committed → Fix Released |
Andreas Wenning (andreas-wenning) wrote : | #3 |
For the fixes of gutsy and dapper, see bug 328938 for status
Changed in squirrelmail: | |
status: | New → Fix Committed |
status: | New → Fix Committed |
Launchpad Janitor (janitor) wrote : | #4 |
This bug was fixed in the package squirrelmail - 2:1.4.10a-
---------------
squirrelmail (2:1.4.
* SECURITY UPDATE: cross site scripting issue in the HTML filter.
Patch taken from upstream release. (LP: #306536)
- CVE-2008-2379
- http://
* SECURITY UPDATE: Cookies sent over HTTPS will now be confined to
HTTPS only (cookie secure flag) and more support for the HTTPOnly
cookie attribute. Patch taken from upstream release. (LP: #328938)
- CVE-2008-3663
- http://
-- Andreas Wenning <email address hidden> Fri, 13 Feb 2009 08:03:02 +0100
Changed in squirrelmail: | |
status: | Fix Committed → Fix Released |
Changed in squirrelmail (Ubuntu Dapper): | |
status: | Fix Committed → Fix Released |
This bug was fixed in the package squirrelmail - 2:1.4.13-2ubuntu1.1
---------------
squirrelmail (2:1.4.13-2ubuntu1.1) hardy-security; urgency=low
* SECURITY UPDATE: cross site scripting issue in the HTML filter
(CVE-2008-2379). LP: #306536.
- functions/mime.php: from the debian package version 1.4.15-4.
-- Reinhard Tartler <email address hidden> Tue, 09 Dec 2008 14:58:07 +0100