CVE-2008-2379 insufficient input sanitising
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | squirrelmail (Ubuntu) |
Medium
|
Unassigned | ||
| | Dapper |
Medium
|
Unassigned | ||
| | Gutsy |
Medium
|
Unassigned | ||
| | Hardy |
Medium
|
Unassigned | ||
| | Intrepid |
Medium
|
Unassigned | ||
| | Jaunty |
Medium
|
Unassigned | ||
Bug Description
Binary package hint: squirrelmail
- -------
Debian Security Advisory DSA-168201 security_
http://
December 07, 2008 http://
- -------
Package : squirrelmail
Vulnerability : insufficient input sanitising
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-2379
Ivan Markovic discovered that SquirrelMail, a webmail application, did not
sufficiently sanitise incoming HTML email, allowing an attacker to perform
cross site scripting through sending a malicious HTML email.
For the stable distribution (etch), this problem has been fixed in
version 1.4.9a-3.
For the unstable distribution (sid), this problem has been fixed in
version 1.4.15-4.
We recommend that you upgrade your squirrelmail package.
| Changed in squirrelmail: | |
| status: | New → Confirmed |
| Changed in squirrelmail: | |
| status: | New → Fix Committed |
| status: | Confirmed → Fix Released |
| status: | New → Fix Committed |
| importance: | Undecided → Medium |
| importance: | Undecided → Medium |
| importance: | Undecided → Medium |
| importance: | Undecided → Medium |
| importance: | Undecided → Medium |
| Launchpad Janitor (janitor) wrote : | #1 |
| Changed in squirrelmail: | |
| status: | Fix Committed → Fix Released |
| Launchpad Janitor (janitor) wrote : | #2 |
This bug was fixed in the package squirrelmail - 2:1.4.15-3ubuntu0.1
---------------
squirrelmail (2:1.4.
* SECURITY UPDATE: cross site scripting issue in the HTML filter
(CVE-
- functions/mime.php: from the debian package version 1.4.15-4.
-- Kees Cook <email address hidden> Mon, 15 Dec 2008 14:33:21 -0800
| Changed in squirrelmail: | |
| status: | Fix Committed → Fix Released |
| Andreas Wenning (andreas-wenning) wrote : | #3 |
For the fixes of gutsy and dapper, see bug 328938 for status
| Changed in squirrelmail: | |
| status: | New → Fix Committed |
| status: | New → Fix Committed |
| Launchpad Janitor (janitor) wrote : | #4 |
This bug was fixed in the package squirrelmail - 2:1.4.10a-
---------------
squirrelmail (2:1.4.
* SECURITY UPDATE: cross site scripting issue in the HTML filter.
Patch taken from upstream release. (LP: #306536)
- CVE-2008-2379
- http://
* SECURITY UPDATE: Cookies sent over HTTPS will now be confined to
HTTPS only (cookie secure flag) and more support for the HTTPOnly
cookie attribute. Patch taken from upstream release. (LP: #328938)
- CVE-2008-3663
- http://
-- Andreas Wenning <email address hidden> Fri, 13 Feb 2009 08:03:02 +0100
| Changed in squirrelmail: | |
| status: | Fix Committed → Fix Released |
| Changed in squirrelmail (Ubuntu Dapper): | |
| status: | Fix Committed → Fix Released |
This bug was fixed in the package squirrelmail - 2:1.4.13-2ubuntu1.1
---------------
squirrelmail (2:1.4.
* SECURITY UPDATE: cross site scripting issue in the HTML filter
(CVE-
- functiions/
-- Reinhard Tartler <email address hidden> Tue, 09 Dec 2008 14:58:07 +0100