Bug #306536 “CVE-2008-2379 insufficient input sanitising " : Bugs : “squirrelmail” package : Ubuntu

Bug Description

Binary package hint: squirrelmail

- ------------------------------------------------------------------------
Debian Security Advisory DSA-168201 security_at_debian.org
http://www.debian.org/security/ Thijs Kinkhorst
December 07, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : squirrelmail
Vulnerability : insufficient input sanitising
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-2379

Ivan Markovic discovered that SquirrelMail, a webmail application, did not
sufficiently sanitise incoming HTML email, allowing an attacker to perform
cross site scripting through sending a malicious HTML email.

For the stable distribution (etch), this problem has been fixed in
version 1.4.9a-3.

For the unstable distribution (sid), this problem has been fixed in
version 1.4.15-4.

We recommend that you upgrade your squirrelmail package.

Add tags Tag help

Related branches

lp:~siretart/+junk/bug.306536

lp:ubuntu/dapper-security/squirrelmail

lp:ubuntu/gutsy-security/squirrelmail

lp:ubuntu/hardy-updates/squirrelmail

lp:ubuntu/intrepid-security/squirrelmail

CVE References

Kees Cook (kees) on 2008-12-15

Changed in squirrelmail:
status:	New → Confirmed

Kees Cook (kees) on 2008-12-15

Changed in squirrelmail:
status:	New → Fix Committed
status:	Confirmed → Fix Released
status:	New → Fix Committed
importance:	Undecided → Medium
importance:	Undecided → Medium
importance:	Undecided → Medium
importance:	Undecided → Medium
importance:	Undecided → Medium

Launchpad Janitor (janitor) wrote on 2008-12-18:

This bug was fixed in the package squirrelmail - 2:1.4.13-2ubuntu1.1

---------------
squirrelmail (2:1.4.13-2ubuntu1.1) hardy-security; urgency=low

  * SECURITY UPDATE: cross site scripting issue in the HTML filter
    (CVE-2008-2379). LP: #306536.
    - functiions/mime.php: from the debian package version 1.4.15-4.

-- Reinhard Tartler <email address hidden> Tue, 09 Dec 2008 14:58:07 +0100

Changed in squirrelmail:
status:	Fix Committed → Fix Released

Launchpad Janitor (janitor) wrote on 2008-12-18:

This bug was fixed in the package squirrelmail - 2:1.4.15-3ubuntu0.1

---------------
squirrelmail (2:1.4.15-3ubuntu0.1) intrepid-security; urgency=low

  * SECURITY UPDATE: cross site scripting issue in the HTML filter
    (CVE-2008-2379). LP: #306536.
    - functions/mime.php: from the debian package version 1.4.15-4.

-- Kees Cook <email address hidden> Mon, 15 Dec 2008 14:33:21 -0800

Changed in squirrelmail:
status:	Fix Committed → Fix Released

Andreas Wenning (andreas-wenning) wrote on 2009-02-13:

For the fixes of gutsy and dapper, see bug 328938 for status

Marc Deslauriers (mdeslaur) on 2009-03-25

Changed in squirrelmail:
status:	New → Fix Committed
status:	New → Fix Committed

Launchpad Janitor (janitor) wrote on 2009-03-26:

This bug was fixed in the package squirrelmail - 2:1.4.10a-2ubuntu0.1

---------------
squirrelmail (2:1.4.10a-2ubuntu0.1) gutsy-security; urgency=low

  * SECURITY UPDATE: cross site scripting issue in the HTML filter.
    Patch taken from upstream release. (LP: #306536)
    - CVE-2008-2379
    - http://www.squirrelmail.org/security/issue/2008-12-04
  * SECURITY UPDATE: Cookies sent over HTTPS will now be confined to
    HTTPS only (cookie secure flag) and more support for the HTTPOnly
    cookie attribute. Patch taken from upstream release. (LP: #328938)
    - CVE-2008-3663
    - http://www.squirrelmail.org/security/issue/2008-09-28

-- Andreas Wenning <email address hidden> Fri, 13 Feb 2009 08:03:02 +0100

Changed in squirrelmail:
status:	Fix Committed → Fix Released

Marc Deslauriers (mdeslaur) on 2009-03-26

Changed in squirrelmail (Ubuntu Dapper):
status:	Fix Committed → Fix Released

Ubuntu

CVE-2008-2379 insufficient input sanitising

Bug Description

Related branches

CVE References

Other bug subscribers