[CVE-2009-1381] Incomplete fix for CVE-2009-1579
Bug #396306 reported by Andreas Wenning
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
squirrelmail (Ubuntu) | Fix Released | Undecided | Unassigned |
Dapper | Won't Fix | High | Unassigned |
Hardy | Fix Released | High | Unassigned |
Intrepid | Fix Released | High | Unassigned |
Jaunty | Fix Released | High | Unassigned |
Karmic | Fix Released | Undecided | Unassigned |
Bug Description
Binary package hint: squirrelmail
Server-side code injection in map_yp_alias username map
An issue was fixed that allowed arbitrary server-side code execution when SquirrelMail was configured to use the example "map_yp_alias" username mapping functionality.
This functionality is not enabled by default.
The fix in 1.4.18 was incomplete; upgrade to 1.4.19 or use the patch referenced below for full protection.
Changed in squirrelmail (Ubuntu):
status: New → Fix Released
Changed in squirrelmail (Ubuntu Jaunty):
assignee: nobody → Andreas Wenning (andreas-wenning)
importance: Undecided → High
status: New → In Progress
Changed in squirrelmail (Ubuntu Intrepid):
assignee: nobody → Andreas Wenning (andreas-wenning)
status: New → In Progress
importance: Undecided → High
Changed in squirrelmail (Ubuntu Hardy):
assignee: nobody → Andreas Wenning (andreas-wenning)
importance: Undecided → High
status: New → In Progress
visibility: private → public
Changed in squirrelmail (Ubuntu Hardy):
status: In Progress → Fix Committed
Changed in squirrelmail (Ubuntu Intrepid):
status: In Progress → Fix Committed
Changed in squirrelmail (Ubuntu Jaunty):
status: In Progress → Fix Committed
Changed in squirrelmail (Ubuntu Dapper):
status: Incomplete → Won't Fix
Here come the debdiffs for jaunty, intrepid and hardy. All of them have been tested.
First, jaunty.