[CVE-2009-1381] Incomplete fix for CVE-2009-1579

Bug #396306 reported by Andreas Wenning
Affects                Status         Importance   Assigned to   Milestone
squirrelmail (Ubuntu)  Fix Released   Undecided    Unassigned
Dapper                 Won't Fix      High         Unassigned
Hardy                  Fix Released   High         Unassigned
Intrepid               Fix Released   High         Unassigned
Jaunty                 Fix Released   High         Unassigned
Karmic                 Fix Released   Undecided    Unassigned

Bug Description

Binary package hint: squirrelmail

Server-side code injection in map_yp_alias username map

An issue was fixed that allowed arbitrary server-side code execution when SquirrelMail was configured to use the example "map_yp_alias" username mapping functionality.

This functionality is not enabled by default.

The fix in 1.4.18 was incomplete; upgrade to 1.4.19 or use the patch referenced below for full protection.

Changed in squirrelmail (Ubuntu):
status: New → Fix Released
Changed in squirrelmail (Ubuntu Jaunty):
assignee: nobody → Andreas Wenning (andreas-wenning)
importance: Undecided → High
status: New → In Progress
Changed in squirrelmail (Ubuntu Intrepid):
assignee: nobody → Andreas Wenning (andreas-wenning)
status: New → In Progress
importance: Undecided → High
Changed in squirrelmail (Ubuntu Hardy):
assignee: nobody → Andreas Wenning (andreas-wenning)
importance: Undecided → High
status: New → In Progress
visibility: private → public
Andreas Wenning (andreas-wenning) wrote :

Here come the debdiffs for jaunty, intrepid and hardy. All of them have been tested.

First jaunty.

Andreas Wenning (andreas-wenning) wrote :

Next intrepid.

Andreas Wenning (andreas-wenning) wrote :

And lastly hardy.

Andreas Wenning (andreas-wenning) wrote :

Dapper is affected by the original problem as that hasn't been fixed; see bug 375513.

Changed in squirrelmail (Ubuntu Dapper):
importance: Undecided → High
status: New → Incomplete
Changed in squirrelmail (Ubuntu Hardy):
assignee: Andreas Wenning (andreas-wenning) → nobody
Changed in squirrelmail (Ubuntu Intrepid):
assignee: Andreas Wenning (andreas-wenning) → nobody
Changed in squirrelmail (Ubuntu Jaunty):
assignee: Andreas Wenning (andreas-wenning) → nobody
Changed in squirrelmail (Ubuntu Hardy):
status: In Progress → Fix Committed
Changed in squirrelmail (Ubuntu Intrepid):
status: In Progress → Fix Committed
Changed in squirrelmail (Ubuntu Jaunty):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package squirrelmail - 2:1.4.13-2ubuntu1.4

---------------
squirrelmail (2:1.4.13-2ubuntu1.4) hardy-security; urgency=low

  * SECURITY UPDATE: (LP: #396306)
  * Server-side code injection in map_yp_alias username map. An issue was
    fixed that allowed arbitrary server-side code execution when SquirrelMail
    was configured to use the example "map_yp_alias" username mapping
    functionality.
    - Fixes incomplete fix for CVE-2009-1579
    - http://squirrelmail.org/security/issue/2009-05-10
    - CVE-2009-1381
    - Patch taken from upstream svn rev. 13733. Applied inline.

 -- Andreas Wenning <email address hidden> Tue, 07 Jul 2009 02:50:06 +0200

Changed in squirrelmail (Ubuntu Hardy):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package squirrelmail - 2:1.4.15-3ubuntu0.3

---------------
squirrelmail (2:1.4.15-3ubuntu0.3) intrepid-security; urgency=low

  * SECURITY UPDATE: (LP: #396306)
  * Server-side code injection in map_yp_alias username map. An issue was
    fixed that allowed arbitrary server-side code execution when SquirrelMail
    was configured to use the example "map_yp_alias" username mapping
    functionality.
    - Fixes incomplete fix for CVE-2009-1579
    - http://squirrelmail.org/security/issue/2009-05-10
    - CVE-2009-1381
    - Patch taken from upstream svn rev. 13733. Applied inline.

 -- Andreas Wenning <email address hidden> Tue, 07 Jul 2009 02:48:17 +0200

Changed in squirrelmail (Ubuntu Intrepid):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package squirrelmail - 2:1.4.15-4ubuntu0.2

---------------
squirrelmail (2:1.4.15-4ubuntu0.2) jaunty-security; urgency=low

  * SECURITY UPDATE: (LP: #396306)
  * Server-side code injection in map_yp_alias username map. An issue was
    fixed that allowed arbitrary server-side code execution when SquirrelMail
    was configured to use the example "map_yp_alias" username mapping
    functionality.
    - Fixes incomplete fix for CVE-2009-1579
    - http://squirrelmail.org/security/issue/2009-05-10
    - CVE-2009-1381
    - Patch taken from upstream svn rev. 13733. Applied inline.

 -- Andreas Wenning <email address hidden> Tue, 07 Jul 2009 02:39:55 +0200

Changed in squirrelmail (Ubuntu Jaunty):
status: Fix Committed → Fix Released
Rolf Leggewie (r0lf)
Changed in squirrelmail (Ubuntu Dapper):
status: Incomplete → Won't Fix