  * SECURITY UPDATE: (LP: #375513)
  * Multiple cross site scripting issues. Two issues were fixed that both
    allowed an attacker to run arbitrary script (XSS) on most any
    SquirrelMail page by getting the user to click on specially crafted
    SquirrelMail links.
    - http://squirrelmail.org/security/issue/2009-05-08
    - CVE-2009-1578
    - Patch taken from upstream svn rev. 13670. Applied inline.
  * Cross site scripting issues in decrypt_headers.php. An issue was fixed
    wherein input to the contrib/decrypt_headers.php script was not sanitized
    and allowed arbitrary script execution upon submission of certain values.
    - http://squirrelmail.org/security/issue/2009-05-09
    - CVE-2009-1578
    - Patch taken from upstream svn rev. 13672. Applied inline.
  * Server-side code injection in map_yp_alias username map. An issue was
    fixed that allowed arbitrary server-side code execution when SquirrelMail
    was configured to use the example "map_yp_alias" username mapping
    functionality.
    - http://squirrelmail.org/security/issue/2009-05-10
    - CVE-2009-1579
    - Patch taken from upstream svn rev. 13674. Applied inline.
  * Session fixation vulnerability. An issue was fixed that allowed an
    attacker to possibly steal user data by hijacking the SquirrelMail
    login session.
    - http://squirrelmail.org/security/issue/2009-05-11
    - CVE-2009-1580
    - Patch taken from upstream svn rev. 13676. Applied inline.
  * CSS positioning vulnerability. An issue was fixed that allowed phishing
    and cross-site scripting (XSS) attacks to be run by surreptitious
    placement of content in specially-crafted emails sent to SquirrelMail
    users.
    - http://squirrelmail.org/security/issue/2009-05-12
    - CVE-2009-1581
    - Patch taken from upstream svn rev. 13667. Applied inline.

 -- Andreas Wenning <email address hidden>  Tue, 12 May 2009 21:06:15 +0200
This bug was fixed in the package squirrelmail - 2:1.4.15-4ubuntu0.1
---------------
squirrelmail (2:1.4.15-4ubuntu0.1) jaunty-security; urgency=low