Comment 9 for bug 375513

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package squirrelmail - 2:1.4.13-2ubuntu1.3

---------------
squirrelmail (2:1.4.13-2ubuntu1.3) hardy-security; urgency=low

  * SECURITY UPDATE: (LP: #375513)
  * Multiple cross site scripting issues. Two issues were fixed that both
    allowed an attacker to run arbitrary script (XSS) on most any
    SquirrelMail page by getting the user to click on specially crafted
    SquirrelMail links.
    - http://squirrelmail.org/security/issue/2009-05-08
    - CVE-2009-1578
    - Patch taken from upstream svn rev. 13670. Applied inline.
  * Cross site scripting issues in decrypt_headers.php. An issue was fixed
    wherein input to the contrib/decrypt_headers.php script was not sanitized
    and allowed arbitrary script execution upon submission of certain values.
    - http://squirrelmail.org/security/issue/2009-05-09
    - CVE-2009-1578
    - Patch taken from upstream svn rev. 13672. Applied inline.
  * Server-side code injection in map_yp_alias username map. An issue was
    fixed that allowed arbitrary server-side code execution when SquirrelMail
    was configured to use the example "map_yp_alias" username mapping
    functionality.
    - http://squirrelmail.org/security/issue/2009-05-10
    - CVE-2009-1579
    - Patch taken from upstream svn rev. 13674. Applied inline.
  * Session fixation vulnerability. An issue was fixed that allowed an
    attacker to possibly steal user data by hijacking the SquirrelMail
    login session.
    - http://squirrelmail.org/security/issue/2009-05-11
    - CVE-2009-1580
    - Patch taken from upstream svn rev. 13676. Applied inline.
  * CSS positioning vulnerability. An issue was fixed that allowed phishing
    and cross-site scripting (XSS) attacks to be run by surreptitious
    placement of content in specially-crafted emails sent to SquirrelMail
    users.
    - http://squirrelmail.org/security/issue/2009-05-12
    - CVE-2009-1581
    - Patch taken from upstream svn rev. 13667. Applied inline.

 -- Andreas Wenning <email address hidden> Tue, 12 May 2009 21:13:30 +0200
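The session fixation item above (CVE-2009-1580) is the one fix in this changelog with a mechanism worth spelling out: if a webmail application keeps using whatever session ID the browser arrived with after a successful login, an ID that was planted before authentication becomes an authenticated one. The following is an added illustration of the standard defence in a PHP login handler; it is not SquirrelMail's code or the upstream patch, and `checkCredentials()` with its single constructed user is a hypothetical stand-in for a real credential check.

```php
<?php
// Added example (not SquirrelMail code): defending a PHP login against
// session fixation by discarding the pre-authentication session ID.
// checkCredentials() is a hypothetical stand-in for the real password check.

declare(strict_types=1);

function checkCredentials(string $user, string $password): bool
{
    // Constructed single-user store; a real application reads a hash from storage.
    $users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

function startHardenedSession(): void
{
    // Cookie-only session IDs: an ID carried in the URL is the classic
    // fixation vector, since a link can carry a chosen ID to the victim.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Strict mode: the server refuses to adopt an ID it never issued itself.
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => isset($_SERVER['HTTPS']),
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login(string $user, string $password): bool
{
    startHardenedSession();
    if (!checkCredentials($user, $password)) {
        return false;
    }
    // The core fix: whatever ID the browser arrived with is thrown away and a
    // fresh one is issued, so a pre-set ID never becomes a logged-in one.
    // The old session file is deleted (true) rather than left behind.
    session_regenerate_id(true);
    $_SESSION = [];                   // drop any state attached to the old ID
    $_SESSION['user']       = $user;
    $_SESSION['login_time'] = time();
    return true;
}

function logout(): void
{
    session_start();
    $_SESSION = [];
    // Expire the cookie client-side as well as destroying the server-side record.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

The two settings that matter most are `session.use_strict_mode`, which stops the server from accepting an attacker-chosen ID in the first place, and the `session_regenerate_id(true)` call at the privilege boundary, which makes any ID that was observed or planted before login worthless afterwards. Regenerating on every privilege change (login, role elevation) rather than only at login closes the same gap for later transitions.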