Ubuntu

CVE-2008-2379 insufficient input sanitising

Reported by Reinhard Tartler on 2008-12-09
4
Affects Status Importance Assigned to Milestone
squirrelmail (Ubuntu)
Medium
Unassigned
Dapper
Medium
Unassigned
Gutsy
Medium
Unassigned
Hardy
Medium
Unassigned
Intrepid
Medium
Unassigned
Jaunty
Medium
Unassigned

Bug Description

Binary package hint: squirrelmail

- ------------------------------------------------------------------------
Debian Security Advisory DSA-168201 security_at_debian.org
http://www.debian.org/security/ Thijs Kinkhorst
December 07, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : squirrelmail
Vulnerability : insufficient input sanitising
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-2379

Ivan Markovic discovered that SquirrelMail, a webmail application, did not
sufficiently sanitise incoming HTML email, allowing an attacker to perform
cross site scripting through sending a malicious HTML email.

For the stable distribution (etch), this problem has been fixed in
version 1.4.9a-3.

For the unstable distribution (sid), this problem has been fixed in
version 1.4.15-4.

We recommend that you upgrade your squirrelmail package.

Kees Cook (kees) on 2008-12-15
Changed in squirrelmail:
status: New → Confirmed
Kees Cook (kees) on 2008-12-15
Changed in squirrelmail:
status: New → Fix Committed
status: Confirmed → Fix Released
status: New → Fix Committed
importance: Undecided → Medium
importance: Undecided → Medium
importance: Undecided → Medium
importance: Undecided → Medium
importance: Undecided → Medium
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package squirrelmail - 2:1.4.13-2ubuntu1.1

---------------
squirrelmail (2:1.4.13-2ubuntu1.1) hardy-security; urgency=low

  * SECURITY UPDATE: cross site scripting issue in the HTML filter
    (CVE-2008-2379). LP: #306536.
    - functiions/mime.php: from the debian package version 1.4.15-4.

 -- Reinhard Tartler <email address hidden> Tue, 09 Dec 2008 14:58:07 +0100

Changed in squirrelmail:
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package squirrelmail - 2:1.4.15-3ubuntu0.1

---------------
squirrelmail (2:1.4.15-3ubuntu0.1) intrepid-security; urgency=low

  * SECURITY UPDATE: cross site scripting issue in the HTML filter
    (CVE-2008-2379). LP: #306536.
    - functions/mime.php: from the debian package version 1.4.15-4.

 -- Kees Cook <email address hidden> Mon, 15 Dec 2008 14:33:21 -0800

Changed in squirrelmail:
status: Fix Committed → Fix Released

For the fixes of gutsy and dapper, see bug 328938 for status

Changed in squirrelmail:
status: New → Fix Committed
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package squirrelmail - 2:1.4.10a-2ubuntu0.1

---------------
squirrelmail (2:1.4.10a-2ubuntu0.1) gutsy-security; urgency=low

  * SECURITY UPDATE: cross site scripting issue in the HTML filter.
    Patch taken from upstream release. (LP: #306536)
    - CVE-2008-2379
    - http://www.squirrelmail.org/security/issue/2008-12-04
  * SECURITY UPDATE: Cookies sent over HTTPS will now be confined to
    HTTPS only (cookie secure flag) and more support for the HTTPOnly
    cookie attribute. Patch taken from upstream release. (LP: #328938)
    - CVE-2008-3663
    - http://www.squirrelmail.org/security/issue/2008-09-28

 -- Andreas Wenning <email address hidden> Fri, 13 Feb 2009 08:03:02 +0100

Changed in squirrelmail:
status: Fix Committed → Fix Released
Changed in squirrelmail (Ubuntu Dapper):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers