diff -u squirrelmail-1.4.6/functions/global.php squirrelmail-1.4.6/functions/global.php
--- squirrelmail-1.4.6/functions/global.php
+++ squirrelmail-1.4.6/functions/global.php
@@ -102,13 +102,29 @@
 }
 }
-
-
-/* strip any tags added to the url from PHP_SELF. This fixes hand crafted url XXS expoits for any page that uses PHP_SELF as the FORM action */
-$_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']);
+/**
+ * Strip any tags added to the url from PHP_SELF.
+ * This fixes hand crafted url XXS expoits for any
+ * page that uses PHP_SELF as the FORM action.
+ * Must be executed before strings.php is loaded (php_self() call in strings.php).
+ * Update: strip_tags() won't catch something like
+ * src/right_main.php?sort=0&startMessage=1&mailbox=INBOX&xxx=">
+ * or
+ * contrib/decrypt_headers.php/%22%20onmouseover=%22alert(%27hello%20world%27)%22%3E
+ * because it doesn't bother with broken tags.
+ * htmlspecialchars() is the preferred method.
+ */
+if (isset($_SERVER['PHP_SELF'])) {
+ $_SERVER['PHP_SELF'] = htmlspecialchars($_SERVER['PHP_SELF']);
+}
+/*
+ * same needed for QUERY_STRING because SquirrelMail
+ * uses it along with PHP_SELF when using location
+ * strings
+ */
+if (isset($_SERVER['QUERY_STRING'])) {
+ $_SERVER['QUERY_STRING'] = htmlspecialchars($_SERVER['QUERY_STRING']);
+}
 /**
 * returns true if current php version is at mimimum a.b.c
diff -u squirrelmail-1.4.6/functions/mime.php squirrelmail-1.4.6/functions/mime.php
--- squirrelmail-1.4.6/functions/mime.php
+++ squirrelmail-1.4.6/functions/mime.php
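Review bot: Both new `htmlspecialchars()` calls on `$_SERVER['PHP_SELF']` and `$_SERVER['QUERY_STRING']` use the default flags, which on the PHP versions this targets (ENT_COMPAT) leave the single quote unencoded, so any page that writes either value into a `'`-delimited attribute is still injectable; pass the flag explicitly, e.g. `$_SERVER['PHP_SELF'] = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES);` and likewise for QUERY_STRING. Encoding for HTML at input time also changes the value for every other consumer: the comment says QUERY_STRING is used "when using location strings", and if that means a `Location:` header, `&` will reach it as `&amp;`, so it is worth confirming those call sites rebuild the URL from unencoded parts. Presumably that trade-off was accepted for a one-place fix; a comment stating that PHP_SELF and QUERY_STRING are HTML-encoded from this point on would keep a later reader from escaping them a second time.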
@@ -1814,6 +1814,12 @@
 /**
 * Fix stupid css declarations which lead to vulnerabilities
 * in IE.
+ *
+ * Also remove "position" attribute, as it can easily be set
+ * to "fixed" or "absolute" with "left" and "top" attributes
+ * of zero, taking over the whole content frame. It can also
+ * be set to relative and move itself anywhere it wants to,
+ * displaying content in areas it shouldn't be allowed to touch.
 */
 $match = Array('/\/\*.*\*\//',
 '/expression/i',
@@ -1821,8 +1827,9 @@
 '/binding/i',
 '/include-source/i',
 '/javascript/i',
- '/script/i');
- $replace = Array('','idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy');
+ '/script/i',
+ '/position/i');
+ $replace = Array('','idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy', '');
 $contentNew = preg_replace($match, $replace, $contentTemp);
 if ($contentNew !== $contentTemp) {
 // insecure css declarations are used. From now on we don't care
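Review bot: The new `'/position/i'` entry in `$match` matches only the literal word, so a property name written with a CSS backslash escape (`p\osition: fixed`, which a parser that honours escapes reads as `position`) passes this filter untouched; the second hunk in this same file guards `url` against exactly that with `(\\\\)?u(\\\\)?r(\\\\)?l(\\\\)?`, but `position` gets no such treatment in either place. Either strip backslashes from `$contentTemp` before running `$match`, or use an escape-tolerant pattern such as `'/p(\\\\)?o(\\\\)?s(\\\\)?i(\\\\)?t(\\\\)?i(\\\\)?o(\\\\)?n/i'`. The `''` replacement for it, unlike the `'idiocy'` used for every other entry, is presumably deliberate but reads as an oversight; a short comment on why `position` is deleted rather than poisoned would help. The enclosing function begins before this hunk.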
@@ -2209,12 +2216,28 @@
 "/binding/i",
 "/behaviou*r/i",
 "/include-source/i",
- "/position\s*:\s*absolute/i",
+
+ // position:relative can also be exploited
+ // to put content outside of email body area
+ // and position:fixed is similarly exploitable
+ // as position:absolute, so we'll remove it
+ // altogether....
+ //
+ // Does this screw up legitimate HTML messages?
+ // If so, the only fix I see is to allow position
+ // attributes (any values? I think we still have
+ // to block static and fixed) only if $use_iframe
+ // is enabled (1.5.0+)
+ //
+ // was: "/position\s*:\s*absolute/i",
+ //
+ "/position\s*:/i",
+ "/(\\\\)?u(\\\\)?r(\\\\)?l(\\\\)?/i",
 "/url\s*\(\s*([\'\"])\s*\S+script\s*:.*([\'\"])\s*\)/si",
 "/url\s*\(\s*([\'\"])\s*mocha\s*:.*([\'\"])\s*\)/si",
 "/url\s*\(\s*([\'\"])\s*about\s*:.*([\'\"])\s*\)/si",
- "/(.*)\s*:\s*url\s*\(\s*([\'\"]*)\s*\S+script\s*:.*([\'\"]*)\s*\)/si"
+ "/(.*)\s*:\s*url\s*\(\s*([\'\"]*)\s*\S+script\s*:.*([\'\"]*)\s*\)/si",
 ),
 Array(
 "",
diff -u squirrelmail-1.4.6/debian/changelog squirrelmail-1.4.6/debian/changelog
--- squirrelmail-1.4.6/debian/changelog
+++ squirrelmail-1.4.6/debian/changelog
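Review bot: The new `"/(\\\\)?u(\\\\)?r(\\\\)?l(\\\\)?/i"` pattern is inserted ahead of the three `url\s*\(\s*...script|mocha|about...` patterns and the `(.*)\s*:\s*url\s*\(` one, and `preg_replace()` applies array patterns in order, so by the time those run every `url` token has already been rewritten; if its replacement is `""` like the other entries visible at the top of the replacement array (the rest of that array is outside this hunk), the four `url(...)` patterns can no longer match anything and are dead. Either move the broad pattern after them or delete them with a comment explaining that `url` is now removed wholesale. Note also that `"/position\s*:/i"` is a plain literal match while `url` on the very next line is guarded against backslash escapes; the same escape trick defeats the `position` rule. The enclosing `preg_replace()` call and its function start before this hunk and end after it.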
@@ -1,3 +1,36 @@
+squirrelmail (2:1.4.6-1ubuntu0.4) dapper-security; urgency=low
+
+ * SECURITY UPDATE: (LP: #375513)
+ * Multiple cross site scripting issues. Two issues were fixed that both allowed an attacker to run arbitrary script (XSS) on most any SquirrelMail page by getting the user to click on specially crafted SquirrelMail links.
+ - http://squirrelmail.org/security/issue/2009-05-08
+ - CVE-2009-1578
+ - Patch taken from upstream svn rev. 13670. Applied inline.
+ * Cross site scripting issues in decrypt_headers.php. An issue was fixed wherein input to the contrib/decrypt_headers.php script was not sanitized and allowed arbitrary script execution upon submission of certain values.
+ - http://squirrelmail.org/security/issue/2009-05-09
+ - CVE-2009-1578
+ - Patch taken from upstream svn rev. 13672. Applied inline.
+ * Server-side code injection in map_yp_alias username map. An issue was fixed that allowed arbitrary server-side code execution when SquirrelMail was configured to use the example "map_yp_alias" username mapping functionality.
+ - http://squirrelmail.org/security/issue/2009-05-10
+ - CVE-2009-1579
+ - Patch taken from upstream svn rev. 13674. Applied inline.
+ * CSS positioning vulnerability. An issue was fixed that allowed phishing and cross-site scripting (XSS) attacks to be run by surreptitious placement of content in specially-crafted emails sent to SquirrelMail users.
+ - http://squirrelmail.org/security/issue/2009-05-12
+ - CVE-2009-1581
+ - Patch taken from upstream svn rev. 13667. Applied inline.
+
+ -- Andreas Wenning Tue, 12 May 2009 23:49:37 +0200
+
 squirrelmail (2:1.4.6-1ubuntu0.3) dapper-security; urgency=low
 * SECURITY UPDATE: Possible cookie theft in src/redirect.php if
diff -u squirrelmail-1.4.6/debian/control squirrelmail-1.4.6/debian/control
--- squirrelmail-1.4.6/debian/control
+++ squirrelmail-1.4.6/debian/control
@@ -1,7 +1,8 @@
 Source: squirrelmail
 Section: web
 Priority: optional
-Maintainer: Jeroen van Wolffelaar
+Maintainer: Ubuntu MOTU Developers
+XSBC-Original-Maintainer: Jeroen van Wolffelaar
 Uploaders: Thijs Kinkhorst , Sam Johnston
 Build-Depends: debhelper (>= 5)
 Standards-Version: 3.6.2
only in patch2: unchanged:
--- squirrelmail-1.4.6.orig/contrib/decrypt_headers.php
+++ squirrelmail-1.4.6/contrib/decrypt_headers.php
@@ -31,7 +31,7 @@
 define('SM_PATH','../');
 /**
- * include SquirrelMail string functions
+ * include SquirrelMail string and generic functions
 * script needs OneTimePadDecrypt() (functions/strings.php)
 * and sqgetGlobalVar() (functions/global.php, loaded by strings.php)
 */
@@ -73,23 +73,30 @@
 ."";
 if (sqgetGlobalVar('submit',$submit,SQ_POST)) {
+ $continue = TRUE;
 if (! sqgetGlobalVar('secret',$secret,SQ_POST) ||
- empty($secret))
- echo "

You must enter encryption key.

\n"; + empty($secret)) { + $continue = FALSE; + echo "

You must enter an encryption key.

\n"; + } if (! sqgetGlobalVar('enc_string',$enc_string,SQ_POST) || - empty($enc_string)) - echo "

You must enter encrypted string.

\n"; - - if (isset($enc_string) && ! base64_decode($enc_string)) { - echo "

Encrypted string should be BASE64 encoded.
\n" - ."Please enter all characters that are listed after header name.

\n"; - } elseif (isset($secret)) { - $string=OneTimePadDecrypt($enc_string,base64_encode($secret)); + empty($enc_string)) { + $continue = FALSE; + echo "

You must enter an encrypted string.

\n"; + } - if (sqgetGlobalVar('ip_addr',$is_addr,SQ_POST)) { - $string=hex2ip($string); + if ($continue) { + if (isset($enc_string) && ! base64_decode($enc_string)) { + echo "

Encrypted string should be BASE64 encoded.
\n" + ."Please enter all characters that are listed after header name.

\n"; + } elseif (isset($secret)) { + $string=OneTimePadDecrypt($enc_string,base64_encode($secret)); + + if (sqgetGlobalVar('ip_addr',$is_addr,SQ_POST)) { + $string=hex2ip($string); + } + echo "

Decoded string: ".htmlspecialchars($string)."

\n"; } - echo "

Decoded string: ".$string."

\n"; } echo "
"; } @@ -98,7 +105,7 @@
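Review bot: The re-indented `if (isset($enc_string) && ! base64_decode($enc_string))` inside the new `if ($continue)` block still does not validate that the input is base64: without the strict flag `base64_decode()` silently skips invalid characters and returns a string for almost any input, and the truthiness test also rejects a valid string whose decoded value is `""` or `"0"`; use `base64_decode($enc_string, true) === false` for that check. Separately, `sqgetGlobalVar('ip_addr',$is_addr,SQ_POST)` stores into `$is_addr`, which is never read, while the field is named `ip_addr`; renaming it to `$ip_addr`, or a comment saying only the return value matters, would stop a later reader from "fixing" it. Wrapping the decoded output in `htmlspecialchars($string)` is the right change for the echoed text.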

Secret key:
Encrypted string:
-Check, if it is an address string:
+

only in patch2: unchanged:
--- squirrelmail-1.4.6.orig/functions/imap_general.php
+++ squirrelmail-1.4.6/functions/imap_general.php
@@ -947,7 +947,7 @@
 * LDAP whatever way to find the users IMAP server.
 */
 function map_yp_alias($username) {
- $yp = `ypmatch $username aliases`;
+ $yp = `ypmatch ' . escapeshellarg($username) . ' aliases`;
 return chop(substr($yp, strlen($username)+1));
 }
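Review bot: The replacement line in `map_yp_alias()` does not call `escapeshellarg()` at all: PHP's backtick operator interpolates its contents like a double-quoted string, it does not evaluate them as an expression, so the shell receives the literal text `ypmatch ' . escapeshellarg(` followed by the raw, interpolated `$username`, followed by `) . ' aliases`. The only thing standing between the username and the shell is the pair of single quotes that happen to surround it, and a username containing `'` closes that quoting and injects commands exactly as before, while a benign username makes `ypmatch` receive a garbage first argument. Escape first and interpolate the result, e.g. `$safe_username = escapeshellarg($username);` then `$yp = shell_exec("ypmatch $safe_username aliases");` (equivalent to the backtick form). The `substr($yp, strlen($username)+1)` on the next line relies on ypmatch echoing the unescaped name back, which still holds with that change.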