DSA 662-2: New squirrelmail package fixes regression
Posted on: 03/14/2005 10:23 AM

A new squirrelmail package has been released for Debian GNU/Linux

Debian Security Advisory DSA 662-2                        security@debian.org
http://www.debian.org/security/                              Martin Schulze
March 14th, 2005                         http://www.debian.org/security/faq

Package : squirrelmail
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-0104 CAN-2005-0152
Debian Bug : 292714 295836

Andrew Archibald discovered that the last update to squirrelmail, which was intended to fix several problems, caused a regression that is exposed when the user hits a session timeout. For completeness, the original advisory text follows:

Several vulnerabilities have been discovered in Squirrelmail, a commonly used webmail system. The Common Vulnerabilities and Exposures project identifies the following problems:
CAN-2005-0104

    Upstream developers noticed that an unsanitised variable could lead to cross site scripting.

CAN-2005-0152

    Grant Hollingworth discovered that under certain circumstances URL manipulation could lead to the execution of arbitrary code with the privileges of www-data. This problem only exists in version 1.2.6 of Squirrelmail.

For the stable distribution (woody) these problems have been fixed in version 1.2.6-3.

The correction in the unstable distribution (sid) is not affected by this regression.

We recommend that you upgrade your squirrelmail package.

Upgrade Instructions

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody

Source archives:

Size/MD5 checksum: 646 1de7e6666fccf9bec33415a8f087aec6
Size/MD5 checksum: 21411 ec0e038ffe18e2035fccac02eb31ba21
Size/MD5 checksum: 1856087 be9e6be1de8d3dd818185d596b41a7f1

Architecture independent components:

Size/MD5 checksum: 1840798 13cfdb962ff49d27edee7ec6686a8265

These files will probably be moved into the stable distribution on its next update.
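The manual upgrade path above (wget, then dpkg -i) leaves the operator responsible for checking that the downloaded file is the one the advisory lists. The following helper is an added example, not part of the Debian advisory or of the squirrelmail package, that compares a downloaded file's byte count and MD5 digest against the "Size/MD5 checksum" values published above before handing it to dpkg. It assumes GNU coreutils (md5sum, wc) and dpkg are present; the file name in the usage line is a placeholder, since the advisory text here does not carry the download URLs.

```shell
#!/bin/sh
# Added example: verify a downloaded .deb against the size and MD5 digest
# published in the advisory before installing it. Not Debian's own tooling.

# verify_md5 FILE EXPECTED_MD5 -> 0 when the digest matches, 1 otherwise
verify_md5() {
    file=$1
    expected=$2
    [ -f "$file" ] || return 1
    actual=$(md5sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# verify_size FILE EXPECTED_BYTES -> 0 when the byte count matches, 1 otherwise
verify_size() {
    file=$1
    expected=$2
    [ -f "$file" ] || return 1
    actual=$(wc -c < "$file" | tr -d ' ')
    [ "$actual" = "$expected" ]
}

# install_verified FILE EXPECTED_BYTES EXPECTED_MD5
# Runs dpkg -i only when both the size and the digest match the advisory.
install_verified() {
    if verify_size "$1" "$2" && verify_md5 "$1" "$3"; then
        dpkg -i "$1"
    else
        echo "size or MD5 mismatch for $1; refusing to install" >&2
        return 1
    fi
}

# Usage: FILE.deb is a placeholder for the architecture-independent package;
# the size and digest are the values printed in the advisory above.
# install_verified FILE.deb 1840798 13cfdb962ff49d27edee7ec6686a8265
```

MD5 was the digest Debian published in 2005; treat the comparison as a guard against a corrupted or mismatched download, not as proof of origin. The signed advisory mail and the archive's own signatures remain the authority on which files are genuine, so a mismatch should lead to re-fetching from a Debian mirror rather than to editing the expected value.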

Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/dsa_662_2_new_squirrelmail_package_fixes_regression.html)