_______________________________________________________________________
Package : squirrelmail
Date : May 12, 2009
Affected: Corporate 4.0
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities have been identified and corrected in
squirrelmail:
Two issues were fixed that both allowed an attacker to run arbitrary
script (XSS) on most any SquirrelMail page by getting the user to
click on specially crafted SquirrelMail links (CVE-2009-1578).
An issue was fixed wherein input to the contrib/decrypt_headers.php
script was not sanitized and allowed arbitrary script execution upon
submission of certain values (CVE-2009-1578).
An issue was fixed that allowed arbitrary server-side code execution
when SquirrelMail was configured to use the example map_yp_alias
username mapping functionality (CVE-2009-1579).
An issue was fixed that allowed an attacker to possibly steal user
data by hijacking the SquirrelMail login session (CVE-2009-1580).
An issue was fixed that allowed phishing and cross-site scripting
(XSS) attacks to be run by surreptitious placement of content in
specially-crafted emails sent to SquirrelMail users (CVE-2009-1581).
Additionally, many of the bundled plugins have been upgraded. Basically
this is a synchronization with the latest squirrelmail package found
in Mandriva Cooker. The rpm changelog will reveal all the changes
(rpm -q --changelog squirrelmail).
The updated packages have been upgraded to the latest version of
squirrelmail to prevent this.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cg ... -2009-1578
http://cve.mitre.org/cgi-bin/cvename.cg ... -2009-1579
http://cve.mitre.org/cgi-bin/cvename.cg ... -2009-1580
http://cve.mitre.org/cgi-bin/cvename.cg ... -2009-1581
_______________________________________________________________________