SquirrelMail decodeHeader HTML Injection Vulnerability

Solution:
The vendor has released a patch to correct this issue in version 1.4.3a of SquirrelMail. The patch may also apply to previous versions, but this has not been confirmed. A fix has been applied to CVS versions as of 23 October 2004.

SuSE Linux has released a security summary report (SUSE-SR:2005:002) that contains fixes to address this and other vulnerabilities. Customers are advised to consult the referenced advisory for information on obtaining and applying the appropriate updates.

Gentoo Linux has released advisory GLSA 200411-25 dealing with this issue. Gentoo advises that all SquirrelMail users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=mail-client/squirrelmail-1.4.3a-r2"

Note: Users with the vhosts USE flag set should manually use webapp-config to finalize the update. For more information please see the referenced Gentoo advisory.

Fedora has released advisories FEDORA-2004-471 and FEDORA-2004-472 for Fedora Core 2 and 3 respectively. Please see the referenced advisories for details on obtaining and applying fixes.

Conectiva Linux has made advisory CLA-2004:905 available dealing with this issue. Please see the referenced advisory for more information.

SGI has released advisory 20050101-01-U to address various issues in SGI Advanced Linux Environment 3. This advisory includes updated SGI ProPack 3 Service Pack 3 packages. Please see the referenced advisory for more information.

Apple Computer has released advisory APPLE-SA-2005-01-25 along with a security update dealing with this and other issues. Please see the referenced advisory for more information.


Vulnerable:
SquirrelMail SquirrelMail 1.2.10
SquirrelMail SquirrelMail 1.2.7
SquirrelMail SquirrelMail 1.4.1
SquirrelMail SquirrelMail 1.4.2
SquirrelMail SquirrelMail 1.4.3a
Apple Mac OS X Server 10.3.7
SGI ProPack 3.0
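To check an installation against the version list above, the following script is an added example, not SquirrelMail's own code or any vendor's tooling. It assumes the 1.4.x source layout in which functions/strings.php carries a line of the form $version = '1.4.3a';, and it treats any upstream release older than 1.4.3a as exposed, which extends the page's statement that the patch "may also apply to previous versions". The sample strings.php fragment is constructed for the demonstration.

```python
"""Classify a SquirrelMail version string against the affected list on this page.

Added example (not SquirrelMail or distribution code). Assumptions:
  * functions/strings.php in 1.4.x contains:  $version = '1.4.3a';
  * any upstream release older than 1.4.3a is treated as exposed
    (the page only confirms the vendor patch for 1.4.3a itself).
  * a Gentoo-style '-rN' suffix marks the ebuild revision; GLSA 200411-25
    names >=1.4.3a-r2 as fixed, so r2 and above count as fixed.
"""
import re
from typing import Optional, Tuple

# Releases this page lists as vulnerable.
LISTED_VULNERABLE = {"1.2.7", "1.2.10", "1.4.1", "1.4.2", "1.4.3a"}
# Release the vendor patch targets; CVS was fixed as of 23 October 2004.
PATCHED_BASE = "1.4.3a"
# Gentoo ebuild revision named as fixed in GLSA 200411-25.
GENTOO_FIXED_REV = 2

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-r(\d+))?$")


def parse_version(v: str) -> Tuple[int, int, int, str, int]:
    """'1.4.3a-r2' -> (1, 4, 3, 'a', 2); '1.4.2' -> (1, 4, 2, '', 0).

    Tuple order makes 1.4.3 < 1.4.3a < 1.4.3a-r2 < 1.4.4 under plain comparison.
    Distribution-specific strings (e.g. RPM releases) are rejected rather than guessed.
    """
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised SquirrelMail version: {v!r}")
    major, minor, patch, letter, rev = m.groups()
    return (int(major), int(minor), int(patch), letter, int(rev or 0))


def extract_version(strings_php: str) -> Optional[str]:
    """Pull the $version assignment out of functions/strings.php source text (assumed layout)."""
    m = re.search(r"\$version\s*=\s*['\"]([^'\"]+)['\"]\s*;", strings_php)
    return m.group(1) if m else None


def classify(version: str) -> str:
    """Return 'listed', 'older-than-patch', 'patch-base' or 'fixed-or-newer'."""
    if version in LISTED_VULNERABLE and version != PATCHED_BASE:
        return "listed"
    v, base = parse_version(version), parse_version(PATCHED_BASE)
    if v < base:
        return "older-than-patch"          # assumption: treat as exposed
    if v[:4] == base[:4]:                  # upstream 1.4.3a, any ebuild revision
        if v[4] >= GENTOO_FIXED_REV:
            return "fixed-or-newer"        # Gentoo 1.4.3a-r2 or later
        return "patch-base"                # exposed unless the vendor patch was applied
    return "fixed-or-newer"                # later upstream release (post-patch CVS)


# Constructed fragment in the style of SquirrelMail 1.4.x functions/strings.php.
SAMPLE_STRINGS_PHP = """<?php
/**
 * strings.php (constructed sample, not the real file)
 */
$version = '1.4.2';
"""


def check_install(strings_php: str) -> str:
    """Read the version out of a strings.php body and classify it."""
    found = extract_version(strings_php)
    if found is None:
        raise ValueError("no $version assignment found")
    return classify(found)


if __name__ == "__main__":
    print("sample install:", extract_version(SAMPLE_STRINGS_PHP), "->", check_install(SAMPLE_STRINGS_PHP))
    for candidate in ("1.2.7", "1.4.0", "1.4.3a", "1.4.3a-r2", "1.4.4"):
        print(f"{candidate:10s} {classify(candidate)}")
```

A "patch-base" result for 1.4.3a means the vendor patch must be verified by other means (for example by checking that the packaged decodeHeader change is present), since the version string alone does not distinguish a patched 1.4.3a from an unpatched one.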

Copyright 2010, SecurityFocus