Bug 190884
Field | Value
---|---
Summary | CVE-2006-0188, 0195, 0377 - squirrelmail security issues
Product | [Retired] Fedora Legacy
Component | squirrelmail
Reporter | Marc Deslauriers <marc.deslauriers>
Assignee | Fedora Legacy Bugs <bugs>
Status | CLOSED ERRATA
Severity | medium
Priority | medium
Version | unspecified
CC | deisenst, nils, pekkas, tseaver
Hardware | All
OS | Linux
URL | https://rhn.redhat.com/errata/RHSA-2006-0283.html
Whiteboard | LEGACY, rh9, 1, 2, 3
Doc Type | Bug Fix
Last Closed | 2006-06-06 23:22:54 UTC

Description
Marc Deslauriers
2006-05-05 22:13:33 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Here are updated packages to QA.
e32ff605eabb23e878b9cda236313859387f3369 9/squirrelmail-1.4.6-3.rh9.1.legacy.src.rpm
ceb4415436efda0389163a82cbf895870569e68e 1/squirrelmail-1.4.6-4.fc1.1.legacy.src.rpm
3c983c43247825ce32e144475263c254936c0327 2/squirrelmail-1.4.6-4.fc2.1.legacy.src.rpm
80e23122ccde12ef52621d55fae97a6dcee4d6c2 3/squirrelmail-1.4.6-4.fc3.1.legacy.src.rpm
Downloads:
http://www.infostrategique.com/linuxrpms/legacy/9/squirrelmail-1.4.6-3.rh9.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/squirrelmail-1.4.6-4.fc1.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/squirrelmail-1.4.6-4.fc2.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/3/squirrelmail-1.4.6-4.fc3.1.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFEW+YMLMAs/0C4zNoRAn/OAJwPYF30PXx96enVhX5M1ULoz2nVigCeI/ee
Vkt60wIRnkp06dxEd2Grysg=
=FfOM
-----END PGP SIGNATURE-----

In spec file at least for RHL9, we now ship %{_sysconfdir}/squirrelmail/default_pref. I.e., the location changed. config_local.php is also installed now. Does this cause issues for upgrades? Otherwise all looks good.

default_pref and config_local.php weren't marked as config files in the old rh9 spec file. Every time a new squirrelmail package came out, the files were overwritten anyway. With the new package, the files get overwritten one last time, but now they're marked as config files, so it shouldn't be a problem anymore.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
QA w/ rpm-build-compare.sh:
- source integrity good
- no extra patches
- spec files correspond to RHEL, should be OK
+PUBLISH RHL9, FC1, FC2, FC3
e32ff605eabb23e878b9cda236313859387f3369 squirrelmail-1.4.6-3.rh9.1.legacy.src.rpm
ceb4415436efda0389163a82cbf895870569e68e squirrelmail-1.4.6-4.fc1.1.legacy.src.rpm
3c983c43247825ce32e144475263c254936c0327 squirrelmail-1.4.6-4.fc2.1.legacy.src.rpm
80e23122ccde12ef52621d55fae97a6dcee4d6c2 squirrelmail-1.4.6-4.fc3.1.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQFEXKpoGHbTkzxSL7QRAuz1AJ0TJAQXz/3eA7KWvAAl0jSld2FbtgCfSHMn
xEaciiuT9HdyTHTP/5SKXuY=
=BZZc
-----END PGP SIGNATURE-----

Packages were pushed to updates-testing

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Downloaded package does not match the md5 checksum (0e2dbf765d4df6592fad31ff331a3101fd33674e) published in the advisory (I'm assuming that this is an oversight):
$ wget http://download.fedoralegacy.org/fedora/1/updates-testing/i386/squirrelmail-1.4.6-4.fc1.1.legacy.noarch.rpm
--20:40:24-- http://download.fedoralegacy.org/fedora/1/updates-testing/i386/squirrelmail-1.4.6-4.fc1.1.legacy.noarch.rpm
=> `squirrelmail-1.4.6-4.fc1.1.legacy.noarch.rpm'
...
$ md5sum squirrelmail-1.4.6-4.fc1.1.legacy.noarch.rpm
c7897fd426e17ec8057599adf4cbe459 squirrelmail-1.4.6-4.fc1.1.legacy.noarch.rpm
RPM signature check OK:
$ rpm --checksig squirrelmail-1.4.6-4.fc1.1.legacy.noarch.rpm
squirrelmail-1.4.6-4.fc1.1.legacy.noarch.rpm: (sha1) dsa sha1 md5 gpg OK
Package installs cleanly:
Application continues to operate correctly after installation.
+VERIFY FC1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFEaSIJ+gerLs4ltQ4RAhQYAKCqLL385QX6l7uUtu6XFCB/x/9ZYACfZhxH
OolZVXOeIVmiHf50G+gmgcQ=
=R+tA
-----END PGP SIGNATURE-----

Fedora Legacy uses sha1sum checksums. Please try again using sha1sum instead of md5sum.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> Fedora Legacy uses sha1sum checksums. Please try again using sha1sum
> instead of md5sum.
D'oh! I think I've made that mistake before. I can't even read the
advisory, which clearly says '(sha1sums)' just above.
$ sha1sum squirrelmail-1.4.6-4.fc1.1.legacy.noarch.rpm
0e2dbf765d4df6592fad31ff331a3101fd33674e squirrelmail-1.4.6-4.fc1.1.legacy.noarch.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFEaT7x+gerLs4ltQ4RArwtAKC7Ctmdnrxf0T2owf4p9uV0hCPbNQCg26pg
0Iggg7ad01T5y9VMHWXNJ/Y=
=gmfn
-----END PGP SIGNATURE-----
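
An added example, not part of the original thread: the md5sum/sha1sum mix-up above can be caught by choosing the tool from the length of the published hex digest (32 characters for MD5, 40 for SHA-1) before comparing. The function names `digest_tool` and `verify_digest` and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug thread): choose the checksum tool from the
# length of the published hex digest, then compare. Integrity check only; the
# signature check in the thread (rpm --checksig) is a separate step.

# digest_tool HEX: print the coreutils tool whose output length matches HEX.
digest_tool() {
    case $1 in
        ''|*[!0-9a-fA-F]*) return 2 ;;   # not a hex string
    esac
    case ${#1} in
        32)  echo md5sum ;;
        40)  echo sha1sum ;;      # the kind Fedora Legacy advisories publish
        64)  echo sha256sum ;;
        128) echo sha512sum ;;
        *)   return 2 ;;          # unknown digest length
    esac
}

# verify_digest FILE HEX: 0 = match, 1 = mismatch, 2 = unusable digest or file.
verify_digest() {
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    tool=$(digest_tool "$want") || return 2
    [ -r "$1" ] || return 2
    got=$("$tool" < "$1" | cut -d' ' -f1)
    [ "$got" = "$want" ]
}

# Constructed sample: a file holding "abc", whose SHA-1 is a standard test vector.
sample=$(mktemp)
printf 'abc' > "$sample"
published=a9993e364706816aba3e25717850c26c9cd0d89d
if verify_digest "$sample" "$published"; then
    echo "match using $(digest_tool "$published")"
else
    echo "MISMATCH or unusable digest" >&2
fi
rm -f "$sample"
```
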

Thanks -- Timeout in two weeks.

Timeout over.

Timeout over indeed. When will the package be pushed to updates?

Very soon now, Nils. Would you like to look over the proposed FLSA release update notification I'm about to post?

Created attachment 130642
Proposed FLSA to close this issue.

Oops. Marc, for FC3, does the squirrelmail-1.4.6-4.fc3.1.legacy.noarch.rpm package also need to be put into the x86_64 directory? If so, I missed that in the proposed FLSA ...

It's OK, I'll add it in when I release it.

Packages were released to updates.