Bug 424791
| Field | Value |
|---|---|
| Summary | Upgrade to SquirrelMail 1.4.13 |
| Product | Fedora |
| Reporter | Robert Scheck <redhat-bugzilla> |
| Component | squirrelmail |
| Assignee | Martin Bacovsky <mbacovsk> |
| Status | CLOSED DUPLICATE |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | low |
| Priority | low |
| Version | rawhide |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2007-12-14 21:47:38 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
Description
Robert Scheck
2007-12-14 09:17:25 UTC
ANNOUNCE: SquirrelMail 1.4.13 Released

Dec 14, 2007 by Jonathan Angliss

Due to the package compromise of 1.4.11 and 1.4.12, we are forced to release 1.4.13 to ensure no confusion. While initial review didn't uncover a need for concern, several proofs of concept show that the package alterations introduce a high-risk security issue, allowing remote inclusion of files. These changes would allow a remote user the ability to execute exploit code on a victim machine, without any user interaction on the victim's server. This could grant the attacker the ability to deploy further code on the victim's server.

We STRONGLY advise all users of 1.4.11 and 1.4.12 upgrade immediately.

SquirrelMail packages as shipped with Fedora 7, Fedora 8 and Fedora development are all based on a clean and uncompromised tarball, therefore they are not vulnerable to this issue. An update to 1.4.13 might be issued to avoid confusion and assure users that their installation is not backdoored.

*** This bug has been marked as a duplicate of 425291 ***
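The statement that the Fedora packages were built from an uncompromised tarball rests on a packager being able to show that the archive in hand matches a known-good copy. The script below is an added example, not code from the SquirrelMail project or this bug report: it compares two tarballs member by member and reports files that were added, removed or modified, which is exactly the kind of evidence that distinguishes a clean upstream archive from a silently replaced one. The archives and file names it uses are constructed in memory so it runs offline; a real check would pass the previously verified tarball and the newly downloaded one.

```python
"""Member-level comparison of a candidate source tarball against a known-good copy.

Added example; the archives below are constructed in memory and the file names
are placeholders, not the files involved in any real release.
"""
import hashlib
import io
import tarfile


def member_digests(tar_bytes: bytes) -> dict:
    """Return {member_name: sha256_hex} for every regular file in a .tar.gz blob."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar:
            if not member.isfile():
                continue  # directories, symlinks etc. carry no content to hash
            fobj = tar.extractfile(member)
            digests[member.name] = hashlib.sha256(fobj.read()).hexdigest()
    return digests


def diff_tarballs(known_good: bytes, candidate: bytes) -> dict:
    """Classify members as added, removed or modified relative to the known-good archive."""
    good = member_digests(known_good)
    cand = member_digests(candidate)
    return {
        "added": sorted(set(cand) - set(good)),
        "removed": sorted(set(good) - set(cand)),
        "modified": sorted(n for n in good if n in cand and good[n] != cand[n]),
    }


def check_release(known_good: bytes, candidate: bytes) -> bool:
    """True only when the candidate archive's content matches the known-good one exactly."""
    d = diff_tarballs(known_good, candidate)
    return not (d["added"] or d["removed"] or d["modified"])


def build_tarball(files: dict) -> bytes:
    """Build an in-memory .tar.gz from {path: text} (used only for the constructed samples)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample archives: the "tampered" copy has one file changed and one file added.
CLEAN = build_tarball({
    "pkg-1.0/src/index.php": "<?php /* original */ ?>\n",
    "pkg-1.0/lib/helper.php": "<?php /* original */ ?>\n",
})
TAMPERED = build_tarball({
    "pkg-1.0/src/index.php": "<?php /* original */ ?>\n",
    "pkg-1.0/lib/helper.php": "<?php /* altered */ ?>\n",
    "pkg-1.0/lib/extra.php": "<?php /* not in known-good archive */ ?>\n",
})


if __name__ == "__main__":
    report = diff_tarballs(CLEAN, TAMPERED)
    for kind, names in report.items():
        for name in names:
            print(f"{kind:9} {name}")
    print("match" if check_release(CLEAN, TAMPERED) else "DIFFERS from known-good archive")
```

Comparing member digests rather than the whole-archive checksum has one practical advantage: a re-rolled tarball (different gzip mtime or member ordering) differs at the byte level without any file having changed, while an actual alteration shows up as a named file in the `modified` or `added` list. Whole-archive checksums and upstream signatures still belong in the check; this view just tells you what changed when they disagree.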