Bug 425291 (CVE-2007-6348)

Summary: CVE-2007-6348 Squirrelmail compromise
Product: [Other] Security Response
Reporter: Josh Bressers <bressers>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: urgent
Docs Contact:
Priority: medium
Version: unspecified
CC: mbacovsk, redhat-bugzilla
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-12-14 21:46:50 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 425301, 425311, 425321
Bug Blocks:

Description Josh Bressers 2007-12-14 19:21:07 UTC
Squirrelmail versions 1.4.11 and 1.4.12 have been compromised on the upstream
server. These releases contain an inserted backdoor which could allow a remote
user to execute arbitrary code on the squirrelmail server.

The project has released version 1.4.13 which does not contain the backdoor.

Comment 1 Josh Bressers 2007-12-14 19:27:28 UTC
This flaw does not affect any version of Squirrelmail shipped in Red Hat
Enterprise Linux.

Comment 3 Robert Scheck 2007-12-14 21:41:17 UTC
It also does not affect Fedora or EPEL. I would suggest marking this bug report
as a duplicate of bug #424791 (or the other way round, even if mine was before yours).

Comment 4 Lubomir Kundrak 2007-12-14 21:46:50 UTC
Squirrelmail packages as shipped with Fedora 7, Fedora 8 and Fedora development
are all based on a clean and uncompromised tarball, and are therefore not
vulnerable to this issue.

An update to 1.4.13 might be issued to avoid confusion and assure users that
their installation is not backdoored.

Comment 5 Lubomir Kundrak 2007-12-14 21:47:38 UTC
*** Bug 424791 has been marked as a duplicate of this bug. ***