Bug 425776

Summary: squirrelmail 1.4.11 and 1.4.12 are compromised
Product: [Fedora] Fedora Reporter: shrek-m <shrek-m>
Component: squirrelmailAssignee: Martin Bacovsky <mbacovsk>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: low    
Version: rawhide   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-12-17 17:52:31 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description shrek-m 2007-12-15 10:56:22 UTC 
please update asap from 1.4.11 to 1.4.13 (not only 1.4.12 was compromised)
rawhide has 1.4.11
iirc f8  has too 1.4.11
f7 has 1.4.10a-1.fc7 


updated news in german
http://www.heise.de/newsticker/meldung/100636


squirrelmail.org
--------
http://squirrelmail.org/
ANNOUNCE: SquirrelMail 1.4.13 Released
Dec 14, 2007 by Jonathan Angliss
 	Due to the package compromise of 1.4.11, and 1.4.12, we are forced to release
1.4.13 to ensure no confusions. While initial review didn't uncover a need for
concern, several proof of concepts show that the package alterations introduce a
high risk security issue, allowing remote inclusion of files. These changes
would allow a remote user the ability to execute exploit code on a victim
machine, without any user interaction on the victim's server. This could grant
the attacker the ability to deploy further code on the victim's server.

We STRONGLY advise all users of 1.4.11, and 1.4.12 upgrade imme
----/----
Comment 1 Tomas 2007-12-17 17:08:39 UTC 
Fedora's rpms are not compromised.

False report.
Comment 2 shrek-m 2007-12-17 17:52:31 UTC 
nice to know, but ...
sqm: "we are forced to release 1.4.13 to ensure **no confusions**"

in a few month you will only remember that 1.4.11 and 1.4.12 sources were
externally compromised post release between 20071208 - 20071213.


1.4.13 is now in rawhide and in f8 updates.
easy to remember, without confusion.


closed as rawhide because i filed it against rawhide (not f8) which probably was
not packaged long time before 20071213.