Bug 517312 (CVE-2009-2964)
| Summary: | CVE-2009-2964 squirrelmail: CSRF issues in all forms | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | bressers, eric.eisenhart, kreilly, mhlavink, vdanen |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2010-03-29 09:12:48 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 522490, 522491, 522492, 522493, 522494, 833982 | ||
| Bug Blocks: | |||
|
Description
Tomas Hoger
2009-08-13 13:22:18 UTC
squirrelmail-1.4.19-2.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/squirrelmail-1.4.19-2.fc11 squirrelmail-1.4.19-2.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/squirrelmail-1.4.19-2.fc10 squirrelmail-1.4.19-2.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report. squirrelmail-1.4.19-2.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report. Common Vulnerabilities and Exposures assigned an identifier CVE-2009-2964 to the following vulnerability: Name: CVE-2009-2964 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2964 Assigned: 20090825 Reference: CONFIRM: http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog?revision=13818&view=markup&pathrev=13818 Reference: CONFIRM: http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=rev&revision=13818 Reference: CONFIRM: http://www.squirrelmail.org/security/issue/2009-08-12 Reference: CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=517312 Reference: FEDORA:FEDORA-2009-8797 Reference: URL: https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00927.html Reference: FEDORA:FEDORA-2009-8822 Reference: URL: https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00954.html Reference: OSVDB:57001 Reference: URL: http://www.osvdb.org/57001 Reference: SECUNIA:34627 Reference: URL: http://secunia.com/advisories/34627 Reference: SECUNIA:36363 Reference: URL: http://secunia.com/advisories/36363 Reference: VUPEN:ADV-2009-2262 Reference: URL: http://www.vupen.com/english/advisories/2009/2262 Reference: XF:squirrelmail-unspecified-csrf(52406) Reference: URL: http://xforce.iss.net/xforce/xfdb/52406 Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier allow remote attackers to hijack the authentication of unspecified victims via features such as send message and change preferences, related to (1) functions/mailbox_display.php, (2) src/addrbook_search_html.php, (3) src/addressbook.php, (4) src/compose.php, (5) src/folders.php, (6) src/folders_create.php, (7) src/folders_delete.php, (8) src/folders_rename_do.php, (9) src/folders_rename_getname.php, (10) src/folders_subscribe.php, (11) src/move_messages.php, (12) src/options.php, (13) src/options_highlight.php, (14) src/options_identities.php, (15) src/options_order.php, (16) src/search.php, and (17) src/vcard.php. This issue has been addressed in following products: Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Via RHSA-2009:1490 https://rhn.redhat.com/errata/RHSA-2009-1490.html |