There is a cross site scripting issue in the decoding of encoded text in certain headers. SquirrelMail correctly decodes the specially crafted header, but doesn't sanitize the decoded strings.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=139739
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1036

------- Additional Comments From michal 2004-11-22 19:24:04 -------

Contrary to what is implied by "Keywords", RH73 did not supply squirrelmail, so it is not affected (well, obviously if you are not running squirrelmail as an additional application :-). RH9 did include a squirrelmail version for which even official updates were loooong time obsolete. In anything later this is already "standard".

------- Additional Comments From rob.myers.edu 2004-11-30 06:49:50 -------

Here are updated squirrelmail packages to QA for rh9 and fc1:

- includes patch for CAN-2004-1036 XSS vulnerability
- basically the same source.
- the fc1 rpm adds some requires: perl(Cwd) and perl(IO::Socket) but that is ok, correct?
changelogs:

rh9:
* Tue Nov 30 2004 Rob Myers <rob.myers.edu> 1.4.3-0.f0.9.2.legacy
- apply patch for CAN-2004-1036 (FL #2290)

fc1:
* Tue Nov 30 2004 Rob Myers <rob.myers.edu> 1.4.3-0.f1.1.1.legacy
- apply patch for CAN-2004-1036 (FL #2290)

sha1sums:

rh9:
a074793178877ad2ff9a8025369e4545693d8783 squirrelmail-1.4.3-0.f0.9.2.legacy.noarch.rpm
e1b307f29b557f807c56ec5066cc0a6d69a5ae12 squirrelmail-1.4.3-0.f0.9.2.legacy.src.rpm

fc1:
70482e093169bf04bb07a337b38c76776047dc91 squirrelmail-1.4.3-0.f1.1.1.legacy.noarch.rpm
accfeb15082d204460dd202334a6c91f07ec1a1f squirrelmail-1.4.3-0.f1.1.1.legacy.src.rpm

files:

rh9:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/squirrelmail-1.4.3-0.f0.9.2.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/squirrelmail-1.4.3-0.f0.9.2.legacy.noarch.rpm

fc1:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/squirrelmail-1.4.3-0.f1.1.1.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/squirrelmail-1.4.3-0.f1.1.1.legacy.noarch.rpm

------- Additional Comments From pekkas 2004-12-19 08:56:39 -------

Note that FL has already provided an update to squirrelmail, to 1.4.3, so it does not need to be verified anymore. I didn't realize this outright, and I also verified the diffs -- between RHL9 1.2.10 -> 1.4.3 is very similar to RHEL3 1.2.1 -> 1.4.3, so the RHL9 upgrade has a high chance of success. The only major changes seem to be security fixes for 1.2.10 which were integrated in 1.2.11, so this is OK.

As for the RHL9/FC1 SRPMs QA:
- sources and other original unmodified, OK
- the spec file changes to the last RHL9 FL update, and FC1 update are minimal
- patch integrity verified.
- building or installation not tested.
+PUBLISH RHL9,FC1

------- Additional Comments From marcdeslauriers 2005-02-04 16:26:02 -------

Packages were built and pushed to updates-testing.

------- Additional Comments From pekkas 2005-02-15 22:50:15 -------

Sigh. https://rhn.redhat.com/errata/RHSA-2005-135.html introduces three new ones, CAN-2005-0075, CAN-2005-0103, CAN-2005-0104. I'd say this should go back to the drawing board, no use shipping updates just for the earlier vulnerability :(

------- Additional Comments From marcdeslauriers 2005-02-16 08:15:02 -------

There is a separate bug for the new issues: Bug 2424

------- Additional Comments From marcdeslauriers 2005-02-23 18:00:09 -------

This bug has been obsoleted by bug 2424

------- Bug moved to this database by dkl 2005-03-30 18:29 -------

This bug previously known as bug 2290 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2290
Originally filed under the Fedora Legacy product and Package request component.

Bug depends on bug(s) 2424.
Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product. This bug either had no qa contact or an invalid one.
*** This bug has been marked as a duplicate of 152900 ***
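The bug class the report describes (header text is decoded correctly but the decoded result is never sanitized), as an added Python illustration that is not SquirrelMail's code and does not reproduce its code path; the RFC 2047 decoder, the `render_vulnerable` and `render_fixed` functions and the sample Subject header are all constructed for this example:

```python
import base64
import html
import re

# RFC 2047 encoded-word: =?charset?B|Q?encoded-text?=
ENCODED_WORD = re.compile(r"=\?([^?]+)\?([BbQq])\?([^?]*)\?=")


def decode_encoded_words(header: str) -> str:
    """Decode RFC 2047 B- and Q-encoded words in a header value."""
    def repl(m: re.Match) -> str:
        charset, enc, text = m.group(1), m.group(2).upper(), m.group(3)
        if enc == "B":
            raw = base64.b64decode(text)
        else:
            # Q encoding: "_" is a space, "=XX" is a hex-encoded byte
            raw = re.sub(
                rb"=([0-9A-Fa-f]{2})",
                lambda h: bytes([int(h.group(1), 16)]),
                text.replace("_", " ").encode("latin-1"),
            )
        return raw.decode(charset, errors="replace")
    return ENCODED_WORD.sub(repl, header)


def render_vulnerable(header: str) -> str:
    """Buggy order: escape the raw header, then decode. The encoded-word holds
    no HTML metacharacters, so escaping is a no-op on it and the markup only
    appears, unescaped, after decoding."""
    return decode_encoded_words(html.escape(header))


def render_fixed(header: str) -> str:
    """Correct order: decode first, then escape the decoded text."""
    return html.escape(decode_encoded_words(header))


# Constructed sample: a B-encoded Subject whose decoded text is HTML markup
CONSTRUCTED_SUBJECT = (
    "Re: =?UTF-8?B?"
    + base64.b64encode(b"<script>alert(1)</script>").decode("ascii")
    + "?= report"
)

if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(CONSTRUCTED_SUBJECT))
    print("fixed:     ", render_fixed(CONSTRUCTED_SUBJECT))
```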