We, the SquirrelMail project, plan on publicizing the attached patch upcoming Wednesday, June 15th 2005. We're sending it here to give you some advance notice to prepare for this if you want to. Sorry for the short notice but this was mainly caused by the finding of some additional issues.
- It contains fixes for several cross site scripting attacks, most by URL manipulation, and some by sending a specially crafted HTML email.
- The attached patch is tentative; further testing or further revealed issues may warrant changes between now and the release.
- The patch is made against the 1.4.4-release version of SquirrelMail.
- Please do not disclose information about this vulnerability until Wednesday.
- Credits to many of the findings go to Martijn Brinkers.
This issue should also affect RHEL3
Created attachment 115373: Current upstream patch
Created attachment 115434: Latest upstream patch
removing embargo
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-595.html
There is a problem with the patch file squirrelmail-1.4.3a-CAN-2005-1769.patch: the line $abook-error = htmlspecialchars($abook_error); should be $abook->error = htmlspecialchars($abook_error);
Jindrich, if you can, roll up some new packages without the typo ASAP. It seems this bug breaks all addressbooks in squirrelmail. This typo came from upstream; they fixed it without telling anyone.
Josh, packages with the fixed patch are now added.
*** Bug 165094 has been marked as a duplicate of this bug. ***