Bug 424791 - Upgrade to SquirrelMail 1.4.13
Status: CLOSED DUPLICATE of bug 425291
Product: Fedora
Classification: Fedora
Component: squirrelmail
Platform: All Linux
Priority: low, Severity: low
Assigned To: Martin Bacovsky
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-12-14 04:17 EST by Robert Scheck
Modified: 2007-12-14 16:47 EST
Doc Type: Bug Fix
Last Closed: 2007-12-14 16:47:38 EST

Attachments: None
Description Robert Scheck 2007-12-14 04:17:25 EST
Description of problem:
Squirrelmail 1.4.12 was released some time ago - it is only a bugfix release.
When downloading it, please verify that the md5sum matches the official
one, because the Squirrelmail Project had a compromised package on the servers
for some time.

Version-Release number of selected component (if applicable):

Expected results:
Upgrade to 1.4.12 or newer... ;-)
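
The checksum verification the reporter asks for, as an added example that is not part of the bug report or of the SquirrelMail project: a POSIX shell routine that refuses a downloaded tarball unless its digest matches the value published by upstream, so a tampered file is caught before it is unpacked or packaged. The file and digests in the demo are constructed, not real SquirrelMail release values; `md5sum` and `sha256sum` from GNU coreutils are assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the bug report): check a downloaded release
# tarball against the digests the upstream project publishes.
# MD5 is what the report mentions; a SHA-256 digest is checked as well
# when one is published, because MD5 collisions are practical.

# verify_digest FILE ALGO EXPECTED -> 0 if FILE hashes to EXPECTED
verify_digest() {
    file=$1; algo=$2; expected=$3
    case "$algo" in
        md5)    actual=$(md5sum "$file" | cut -d' ' -f1) ;;
        sha256) actual=$(sha256sum "$file" | cut -d' ' -f1) ;;
        *) echo "unknown algorithm: $algo" >&2; return 2 ;;
    esac
    # Compare hex digests case-insensitively.
    [ "$(printf '%s' "$actual" | tr 'A-F' 'a-f')" = \
      "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]
}

# check_release FILE MD5 [SHA256]: accept the file only if every digest matches.
check_release() {
    file=$1; md5=$2; sha256=$3
    if ! verify_digest "$file" md5 "$md5"; then
        echo "REJECT: $file MD5 does not match the published value" >&2
        return 1
    fi
    if [ -n "$sha256" ] && ! verify_digest "$file" sha256 "$sha256"; then
        echo "REJECT: $file SHA-256 does not match the published value" >&2
        return 1
    fi
    echo "OK: $file matches the published digests"
}

# Constructed demo: a stand-in "tarball" with a known digest, then a
# tampered copy (one byte appended) that must be rejected.
demo() {
    tmp=$(mktemp)
    printf 'squirrelmail-demo\n' > "$tmp"
    good_md5=$(md5sum "$tmp" | cut -d' ' -f1)
    check_release "$tmp" "$good_md5" || { rm -f "$tmp"; return 1; }
    printf 'x' >> "$tmp"
    if check_release "$tmp" "$good_md5" 2>/dev/null; then
        rm -f "$tmp"; return 1
    fi
    rm -f "$tmp"
    return 0
}
```

In practice the expected digests come from the project's signed release announcement, fetched over a channel separate from the mirror that served the tarball.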
Comment 1 Robert Scheck 2007-12-14 16:40:55 EST
ANNOUNCE: SquirrelMail 1.4.13 Released
Dec 14, 2007 by Jonathan Angliss

Due to the package compromise of 1.4.11 and 1.4.12, we are forced to release
1.4.13 to ensure no confusion. While initial review didn't uncover a need for
concern, several proofs of concept show that the package alterations introduce
a high risk security issue, allowing remote inclusion of files. These changes
would allow a remote user the ability to execute exploit code on a victim
machine, without any user interaction on the victim's server. This could grant
the attacker the ability to deploy further code on the victim's server.

We STRONGLY advise all users of 1.4.11 and 1.4.12 to upgrade immediately.
Comment 2 Lubomir Kundrak 2007-12-14 16:47:38 EST
Squirrelmail packages as shipped with Fedora 7, Fedora 8 and Fedora development
are all based on a clean and uncompromised tarball, therefore they are not
vulnerable to this issue.

An update to 1.4.13 might be issued to avoid confusion and assure users that
their installation is not backdoored.

*** This bug has been marked as a duplicate of 425291 ***