Red Hat Bugzilla – Bug 424791
Upgrade to SquirrelMail 1.4.13
Last modified: 2007-12-14 16:47:38 EST
Description of problem:
Squirrelmail 1.4.12 was released some time ago - it is only a bugfix release.
When downloading it, please verify, that the md5sum matches with the official
ones, because the Squirrelmail Project had a compromised package on the servers
for some time.
Version-Release number of selected component (if applicable):
Upgrade to 1.4.12 or newer... ;-)
ANNOUNCE: SquirrelMail 1.4.13 Released
Dec 14, 2007 by Jonathan Angliss
Due to the package compromise of 1.4.11, and 1.4.12, we are forced to release
1.4.13 to ensure no confusions. While initial review didn't uncover a need for
concern, several proof of concepts show that the package alterations introduce
a high risk security issue, allowing remote inclusion of files. These changes
would allow a remote user the ability to execute exploit code on a victim
machine, without any user interaction on the victim's server. This could grant
the attacker the ability to deploy further code on the victim's server.
We STRONGLY advise all users of 1.4.11, and 1.4.12 upgrade immediately.
Squirrelmail packages as shipped with Fedora 7, Fedora 8 and Fedora development
are all based on clean and uncompromised tarball, therefore they are not
vulnerable to this issue.
An update to 1.4.13 might be issued to avoid confusion and ensure users that
their installation is not backdoored.
*** This bug has been marked as a duplicate of 425291 ***