Bug 425291 - (CVE-2007-6348) CVE-2007-6348 Squirrelmail compromise
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium
Severity: urgent
Assigned To: Red Hat Product Security
Whiteboard: reported=20071213,source=bugtraq,publ...
Keywords: Security
Duplicates: 424791
Depends On: 425301 425311 425321
Reported: 2007-12-14 14:21 EST by Josh Bressers
Modified: 2007-12-14 16:47 EST (History)
Doc Type: Bug Fix
Last Closed: 2007-12-14 16:46:50 EST
Description Josh Bressers 2007-12-14 14:21:07 EST
Squirrelmail versions 1.4.11 and 1.4.12 have been compromised on the upstream
server. These releases contain an inserted backdoor which could allow a remote
user to execute arbitrary code on the squirrelmail server.

The project has released version 1.4.13 which does not contain the backdoor.
Comment 1 Josh Bressers 2007-12-14 14:27:28 EST
This flaw does not affect any version of Squirrelmail shipped in Red Hat
Enterprise Linux.
Comment 3 Robert Scheck 2007-12-14 16:41:17 EST
It also does not affect Fedora or EPEL. I would suggest marking this bug report
as a duplicate of bug #424791 (or the other way round, even if mine was before yours).
Comment 4 Lubomir Kundrak 2007-12-14 16:46:50 EST
Squirrelmail packages as shipped with Fedora 7, Fedora 8 and Fedora development
are all based on a clean and uncompromised tarball, therefore they are not
vulnerable to this issue.

An update to 1.4.13 might be issued to avoid confusion and assure users that
their installation is not backdoored.
Comment 5 Lubomir Kundrak 2007-12-14 16:47:38 EST
*** Bug 424791 has been marked as a duplicate of this bug. ***
