Bug 425291 (CVE-2007-6348) - CVE-2007-6348 Squirrelmail compromise
Summary: CVE-2007-6348 Squirrelmail compromise
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2007-6348
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: urgent
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Duplicates: 424791
Depends On: 425301 425311 425321
Blocks:
Reported: 2007-12-14 19:21 UTC by Josh Bressers
Modified: 2021-11-12 19:47 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-12-14 21:46:50 UTC
Embargoed:
Description Josh Bressers 2007-12-14 19:21:07 UTC
Squirrelmail versions 1.4.11 and 1.4.12 have been compromised on the upstream
server. These releases contain an inserted backdoor which could allow a remote
user to execute arbitrary code on the squirrelmail server.

The project has released version 1.4.13 which does not contain the backdoor.

Comment 1 Josh Bressers 2007-12-14 19:27:28 UTC
This flaw does not affect any version of Squirrelmail shipped in Red Hat
Enterprise Linux.

Comment 3 Robert Scheck 2007-12-14 21:41:17 UTC
It also does not affect Fedora or EPEL. I would suggest marking this bug report
as a duplicate of bug #424791 (or the other way round, even if mine was before yours).

Comment 4 Lubomir Kundrak 2007-12-14 21:46:50 UTC
Squirrelmail packages as shipped with Fedora 7, Fedora 8 and Fedora development
are all based on a clean and uncompromised tarball, and are therefore not
vulnerable to this issue.

An update to 1.4.13 might be issued to avoid confusion and to assure users that
their installation is not backdoored.

Comment 5 Lubomir Kundrak 2007-12-14 21:47:38 UTC
*** Bug 424791 has been marked as a duplicate of this bug. ***
