Bug 425291 (CVE-2007-6348) - CVE-2007-6348 Squirrelmail compromise
Summary: CVE-2007-6348 Squirrelmail compromise
Alias: CVE-2007-6348
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Whiteboard: reported=20071213,source=bugtraq,publ...
Keywords: Security
: 424791 (view as bug list)
Depends On: 425301 425311 425321
TreeView+ depends on / blocked
Reported: 2007-12-14 19:21 UTC by Josh Bressers
Modified: 2007-12-14 21:47 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-12-14 21:46:50 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Josh Bressers 2007-12-14 19:21:07 UTC
Squirrelmail versions 1.4.11 and 1.4.12 have been compromised on the upstream
server. These releases contain an inserted backdoor which could allow a remote
user to execute arbitrary code on the squirrelmail server.

The project has released version 1.4.13 which does not contain the backdoor.

Comment 1 Josh Bressers 2007-12-14 19:27:28 UTC
This flaw does not affect any version of Squirrelmail shipped in Red Hat
Enterprise Linux.

Comment 3 Robert Scheck 2007-12-14 21:41:17 UTC
It also does not affect Fedora or EPEL. I would suggest to mark this bug report
as duplicate of bug #424791 (or other way round, even if mine was before yours).

Comment 4 Lubomir Kundrak 2007-12-14 21:46:50 UTC
Squirrelmail packages as shipped with Fedora 7, Fedora 8 and Fedora development
are all based on clean and uncompromised tarball, therefore they are not
vulnerable to this issue.

An update to 1.4.13 might be issued to avoid confusion and ensure users that
their installation is not backdoored.

Comment 5 Lubomir Kundrak 2007-12-14 21:47:38 UTC
*** Bug 424791 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.