Bug 425776 - squirrelmail 1.4.11 and 1.4.12 are compromised
squirrelmail 1.4.11 and 1.4.12 are compromised
Product: Fedora
Classification: Fedora
Component: squirrelmail (Show other bugs)
All Linux
low Severity urgent
: ---
: ---
Assigned To: Martin Bacovsky
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2007-12-15 05:56 EST by shrek-m
Modified: 2007-12-17 12:52 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-12-17 12:52:31 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description shrek-m 2007-12-15 05:56:22 EST
please update asap from 1.4.11 to 1.4.13 (not only 1.4.12 was compromised)
rawhide has 1.4.11
iirc f8  has too 1.4.11
f7 has 1.4.10a-1.fc7 

updated news in german

ANNOUNCE: SquirrelMail 1.4.13 Released
Dec 14, 2007 by Jonathan Angliss
 	Due to the package compromise of 1.4.11, and 1.4.12, we are forced to release
1.4.13 to ensure no confusions. While initial review didn't uncover a need for
concern, several proof of concepts show that the package alterations introduce a
high risk security issue, allowing remote inclusion of files. These changes
would allow a remote user the ability to execute exploit code on a victim
machine, without any user interaction on the victim's server. This could grant
the attacker the ability to deploy further code on the victim's server.

We STRONGLY advise all users of 1.4.11, and 1.4.12 upgrade imme
Comment 1 Tomas 2007-12-17 12:08:39 EST
Fedora's rpms are not compromised.

False report.
Comment 2 shrek-m 2007-12-17 12:52:31 EST
nice to know, but ...
sqm: "we are forced to release 1.4.13 to ensure **no confusions**"

in a few month you will only remember that 1.4.11 and 1.4.12 sources were
externally compromised post release between 20071208 - 20071213.

1.4.13 is now in rawhide and in f8 updates.
easy to remember, without confusion.

closed as rawhide because i filed it against rawhide (not f8) which probably was
not packaged long time before 20071213.

Note You need to log in before you can comment on or make changes to this bug.