please update asap from 1.4.11 to 1.4.13 (not only 1.4.12 was compromised)

rawhide has 1.4.11 iirc
f8 has too 1.4.11
f7 has 1.4.10a-1.fc7

updated news in german
http://www.heise.de/newsticker/meldung/100636

squirrelmail.org
--------
http://squirrelmail.org/

ANNOUNCE: SquirrelMail 1.4.13 Released
Dec 14, 2007 by Jonathan Angliss

Due to the package compromise of 1.4.11, and 1.4.12, we are forced to release 1.4.13 to ensure no confusions. While initial review didn't uncover a need for concern, several proof of concepts show that the package alterations introduce a high risk security issue, allowing remote inclusion of files. These changes would allow a remote user the ability to execute exploit code on a victim machine, without any user interaction on the victim's server. This could grant the attacker the ability to deploy further code on the victim's server.

We STRONGLY advise all users of 1.4.11, and 1.4.12 upgrade imme
----/----

Fedora's rpms are not compromised. False report.
nice to know, but ... sqm: "we are forced to release 1.4.13 to ensure **no confusions**" in a few months you will only remember that 1.4.11 and 1.4.12 sources were externally compromised post release between 20071208 - 20071213. 1.4.13 is now in rawhide and in f8 updates. easy to remember, without confusion. closed as rawhide because I filed it against rawhide (not f8) which probably was not packaged long time before 20071213.