Bug 425776 - squirrelmail 1.4.11 and 1.4.12 are compromised
Summary: squirrelmail 1.4.11 and 1.4.12 are compromised
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: squirrelmail   
Version: rawhide
Hardware: All
OS: Linux
Priority: low
Severity: urgent
Target Milestone: ---
Assignee: Martin Bacovsky
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
 
Reported: 2007-12-15 10:56 UTC by shrek-m
Modified: 2007-12-17 17:52 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-12-17 17:52:31 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---



Description shrek-m 2007-12-15 10:56:22 UTC
please update asap from 1.4.11 to 1.4.13 (not only 1.4.12 was compromised)
rawhide has 1.4.11
iirc f8 has 1.4.11 too
f7 has 1.4.10a-1.fc7


Updated news in German:
http://www.heise.de/newsticker/meldung/100636


squirrelmail.org
--------
http://squirrelmail.org/
ANNOUNCE: SquirrelMail 1.4.13 Released
Dec 14, 2007 by Jonathan Angliss
Due to the package compromise of 1.4.11, and 1.4.12, we are forced to release
1.4.13 to ensure no confusions. While initial review didn't uncover a need for
concern, several proof of concepts show that the package alterations introduce a
high risk security issue, allowing remote inclusion of files. These changes
would allow a remote user the ability to execute exploit code on a victim
machine, without any user interaction on the victim's server. This could grant
the attacker the ability to deploy further code on the victim's server.

We STRONGLY advise all users of 1.4.11, and 1.4.12 upgrade imme
----/----
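The announcement quoted above says the 1.4.11 and 1.4.12 packages were altered after release, so a distributor or admin who already has a copy cannot tell from the version number alone whether it is clean. The following is an added example, not from this bug report, SquirrelMail or Fedora, of how to compare a downloaded tarball member by member against a trusted reference copy (one fetched at release time, or one whose digest matches the project's announcement) and list exactly which files were added, removed or modified. Both archives, and every file name and content in them, are constructed in memory for demonstration and do not reproduce the real altered code.

```python
"""Diff two gzip'd release tarballs to surface post-release tampering.
Added example; not SquirrelMail's or Fedora's own tooling. The archives
built below are constructed test data with hypothetical file names."""
import hashlib
import io
import tarfile


def _member_digests(data: bytes) -> dict:
    """Map each regular file in a gzip'd tarball to its SHA-256 hex digest."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue  # skip directories, symlinks and other non-file entries
            with tar.extractfile(member) as f:
                digests[member.name] = hashlib.sha256(f.read()).hexdigest()
    return digests


def diff_tarballs(reference: bytes, suspect: bytes) -> dict:
    """Compare a suspect archive against a trusted reference.

    Returns {'added': [...], 'removed': [...], 'modified': [...]} with member
    names sorted, so the output is stable enough to paste into a bug report."""
    ref = _member_digests(reference)
    sus = _member_digests(suspect)
    return {
        "added": sorted(set(sus) - set(ref)),
        "removed": sorted(set(ref) - set(sus)),
        "modified": sorted(n for n in ref if n in sus and ref[n] != sus[n]),
    }


def sha256_hex(data: bytes) -> str:
    """Whole-archive digest, for a first check against a published checksum."""
    return hashlib.sha256(data).hexdigest()


def build_tarball(files: dict) -> bytes:
    """Build a gzip'd tarball in memory from {path: bytes}; constructed input only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample archives (hypothetical app name and paths, not the real package).
CLEAN = build_tarball({
    "app-1.0/index.php": b"<?php require_once('functions/init.php'); ?>\n",
    "app-1.0/functions/init.php": b"<?php /* clean release content */ ?>\n",
})
TAMPERED = build_tarball({
    "app-1.0/index.php": b"<?php require_once('functions/init.php'); ?>\n",
    "app-1.0/functions/init.php": b"<?php /* content altered after release */ ?>\n",
    "app-1.0/functions/extra.php": b"<?php /* file that was never in the release */ ?>\n",
})

if __name__ == "__main__":
    print("archive digests differ:", sha256_hex(CLEAN) != sha256_hex(TAMPERED))
    for kind, names in diff_tarballs(CLEAN, TAMPERED).items():
        print(f"{kind}: {names}")
```

A whole-archive digest mismatch only tells you that something changed; the per-member diff is what lets a packager confirm whether the difference is a harmless re-roll of the tarball or an injected or altered file that needs to be treated as a compromise.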

Comment 1 Tomas 2007-12-17 17:08:39 UTC
Fedora's rpms are not compromised.

False report.

Comment 2 shrek-m 2007-12-17 17:52:31 UTC
nice to know, but ...
sqm: "we are forced to release 1.4.13 to ensure **no confusions**"

in a few months you will only remember that 1.4.11 and 1.4.12 sources were
externally compromised post release between 20071208 - 20071213.


1.4.13 is now in rawhide and in f8 updates.
easy to remember, without confusion.


closed as rawhide because I filed it against rawhide (not f8) which probably was
not packaged long time before 20071213.

