Red Hat Bugzilla – Bug 425776
squirrelmail 1.4.11 and 1.4.12 are compromised
Last modified: 2007-12-17 12:52:31 EST
please update asap from 1.4.11 to 1.4.13 (not only 1.4.12 was compromised)
rawhide has 1.4.11
iirc f8 has too 1.4.11
f7 has 1.4.10a-1.fc7
updated news in german
ANNOUNCE: SquirrelMail 1.4.13 Released
Dec 14, 2007 by Jonathan Angliss
Due to the package compromise of 1.4.11, and 1.4.12, we are forced to release
1.4.13 to ensure no confusions. While initial review didn't uncover a need for
concern, several proof of concepts show that the package alterations introduce a
high risk security issue, allowing remote inclusion of files. These changes
would allow a remote user the ability to execute exploit code on a victim
machine, without any user interaction on the victim's server. This could grant
the attacker the ability to deploy further code on the victim's server.
We STRONGLY advise all users of 1.4.11, and 1.4.12 upgrade imme
Fedora's rpms are not compromised.
nice to know, but ...
sqm: "we are forced to release 1.4.13 to ensure **no confusions**"
in a few month you will only remember that 1.4.11 and 1.4.12 sources were
externally compromised post release between 20071208 - 20071213.
1.4.13 is now in rawhide and in f8 updates.
easy to remember, without confusion.
closed as rawhide because i filed it against rawhide (not f8) which probably was
not packaged long time before 20071213.