On Tue, 01 Feb 2005 at 15:20:36 +0000, Abel wrote:
> This message has been automatically generated in response to the creation of
> a ticket regarding: "[SECURITY] [DSA 662-1] New squirrelmail package fixes
> several vulnerabilities"
>
> There is no need to reply to this message right now. Your ticket has been
> assigned an ID of [sowood.co.uk #1150].
>
> Please include the string [sowood.co.uk #1150]
> in the subject line of all future correspondence about this issue. You can do
> this by replying to this message.
>
> Thank you,
>
> [EMAIL PROTECTED]
>
> -------------------------------------------------------------------------
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - --------------------------------------------------------------------------
> Debian Security Advisory DSA 662-1                       [EMAIL PROTECTED]
> http://www.debian.org/security/                             Martin Schulze
> February 1st, 2005                      http://www.debian.org/security/faq
> - --------------------------------------------------------------------------
>
> Package        : squirrelmail
> Vulnerability  : several
> Problem-Type   : remote
> Debian-specific: no
> CVE ID         : CAN-2005-0104 CAN-2005-0152
> Debian Bug     : 292714
>
> Several vulnerabilities have been discovered in Squirrelmail, a
> commonly used webmail system. The Common Vulnerabilities and
> Exposures project identifies the following problems:
>
> CAN-2005-0104
>
>     Upstream developers noticed that an unsanitised variable could
>     lead to cross site scripting.
>
> CAN-2005-0152
>
>     Grant Hollingworth discovered that under certain circumstances URL
>     manipulation could lead to the execution of arbitrary code with
>     the privileges of www-data. This problem only exists in version
>     1.2.6 of Squirrelmail.
>
> For the stable distribution (woody) these problems have been fixed in
> version 1.2.6-2.
>
> For the unstable distribution (sid) the problem that affects unstable
> has been fixed in version 1.4.4-1.
>
> We recommend that you upgrade your squirrelmail package.
>
>
> Upgrade Instructions
> - --------------------
>
> wget url
>         will fetch the file for you
> dpkg -i file.deb
>         will install the referenced file.
>
> If you are using the apt-get package manager, use the line for
> sources.list as given below:
>
> apt-get update
>         will update the internal database
> apt-get upgrade
>         will install corrected packages
>
> You may use an automated update by adding the resources from the
> footer to the proper configuration.
>
>
> Debian GNU/Linux 3.0 alias woody
> - --------------------------------
>
>   Source archives:
>
>     http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6-2.dsc
>       Size/MD5 checksum: 646 4900cffd3e5d45735f65c21476efc806
>     http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6-2.diff.gz
>       Size/MD5 checksum: 21204 4614ece547701e83d640b5740bb59d51
>     http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6.orig.tar.gz
>       Size/MD5 checksum: 1856087 be9e6be1de8d3dd818185d596b41a7f1
>
>   Architecture independent components:
>
>     http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6-2_all.deb
>       Size/MD5 checksum: 1840668 2d23a6986ab2862bb1acd160b5a2919c
>
>
>   These files will probably be moved into the stable distribution on
>   its next update.
>
> - ---------------------------------------------------------------------------------
> For apt-get: deb http://security.debian.org/ stable/updates main
> For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
> Mailing list: [email protected]
> Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.5 (GNU/Linux)
>
> iD8DBQFB/5XHW5ql+IAeqTIRAkpkAKCe9RF1LswG8hauggRbypCgsGxfygCeK10Z
> F2TH29V21YfxpuF3gCLIDxE=
> =KEhs
> -----END PGP SIGNATURE-----
>
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Please stop sending automated replies to Debian mailing lists.

--
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED]   http://www.lodz.tpsa.pl/iso/ | ones and zeros.
 [EMAIL PROTECTED]   http://www.ClamAV.net/   A GPL virus scanner

