squirrelmail: CVE-2018-8741: path traversal vulnerability

Related Vulnerabilities: CVE-2018-8741  

Debian Bug report logs - #893202

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 17 Mar 2018 09:30:05 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version squirrelmail/2:1.4.23~svn20120406-2

Fixed in version squirrelmail/2:1.4.23~svn20120406-2+deb8u2

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://sourceforge.net/p/squirrelmail/bugs/2846/



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#893202; Package src:squirrelmail. (Sat, 17 Mar 2018 09:30:08 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>. (Sat, 17 Mar 2018 09:30:08 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: squirrelmail: path traversal vulnerability allows
Date: Sat, 17 Mar 2018 10:27:54 +0100
Source: squirrelmail
Version: 2:1.4.23~svn20120406-2
Severity: grave
Tags: security upstream

Hi

Since there is no CVE assigned, file a Debian bug to have a reference.

See http://www.openwall.com/lists/oss-security/2018/03/17/2 for
additional information.

Regards,
Salvatore



Changed Bug title to 'squirrelmail: path traversal vulnerability' from 'squirrelmail: path traversal vulnerability allows'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 17 Mar 2018 09:33:06 GMT)


Changed Bug title to 'squirrelmail: CVE-2018-8741: path traversal vulnerability' from 'squirrelmail: path traversal vulnerability'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 17 Mar 2018 13:51:02 GMT)


Set Bug forwarded-to-address to 'https://sourceforge.net/p/squirrelmail/bugs/2846/'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 07 Apr 2018 12:27:04 GMT)


Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Fri, 13 Apr 2018 22:25:34 GMT)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Mon, 16 Apr 2018 18:36:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 16 Apr 2018 18:36:06 GMT)


Message #18 received at 893202-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 893202-close@bugs.debian.org
Subject: Bug#893202: fixed in squirrelmail 2:1.4.23~svn20120406-2+deb8u2
Date: Mon, 16 Apr 2018 18:32:55 +0000
Source: squirrelmail
Source-Version: 2:1.4.23~svn20120406-2+deb8u2

We believe that the bug you reported is fixed in the latest version of
squirrelmail, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 893202@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated squirrelmail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 07 Apr 2018 15:24:43 +0200
Source: squirrelmail
Binary: squirrelmail
Architecture: all source
Version: 2:1.4.23~svn20120406-2+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 893202
Description: 
 squirrelmail - Webmail for nuts
Changes:
 squirrelmail (2:1.4.23~svn20120406-2+deb8u2) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Path traversal vulnerability (CVE-2018-8741)
     Directory traversal flaw in Deliver.class.php can allow a remote
     attacker to retrieve or delete arbitrary files. (Closes: #893202)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 15 May 2018 07:25:18 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:40:29 2019; Machine Name: buxtehude
