DSA-1290-1 squirrelmail -- missing input sanitising

Debian Security Advisory

DSA-1290-1 squirrelmail -- missing input sanitising

Date Reported:

13 May 2007

Affected Packages:

squirrelmail

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2007-1262.

More information:

It was discovered that the webmail package Squirrelmail performs insufficient sanitising inside the HTML filter, which allows the injection of arbitrary web script code during the display of HTML email messages.

For the oldstable distribution (sarge) this problem has been fixed in version 2:1.4.4-11.

For the stable distribution (etch) this problem has been fixed in version 2:1.4.9a-2.

For the unstable distribution (sid) this problem has been fixed in version 2:1.4.10a-1.

We recommend that you upgrade your squirrelmail package.

Fixed in:

Debian GNU/Linux 3.1 (sarge)

Source:

http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.4-11.dsc

http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.4-11.diff.gz

http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.4.orig.tar.gz

Architecture-independent component:

http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.4-11_all.deb

Debian GNU/Linux 4.0 (etch)

Source:

http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.9a-2.dsc

http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.9a-2.diff.gz

http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.9a.orig.tar.gz

Architecture-independent component:

http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.9a-2_all.deb

MD5 checksums of the listed files are available in the original advisory.