RedHat: Moderate: SquirrelMail security update
Summary
SquirrelMail is a standards-based webmail package written in PHP4.

A bug was found in the way SquirrelMail handled the $_POST variable. A user's SquirrelMail preferences could be read or modified if the user is tricked into visiting a malicious URL. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-2095 to this issue.

Several cross-site scripting bugs were discovered in SquirrelMail. An attacker could inject arbitrary JavaScript or HTML content into SquirrelMail pages by tricking a user into visiting a carefully crafted URL, or by sending them a carefully constructed HTML email message. (CAN-2005-1769)

All users of SquirrelMail should upgrade to this updated package, which contains backported patches that resolve these issues.
Solution
Before applying this update, make sure that all previously-released
errata relevant to your system have been applied. Use Red Hat
Network to download and update your packages. To launch the Red Hat
Update Agent, use the following command:
up2date
For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:
http://www.redhat.com/docs/manuals/enterprise/
Additionally, users will have to bring up the "Network Proxy" dialog and
reset their keys for the settings to take place.
5. Bug IDs fixed (http://bugzilla.redhat.com/):
160241 - CAN-2005-1769 Multiple XSS issues in squirrelmail
162275 - CAN-2005-2095 squirrelmail cross site posting issue
6. RPMs required:
Red Hat Enterprise Linux AS version 3:
SRPMS:
ba88d8cade37412c5abda4e5c4660b18 squirrelmail-1.4.3a-10.EL3.src.rpm
noarch:
78615d9edfaa42e09f81267778e121ed squirrelmail-1.4.3a-10.EL3.noarch.rpm
Red Hat Desktop version 3:
SRPMS:
ba88d8cade37412c5abda4e5c4660b18 squirrelmail-1.4.3a-10.EL3.src.rpm
noarch:
78615d9edfaa42e09f81267778e121ed squirrelmail-1.4.3a-10.EL3.noarch.rpm
Red Hat Enterprise Linux ES version 3:
SRPMS:
ba88d8cade37412c5abda4e5c4660b18 squirrelmail-1.4.3a-10.EL3.src.rpm
noarch:
78615d9edfaa42e09f81267778e121ed squirrelmail-1.4.3a-10.EL3.noarch.rpm
Red Hat Enterprise Linux WS version 3:
SRPMS:
ba88d8cade37412c5abda4e5c4660b18 squirrelmail-1.4.3a-10.EL3.src.rpm
noarch:
78615d9edfaa42e09f81267778e121ed squirrelmail-1.4.3a-10.EL3.noarch.rpm
Red Hat Enterprise Linux AS version 4:
SRPMS:
4abd471bd12dce975d68297c2a82837f squirrelmail-1.4.3a-11.EL4.src.rpm
noarch:
b19badf585b022e32acd1a546b624e1b squirrelmail-1.4.3a-11.EL4.noarch.rpm
Red Hat Enterprise Linux Desktop version 4:
SRPMS:
4abd471bd12dce975d68297c2a82837f squirrelmail-1.4.3a-11.EL4.src.rpm
noarch:
b19badf585b022e32acd1a546b624e1b squirrelmail-1.4.3a-11.EL4.noarch.rpm
Red Hat Enterprise Linux ES version 4:
SRPMS:
4abd471bd12dce975d68297c2a82837f squirrelmail-1.4.3a-11.EL4.src.rpm
noarch:
b19badf585b022e32acd1a546b624e1b squirrelmail-1.4.3a-11.EL4.noarch.rpm
Red Hat Enterprise Linux WS version 4:
SRPMS:
4abd471bd12dce975d68297c2a82837f squirrelmail-1.4.3a-11.EL4.src.rpm
noarch:
b19badf585b022e32acd1a546b624e1b squirrelmail-1.4.3a-11.EL4.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package
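The checks the advisory asks for (is the installed package older than the fixed release, do the downloaded RPMs match the MD5 sums listed above, and does Red Hat's GPG signature verify), written out as an added shell script. This is an example added here, not part of the Red Hat advisory or of SquirrelMail. It assumes a Linux host with rpm and awk, md5sum or openssl for the digest, and that Red Hat's package-signing key has already been imported into the rpm database (the path /usr/share/rhn/RPM-GPG-KEY named in the comments is an assumption about RHEL 3/4, not something the advisory states). The version comparison is a simplified rpmvercmp, not rpm's own code.

```shell
#!/bin/sh
# Added example, not part of the Red Hat advisory or of SquirrelMail: decide
# whether this host needs the squirrelmail erratum, check downloaded RPMs
# against the advisory's MD5 sums, and check Red Hat's GPG signature with
# rpm --checksig before anything is installed. Assumes Linux with rpm, awk,
# md5sum (or openssl), and Red Hat's signing key already imported (assumed
# location on RHEL 3/4: rpm --import /usr/share/rhn/RPM-GPG-KEY).

# Expected MD5 sums of the binary RPMs, copied from the "RPMs required" list.
ADVISORY_MD5='78615d9edfaa42e09f81267778e121ed  squirrelmail-1.4.3a-10.EL3.noarch.rpm
b19badf585b022e32acd1a546b624e1b  squirrelmail-1.4.3a-11.EL4.noarch.rpm'

# seg_cmp A B: simplified rpmvercmp for one version or release string. Each
# string is split into numeric and alphabetic runs; numeric runs compare
# numerically, alphabetic ones lexically, a numeric run beats an alphabetic
# one, and the string with segments left over is newer. Prints 1, 0 or -1.
seg_cmp() {
    awk -v a="$1" -v b="$2" '
        function segs(s, out,    n) {
            n = 0
            while (match(s, /[0-9]+|[A-Za-z]+/)) {
                out[++n] = substr(s, RSTART, RLENGTH)
                s = substr(s, RSTART + RLENGTH)
            }
            return n
        }
        BEGIN {
            na = segs(a, A); nb = segs(b, B)
            for (i = 1; i <= na && i <= nb; i++) {
                an = (A[i] ~ /^[0-9]+$/); bn = (B[i] ~ /^[0-9]+$/)
                if (an && bn) {
                    if (A[i] + 0 != B[i] + 0) { r = (A[i] + 0 > B[i] + 0) ? 1 : -1; print r; exit }
                } else if (an != bn) {
                    r = an ? 1 : -1; print r; exit
                } else if (A[i] != B[i]) {
                    r = (A[i] > B[i]) ? 1 : -1; print r; exit
                }
            }
            r = (na == nb) ? 0 : (na > nb ? 1 : -1); print r
        }'
}

# rpm_vercmp A B: A and B are VERSION-RELEASE strings (epoch ignored); the
# version decides unless equal, then the release does. Prints 1, 0 or -1.
rpm_vercmp() {
    r=$(seg_cmp "${1%-*}" "${2%-*}")
    if [ "$r" -ne 0 ]; then echo "$r"; else seg_cmp "${1#*-}" "${2#*-}"; fi
}

# needs_update INSTALLED REQUIRED: exit 0 when the installed package is older
# than the fixed one, i.e. when this advisory still applies to the host.
needs_update() { [ "$(rpm_vercmp "$1" "$2")" -lt 0 ]; }

# required_evr INSTALLED: fixed VERSION-RELEASE for the host's RHEL line.
required_evr() {
    case "$1" in
        *EL3*) echo 1.4.3a-10.EL3 ;;
        *EL4*) echo 1.4.3a-11.EL4 ;;
        *)     return 1 ;;
    esac
}

# md5_of FILE: hex MD5 digest (md5sum, or openssl where md5sum is absent).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d' ' -f1
    else openssl dgst -md5 "$1" | awk '{ print $NF }'; fi
}

# verify_md5 DIR [LIST]: check every RPM named in LIST (default: the advisory
# list) that exists in DIR against its expected sum. Succeeds only if at
# least one listed file is present and none of them mismatch.
verify_md5() {
    dir=$1; list=${2:-$ADVISORY_MD5}; found=0; bad=0
    while read -r expected file; do
        [ -n "$file" ] && [ -f "$dir/$file" ] || continue
        found=$((found + 1))
        actual=$(md5_of "$dir/$file")
        if [ "$actual" = "$expected" ]; then echo "md5 OK   $file"
        else echo "md5 FAIL $file (got $actual)"; bad=$((bad + 1)); fi
    done <<EOF
$list
EOF
    [ "$found" -gt 0 ] && [ "$bad" -eq 0 ]
}

# verify_sig FILE: rpm --checksig must report the signature OK; "NOT OK" and
# "MISSING KEYS" (Red Hat's key not imported) are both treated as failure.
verify_sig() {
    out=$(rpm --checksig "$1" 2>&1) || { echo "$out"; return 1; }
    case "$out" in *"NOT OK"*|*MISSING*) echo "$out"; return 1 ;; esac
    echo "$out"
}

# main DIR: report whether the host needs the erratum, then verify the
# advisory RPMs found in DIR before suggesting the install command.
main() {
    dir=${1:-.}
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}' squirrelmail 2>/dev/null) ||
        { echo "squirrelmail is not installed; advisory does not apply"; return 0; }
    required=$(required_evr "$installed") ||
        { echo "unrecognised release: $installed"; return 1; }
    if ! needs_update "$installed" "$required"; then
        echo "installed $installed is already at or past $required"; return 0
    fi
    echo "installed $installed is older than $required: update required"
    verify_md5 "$dir" || return 1
    for f in "$dir"/squirrelmail-1.4.3a-*.noarch.rpm; do
        [ -f "$f" ] && { verify_sig "$f" || return 1; }
    done
    echo "checks passed; install with: rpm -Fvh $dir/squirrelmail-1.4.3a-*.noarch.rpm"
}

# Run the checks only when a download directory is given on the command line.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it on the mail host as `sh check-squirrelmail.sh /path/to/downloads` after fetching the RPMs; with no argument it only defines the functions. The MD5 list only shows that the download is the file the advisory describes; the `rpm --checksig` step is what ties it to Red Hat, so a MISSING KEYS result should be fixed by importing the key, not skipped.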
References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1769
Package List
Topic
Relevant Releases Architectures
Red Hat Enterprise Linux AS version 3 - noarch
Red Hat Desktop version 3 - noarch
Red Hat Enterprise Linux ES version 3 - noarch
Red Hat Enterprise Linux WS version 3 - noarch
Red Hat Enterprise Linux AS version 4 - noarch
Red Hat Enterprise Linux Desktop version 4 - noarch
Red Hat Enterprise Linux ES version 4 - noarch
Red Hat Enterprise Linux WS version 4 - noarch
Bugs Fixed