CVE-2008-2379 insufficient input sanitising

Bug #306536 reported by Reinhard Tartler
4
Affects Status Importance Assigned to Milestone
squirrelmail (Ubuntu)
Fix Released
Medium
Unassigned
Dapper
Fix Released
Medium
Unassigned
Gutsy
Fix Released
Medium
Unassigned
Hardy
Fix Released
Medium
Unassigned
Intrepid
Fix Released
Medium
Unassigned
Jaunty
Fix Released
Medium
Unassigned

Bug Description

Binary package hint: squirrelmail

- ------------------------------------------------------------------------
Debian Security Advisory DSA-168201 security_at_debian.org
http://www.debian.org/security/ Thijs Kinkhorst
December 07, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : squirrelmail
Vulnerability : insufficient input sanitising
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-2379

Ivan Markovic discovered that SquirrelMail, a webmail application, did not
sufficiently sanitise incoming HTML email, allowing an attacker to perform
cross site scripting through sending a malicious HTML email.

For the stable distribution (etch), this problem has been fixed in
version 1.4.9a-3.

For the unstable distribution (sid), this problem has been fixed in
version 1.4.15-4.

We recommend that you upgrade your squirrelmail package.

Kees Cook (kees)
Changed in squirrelmail:
status: New → Confirmed
Kees Cook (kees)
Changed in squirrelmail:
status: New → Fix Committed
status: Confirmed → Fix Released
status: New → Fix Committed
importance: Undecided → Medium
importance: Undecided → Medium
importance: Undecided → Medium
importance: Undecided → Medium
importance: Undecided → Medium
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package squirrelmail - 2:1.4.13-2ubuntu1.1

---------------
squirrelmail (2:1.4.13-2ubuntu1.1) hardy-security; urgency=low

  * SECURITY UPDATE: cross site scripting issue in the HTML filter
    (CVE-2008-2379). LP: #306536.
    - functiions/mime.php: from the debian package version 1.4.15-4.

 -- Reinhard Tartler <email address hidden> Tue, 09 Dec 2008 14:58:07 +0100

Changed in squirrelmail:
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package squirrelmail - 2:1.4.15-3ubuntu0.1

---------------
squirrelmail (2:1.4.15-3ubuntu0.1) intrepid-security; urgency=low

  * SECURITY UPDATE: cross site scripting issue in the HTML filter
    (CVE-2008-2379). LP: #306536.
    - functions/mime.php: from the debian package version 1.4.15-4.

 -- Kees Cook <email address hidden> Mon, 15 Dec 2008 14:33:21 -0800

Changed in squirrelmail:
status: Fix Committed → Fix Released
Revision history for this message
Andreas Wenning (andreas-wenning) wrote :

For the fixes of gutsy and dapper, see bug 328938 for status

Changed in squirrelmail:
status: New → Fix Committed
status: New → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package squirrelmail - 2:1.4.10a-2ubuntu0.1

---------------
squirrelmail (2:1.4.10a-2ubuntu0.1) gutsy-security; urgency=low

  * SECURITY UPDATE: cross site scripting issue in the HTML filter.
    Patch taken from upstream release. (LP: #306536)
    - CVE-2008-2379
    - http://www.squirrelmail.org/security/issue/2008-12-04
  * SECURITY UPDATE: Cookies sent over HTTPS will now be confined to
    HTTPS only (cookie secure flag) and more support for the HTTPOnly
    cookie attribute. Patch taken from upstream release. (LP: #328938)
    - CVE-2008-3663
    - http://www.squirrelmail.org/security/issue/2008-09-28

 -- Andreas Wenning <email address hidden> Fri, 13 Feb 2009 08:03:02 +0100

Changed in squirrelmail:
status: Fix Committed → Fix Released
Changed in squirrelmail (Ubuntu Dapper):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.