CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
AI Score
Confidence
Low
EPSS
Percentile
90.8%
Debian Security Advisory DSA 662-2 [email protected]
http://www.debian.org/security/ Martin Schulze
March 14th, 2005 http://www.debian.org/security/faq
Package : squirrelmail
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-0104 CAN-2005-0152
Debian Bug : 292714 295836
Andrew Archibald discovered that the last update to squirrelmail which
was intended to fix several problems caused a regression which got
exposed when the user hits a session timeout. For completeness below
is the original advisory text:
Several vulnerabilities have been discovered in Squirrelmail, a
commonly used webmail system. The Common Vulnerabilities and
Exposures project identifies the following problems:
CAN-2005-0104
Upstream developers noticed that an unsanitised variable could
lead to cross site scripting.
CAN-2005-0152
Grant Hollingworth discovered that under certain circumstances URL
manipulation could lead to the execution of arbitrary code with
the privileges of www-data. This problem only exists in version
1.2.6 of Squirrelmail.
For the stable distribution (woody) these problems have been fixed in
version 1.2.6-3.
The correction in the unstable distribution (sid) is not affected by
this regression.
We recommend that you upgrade your squirrelmail package.
Upgrade Instructions
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
Source archives:
http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6-3.dsc
Size/MD5 checksum: 646 1de7e6666fccf9bec33415a8f087aec6
http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6-3.diff.gz
Size/MD5 checksum: 21411 ec0e038ffe18e2035fccac02eb31ba21
http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6.orig.tar.gz
Size/MD5 checksum: 1856087 be9e6be1de8d3dd818185d596b41a7f1
Architecture independent components:
http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.2.6-3_all.deb
Size/MD5 checksum: 1840798 13cfdb962ff49d27edee7ec6686a8265
These files will probably be moved into the stable distribution on
its next update.
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [email protected]
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>