| Summary: | squirrelmail several new XSS security issues (CVE-2018-1495[0-5]) | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, brtians1, herman.viaene, mageia, marja11, sysadmin-bugs, tmb |
| Version: | 6 | Keywords: | advisory, has_procedure, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA6-32-OK MGA6-64-OK | | |
| Source RPM: | squirrelmail-1.4.23-0.svn20180505.1.mga7.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser, 2018-07-29 19:36:16 CEST

David Walser, 2018-07-29 19:36:39 CEST
CC: (none) => mageia

You're the registered maintainer, David ;-)

CC: (none) => marja11

@David: I've had a look into the fixes. Do you still use squirrelmail? From my perspective, I would say we can apply these changes.

Hi Marc. I don't think I've used it in 16 years. You can apply the fixes if you don't mind.
Marc Krämer, 2018-07-31 18:26:53 CEST
Assignee: luigiwalser => mageia

Suggested advisory:
========================

Updated squirrelmail packages fix XSS security vulnerability:

It was discovered that some special tags have not been filtered accordingly, which can be used for an XSS attack.

References:
https://sourceforge.net/p/squirrelmail/bugs/2831/
========================

Updated packages in core/updates_testing:
========================
squirrelmail-1.4.22-15.2.mga6
squirrelmail-poutils-1.4.22-15.2.mga6
squirrelmail-cyrus-1.4.22-15.2.mga6
squirrelmail-ar-1.4.22-15.2.mga6
squirrelmail-bg-1.4.22-15.2.mga6
squirrelmail-bn-india-1.4.22-15.2.mga6
squirrelmail-bn-bangladesh-1.4.22-15.2.mga6
squirrelmail-ca-1.4.22-15.2.mga6
squirrelmail-cs-1.4.22-15.2.mga6
squirrelmail-cy-1.4.22-15.2.mga6
squirrelmail-da-1.4.22-15.2.mga6
squirrelmail-de-1.4.22-15.2.mga6
squirrelmail-el-1.4.22-15.2.mga6
squirrelmail-es-1.4.22-15.2.mga6
squirrelmail-et-1.4.22-15.2.mga6
squirrelmail-eu-1.4.22-15.2.mga6
squirrelmail-fa-1.4.22-15.2.mga6
squirrelmail-fi-1.4.22-15.2.mga6
squirrelmail-fo-1.4.22-15.2.mga6
squirrelmail-fr-1.4.22-15.2.mga6
squirrelmail-fy-1.4.22-15.2.mga6
squirrelmail-he-1.4.22-15.2.mga6
squirrelmail-hr-1.4.22-15.2.mga6
squirrelmail-hu-1.4.22-15.2.mga6
squirrelmail-id-1.4.22-15.2.mga6
squirrelmail-is-1.4.22-15.2.mga6
squirrelmail-it-1.4.22-15.2.mga6
squirrelmail-ja-1.4.22-15.2.mga6
squirrelmail-ko-1.4.22-15.2.mga6
squirrelmail-lt-1.4.22-15.2.mga6
squirrelmail-ms-1.4.22-15.2.mga6
squirrelmail-nb-1.4.22-15.2.mga6
squirrelmail-nl-1.4.22-15.2.mga6
squirrelmail-nn-1.4.22-15.2.mga6
squirrelmail-pl-1.4.22-15.2.mga6
squirrelmail-pt-1.4.22-15.2.mga6
squirrelmail-ro-1.4.22-15.2.mga6
squirrelmail-ru-1.4.22-15.2.mga6
squirrelmail-sk-1.4.22-15.2.mga6
squirrelmail-sl-1.4.22-15.2.mga6
squirrelmail-sr-1.4.22-15.2.mga6
squirrelmail-sv-1.4.22-15.2.mga6
squirrelmail-tr-1.4.22-15.2.mga6
squirrelmail-ug-1.4.22-15.2.mga6
squirrelmail-uk-1.4.22-15.2.mga6
squirrelmail-vi-1.4.22-15.2.mga6
squirrelmail-zh_CN-1.4.22-15.2.mga6
squirrelmail-zh_TW-1.4.22-15.2.mga6
squirrelmail-ka-1.4.22-15.2.mga6
squirrelmail-km-1.4.22-15.2.mga6
squirrelmail-lv-1.4.22-15.2.mga6
squirrelmail-mk-1.4.22-15.2.mga6
squirrelmail-ta-1.4.22-15.2.mga6

Source RPMs:
squirrelmail-1.4.22-15.2.mga6.src.rpm
Marc Krämer, 2018-07-31 18:31:21 CEST
Assignee: mageia => qa-bugs
Thomas Backlund, 2018-08-03 09:16:36 CEST
CC: (none) => tmb

MGA6-32 MATE in Dutch on IBM Thinkpad R50e

At installation I expected that selecting squirrelmail would draw in the nl language pack automatically, as other packages do. I had to do it manually, but even then squirrelmail displays in pure English. Googling taught me that I had to change the Display preferences in the squirrelmail "Options" page.

Followed Brian's lead in bug 22793 Comment 6. Created an additional user squitest on the system, initiated the folders and files on this and my regular user as shown, and I have been able to send and reply to mail between these two users. OK for me.

CC: (none) => herman.viaene

mga6-64 xfce in US English on VBOX

Installed as per instructions in bug 22793 Comment 6. Created a new user and emailed back and forth on the local host. Working as far as I can tell.

Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK

With OKs in both arches, this looks good to go to me. Validating. Suggested advisory in comment 4.

CC: (none) => andrewsfarm, sysadmin-bugs
Thomas Backlund, 2018-08-31 21:46:47 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0357.html

Status: NEW => RESOLVED

These got CVE-2018-1495[0-5]:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CVXTYMZ35IC5KPNMAE6BWAQWURMX7KZO/

Summary: squirrelmail several new XSS security issues => squirrelmail several new XSS security issues (CVE-2018-1495[0-5])

@David: there is only some development in svn, but no real releases! I suggest switching to an updated svn version (at least for mga7) and maybe dropping this package for mga8.

I think we already have the latest security fixes, but it would make sense to update to the same svn snapshot that Fedora did (in Cauldron). I appreciate your help in maintaining this one. Since we lost our roundcubemail maintainer, this has actually been our only maintained webmail package.

Since roundcube is PHP too, I can maintain this. Squirrel is very simple. Roundcube is a more modern mail frontend.

I know squirrelmail is not very active, but I guess enough people out there still care about it with these security issues getting fixed. The only remaining concern is whether it continues to work with new versions of PHP. I guess we'll see.