Bug 24454

Summary: squirrelmail new XSS security issues
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, mageia, sysadmin-bugs, tmb
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-32-OK
Source RPM: squirrelmail-1.4.23-0.svn20180505.3.mga7.src.rpm CVE:
Status comment: Fixes available in upstream SVN

Description David Walser 2019-03-01 23:31:12 CET 
Squirrelmail has fixed some XSS issues in SVN:
https://www.openwall.com/lists/oss-security/2019/03/01/2

Hanno also linked to fixes for other bugs.
David Walser 2019-03-01 23:31:46 CET

Status comment: (none) => Fixes available in upstream SVN
Whiteboard: (none) => MGA6TOO

Marc Krämer 2019-03-22 10:54:58 CET

Assignee: php => mageia
CC: (none) => mageia

Comment 1 Marc Krämer 2019-03-22 12:02:06 CET 
Suggested advisory:
========================
Updated squirellmail packages to fix a small XSS-security issue.

References:
https://www.openwall.com/lists/oss-security/2019/03/01/2
========================

Updated packages in core/updates_testing:
========================
squirrelmail-1.4.22-16.2.mga6

Source RPMs:
squirrelmail-1.4.22-16.2.mga6.src.rpm

Assignee: mageia => qa-bugs

Thomas Backlund 2019-03-22 21:10:09 CET

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
CC: (none) => tmb

Comment 2 Herman Viaene 2019-03-23 13:54:17 CET 
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues, apart from the remark there are no new language rpm's?

Followed bug 22793 Comment 6 and my own in bug 23366, apart from the fact that there is no "mail" group on this laptop, so I just skipped the chgrp command.
Dovecot was already on this laptop, so after restarting httpd, I have been able to send, receive, answer and receiving the answer between the two user.
OK for me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK

Comment 3 Thomas Andrews 2019-04-05 00:23:06 CEST 
No installation issues in 64-bit. Sending this one on its way.

Validating. Suggested advisory in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2019-04-10 21:31:36 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 4 Mageia Robot 2019-04-10 23:26:33 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0136.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED