| Summary: | squirrelmail new security issue CVE-2019-12970 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, mageia, ouaurelien, sysadmin-bugs |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | squirrelmail-1.4.23-0.svn20190322_0200.1.mga7.src.rpm | CVE: | CVE-2019-12970 |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 26842 | ||
Description
David Walser
2020-12-15 00:38:43 CET

David Walser
2020-12-15 00:38:52 CET
Whiteboard: (none) => MGA7TOO

This is for you David W, per maintdb.txt... So, assigning for you.
Assignee: bugsquad => luigiwalser

David Walser
2020-12-15 16:11:00 CET
CC: (none) => mageia

We should consider dropping squirrelmail. The official site is unchanged since 2011 (1.4.22). It does not really look like there is any active development going on. I can patch it for mga7. Should we drop it for mga8?

Yeah, I doubt it will work with PHP 8. Hi Marc, I see you took care of Bug 26842 also (thanks!). Do we have all of the patches from here?
https://github.com/hannob/squirrelpatches/tree/main/patches

Package list for the current build:
squirrelmail-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-poutils-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-cyrus-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-ar-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-bg-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-bn-india-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-bn-bangladesh-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-ca-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-cs-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-cy-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-da-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-de-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-el-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-es-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-et-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-eu-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-fa-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-fi-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-fo-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-fr-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-fy-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-he-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-hr-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-hu-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-id-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-is-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-it-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-ja-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-ko-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-lt-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-ms-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-nb-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-nl-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-nn-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-pl-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-pt-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-ro-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-ru-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-sk-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-sl-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-sr-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-sv-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-tr-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-ug-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-uk-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-vi-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-zh_CN-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-zh_TW-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-ka-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-km-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-lv-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-mk-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-ta-1.4.23-0.svn20201220_0200.1.mga7
Version: Cauldron => 7

@David: just the security patch. All others are "just" warnings. I really don't think there are (many) users, so if you don't mind, I will drop this package for mga8.

Advisory:
========================

Updated squirrelmail packages fix security vulnerabilities:

XSS was discovered in SquirrelMail through 1.4.22. Due to improper handling of RCDATA and RAWTEXT type elements, the built-in sanitization mechanism can be bypassed. Malicious script content from HTML e-mail can be executed within the application context via crafted use of (for example) a NOEMBED, NOFRAMES, NOSCRIPT, or TEXTAREA element (CVE-2019-12970).

An unsafe use of unserialize() in compose.php has also been fixed.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12970
https://www.openwall.com/lists/oss-security/2020/06/20/1
https://ubuntu.com/security/notices/USN-4669-1

Installed squirrelmail, dovecot, and dependencies, then got the pending updates for dovecot and squirrelmail. No installation issues. To test, I more or less used the procedure outlined by Dave Hodgins in Bug 20703. A bit of stumbling along the way, but eventually I was able to set up the server and log in. Since the package is being dropped for Mageia 8 (Comment 6), I don't see the need to go further in this test. Giving it an OK, and validating.

Advisory in Comment 8, package list in Comment 5.
Keywords: (none) => validated_update

Advisory pushed to SVN.
CVE: (none) => CVE-2019-12970

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0010.html
Status: NEW => RESOLVED