A security issue in squirrelmail has been announced today (April 19):
http://openwall.com/lists/oss-security/2017/04/19/6

The patch is included in that message and has been added in Mageia 5 and Cauldron SVN (and pushed in Cauldron).

Giuseppe, do the other patches you added in Cauldron also need to be added to the Mageia 5 package? If so, please add them.
Apparently CVE-2017-5181 was also assigned for this vulnerability: http://openwall.com/lists/oss-security/2017/04/19/7
Synched with cauldron. src.rpm: squirrelmail-1.4.22-12.2.mga5
Assignee: ghibomgx => qa-bugs
CC: (none) => mageia
Advisory:
========================

Updated squirrelmail packages fix security vulnerability:

Squirrelmail version 1.4.22 (and probably prior) is vulnerable to a remote code execution vulnerability because it fails to sanitize a string before passing it to a popen call. It's possible to exploit this vulnerability to execute arbitrary shell commands on the remote server (CVE-2017-7692).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7692
http://openwall.com/lists/oss-security/2017/04/19/6
========================

Updated packages in core/updates_testing:
========================
squirrelmail-1.4.22-12.2.mga5
squirrelmail-poutils-1.4.22-12.2.mga5
squirrelmail-cyrus-1.4.22-12.2.mga5
squirrelmail-ar-1.4.22-12.2.mga5
squirrelmail-bg-1.4.22-12.2.mga5
squirrelmail-bn-india-1.4.22-12.2.mga5
squirrelmail-bn-bangladesh-1.4.22-12.2.mga5
squirrelmail-ca-1.4.22-12.2.mga5
squirrelmail-cs-1.4.22-12.2.mga5
squirrelmail-cy-1.4.22-12.2.mga5
squirrelmail-da-1.4.22-12.2.mga5
squirrelmail-de-1.4.22-12.2.mga5
squirrelmail-el-1.4.22-12.2.mga5
squirrelmail-es-1.4.22-12.2.mga5
squirrelmail-et-1.4.22-12.2.mga5
squirrelmail-eu-1.4.22-12.2.mga5
squirrelmail-fa-1.4.22-12.2.mga5
squirrelmail-fi-1.4.22-12.2.mga5
squirrelmail-fo-1.4.22-12.2.mga5
squirrelmail-fr-1.4.22-12.2.mga5
squirrelmail-fy-1.4.22-12.2.mga5
squirrelmail-he-1.4.22-12.2.mga5
squirrelmail-hr-1.4.22-12.2.mga5
squirrelmail-hu-1.4.22-12.2.mga5
squirrelmail-id-1.4.22-12.2.mga5
squirrelmail-is-1.4.22-12.2.mga5
squirrelmail-it-1.4.22-12.2.mga5
squirrelmail-ja-1.4.22-12.2.mga5
squirrelmail-ko-1.4.22-12.2.mga5
squirrelmail-lt-1.4.22-12.2.mga5
squirrelmail-ms-1.4.22-12.2.mga5
squirrelmail-nb-1.4.22-12.2.mga5
squirrelmail-nl-1.4.22-12.2.mga5
squirrelmail-nn-1.4.22-12.2.mga5
squirrelmail-pl-1.4.22-12.2.mga5
squirrelmail-pt-1.4.22-12.2.mga5
squirrelmail-ro-1.4.22-12.2.mga5
squirrelmail-ru-1.4.22-12.2.mga5
squirrelmail-sk-1.4.22-12.2.mga5
squirrelmail-sl-1.4.22-12.2.mga5
squirrelmail-sr-1.4.22-12.2.mga5
squirrelmail-sv-1.4.22-12.2.mga5
squirrelmail-tr-1.4.22-12.2.mga5
squirrelmail-ug-1.4.22-12.2.mga5
squirrelmail-uk-1.4.22-12.2.mga5
squirrelmail-vi-1.4.22-12.2.mga5
squirrelmail-zh_CN-1.4.22-12.2.mga5
squirrelmail-zh_TW-1.4.22-12.2.mga5
squirrelmail-ka-1.4.22-12.2.mga5
squirrelmail-km-1.4.22-12.2.mga5
squirrelmail-lv-1.4.22-12.2.mga5
squirrelmail-mk-1.4.22-12.2.mga5
squirrelmail-ta-1.4.22-12.2.mga5

from squirrelmail-1.4.22-12.2.mga5.src.rpm
Whiteboard: (none) => advisory
CC: (none) => davidwhodgins
MGA5-64 on Lenovo B50 KDE
No installation issues.
I can call squirrelmail-conf as root, but setting up is something for someone with experience with mail systems.
CC: (none) => herman.viaene
Testing on Mageia 5 i586

Getting imap working with dovecot ...
# urpmi dovecot
# systemctl start dovecot.service

As user dave
$ mkdir mail
$ mkdir mail/.imap
$ mkdir mail/.imap/INBOX
$ touch mail/.imap/INBOX/dovecot.index
$ touch mail/.imap/INBOX/dovecot.index.cache
$ touch mail/.imap/INBOX/dovecot.index.log

As root
# cd /home/dave/mail/.imap/INBOX/
# chgrp mail *

Then send a mail to dave from root.
# urpmi squirrelmail
# systemctl restart httpd.service

Login at https://i5v.hodgins.homeip.net/squirrelmail/src/login.php
Confirm messages can be read and sent.

Install the update, which gets the message ...
1/1: squirrelmail
warning: /etc/squirrelmail/plugins/avelsieve_config.php created as /etc/squirrelmail/plugins/avelsieve_config.php.rpmnew
#####################################################################################################
Merging changes between "/etc/squirrelmail/plugins/avelsieve_config.php" and "/etc/squirrelmail/plugins/avelsieve_config.php.rpmnew"...failed - orphaned options detected.

# systemctl restart httpd.service
Confirm squirrelmail still working.
Whiteboard: advisory => advisory MGA5-32-OK
Same testing on Mageia 5 x86_64 ok. Validating the update.
Whiteboard: advisory MGA5-32-OK => advisory MGA5-32-OK MGA5-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0121.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
*** Bug 20854 has been marked as a duplicate of this bug. ***
CC: (none) => zombie_ryushu