Bug 24454 - squirrelmail new XSS security issues
Summary: squirrelmail new XSS security issues
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-03-01 23:31 CET by David Walser
Modified: 2019-04-10 23:26 CEST

See Also:
Source RPM: squirrelmail-1.4.23-0.svn20180505.3.mga7.src.rpm
CVE:
Status comment: Fixes available in upstream SVN


Description David Walser 2019-03-01 23:31:12 CET
Squirrelmail has fixed some XSS issues in SVN:
https://www.openwall.com/lists/oss-security/2019/03/01/2

Hanno also linked to fixes for other bugs.
David Walser 2019-03-01 23:31:46 CET

Status comment: (none) => Fixes available in upstream SVN
Whiteboard: (none) => MGA6TOO

Marc Krämer 2019-03-22 10:54:58 CET

Assignee: php => mageia
CC: (none) => mageia

Comment 1 Marc Krämer 2019-03-22 12:02:06 CET
Suggested advisory:
========================
Updated squirrelmail packages to fix a small XSS-security issue.

References:
https://www.openwall.com/lists/oss-security/2019/03/01/2
========================

Updated packages in core/updates_testing:
========================
squirrelmail-1.4.22-16.2.mga6

Source RPMs:
squirrelmail-1.4.22-16.2.mga6.src.rpm

Assignee: mageia => qa-bugs

Thomas Backlund 2019-03-22 21:10:09 CET

CC: (none) => tmb
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6

Comment 2 Herman Viaene 2019-03-23 13:54:17 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues, apart from the remark there are no new language rpm's?

Followed bug 22793 Comment 6 and my own in bug 23366, apart from the fact that there is no "mail" group on this laptop, so I just skipped the chgrp command.
Dovecot was already on this laptop, so after restarting httpd, I have been able to send, receive, answer, and receive the answer between the two users.
OK for me.

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Comment 3 Thomas Andrews 2019-04-05 00:23:06 CEST
No installation issues in 64-bit. Sending this one on its way.

Validating. Suggested advisory in Comment 1.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2019-04-10 21:31:36 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 4 Mageia Robot 2019-04-10 23:26:33 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0136.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

