Ubuntu has issued an advisory on December 10: https://ubuntu.com/security/notices/USN-4669-1 Mageia 7 is also affected. There's also Bug 26842 still to address.
Whiteboard: (none) => MGA7TOO
Blocks: (none) => 26842
This is for you David W, per maintdb.txt... So, assigning for you.
Assignee: bugsquad => luigiwalser
CC: (none) => ouaurelien
CC: (none) => mageia
We should consider dropping squirrelmail. The official site is unchanged since 2011 (1.4.22). It does not really look like there is any active development going on. I can patch it for mga7. Should we drop it for mga8?
Yeah, I doubt it will work with PHP 8.
Hi Marc, I see you took care of Bug 26842 also (thanks!). Do we have all of the patches from here? https://github.com/hannob/squirrelpatches/tree/main/patches
Package list for the current build:
squirrelmail-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-poutils-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-cyrus-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-ar-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-bg-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-bn-india-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-bn-bangladesh-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-ca-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-cs-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-cy-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-da-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-de-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-el-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-es-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-et-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-eu-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-fa-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-fi-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-fo-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-fr-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-fy-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-he-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-hr-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-hu-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-id-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-is-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-it-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-ja-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-ko-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-lt-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-ms-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-nb-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-nl-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-nn-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-pl-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-pt-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-ro-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-ru-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-sk-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-sl-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-sr-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-sv-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-tr-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-ug-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-uk-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-vi-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-zh_CN-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-zh_TW-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-ka-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-km-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-lv-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-mk-1.4.23-0.svn20201220_0200.1.mga7
squirrelmail-ta-1.4.23-0.svn20201220_0200.1.mga7
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
@David: just the security patch. All others are "just" warnings. I really don't think there are (many) users, so if you don't mind, I will drop this package for mga8.
Ok.
Assignee: luigiwalser => qa-bugs
Advisory:
========================

Updated squirrelmail packages fix security vulnerabilities:

XSS was discovered in SquirrelMail through 1.4.22. Due to improper handling of RCDATA and RAWTEXT type elements, the built-in sanitization mechanism can be bypassed. Malicious script content from HTML e-mail can be executed within the application context via crafted use of (for example) a NOEMBED, NOFRAMES, NOSCRIPT, or TEXTAREA element (CVE-2019-12970).

An unsafe use of unserialize() in compose.php has also been fixed.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12970
https://www.openwall.com/lists/oss-security/2020/06/20/1
https://ubuntu.com/security/notices/USN-4669-1
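The advisory names two bug classes: an HTML sanitizer that disagrees with the browser about RAWTEXT/RCDATA element content, and unserialize() run on data the user controls. The following is an added illustrative example of defensive handling for both, written here for this thread; it is not SquirrelMail code and not the patch shipped in this update. The element list, the function names and the sample inputs are assumptions of the example.

```php
<?php
// Added example (not SquirrelMail's code): two defensive helpers for the
// vulnerability classes described in the advisory above.

// Elements whose content browsers tokenize as RAWTEXT or RCDATA, i.e. as
// text up to the matching end tag, not as markup. A tag-by-tag sanitizer
// that instead treats the inside as ordinary markup ends up with a
// different view of the document than the browser. For untrusted HTML
// mail the simplest safe policy is to drop such elements together with
// their content before any further filtering runs.
const RAWTEXT_ELEMENTS = [
    'noembed', 'noframes', 'noscript', 'textarea', // named in the advisory
    'title', 'xmp', 'iframe', 'script', 'style',    // same tokenizer states
];

function strip_rawtext_elements(string $html): string
{
    $names = implode('|', array_map('preg_quote', RAWTEXT_ELEMENTS));
    // Element with its matching end tag: remove it and everything inside.
    $html = preg_replace('#<(' . $names . ')\b[^>]*>.*?</\1\s*>#is', '', $html);
    // Unterminated element: the browser treats the rest of the input as
    // text of that element, so drop the rest as well.
    $html = preg_replace('#<(' . $names . ')\b[^>]*>.*$#is', '', $html);
    return $html;
}

// unserialize() on attacker-controlled bytes can instantiate arbitrary
// classes and run their __wakeup()/__destruct() methods. Refuse every
// class and reject any payload that still contains one.
function safe_unserialize(string $data)
{
    $value = @unserialize($data, ['allowed_classes' => false]);
    if ($value === false && $data !== serialize(false)) {
        return null; // malformed input
    }
    $hasObject = is_object($value); // __PHP_Incomplete_Class at top level
    if (is_array($value)) {
        array_walk_recursive($value, function ($leaf) use (&$hasObject) {
            if (is_object($leaf)) {
                $hasObject = true;
            }
        });
    }
    return $hasObject ? null : $value;
}

// Self-check with constructed sample inputs (run with `php this_file.php`).
if (PHP_SAPI === 'cli') {
    $mail = '<p>Hello</p><textarea>draft</textarea><noscript>hidden</noscript><p>Bye</p>';
    assert(strip_rawtext_elements($mail) === '<p>Hello</p><p>Bye</p>');
    assert(strip_rawtext_elements('<p>a</p><NOFRAMES>rest') === '<p>a</p>');

    $plain  = 'a:1:{s:4:"name";s:5:"alice";}';            // plain array
    $object = 'a:1:{s:1:"o";O:8:"stdClass":0:{}}';        // nested object
    assert(safe_unserialize($plain) === ['name' => 'alice']);
    assert(safe_unserialize($object) === null);
    assert(safe_unserialize('not serialized') === null);
    echo "checks passed\n";
}
```

The regex-based stripper is deliberately coarse: it trades fidelity for certainty that nothing in those elements reaches the next stage. A real mail client should run an HTML5-conformant parser over the message and serialize the sanitized tree back out, so that both sides of the pipeline share one tokenizer. For the second helper, storing compose state as JSON instead of PHP serialization removes the object-instantiation surface entirely, which is the better fix where the format can be changed.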
Installed squirrelmail, dovecot, and dependencies, then got the pending updates for dovecot and squirrelmail. No installation issues. To test, I more or less used the procedure outlined by Dave Hodgins in Bug 20703. A bit of stumbling along the way, but eventually I was able to set up the server and log in. Since the package is being dropped for Mageia 8 (Comment 6), I don't see the need to go further in this test. Giving it an OK, and validating. Advisory in Comment 8, package list in Comment 5.
Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Advisory pushed to SVN.
CVE: (none) => CVE-2019-12970
Keywords: (none) => advisory
Source RPM: squirrelmail-1.4.23-0.svn20191227_0200.2.mga8.src.rpm => squirrelmail-1.4.23-0.svn20190322_0200.1.mga7.src.rpm
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0010.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED