Lucene search

K
centosCentOS ProjectCESA-2006:0283
HistoryMay 03, 2006 - 5:43 p.m.

squirrelmail security update

2006-05-0317:43:37
CentOS Project
lists.centos.org
60

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.012 Low

EPSS

Percentile

85.3%

CentOS Errata and Security Advisory CESA-2006:0283

SquirrelMail is a standards-based webmail package written in PHP4.

A bug was found in the way SquirrelMail presents the right frame to the
user. If a user can be tricked into opening a carefully crafted URL, it is
possible to present the user with arbitrary HTML data. (CVE-2006-0188)

A bug was found in the way SquirrelMail filters incoming HTML email. It is
possible to cause a victim’s web browser to request remote content by
opening a HTML email while running a web browser that processes certain
types of invalid style sheets. Only Internet Explorer is known to process
such malformed style sheets. (CVE-2006-0195)

A bug was found in the way SquirrelMail processes a request to select an
IMAP mailbox. If a user can be tricked into opening a carefully crafted
URL, it is possible to execute arbitrary IMAP commands as the user viewing
their mail with SquirrelMail. (CVE-2006-0377)

Users of SquirrelMail are advised to upgrade to this updated package, which
contains SquirrelMail version 1.4.6 and is not vulnerable to these issues.

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2006-May/075024.html
https://lists.centos.org/pipermail/centos-announce/2006-May/075025.html
https://lists.centos.org/pipermail/centos-announce/2006-May/075027.html
https://lists.centos.org/pipermail/centos-announce/2006-May/075029.html
https://lists.centos.org/pipermail/centos-announce/2006-May/075033.html
https://lists.centos.org/pipermail/centos-announce/2006-May/075035.html
https://lists.centos.org/pipermail/centos-announce/2006-May/075036.html
https://lists.centos.org/pipermail/centos-announce/2006-May/075039.html
https://lists.centos.org/pipermail/centos-announce/2006-May/075040.html

Affected packages:
squirrelmail

Upstream details at:
https://access.redhat.com/errata/RHSA-2006:0283

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.012 Low

EPSS

Percentile

85.3%