(RHSA-2004:654) squirrelmail security update

2004-12-23T05:00:00
ID RHSA-2004:654
Type redhat
Reporter RedHat
Modified 2017-07-28T09:44:02

Description

SquirrelMail is a webmail package written in PHP.

A cross-site scripting bug has been found in SquirrelMail. This issue could allow an attacker to send a mail with a carefully crafted header, which could result in causing the victim's machine to execute a malicious script. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-1036 to this issue.

Additionally, the following issues have been addressed:

  • updated splash screens
  • HIGASHIYAMA Masato's patch to improve Japanese support
  • real 1.4.3a tarball
  • config_local.php and default_pref in /etc/squirrelmail/ to match upstream
    RPM.

Please note that it is possible that upgrading to this package may remove your SquirrelMail configuration files due to a bug in the RPM package. Upgrading will prevent this from happening in the future.

Users of SquirrelMail are advised to upgrade to this updated package which contains a patched version of SquirrelMail version 1.43a and is not vulnerable to these issues.