(RHSA-2009:1490) Moderate: squirrelmail security update

2009-10-0800:00:00

access.redhat.com

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.004 Low

EPSS

Percentile

70.7%

JSON

SquirrelMail is a standards-based webmail package written in PHP.

Form submissions in SquirrelMail did not implement protection against
Cross-Site Request Forgery (CSRF) attacks. If a remote attacker tricked a
user into visiting a malicious web page, the attacker could hijack that
user’s authentication, inject malicious content into that user’s
preferences, or possibly send mail without that user’s permission.
(CVE-2009-2964)

Users of SquirrelMail should upgrade to this updated package, which
contains a backported patch to correct these issues.

OSVersionArchitecturePackageVersionFilename
RedHat5noarchsquirrelmail< 1.4.8-5.el5_4.10squirrelmail-1.4.8-5.el5_4.10.noarch.rpm
RedHat4noarchsquirrelmail< 1.4.8-5.el4_8.8squirrelmail-1.4.8-5.el4_8.8.noarch.rpm
RedHat5srcsquirrelmail< 1.4.8-5.el5_4.10squirrelmail-1.4.8-5.el5_4.10.src.rpm
RedHat4srcsquirrelmail< 1.4.8-5.el4_8.8squirrelmail-1.4.8-5.el4_8.8.src.rpm

OS	Version	Architecture	Package	Version	Filename
RedHat	5	noarch	squirrelmail	< 1.4.8-5.el5_4.10	squirrelmail-1.4.8-5.el5_4.10.noarch.rpm
RedHat	4	noarch	squirrelmail	< 1.4.8-5.el4_8.8	squirrelmail-1.4.8-5.el4_8.8.noarch.rpm
RedHat	5	src	squirrelmail	< 1.4.8-5.el5_4.10	squirrelmail-1.4.8-5.el5_4.10.src.rpm
RedHat	4	src	squirrelmail	< 1.4.8-5.el4_8.8	squirrelmail-1.4.8-5.el4_8.8.src.rpm