---------------------------------------------------------------------
                   Fedora Legacy Update Advisory

Synopsis:          Updated squirrelmail package fixes security issues
Advisory ID:       FLSA:190884
Issue date:        2006-06-06
Product:           Red Hat Linux, Fedora Core
Keywords:          Bugfix
CVE Names:         CVE-2006-0188 CVE-2006-0195 CVE-2006-0377
---------------------------------------------------------------------

---------------------------------------------------------------------
1. Topic:

An updated squirrelmail package that fixes three security issues is
now available.

SquirrelMail is a standards-based webmail package written in PHP4.

2. Relevant releases/architectures:

Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386
Fedora Core 3 - i386, x86_64

3. Problem description:

A bug was found in the way SquirrelMail presents the right frame to
the user. If a user can be tricked into opening a carefully crafted
URL, it is possible to present the user with arbitrary HTML data.
(CVE-2006-0188)

A bug was found in the way SquirrelMail filters incoming HTML email.
It is possible to cause a victim's web browser to request remote
content by opening an HTML email while running a web browser that
processes certain types of invalid style sheets. Only Internet
Explorer is known to process such malformed style sheets.
(CVE-2006-0195)

A bug was found in the way SquirrelMail processes a request to select
an IMAP mailbox. If a user can be tricked into opening a carefully
crafted URL, it is possible to execute arbitrary IMAP commands as the
user viewing their mail with SquirrelMail. (CVE-2006-0377)

Users of SquirrelMail are advised to upgrade to this updated package,
which contains SquirrelMail version 1.4.6 and is not vulnerable to
these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only
those RPMs which are currently installed will be updated. Those RPMs
which are not installed but included in the list will not be updated.
Note that you can also use wildcards (*.rpm) if your current directory
*only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=190884

6. RPMs required:

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/squirrelmail-1.4.6-3.rh9.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/squirrelmail-1.4.6-3.rh9.1.legacy.noarch.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/squirrelmail-1.4.6-4.fc1.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/squirrelmail-1.4.6-4.fc1.1.legacy.noarch.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/squirrelmail-1.4.6-4.fc2.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/squirrelmail-1.4.6-4.fc2.1.legacy.noarch.rpm

Fedora Core 3:

SRPM:
http://download.fedoralegacy.org/fedora/3/updates/SRPMS/squirrelmail-1.4.6-4.fc3.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/3/updates/i386/squirrelmail-1.4.6-4.fc3.1.legacy.noarch.rpm

x86_64:
http://download.fedoralegacy.org/fedora/3/updates/x86_64/squirrelmail-1.4.6-4.fc3.1.legacy.noarch.rpm

7. Verification:

SHA1 sum                                 Package Name
---------------------------------------------------------------------
rh9:
62ae72ed168667c97e1b6ccc5bc23dea6c374bcb redhat/9/updates/i386/squirrelmail-1.4.6-3.rh9.1.legacy.noarch.rpm
51264756a2f2bb5d8e6f5b6d1d33dcba40f41a68 redhat/9/updates/SRPMS/squirrelmail-1.4.6-3.rh9.1.legacy.src.rpm

fc1:
0e2dbf765d4df6592fad31ff331a3101fd33674e fedora/1/updates/i386/squirrelmail-1.4.6-4.fc1.1.legacy.noarch.rpm
7c6d183c795bfd1da1e872a74e7ff1f197afb93a fedora/1/updates/SRPMS/squirrelmail-1.4.6-4.fc1.1.legacy.src.rpm

fc2:
36bc9ae701f8844d6369dde0f2d4a537b2dce85c fedora/2/updates/i386/squirrelmail-1.4.6-4.fc2.1.legacy.noarch.rpm
60098c585bc6bab9df4e3883e3a0b0762fd4dc6d fedora/2/updates/SRPMS/squirrelmail-1.4.6-4.fc2.1.legacy.src.rpm

fc3:
9e96352495249c4aa526b24729128696467ca728 fedora/3/updates/i386/squirrelmail-1.4.6-4.fc3.1.legacy.noarch.rpm
9e96352495249c4aa526b24729128696467ca728 fedora/3/updates/x86_64/squirrelmail-1.4.6-4.fc3.1.legacy.noarch.rpm
3003904d9a5594cb6e3ebb190930bb9d82d83f60 fedora/3/updates/SRPMS/squirrelmail-1.4.6-4.fc3.1.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key
is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0188
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0195
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0377

9. Contact:

The Fedora Legacy security contact is <secnotice@xxxxxxxxxxxxxxxx>.
More project details at http://www.fedoralegacy.org
---------------------------------------------------------------------
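The advisory gives the verification steps of section 7 (sha1sum, rpm --checksig) and the install step of section 4 (rpm -Fvh) as separate manual commands. The following script is an added example, not part of the Fedora Legacy advisory, that chains them in the safe order: it turns the advisory's "SHA1 sum / Package Name" table into a manifest for `sha1sum -c`, refuses to install if any file is missing or mismatched, then checks the GPG signatures and only then freshens the packages. The script name, its function names, and the assumption that the advisory text has been saved to a file and all downloaded RPMs sit in one directory are mine; the SHA1 values and package names it matches are whatever the advisory file contains.

```sh
#!/bin/sh
# verify_and_apply.sh -- added example; not part of the Fedora Legacy advisory.
# Usage: verify_and_apply.sh ADVISORY.txt DOWNLOAD_DIR
#
# 1. Turn the advisory's "SHA1 sum  Package Name" table into a manifest
#    that sha1sum -c understands.
# 2. Check the downloaded RPMs against it (integrity: a SHA1 match shows
#    the file was not corrupted or swapped in transit, not who built it).
# 3. Check the GPG signatures with rpm --checksig (authenticity).
# 4. Only then apply the update with rpm -Fvh, as section 4 describes.

# Keep only lines of the form "<40 hex digits> <mirror-relative path>" and
# reduce the path to its basename: the advisory lists paths relative to
# the mirror root, while the downloaded files sit together in one
# directory. Header lines and "fc3:" labels are dropped by the length test.
advisory_to_manifest() {
    # $1: text file holding the advisory (or just its Verification section)
    awk 'length($1) == 40 && $1 ~ /^[0-9a-f]+$/ && NF >= 2 {
             n = split($2, parts, "/"); print $1 "  " parts[n]
         }' "$1"
}

# Verify every file named in the manifest inside the download directory.
# sha1sum -c returns non-zero if any file is missing or its digest differs.
verify_packages() {
    manifest=$1; dir=$2
    # sha1sum -c runs inside $dir, so the manifest path must be absolute.
    case $manifest in /*) ;; *) manifest=$PWD/$manifest ;; esac
    (cd "$dir" && sha1sum -c "$manifest")
}

# Check the RPM GPG signatures. The Fedora Legacy key must have been
# imported into the rpm database beforehand (rpm --import <keyfile>);
# without it rpm reports the key as missing and the check fails.
check_signatures() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not found; cannot verify signatures" >&2
        return 1
    fi
    rpm --checksig -v "$@"
}

main() {
    adv=$1; dir=$2
    manifest=$dir/SHA1SUMS.advisory
    advisory_to_manifest "$adv" > "$manifest"
    verify_packages "$manifest" "$dir" || {
        echo "checksum mismatch or missing file; not installing" >&2
        return 1
    }
    check_signatures "$dir"/*.rpm || {
        echo "signature check failed; not installing" >&2
        return 1
    }
    # -F (freshen) upgrades only packages that are already installed,
    # which is the behaviour section 4 of the advisory describes.
    rpm -Fvh "$dir"/*.rpm
}

if [ "$#" -eq 2 ]; then
    main "$@"
fi
```

Save the advisory mail as plain text, download the RPMs for your release into one directory, import the Fedora Legacy key, and run the script as root with those two arguments; the manifest it writes is left in the directory so the check can be repeated by hand with `sha1sum -c SHA1SUMS.advisory`.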