exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

FLSA-2006-190884.txt

FLSA-2006-190884.txt
Posted Jun 11, 2006
Site fedoralegacy.org

Fedora Legacy Update Advisory: FLSA:190884 - Updated squirrelmail package fixes security issues.

tags | advisory
systems | linux, fedora
SHA-256 | ad9bdc6fac6d6604d850286db5fc0e5f4f4d12d654dd15c972aacd0ed0836ea2

FLSA-2006-190884.txt

Change Mirror Download
---------------------------------------------------------------------
Fedora Legacy Update Advisory

Synopsis: Updated squirrelmail package fixes security issues
Advisory ID: FLSA:190884
Issue date: 2006-06-06
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CVE-2006-0188 CVE-2006-0195 CVE-2006-0377
---------------------------------------------------------------------


---------------------------------------------------------------------
1. Topic:

An updated squirrelmail package that fixes three security issues is now
available.

SquirrelMail is a standards-based webmail package written in PHP4.

2. Relevant releases/architectures:

Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386
Fedora Core 3 - i386, x86_64

3. Problem description:

A bug was found in the way SquirrelMail presents the right frame to the
user. If a user can be tricked into opening a carefully crafted URL, it
is possible to present the user with arbitrary HTML data.
(CVE-2006-0188)

A bug was found in the way SquirrelMail filters incoming HTML email. It
is possible to cause a victim's web browser to request remote content by
opening a HTML email while running a web browser that processes certain
types of invalid style sheets. Only Internet Explorer is known to
process such malformed style sheets. (CVE-2006-0195)

A bug was found in the way SquirrelMail processes a request to select an
IMAP mailbox. If a user can be tricked into opening a carefully crafted
URL, it is possible to execute arbitrary IMAP commands as the user
viewing their mail with SquirrelMail. (CVE-2006-0377)

Users of SquirrelMail are advised to upgrade to this updated package,
which contains SquirrelMail version 1.4.6 and is not vulnerable to these
issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which
are not installed but included in the list will not be updated. Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=190884

6. RPMs required:

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/squirrelmail-1.4.6-3.rh9.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/squirrelmail-1.4.6-3.rh9.1.legacy.noarch.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/squirrelmail-1.4.6-4.fc1.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/squirrelmail-1.4.6-4.fc1.1.legacy.noarch.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/squirrelmail-1.4.6-4.fc2.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/squirrelmail-1.4.6-4.fc2.1.legacy.noarch.rpm

Fedora Core 3:

SRPM:
http://download.fedoralegacy.org/fedora/3/updates/SRPMS/squirrelmail-1.4.6-4.fc3.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/3/updates/i386/squirrelmail-1.4.6-4.fc3.1.legacy.noarch.rpm

x86_64:
http://download.fedoralegacy.org/fedora/3/updates/x86_64/squirrelmail-1.4.6-4.fc3.1.legacy.noarch.rpm

7. Verification:

SHA1 sum Package Name
---------------------------------------------------------------------

rh9:
62ae72ed168667c97e1b6ccc5bc23dea6c374bcb
redhat/9/updates/i386/squirrelmail-1.4.6-3.rh9.1.legacy.noarch.rpm
51264756a2f2bb5d8e6f5b6d1d33dcba40f41a68
redhat/9/updates/SRPMS/squirrelmail-1.4.6-3.rh9.1.legacy.src.rpm

fc1:
0e2dbf765d4df6592fad31ff331a3101fd33674e
fedora/1/updates/i386/squirrelmail-1.4.6-4.fc1.1.legacy.noarch.rpm
7c6d183c795bfd1da1e872a74e7ff1f197afb93a
fedora/1/updates/SRPMS/squirrelmail-1.4.6-4.fc1.1.legacy.src.rpm

fc2:
36bc9ae701f8844d6369dde0f2d4a537b2dce85c
fedora/2/updates/i386/squirrelmail-1.4.6-4.fc2.1.legacy.noarch.rpm
60098c585bc6bab9df4e3883e3a0b0762fd4dc6d
fedora/2/updates/SRPMS/squirrelmail-1.4.6-4.fc2.1.legacy.src.rpm

fc3:
9e96352495249c4aa526b24729128696467ca728
fedora/3/updates/i386/squirrelmail-1.4.6-4.fc3.1.legacy.noarch.rpm
9e96352495249c4aa526b24729128696467ca728
fedora/3/updates/x86_64/squirrelmail-1.4.6-4.fc3.1.legacy.noarch.rpm
3003904d9a5594cb6e3ebb190930bb9d82d83f60
fedora/3/updates/SRPMS/squirrelmail-1.4.6-4.fc3.1.legacy.src.rpm


These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0188
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0195
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0377

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More
project details at http://www.fedoralegacy.org

---------------------------------------------------------------------

Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close