Debian Security Advisory 662-2 - Andrew Archibald discovered that the last update to squirrelmail, which was intended to fix several problems, caused a regression that is exposed when the user hits a session timeout.
30570cad6d9a79ce284b36f9cf85e7b18ef089817e6634baac61546c0fb4cb6e
Debian Security Advisory 662-1 - Several vulnerabilities have been discovered in SquirrelMail, a commonly used webmail system. Upstream developers noticed that an unsanitized variable could lead to cross-site scripting. Grant Hollingworth discovered that under certain circumstances URL manipulation could lead to the execution of arbitrary code with the privileges of www-data. This problem only exists in version 1.2.6 of SquirrelMail.
2f1b470ff1e1b6b6d1992aa09267ff6a4ccd36243f44f033382e76d37b0a7dff
SquirrelMail Security Advisory - SquirrelMail 1.4.4 has been released to resolve a number of security issues. Manoel Zaninetti reported an issue in src/webmail.php that would allow a crafted URL to include a remote web page. A possible cross-site scripting issue exists in src/webmail.php that is only accessible when the PHP installation is running with register_globals set to On.
5773619867fb37cf0ce9656875f5125f481bb03dec469652efec6634f72bd105