_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2009:110
http://www.mandriva.com/security/
_______________________________________________________________________

Package : squirrelmail
Date    : May 12, 2009
Affected: Corporate 4.0
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities have been identified and corrected in squirrelmail:

Two issues were fixed that both allowed an attacker to run arbitrary script (XSS) on almost any SquirrelMail page by getting the user to click on specially crafted SquirrelMail links (CVE-2009-1578).

An issue was fixed wherein input to the contrib/decrypt_headers.php script was not sanitized and allowed arbitrary script execution upon submission of certain values (CVE-2009-1578).

An issue was fixed that allowed arbitrary server-side code execution when SquirrelMail was configured to use the example map_yp_alias username mapping functionality (CVE-2009-1579).

An issue was fixed that allowed an attacker to possibly steal user data by hijacking the SquirrelMail login session (CVE-2009-1580).

An issue was fixed that allowed phishing and cross-site scripting (XSS) attacks to be run by surreptitious placement of content in specially crafted emails sent to SquirrelMail users (CVE-2009-1581).

Additionally, many of the bundled plugins have been upgraded. This update is essentially a synchronization with the latest squirrelmail package found in Mandriva Cooker; the rpm changelog lists all the changes (rpm -q --changelog squirrelmail).

The updated packages have been upgraded to the latest version of squirrelmail to prevent this.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1578
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1579
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1580
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1581
_______________________________________________________________________

Updated Packages:

Corporate 4.0 (i586) and Corporate 4.0/X86_64: squirrelmail-1.4.18-0.1.20060mlcs4 (noarch binary packages, their language sub-packages, and the source package corporate/4.0/SRPMS/squirrelmail-1.4.18-0.1.20060mlcs4.src.rpm); the per-file MD5 checksums are carried in the original signed advisory.
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

 gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

 http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

 security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team