Yellow Dog Linux Security Advisory: YDU-20030602-2
security
yellowdog-updates@lists.terrasoftsolutions.com
Tue, 03 Jun 2003 15:04:34 -0600
Yellow Dog Linux Security Announcement
--------------------------------------
Package: squirrelmail
Issue Date: Jun 02,2003
Priority: medium
Advisory ID: YDU-20030602-2
1. Topic:
Updated squirrelmail packages are available.
2. Problem:
"SquirrelMail is a webmail package written in PHP. Multiple vulnerabilities
have been found which affect versions of SquirrelMail shipped with Red Hat
Linux 8.0 and Red Hat Linux 9.
Cross-site scripting vulnerabilities in SquirrelMail version 1.2.10 and
earlier allow remote attackers to execute script as other Web users via
mailbox displays, message displays, or search results displays. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2003-0160 to these issues.
All users are advised to upgrade to these errata packages containing
SquirrelMail version 1.2.11, which is not vulnerable to these issues."
(From Red Hat Advisory)
3. Solution:
a) Updating via apt...
We suggest that you use the apt-get program to keep your
system up-to-date. The following command(s) will retrieve
and install the fixed version of this update onto your system:
apt-get update
apt-get install squirrelmail
b) Updating manually...
Download the updates below and then run the following rpm command.
(Please use a mirror site)
rpm -Fvh [filenames]
Yellow Dog Linux 3.0
ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-3.0/
ppc/squirrelmail-1.2.11-1.noarch.rpm
4. Verification
MD5 checksum Package
-------------------------------- ----------------------------
[Yellow Dog Linux 3.0]
ffc1ebdb9290f8155edd26d609281143 SRPMS/squirrelmail-1.2.11-1.src.rpm
0862041c9681b723b3c0dc2e755f73be ppc/squirrelmail-1.2.11-1.noarch.rpm
If you wish to verify that each package has not been corrupted or
tampered with,
examine the md5sum with the following command: md5sum <filename>
5. Misc.
Terra Soft has setup a moderated mailing list where these security,
bugfix, and package
enhancement announcements will be posted. See
http://lists.terrasoftsolutions.com/ for more
information.
For information regarding the usage of apt-get, see:
http://www.yellowdoglinux.com/support/solutions/ydl_general/apt-get.shtml