Yellow Dog Linux Security Advisory: YDU-20030602-2

security yellowdog-updates@lists.terrasoftsolutions.com
Tue, 03 Jun 2003 15:04:34 -0600 

Yellow Dog Linux Security Announcement
--------------------------------------

Package:	squirrelmail
Issue Date:	Jun 02,2003
Priority:	medium
Advisory ID: 	YDU-20030602-2


1. 	Topic:

	Updated squirrelmail packages are available.


2. 	Problem:

	"SquirrelMail is a webmail package written in PHP. Multiple vulnerabilities
	have been found which affect versions of SquirrelMail shipped with Red Hat
	Linux 8.0 and Red Hat Linux 9.

	Cross-site scripting vulnerabilities in SquirrelMail version 1.2.10 and
	earlier allow remote attackers to execute script as other Web users via
	mailbox displays, message displays, or search results displays. The Common
	Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
	CAN-2003-0160 to these issues.

	All users are advised to upgrade to these errata packages containing
	SquirrelMail version 1.2.11, which is not vulnerable to these issues."
	
	(From Red Hat Advisory)

3. 	Solution:

     	a) Updating via apt...
     	We suggest that you use the apt-get program to keep your
     	system up-to-date. The following command(s) will retrieve
     	and install the fixed version of this update onto your system:

		apt-get update
		apt-get install squirrelmail

     	b) Updating manually...
	Download the updates below and then run the following rpm command.
     	(Please use a mirror site)

		rpm -Fvh [filenames]
		Yellow Dog Linux 3.0
		ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-3.0/
			ppc/squirrelmail-1.2.11-1.noarch.rpm

4. Verification

MD5 checksum			  Package
--------------------------------  ----------------------------
[Yellow Dog Linux 3.0]
ffc1ebdb9290f8155edd26d609281143  SRPMS/squirrelmail-1.2.11-1.src.rpm
0862041c9681b723b3c0dc2e755f73be  ppc/squirrelmail-1.2.11-1.noarch.rpm

If you wish to verify that each package has not been corrupted or
tampered with,
examine the md5sum with the following command: md5sum <filename>


5. Misc.

Terra Soft has setup a moderated mailing list where these security,
bugfix, and package
enhancement announcements will be posted. See
http://lists.terrasoftsolutions.com/ for more
information.

For information regarding the usage of apt-get, see:
http://www.yellowdoglinux.com/support/solutions/ydl_general/apt-get.shtml