Description:
The remote host is missing an update to squirrelmail announced via advisory FEDORA-2004-159.
SquirrelMail is a standards-based webmail package written in PHP4. It includes built-in pure PHP support for the IMAP and SMTP protocols, and all pages render in pure HTML 4.0 (with no Javascript) for maximum compatibility across browsers. It has very few requirements and is very easy to configure and install. SquirrelMail has all the functionality you would want from an email client, including strong MIME support, address books, and folder manipulation.
Update Information:
An SQL injection flaw was found in SquirrelMail version 1.4.2 and earlier. If SquirrelMail is configured to store user addressbooks in the database, a remote attacker could use this flaw to execute arbitrary SQL statements. The Common Vulnerabilities and Exposures project has assigned the name CVE-2004-0521 to this issue.
A number of cross-site scripting (XSS) flaws in SquirrelMail version 1.4.2 and earlier could allow remote attackers to execute scripts as other web users. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0519 and CVE-2004-0520 to these issues.
This update includes SquirrelMail version 1.4.3a, which is not vulnerable to these issues.
* Mon Jun 07 2004 Gary Benson 1.4.3-0.f1.1
- upgrade to 1.4.3a.
- retain stuff after version when adding release to it.
* Wed Jun 02 2004 Gary Benson
- upgrade to 1.4.3.
* Fri Feb 13 2004 Elliot Lee
- rebuilt.
* Wed Jan 21 2004 Gary Benson 1.4.2-2
- fix calendar plugin breakage (#113902).
* Thu Jan 08 2004 Gary Benson 1.4.2-1
- upgrade to 1.4.2.
- tighten up permissions on /etc/squirrelmail/config.php (#112774).
This update can be downloaded from: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/
be17fbe0ab2c017c9f8aafc407c3fb68 SRPMS/squirrelmail-1.4.3-0.f1.1.src.rpm
4c8288b42458e69e656230afd2a4a38f i386/squirrelmail-1.4.3-0.f1.1.noarch.rpm
4c8288b42458e69e656230afd2a4a38f x86_64/squirrelmail-1.4.3-0.f1.1.noarch.rpm
This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command.
Solution: Apply the appropriate updates. http://www.fedoranews.org/updates/FEDORA-2004-159.shtml
Risk factor : Critical
CVSS Score: 10.0