RHSA-2007:0358 - Security Advisory

Overview
Updated Packages

Synopsis

Moderate: squirrelmail security update

Type/Severity

Security Advisory: Moderate

Topic

A new squirrelmail package that fixes security issues is now available for
Red Hat Enterprise Linux 3, 4 and 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

Description

SquirrelMail is a standards-based webmail package written in PHP4.

Several HTML filtering bugs were discovered in SquirrelMail. An attacker
could inject arbitrary JavaScript leading to cross-site scripting attacks
by sending an e-mail viewed by a user within SquirrelMail.
(CVE-2007-1262)

Squirrelmail did not sufficiently check arguments to IMG tags in HTML
e-mail messages. This could be exploited by an attacker by sending
arbitrary e-mail messages on behalf of a squirrelmail user tricked into opening
a maliciously crafted HTML e-mail message. (CVE-2007-2589)

Users of SquirrelMail should upgrade to this erratum package, which
contains a backported patch to correct these issues.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Affected Products

Red Hat Enterprise Linux Server 5 x86_64
Red Hat Enterprise Linux Server 5 ia64
Red Hat Enterprise Linux Server 5 i386
Red Hat Enterprise Linux Server 4 x86_64
Red Hat Enterprise Linux Server 4 ia64
Red Hat Enterprise Linux Server 4 i386
Red Hat Enterprise Linux Server 3 x86_64
Red Hat Enterprise Linux Server 3 ia64
Red Hat Enterprise Linux Server 3 i386
Red Hat Enterprise Linux Server - Extended Update Support 4.5 x86_64
Red Hat Enterprise Linux Server - Extended Update Support 4.5 ia64
Red Hat Enterprise Linux Server - Extended Update Support 4.5 i386
Red Hat Enterprise Linux Workstation 5 x86_64
Red Hat Enterprise Linux Workstation 5 i386
Red Hat Enterprise Linux Workstation 4 x86_64
Red Hat Enterprise Linux Workstation 4 ia64
Red Hat Enterprise Linux Workstation 4 i386
Red Hat Enterprise Linux Workstation 3 x86_64
Red Hat Enterprise Linux Workstation 3 ia64
Red Hat Enterprise Linux Workstation 3 i386
Red Hat Enterprise Linux Desktop 4 x86_64
Red Hat Enterprise Linux Desktop 4 i386
Red Hat Enterprise Linux Desktop 3 x86_64
Red Hat Enterprise Linux Desktop 3 i386
Red Hat Enterprise Linux for IBM z Systems 5 s390x
Red Hat Enterprise Linux for IBM z Systems 4 s390x
Red Hat Enterprise Linux for IBM z Systems 4 s390
Red Hat Enterprise Linux for IBM z Systems 3 s390x
Red Hat Enterprise Linux for IBM z Systems 3 s390
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.5 s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.5 s390
Red Hat Enterprise Linux for Power, big endian 5 ppc
Red Hat Enterprise Linux for Power, big endian 4 ppc
Red Hat Enterprise Linux for Power, big endian 3 ppc
Red Hat Enterprise Linux for Power, big endian - Extended Update Support 4.5 ppc
Red Hat Enterprise Linux Server from RHUI 5 x86_64
Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

BZ - 239647 - CVE-2007-1262 XSS through HTML message in squirrelmail
BZ - 239828 - CVE-2007-2589 CSRF through HTML message in squirrelmail

CVEs

References

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux Server 5

SRPM
squirrelmail-1.4.8-4.0.1.el5.src.rpm	SHA-256: d72a663cc77af9873af1f0dd70d40430affe44949881de3623779c48d1ffdc77
x86_64
squirrelmail-1.4.8-4.0.1.el5.noarch.rpm	SHA-256: 561f6389e54c47f0da0d962b81322254b084f25bde7025317e382b0211a6be42
ia64
squirrelmail-1.4.8-4.0.1.el5.noarch.rpm	SHA-256: 561f6389e54c47f0da0d962b81322254b084f25bde7025317e382b0211a6be42
i386
squirrelmail-1.4.8-4.0.1.el5.noarch.rpm	SHA-256: 561f6389e54c47f0da0d962b81322254b084f25bde7025317e382b0211a6be42

Red Hat Enterprise Linux Server 4

SRPM
squirrelmail-1.4.8-4.0.1.el4.src.rpm	SHA-256: d2030066c06fc2e92eb22a1d17840ce42c7572713daf69a46d83bd9d0209c7f2
x86_64
squirrelmail-1.4.8-4.0.1.el4.noarch.rpm	SHA-256: d2750d9047813b233716c760425c227b3c25af54f3cd938ab58b0872b798cdab
squirrelmail-1.4.8-4.0.1.el4.noarch.rpm	SHA-256: d2750d9047813b233716c760425c227b3c25af54f3cd938ab58b0872b798cdab
ia64
squirrelmail-1.4.8-4.0.1.el4.noarch.rpm	SHA-256: d2750d9047813b233716c760425c227b3c25af54f3cd938ab58b0872b798cdab
squirrelmail-1.4.8-4.0.1.el4.noarch.rpm	SHA-256: d2750d9047813b233716c760425c227b3c25af54f3cd938ab58b0872b798cdab
i386
squirrelmail-1.4.8-4.0.1.el4.noarch.rpm	SHA-256: d2750d9047813b233716c760425c227b3c25af54f3cd938ab58b0872b798cdab
squirrelmail-1.4.8-4.0.1.el4.noarch.rpm	SHA-256: d2750d9047813b233716c760425c227b3c25af54f3cd938ab58b0872b798cdab

Red Hat Enterprise Linux Server - Extended Update Support 4.5

SRPM
squirrelmail-1.4.8-4.0.1.el4.src.rpm	SHA-256: d2030066c06fc2e92eb22a1d17840ce42c7572713daf69a46d83bd9d0209c7f2
x86_64
squirrelmail-1.4.8-4.0.1.el4.noarch.rpm	SHA-256: d2750d9047813b233716c760425c227b3c25af54f3cd938ab58b0872b798cdab
squirrelmail-1.4.8-4.0.1.el4.noarch.rpm	SHA-256: d2750d9047813b233716c760425c227b3c25af54f3cd938ab58b0872b798cdab
ia64
squirrelmail-1.4.8-4.0.1.el4.noarch.rpm	SHA-256: d2750d9047813b233716c760425c227b3c25af54f3cd938ab58b0872b798cdab
squirrelmail-1.4.8-4.0.1.el4.noarch.rpm	SHA-256: d2750d9047813b233716c760425c227b3c25af54f3cd938ab58b0872b798cdab
i386
squirrelmail-1.4.8-4.0.1.el4.noarch.rpm	SHA-256: d2750d9047813b233716c760425c227b3c25af54f3cd938ab58b0872b798cdab
squirrelmail-1.4.8-4.0.1.el4.noarch.rpm	SHA-256: d2750d9047813b233716c760425c227b3c25af54f3cd938ab58b0872b798cdab

Red Hat Enterprise Linux Workstation 5

SRPM
squirrelmail-1.4.8-4.0.1.el5.src.rpm	SHA-256: d72a663cc77af9873af1f0dd70d40430affe44949881de3623779c48d1ffdc77
x86_64
squirrelmail-1.4.8-4.0.1.el5.noarch.rpm	SHA-256: 561f6389e54c47f0da0d962b81322254b084f25bde7025317e382b0211a6be42
i386
squirrelmail-1.4.8-4.0.1.el5.noarch.rpm	SHA-256: 561f6389e54c47f0da0d962b81322254b084f25bde7025317e382b0211a6be42

Red Hat Enterprise Linux Workstation 4

SRPM
squirrelmail-1.4.8-4.0.1.el4.src.rpm	SHA-256: d2030066c06fc2e92eb22a1d17840ce42c7572713daf69a46d83bd9d0209c7f2
x86_64
squirrelmail-1.4.8-4.0.1.el4.noarch.rpm	SHA-256: d2750d9047813b233716c760425c227b3c25af54f3cd938ab58b0872b798cdab
ia64
squirrelmail-1.4.8-4.0.1.el4.noarch.rpm	SHA-256: d2750d9047813b233716c760425c227b3c25af54f3cd938ab58b0872b798cdab
i386
squirrelmail-1.4.8-4.0.1.el4.noarch.rpm	SHA-256: d2750d9047813b233716c760425c227b3c25af54f3cd938ab58b0872b798cdab

Red Hat Enterprise Linux Desktop 4

SRPM
squirrelmail-1.4.8-4.0.1.el4.src.rpm	SHA-256: d2030066c06fc2e92eb22a1d17840ce42c7572713daf69a46d83bd9d0209c7f2
x86_64
squirrelmail-1.4.8-4.0.1.el4.noarch.rpm	SHA-256: d2750d9047813b233716c760425c227b3c25af54f3cd938ab58b0872b798cdab
i386
squirrelmail-1.4.8-4.0.1.el4.noarch.rpm	SHA-256: d2750d9047813b233716c760425c227b3c25af54f3cd938ab58b0872b798cdab

Red Hat Enterprise Linux for IBM z Systems 5

SRPM
squirrelmail-1.4.8-4.0.1.el5.src.rpm	SHA-256: d72a663cc77af9873af1f0dd70d40430affe44949881de3623779c48d1ffdc77
s390x
squirrelmail-1.4.8-4.0.1.el5.noarch.rpm	SHA-256: 561f6389e54c47f0da0d962b81322254b084f25bde7025317e382b0211a6be42

Red Hat Enterprise Linux for IBM z Systems 4

SRPM
squirrelmail-1.4.8-4.0.1.el4.src.rpm	SHA-256: d2030066c06fc2e92eb22a1d17840ce42c7572713daf69a46d83bd9d0209c7f2
s390x
squirrelmail-1.4.8-4.0.1.el4.noarch.rpm	SHA-256: d2750d9047813b233716c760425c227b3c25af54f3cd938ab58b0872b798cdab
s390
squirrelmail-1.4.8-4.0.1.el4.noarch.rpm	SHA-256: d2750d9047813b233716c760425c227b3c25af54f3cd938ab58b0872b798cdab

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.5

SRPM
squirrelmail-1.4.8-4.0.1.el4.src.rpm	SHA-256: d2030066c06fc2e92eb22a1d17840ce42c7572713daf69a46d83bd9d0209c7f2
s390x
squirrelmail-1.4.8-4.0.1.el4.noarch.rpm	SHA-256: d2750d9047813b233716c760425c227b3c25af54f3cd938ab58b0872b798cdab
s390
squirrelmail-1.4.8-4.0.1.el4.noarch.rpm	SHA-256: d2750d9047813b233716c760425c227b3c25af54f3cd938ab58b0872b798cdab

Red Hat Enterprise Linux for Power, big endian 5

SRPM
squirrelmail-1.4.8-4.0.1.el5.src.rpm	SHA-256: d72a663cc77af9873af1f0dd70d40430affe44949881de3623779c48d1ffdc77
ppc
squirrelmail-1.4.8-4.0.1.el5.noarch.rpm	SHA-256: 561f6389e54c47f0da0d962b81322254b084f25bde7025317e382b0211a6be42

Red Hat Enterprise Linux for Power, big endian 4

SRPM
squirrelmail-1.4.8-4.0.1.el4.src.rpm	SHA-256: d2030066c06fc2e92eb22a1d17840ce42c7572713daf69a46d83bd9d0209c7f2
ppc
squirrelmail-1.4.8-4.0.1.el4.noarch.rpm	SHA-256: d2750d9047813b233716c760425c227b3c25af54f3cd938ab58b0872b798cdab

Red Hat Enterprise Linux for Power, big endian - Extended Update Support 4.5

SRPM
squirrelmail-1.4.8-4.0.1.el4.src.rpm	SHA-256: d2030066c06fc2e92eb22a1d17840ce42c7572713daf69a46d83bd9d0209c7f2
ppc
squirrelmail-1.4.8-4.0.1.el4.noarch.rpm	SHA-256: d2750d9047813b233716c760425c227b3c25af54f3cd938ab58b0872b798cdab

Red Hat Enterprise Linux Server from RHUI 5

SRPM
squirrelmail-1.4.8-4.0.1.el5.src.rpm	SHA-256: d72a663cc77af9873af1f0dd70d40430affe44949881de3623779c48d1ffdc77
x86_64
squirrelmail-1.4.8-4.0.1.el5.noarch.rpm	SHA-256: 561f6389e54c47f0da0d962b81322254b084f25bde7025317e382b0211a6be42
i386
squirrelmail-1.4.8-4.0.1.el5.noarch.rpm	SHA-256: 561f6389e54c47f0da0d962b81322254b084f25bde7025317e382b0211a6be42

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.