RHSA-2009:0010 - Security Advisory

Overview
Updated Packages

Synopsis

Moderate: squirrelmail security update

Type/Severity

Security Advisory: Moderate

Topic

An updated squirrelmail package that resolves various security issues is
now available for Red Hat Enterprise Linux 3, 4 and 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

Description

SquirrelMail is an easy-to-configure, standards-based, webmail package
written in PHP. It includes built-in PHP support for the IMAP and SMTP
protocols, and pure HTML 4.0 page-rendering (with no JavaScript required)
for maximum browser-compatibility, strong MIME support, address books, and
folder manipulation.

Ivan Markovic discovered a cross-site scripting (XSS) flaw in SquirrelMail
caused by insufficient HTML mail sanitization. A remote attacker could send
a specially-crafted HTML mail or attachment that could cause a user's Web
browser to execute a malicious script in the context of the SquirrelMail
session when that email or attachment was opened by the user.
(CVE-2008-2379)

It was discovered that SquirrelMail allowed cookies over insecure
connections (ie did not restrict cookies to HTTPS connections). An attacker
who controlled the communication channel between a user and the
SquirrelMail server, or who was able to sniff the user's network
communication, could use this flaw to obtain the user's session cookie, if
a user made an HTTP request to the server. (CVE-2008-3663)

Note: After applying this update, all session cookies set for SquirrelMail
sessions started over HTTPS connections will have the "secure" flag set.
That is, browsers will only send such cookies over an HTTPS connection. If
needed, you can revert to the previous behavior by setting the
configuration option "$only_secure_cookies" to "false" in SquirrelMail's
/etc/squirrelmail/config.php configuration file.

Users of squirrelmail should upgrade to this updated package, which
contains backported patches to correct these issues.

Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Affected Products

Red Hat Enterprise Linux Server 5 x86_64
Red Hat Enterprise Linux Server 5 ia64
Red Hat Enterprise Linux Server 5 i386
Red Hat Enterprise Linux Server 4 x86_64
Red Hat Enterprise Linux Server 4 ia64
Red Hat Enterprise Linux Server 4 i386
Red Hat Enterprise Linux Server 3 x86_64
Red Hat Enterprise Linux Server 3 ia64
Red Hat Enterprise Linux Server 3 i386
Red Hat Enterprise Linux Server - Extended Update Support 5.2 x86_64
Red Hat Enterprise Linux Server - Extended Update Support 5.2 ia64
Red Hat Enterprise Linux Server - Extended Update Support 5.2 i386
Red Hat Enterprise Linux Server - Extended Update Support 4.7 x86_64
Red Hat Enterprise Linux Server - Extended Update Support 4.7 ia64
Red Hat Enterprise Linux Server - Extended Update Support 4.7 i386
Red Hat Enterprise Linux Workstation 5 x86_64
Red Hat Enterprise Linux Workstation 5 i386
Red Hat Enterprise Linux Workstation 4 x86_64
Red Hat Enterprise Linux Workstation 4 ia64
Red Hat Enterprise Linux Workstation 4 i386
Red Hat Enterprise Linux Workstation 3 x86_64
Red Hat Enterprise Linux Workstation 3 ia64
Red Hat Enterprise Linux Workstation 3 i386
Red Hat Enterprise Linux Desktop 4 x86_64
Red Hat Enterprise Linux Desktop 4 i386
Red Hat Enterprise Linux Desktop 3 x86_64
Red Hat Enterprise Linux Desktop 3 i386
Red Hat Enterprise Linux for IBM z Systems 5 s390x
Red Hat Enterprise Linux for IBM z Systems 4 s390x
Red Hat Enterprise Linux for IBM z Systems 4 s390
Red Hat Enterprise Linux for IBM z Systems 3 s390x
Red Hat Enterprise Linux for IBM z Systems 3 s390
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 5.2 s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.7 s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.7 s390
Red Hat Enterprise Linux for Power, big endian 5 ppc
Red Hat Enterprise Linux for Power, big endian 4 ppc
Red Hat Enterprise Linux for Power, big endian 3 ppc
Red Hat Enterprise Linux for Power, big endian - Extended Update Support 5.2 ppc
Red Hat Enterprise Linux for Power, big endian - Extended Update Support 4.7 ppc
Red Hat Enterprise Linux Server from RHUI 5 x86_64
Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

BZ - 464183 - CVE-2008-3663 squirrelmail: session hijacking - secure flag not set for HTTPS-only cookies
BZ - 473877 - CVE-2008-2379 squirrelmail: XSS issue caused by an insufficient html mail sanitation

CVEs

References

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux Server 5

SRPM
squirrelmail-1.4.8-5.el5_2.2.src.rpm	SHA-256: 1bc81ce488d07da2a95da3690cc6631afd4f7cf781be75a9f5e45d46401e58e9
x86_64
squirrelmail-1.4.8-5.el5_2.2.noarch.rpm	SHA-256: 0c5cb5eb9e94040700e7443c5d0af21e779a237c60837692a6c3bff3a8fdb38b
ia64
squirrelmail-1.4.8-5.el5_2.2.noarch.rpm	SHA-256: 0c5cb5eb9e94040700e7443c5d0af21e779a237c60837692a6c3bff3a8fdb38b
i386
squirrelmail-1.4.8-5.el5_2.2.noarch.rpm	SHA-256: 0c5cb5eb9e94040700e7443c5d0af21e779a237c60837692a6c3bff3a8fdb38b

Red Hat Enterprise Linux Server 4

SRPM
squirrelmail-1.4.8-5.el4_7.2.src.rpm	SHA-256: 55cc9b6aa3be8eae08b449396342b7cea794837fe04ad01bc4317c8467d82f35
x86_64
squirrelmail-1.4.8-5.el4_7.2.noarch.rpm	SHA-256: dbe33bd5e41e2d11e418c7035d9f3fe5d27c7f8a71e43c26b2795a022957a2d1
squirrelmail-1.4.8-5.el4_7.2.noarch.rpm	SHA-256: dbe33bd5e41e2d11e418c7035d9f3fe5d27c7f8a71e43c26b2795a022957a2d1
ia64
squirrelmail-1.4.8-5.el4_7.2.noarch.rpm	SHA-256: dbe33bd5e41e2d11e418c7035d9f3fe5d27c7f8a71e43c26b2795a022957a2d1
squirrelmail-1.4.8-5.el4_7.2.noarch.rpm	SHA-256: dbe33bd5e41e2d11e418c7035d9f3fe5d27c7f8a71e43c26b2795a022957a2d1
i386
squirrelmail-1.4.8-5.el4_7.2.noarch.rpm	SHA-256: dbe33bd5e41e2d11e418c7035d9f3fe5d27c7f8a71e43c26b2795a022957a2d1
squirrelmail-1.4.8-5.el4_7.2.noarch.rpm	SHA-256: dbe33bd5e41e2d11e418c7035d9f3fe5d27c7f8a71e43c26b2795a022957a2d1

Red Hat Enterprise Linux Server - Extended Update Support 4.7

SRPM
squirrelmail-1.4.8-5.el4_7.2.src.rpm	SHA-256: 55cc9b6aa3be8eae08b449396342b7cea794837fe04ad01bc4317c8467d82f35
x86_64
squirrelmail-1.4.8-5.el4_7.2.noarch.rpm	SHA-256: dbe33bd5e41e2d11e418c7035d9f3fe5d27c7f8a71e43c26b2795a022957a2d1
squirrelmail-1.4.8-5.el4_7.2.noarch.rpm	SHA-256: dbe33bd5e41e2d11e418c7035d9f3fe5d27c7f8a71e43c26b2795a022957a2d1
ia64
squirrelmail-1.4.8-5.el4_7.2.noarch.rpm	SHA-256: dbe33bd5e41e2d11e418c7035d9f3fe5d27c7f8a71e43c26b2795a022957a2d1
squirrelmail-1.4.8-5.el4_7.2.noarch.rpm	SHA-256: dbe33bd5e41e2d11e418c7035d9f3fe5d27c7f8a71e43c26b2795a022957a2d1
i386
squirrelmail-1.4.8-5.el4_7.2.noarch.rpm	SHA-256: dbe33bd5e41e2d11e418c7035d9f3fe5d27c7f8a71e43c26b2795a022957a2d1
squirrelmail-1.4.8-5.el4_7.2.noarch.rpm	SHA-256: dbe33bd5e41e2d11e418c7035d9f3fe5d27c7f8a71e43c26b2795a022957a2d1

Red Hat Enterprise Linux Workstation 5

SRPM
squirrelmail-1.4.8-5.el5_2.2.src.rpm	SHA-256: 1bc81ce488d07da2a95da3690cc6631afd4f7cf781be75a9f5e45d46401e58e9
x86_64
squirrelmail-1.4.8-5.el5_2.2.noarch.rpm	SHA-256: 0c5cb5eb9e94040700e7443c5d0af21e779a237c60837692a6c3bff3a8fdb38b
i386
squirrelmail-1.4.8-5.el5_2.2.noarch.rpm	SHA-256: 0c5cb5eb9e94040700e7443c5d0af21e779a237c60837692a6c3bff3a8fdb38b

Red Hat Enterprise Linux Workstation 4

SRPM
squirrelmail-1.4.8-5.el4_7.2.src.rpm	SHA-256: 55cc9b6aa3be8eae08b449396342b7cea794837fe04ad01bc4317c8467d82f35
x86_64
squirrelmail-1.4.8-5.el4_7.2.noarch.rpm	SHA-256: dbe33bd5e41e2d11e418c7035d9f3fe5d27c7f8a71e43c26b2795a022957a2d1
ia64
squirrelmail-1.4.8-5.el4_7.2.noarch.rpm	SHA-256: dbe33bd5e41e2d11e418c7035d9f3fe5d27c7f8a71e43c26b2795a022957a2d1
i386
squirrelmail-1.4.8-5.el4_7.2.noarch.rpm	SHA-256: dbe33bd5e41e2d11e418c7035d9f3fe5d27c7f8a71e43c26b2795a022957a2d1

Red Hat Enterprise Linux Desktop 4

SRPM
squirrelmail-1.4.8-5.el4_7.2.src.rpm	SHA-256: 55cc9b6aa3be8eae08b449396342b7cea794837fe04ad01bc4317c8467d82f35
x86_64
squirrelmail-1.4.8-5.el4_7.2.noarch.rpm	SHA-256: dbe33bd5e41e2d11e418c7035d9f3fe5d27c7f8a71e43c26b2795a022957a2d1
i386
squirrelmail-1.4.8-5.el4_7.2.noarch.rpm	SHA-256: dbe33bd5e41e2d11e418c7035d9f3fe5d27c7f8a71e43c26b2795a022957a2d1

Red Hat Enterprise Linux for IBM z Systems 5

SRPM
squirrelmail-1.4.8-5.el5_2.2.src.rpm	SHA-256: 1bc81ce488d07da2a95da3690cc6631afd4f7cf781be75a9f5e45d46401e58e9
s390x
squirrelmail-1.4.8-5.el5_2.2.noarch.rpm	SHA-256: 0c5cb5eb9e94040700e7443c5d0af21e779a237c60837692a6c3bff3a8fdb38b

Red Hat Enterprise Linux for IBM z Systems 4

SRPM
squirrelmail-1.4.8-5.el4_7.2.src.rpm	SHA-256: 55cc9b6aa3be8eae08b449396342b7cea794837fe04ad01bc4317c8467d82f35
s390x
squirrelmail-1.4.8-5.el4_7.2.noarch.rpm	SHA-256: dbe33bd5e41e2d11e418c7035d9f3fe5d27c7f8a71e43c26b2795a022957a2d1
s390
squirrelmail-1.4.8-5.el4_7.2.noarch.rpm	SHA-256: dbe33bd5e41e2d11e418c7035d9f3fe5d27c7f8a71e43c26b2795a022957a2d1

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.7

SRPM
squirrelmail-1.4.8-5.el4_7.2.src.rpm	SHA-256: 55cc9b6aa3be8eae08b449396342b7cea794837fe04ad01bc4317c8467d82f35
s390x
squirrelmail-1.4.8-5.el4_7.2.noarch.rpm	SHA-256: dbe33bd5e41e2d11e418c7035d9f3fe5d27c7f8a71e43c26b2795a022957a2d1
s390
squirrelmail-1.4.8-5.el4_7.2.noarch.rpm	SHA-256: dbe33bd5e41e2d11e418c7035d9f3fe5d27c7f8a71e43c26b2795a022957a2d1

Red Hat Enterprise Linux for Power, big endian 5

SRPM
squirrelmail-1.4.8-5.el5_2.2.src.rpm	SHA-256: 1bc81ce488d07da2a95da3690cc6631afd4f7cf781be75a9f5e45d46401e58e9
ppc
squirrelmail-1.4.8-5.el5_2.2.noarch.rpm	SHA-256: 0c5cb5eb9e94040700e7443c5d0af21e779a237c60837692a6c3bff3a8fdb38b

Red Hat Enterprise Linux for Power, big endian 4

SRPM
squirrelmail-1.4.8-5.el4_7.2.src.rpm	SHA-256: 55cc9b6aa3be8eae08b449396342b7cea794837fe04ad01bc4317c8467d82f35
ppc
squirrelmail-1.4.8-5.el4_7.2.noarch.rpm	SHA-256: dbe33bd5e41e2d11e418c7035d9f3fe5d27c7f8a71e43c26b2795a022957a2d1

Red Hat Enterprise Linux for Power, big endian - Extended Update Support 4.7

SRPM
squirrelmail-1.4.8-5.el4_7.2.src.rpm	SHA-256: 55cc9b6aa3be8eae08b449396342b7cea794837fe04ad01bc4317c8467d82f35
ppc
squirrelmail-1.4.8-5.el4_7.2.noarch.rpm	SHA-256: dbe33bd5e41e2d11e418c7035d9f3fe5d27c7f8a71e43c26b2795a022957a2d1

Red Hat Enterprise Linux Server from RHUI 5

SRPM
squirrelmail-1.4.8-5.el5_2.2.src.rpm	SHA-256: 1bc81ce488d07da2a95da3690cc6631afd4f7cf781be75a9f5e45d46401e58e9
x86_64
squirrelmail-1.4.8-5.el5_2.2.noarch.rpm	SHA-256: 0c5cb5eb9e94040700e7443c5d0af21e779a237c60837692a6c3bff3a8fdb38b
i386
squirrelmail-1.4.8-5.el5_2.2.noarch.rpm	SHA-256: 0c5cb5eb9e94040700e7443c5d0af21e779a237c60837692a6c3bff3a8fdb38b

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.