Issued:
2009-01-12
Updated:
2009-01-12

RHSA-2009:0010 - Security Advisory

Synopsis

Moderate: squirrelmail security update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An updated squirrelmail package that resolves various security issues is
now available for Red Hat Enterprise Linux 3, 4 and 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

Description

SquirrelMail is an easy-to-configure, standards-based, webmail package
written in PHP. It includes built-in PHP support for the IMAP and SMTP
protocols, and pure HTML 4.0 page-rendering (with no JavaScript required)
for maximum browser-compatibility, strong MIME support, address books, and
folder manipulation.

Ivan Markovic discovered a cross-site scripting (XSS) flaw in SquirrelMail
caused by insufficient HTML mail sanitization. A remote attacker could send
a specially-crafted HTML mail or attachment that could cause a user's Web
browser to execute a malicious script in the context of the SquirrelMail
session when that email or attachment was opened by the user.
(CVE-2008-2379)

It was discovered that SquirrelMail allowed cookies over insecure
connections (ie did not restrict cookies to HTTPS connections). An attacker
who controlled the communication channel between a user and the
SquirrelMail server, or who was able to sniff the user's network
communication, could use this flaw to obtain the user's session cookie, if
a user made an HTTP request to the server. (CVE-2008-3663)

Note: After applying this update, all session cookies set for SquirrelMail
sessions started over HTTPS connections will have the "secure" flag set.
That is, browsers will only send such cookies over an HTTPS connection. If
needed, you can revert to the previous behavior by setting the
configuration option "$only_secure_cookies" to "false" in SquirrelMail's
/etc/squirrelmail/config.php configuration file.

Users of squirrelmail should upgrade to this updated package, which
contains backported patches to correct these issues.

Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Affected Products

  • Red Hat Enterprise Linux Server 5 x86_64
  • Red Hat Enterprise Linux Server 5 ia64
  • Red Hat Enterprise Linux Server 5 i386
  • Red Hat Enterprise Linux Server 4 x86_64
  • Red Hat Enterprise Linux Server 4 ia64
  • Red Hat Enterprise Linux Server 4 i386
  • Red Hat Enterprise Linux Server 3 x86_64
  • Red Hat Enterprise Linux Server 3 ia64
  • Red Hat Enterprise Linux Server 3 i386
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.2 x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.2 ia64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.2 i386
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 4.7 x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 4.7 ia64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 4.7 i386
  • Red Hat Enterprise Linux Workstation 5 x86_64
  • Red Hat Enterprise Linux Workstation 5 i386
  • Red Hat Enterprise Linux Workstation 4 x86_64
  • Red Hat Enterprise Linux Workstation 4 ia64
  • Red Hat Enterprise Linux Workstation 4 i386
  • Red Hat Enterprise Linux Workstation 3 x86_64
  • Red Hat Enterprise Linux Workstation 3 ia64
  • Red Hat Enterprise Linux Workstation 3 i386
  • Red Hat Enterprise Linux Desktop 4 x86_64
  • Red Hat Enterprise Linux Desktop 4 i386
  • Red Hat Enterprise Linux Desktop 3 x86_64
  • Red Hat Enterprise Linux Desktop 3 i386
  • Red Hat Enterprise Linux for IBM z Systems 5 s390x
  • Red Hat Enterprise Linux for IBM z Systems 4 s390x
  • Red Hat Enterprise Linux for IBM z Systems 4 s390
  • Red Hat Enterprise Linux for IBM z Systems 3 s390x
  • Red Hat Enterprise Linux for IBM z Systems 3 s390
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 5.2 s390x
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.7 s390x
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.7 s390
  • Red Hat Enterprise Linux for Power, big endian 5 ppc
  • Red Hat Enterprise Linux for Power, big endian 4 ppc
  • Red Hat Enterprise Linux for Power, big endian 3 ppc
  • Red Hat Enterprise Linux for Power, big endian - Extended Update Support 5.2 ppc
  • Red Hat Enterprise Linux for Power, big endian - Extended Update Support 4.7 ppc
  • Red Hat Enterprise Linux Server from RHUI 5 x86_64
  • Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

  • BZ - 464183 - CVE-2008-3663 squirrelmail: session hijacking - secure flag not set for HTTPS-only cookies
  • BZ - 473877 - CVE-2008-2379 squirrelmail: XSS issue caused by an insufficient html mail sanitation

Red Hat Enterprise Linux Server 5

SRPM
squirrelmail-1.4.8-5.el5_2.2.src.rpm SHA-256: 1bc81ce488d07da2a95da3690cc6631afd4f7cf781be75a9f5e45d46401e58e9
x86_64
squirrelmail-1.4.8-5.el5_2.2.noarch.rpm SHA-256: 0c5cb5eb9e94040700e7443c5d0af21e779a237c60837692a6c3bff3a8fdb38b
ia64
squirrelmail-1.4.8-5.el5_2.2.noarch.rpm SHA-256: 0c5cb5eb9e94040700e7443c5d0af21e779a237c60837692a6c3bff3a8fdb38b
i386
squirrelmail-1.4.8-5.el5_2.2.noarch.rpm SHA-256: 0c5cb5eb9e94040700e7443c5d0af21e779a237c60837692a6c3bff3a8fdb38b

Red Hat Enterprise Linux Server 4

SRPM
squirrelmail-1.4.8-5.el4_7.2.src.rpm SHA-256: 55cc9b6aa3be8eae08b449396342b7cea794837fe04ad01bc4317c8467d82f35
x86_64
squirrelmail-1.4.8-5.el4_7.2.noarch.rpm SHA-256: dbe33bd5e41e2d11e418c7035d9f3fe5d27c7f8a71e43c26b2795a022957a2d1
squirrelmail-1.4.8-5.el4_7.2.noarch.rpm SHA-256: dbe33bd5e41e2d11e418c7035d9f3fe5d27c7f8a71e43c26b2795a022957a2d1
ia64
squirrelmail-1.4.8-5.el4_7.2.noarch.rpm SHA-256: dbe33bd5e41e2d11e418c7035d9f3fe5d27c7f8a71e43c26b2795a022957a2d1
squirrelmail-1.4.8-5.el4_7.2.noarch.rpm SHA-256: dbe33bd5e41e2d11e418c7035d9f3fe5d27c7f8a71e43c26b2795a022957a2d1
i386
squirrelmail-1.4.8-5.el4_7.2.noarch.rpm SHA-256: dbe33bd5e41e2d11e418c7035d9f3fe5d27c7f8a71e43c26b2795a022957a2d1
squirrelmail-1.4.8-5.el4_7.2.noarch.rpm SHA-256: dbe33bd5e41e2d11e418c7035d9f3fe5d27c7f8a71e43c26b2795a022957a2d1

Red Hat Enterprise Linux Server 3

SRPM
x86_64
ia64
i386

Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.2

SRPM
x86_64
ia64
i386

Red Hat Enterprise Linux for x86_64 - Extended Update Support 4.7

SRPM
squirrelmail-1.4.8-5.el4_7.2.src.rpm SHA-256: 55cc9b6aa3be8eae08b449396342b7cea794837fe04ad01bc4317c8467d82f35
x86_64
squirrelmail-1.4.8-5.el4_7.2.noarch.rpm SHA-256: dbe33bd5e41e2d11e418c7035d9f3fe5d27c7f8a71e43c26b2795a022957a2d1
squirrelmail-1.4.8-5.el4_7.2.noarch.rpm SHA-256: dbe33bd5e41e2d11e418c7035d9f3fe5d27c7f8a71e43c26b2795a022957a2d1
ia64
squirrelmail-1.4.8-5.el4_7.2.noarch.rpm SHA-256: dbe33bd5e41e2d11e418c7035d9f3fe5d27c7f8a71e43c26b2795a022957a2d1
squirrelmail-1.4.8-5.el4_7.2.noarch.rpm SHA-256: dbe33bd5e41e2d11e418c7035d9f3fe5d27c7f8a71e43c26b2795a022957a2d1
i386
squirrelmail-1.4.8-5.el4_7.2.noarch.rpm SHA-256: dbe33bd5e41e2d11e418c7035d9f3fe5d27c7f8a71e43c26b2795a022957a2d1
squirrelmail-1.4.8-5.el4_7.2.noarch.rpm SHA-256: dbe33bd5e41e2d11e418c7035d9f3fe5d27c7f8a71e43c26b2795a022957a2d1

Red Hat Enterprise Linux Workstation 5

SRPM
squirrelmail-1.4.8-5.el5_2.2.src.rpm SHA-256: 1bc81ce488d07da2a95da3690cc6631afd4f7cf781be75a9f5e45d46401e58e9
x86_64
squirrelmail-1.4.8-5.el5_2.2.noarch.rpm SHA-256: 0c5cb5eb9e94040700e7443c5d0af21e779a237c60837692a6c3bff3a8fdb38b
i386
squirrelmail-1.4.8-5.el5_2.2.noarch.rpm SHA-256: 0c5cb5eb9e94040700e7443c5d0af21e779a237c60837692a6c3bff3a8fdb38b

Red Hat Enterprise Linux Workstation 4

SRPM
squirrelmail-1.4.8-5.el4_7.2.src.rpm SHA-256: 55cc9b6aa3be8eae08b449396342b7cea794837fe04ad01bc4317c8467d82f35
x86_64
squirrelmail-1.4.8-5.el4_7.2.noarch.rpm SHA-256: dbe33bd5e41e2d11e418c7035d9f3fe5d27c7f8a71e43c26b2795a022957a2d1
ia64
squirrelmail-1.4.8-5.el4_7.2.noarch.rpm SHA-256: dbe33bd5e41e2d11e418c7035d9f3fe5d27c7f8a71e43c26b2795a022957a2d1
i386
squirrelmail-1.4.8-5.el4_7.2.noarch.rpm SHA-256: dbe33bd5e41e2d11e418c7035d9f3fe5d27c7f8a71e43c26b2795a022957a2d1

Red Hat Enterprise Linux Workstation 3

SRPM
x86_64
ia64
i386

Red Hat Enterprise Linux Desktop 4

SRPM
squirrelmail-1.4.8-5.el4_7.2.src.rpm SHA-256: 55cc9b6aa3be8eae08b449396342b7cea794837fe04ad01bc4317c8467d82f35
x86_64
squirrelmail-1.4.8-5.el4_7.2.noarch.rpm SHA-256: dbe33bd5e41e2d11e418c7035d9f3fe5d27c7f8a71e43c26b2795a022957a2d1
i386
squirrelmail-1.4.8-5.el4_7.2.noarch.rpm SHA-256: dbe33bd5e41e2d11e418c7035d9f3fe5d27c7f8a71e43c26b2795a022957a2d1

Red Hat Enterprise Linux Desktop 3

SRPM
x86_64
i386

Red Hat Enterprise Linux for IBM z Systems 5

SRPM
squirrelmail-1.4.8-5.el5_2.2.src.rpm SHA-256: 1bc81ce488d07da2a95da3690cc6631afd4f7cf781be75a9f5e45d46401e58e9
s390x
squirrelmail-1.4.8-5.el5_2.2.noarch.rpm SHA-256: 0c5cb5eb9e94040700e7443c5d0af21e779a237c60837692a6c3bff3a8fdb38b

Red Hat Enterprise Linux for IBM z Systems 4

SRPM
squirrelmail-1.4.8-5.el4_7.2.src.rpm SHA-256: 55cc9b6aa3be8eae08b449396342b7cea794837fe04ad01bc4317c8467d82f35
s390x
squirrelmail-1.4.8-5.el4_7.2.noarch.rpm SHA-256: dbe33bd5e41e2d11e418c7035d9f3fe5d27c7f8a71e43c26b2795a022957a2d1
s390
squirrelmail-1.4.8-5.el4_7.2.noarch.rpm SHA-256: dbe33bd5e41e2d11e418c7035d9f3fe5d27c7f8a71e43c26b2795a022957a2d1

Red Hat Enterprise Linux for IBM z Systems 3

SRPM
s390x
s390

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 5.2

SRPM
s390x

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.7

SRPM
squirrelmail-1.4.8-5.el4_7.2.src.rpm SHA-256: 55cc9b6aa3be8eae08b449396342b7cea794837fe04ad01bc4317c8467d82f35
s390x
squirrelmail-1.4.8-5.el4_7.2.noarch.rpm SHA-256: dbe33bd5e41e2d11e418c7035d9f3fe5d27c7f8a71e43c26b2795a022957a2d1
s390
squirrelmail-1.4.8-5.el4_7.2.noarch.rpm SHA-256: dbe33bd5e41e2d11e418c7035d9f3fe5d27c7f8a71e43c26b2795a022957a2d1

Red Hat Enterprise Linux for Power, big endian 5

SRPM
squirrelmail-1.4.8-5.el5_2.2.src.rpm SHA-256: 1bc81ce488d07da2a95da3690cc6631afd4f7cf781be75a9f5e45d46401e58e9
ppc
squirrelmail-1.4.8-5.el5_2.2.noarch.rpm SHA-256: 0c5cb5eb9e94040700e7443c5d0af21e779a237c60837692a6c3bff3a8fdb38b

Red Hat Enterprise Linux for Power, big endian 4

SRPM
squirrelmail-1.4.8-5.el4_7.2.src.rpm SHA-256: 55cc9b6aa3be8eae08b449396342b7cea794837fe04ad01bc4317c8467d82f35
ppc
squirrelmail-1.4.8-5.el4_7.2.noarch.rpm SHA-256: dbe33bd5e41e2d11e418c7035d9f3fe5d27c7f8a71e43c26b2795a022957a2d1

Red Hat Enterprise Linux for Power, big endian 3

SRPM
ppc

Red Hat Enterprise Linux for Power, big endian - Extended Update Support 5.2

SRPM
ppc

Red Hat Enterprise Linux for Power, big endian - Extended Update Support 4.7

SRPM
squirrelmail-1.4.8-5.el4_7.2.src.rpm SHA-256: 55cc9b6aa3be8eae08b449396342b7cea794837fe04ad01bc4317c8467d82f35
ppc
squirrelmail-1.4.8-5.el4_7.2.noarch.rpm SHA-256: dbe33bd5e41e2d11e418c7035d9f3fe5d27c7f8a71e43c26b2795a022957a2d1

Red Hat Enterprise Linux Server from RHUI 5

SRPM
squirrelmail-1.4.8-5.el5_2.2.src.rpm SHA-256: 1bc81ce488d07da2a95da3690cc6631afd4f7cf781be75a9f5e45d46401e58e9
x86_64
squirrelmail-1.4.8-5.el5_2.2.noarch.rpm SHA-256: 0c5cb5eb9e94040700e7443c5d0af21e779a237c60837692a6c3bff3a8fdb38b
i386
squirrelmail-1.4.8-5.el5_2.2.noarch.rpm SHA-256: 0c5cb5eb9e94040700e7443c5d0af21e779a237c60837692a6c3bff3a8fdb38b

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.