[RHSA-2009:0010-01] Moderate: squirrelmail security update

[news 28]

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

=====================================================================

Red Hat Security Advisory

 

Synopsis: Moderate: squirrelmail security update

Advisory ID: RHSA-2009:0010-01

Product: Red Hat Enterprise Linux

Advisory URL: https://rhn.redhat.com/errata/RHSA-2009-0010.html

Issue date: 2009-01-12

CVE Names: CVE-2008-2379 CVE-2008-3663

=====================================================================

 

1. Summary:

 

An updated squirrelmail package that resolves various security issues is

now available for Red Hat Enterprise Linux 3, 4 and 5.

 

This update has been rated as having moderate security impact by the Red

Hat Security Response Team.

 

2. Relevant releases/architectures:

 

Red Hat Enterprise Linux AS version 3 - noarch

Red Hat Desktop version 3 - noarch

Red Hat Enterprise Linux ES version 3 - noarch

Red Hat Enterprise Linux WS version 3 - noarch

Red Hat Enterprise Linux AS version 4 - noarch

Red Hat Enterprise Linux Desktop version 4 - noarch

Red Hat Enterprise Linux ES version 4 - noarch

Red Hat Enterprise Linux WS version 4 - noarch

RHEL Desktop Workstation (v. 5 client) - noarch

Red Hat Enterprise Linux (v. 5 server) - noarch

 

3. Description:

 

SquirrelMail is an easy-to-configure, standards-based, webmail package

written in PHP. It includes built-in PHP support for the IMAP and SMTP

protocols, and pure HTML 4.0 page-rendering (with no JavaScript required)

for maximum browser-compatibility, strong MIME support, address books, and

folder manipulation.

 

Ivan Markovic discovered a cross-site scripting (XSS) flaw in SquirrelMail

caused by insufficient HTML mail sanitization. A remote attacker could send

a specially-crafted HTML mail or attachment that could cause a user's Web

browser to execute a malicious script in the context of the SquirrelMail

session when that email or attachment was opened by the user.

(CVE-2008-2379)

 

It was discovered that SquirrelMail allowed cookies over insecure

connections (ie did not restrict cookies to HTTPS connections). An attacker

who controlled the communication channel between a user and the

SquirrelMail server, or who was able to sniff the user's network

communication, could use this flaw to obtain the user's session cookie, if

a user made an HTTP request to the server. (CVE-2008-3663)

 

Note: After applying this update, all session cookies set for SquirrelMail

sessions started over HTTPS connections will have the "secure" flag set.

That is, browsers will only send such cookies over an HTTPS connection. If

needed, you can revert to the previous behavior by setting the

configuration option "$only_secure_cookies" to "false" in SquirrelMail's

/etc/squirrelmail/config.php configuration file.

 

Users of squirrelmail should upgrade to this updated package, which

contains backported patches to correct these issues.

 

4. Solution:

 

Before applying this update, make sure that all previously-released errata

relevant to your system have been applied.

 

This update is available via Red Hat Network. Details on how to use the Red

Hat Network to apply this update are available at

http://kbase.redhat.com/faq/docs/DOC-11259

 

5. Bugs fixed (http://bugzilla.redhat.com/):

 

464183 - CVE-2008-3663 squirrelmail: session hijacking - secure flag not set for HTTPS-only cookies

473877 - CVE-2008-2379 squirrelmail: XSS issue caused by an insufficient html mail sanitation

 

6. Package List:

 

Red Hat Enterprise Linux AS version 3:

 

Source:

ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/squirrelmail-1.4.8-8.el3.src.rpm

 

noarch:

squirrelmail-1.4.8-8.el3.noarch.rpm

 

Red Hat Desktop version 3:

 

Source:

ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/squirrelmail-1.4.8-8.el3.src.rpm

 

noarch:

squirrelmail-1.4.8-8.el3.noarch.rpm

 

Red Hat Enterprise Linux ES version 3:

 

Source:

ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/squirrelmail-1.4.8-8.el3.src.rpm

 

noarch:

squirrelmail-1.4.8-8.el3.noarch.rpm

 

Red Hat Enterprise Linux WS version 3:

 

Source:

ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/squirrelmail-1.4.8-8.el3.src.rpm

 

noarch:

squirrelmail-1.4.8-8.el3.noarch.rpm

 

Red Hat Enterprise Linux AS version 4:

 

Source:

ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/squirrelmail-1.4.8-5.el4_7.2.src.rpm

 

noarch:

squirrelmail-1.4.8-5.el4_7.2.noarch.rpm

 

Red Hat Enterprise Linux Desktop version 4:

 

Source:

ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/squirrelmail-1.4.8-5.el4_7.2.src.rpm

 

noarch:

squirrelmail-1.4.8-5.el4_7.2.noarch.rpm

 

Red Hat Enterprise Linux ES version 4:

 

Source:

ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/squirrelmail-1.4.8-5.el4_7.2.src.rpm

 

noarch:

squirrelmail-1.4.8-5.el4_7.2.noarch.rpm

 

Red Hat Enterprise Linux WS version 4:

 

Source:

ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/squirrelmail-1.4.8-5.el4_7.2.src.rpm

 

noarch:

squirrelmail-1.4.8-5.el4_7.2.noarch.rpm

 

RHEL Desktop Workstation (v. 5 client):

 

Source:

ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/squirrelmail-1.4.8-5.el5_2.2.src.rpm

 

noarch:

squirrelmail-1.4.8-5.el5_2.2.noarch.rpm

 

Red Hat Enterprise Linux (v. 5 server):

 

Source:

ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/squirrelmail-1.4.8-5.el5_2.2.src.rpm

 

noarch:

squirrelmail-1.4.8-5.el5_2.2.noarch.rpm

 

These packages are GPG signed by Red Hat for security. Our key and

details on how to verify the signature are available from

https://www.redhat.com/security/team/key/#package

 

7. References:

 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2379

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3663

http://www.redhat.com/security/updates/classification/#moderate

http://www.squirrelmail.org/security/issue/2008-09-28

http://www.squirrelmail.org/security/issue/2008-12-04

 

8. Contact:

 

The Red Hat security contact is . More contact

details at https://www.redhat.com/security/team/contact/

 

Copyright 2009 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.4 (GNU/Linux)

 

iD8DBQFJa1OUXlSAg2UNWIIRAjYoAKCrseJGTbsrTt2ahY4oXeMdP7xslACgtqLn

w5iTjh6rWIkR5xKGWREUIZg=

=ioAP

-----END PGP SIGNATURE-----

 

 

--