Revision Date: | 2005-02-15 | Version: | 502 |
Title: | RHSA-2005:099: squirrelmail security update (Moderate) |
Description: | SquirrelMail is a standards-based webmail package written in PHP4.
Jimmy Conner discovered a missing variable initialization in SquirrelMail. This flaw could allow insecure file inclusion on servers where the PHP setting "register_globals" is set to "On"; with that setting every request parameter is imported as a PHP variable before the script runs, so a variable the code never initializes can be supplied by the client. This is not a default or recommended setting. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0075 to this issue.
A URL sanitisation bug was found in SquirrelMail. This flaw could allow a cross-site scripting attack when loading the URL for the sidebar. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0103 to this issue.
A missing variable initialization bug was found in SquirrelMail. This flaw could allow a cross-site scripting attack. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0104 to this issue.
Users of SquirrelMail are advised to upgrade to this updated package, which contains backported patches to correct these issues.
|
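The following is an added illustration, not code from SquirrelMail or from this advisory: a hypothetical PHP script showing the bug classes the description names (an uninitialized variable reaching an include() path, an uninitialized value echoed into HTML, and an unsanitised URL placed into sidebar markup), each beside a hardened version. The function names, the request keys theme, message and url, the theme allow-list and the fallback link are assumptions made for the example. extract() stands in for register_globals=On, which imported every request parameter as a global before the script ran (the setting was removed in PHP 5.4, so the emulation lets the script run on a current CLI). The hostile request at the bottom is constructed.

```php
<?php
// Added example, not SquirrelMail code. extract() emulates register_globals=On:
// every request parameter becomes a variable in scope before the "script" logic.

// Vulnerable: $theme is only assigned on one branch. When that branch is not
// taken the code assumes $theme is empty, but under register_globals the
// client can set it, and the value ends up in an include() path.
function vulnerable_include_path(array $request, $use_site_theme = false)
{
    extract($request);                      // register_globals emulation
    if ($use_site_theme) {
        $theme = 'site';
    }
    return 'themes/' . $theme . '.php';     // the script would include() this
}

// Hardened: initialize every variable, read input explicitly from the request
// array, and allow-list it before it touches a path. Behaves the same whether
// register_globals is on or off.
function hardened_include_path(array $request, $use_site_theme = false)
{
    $allowed = array('default', 'site', 'dark');   // hypothetical theme list
    $theme = 'default';
    if ($use_site_theme) {
        $theme = 'site';
    } elseif (isset($request['theme']) && in_array($request['theme'], $allowed, true)) {
        $theme = $request['theme'];
    }
    return 'themes/' . $theme . '.php';
}

// Vulnerable: $message is never initialized; a client supplies it through
// register_globals and it is echoed unescaped (reflected cross-site scripting).
function vulnerable_render(array $request)
{
    extract($request);                      // register_globals emulation
    return '<div class="notice">' . $message . '</div>';
}

// Hardened: initialize, then HTML-escape anything that came from the request.
function hardened_render(array $request)
{
    $message = '';
    if (isset($request['message'])) {
        $message = htmlspecialchars($request['message'], ENT_QUOTES, 'UTF-8');
    }
    return '<div class="notice">' . $message . '</div>';
}

// Vulnerable: a request-supplied URL is dropped into the sidebar link without
// sanitisation, so a javascript: URL or a quote-breaking value runs script.
function vulnerable_sidebar_link(array $request)
{
    $url = isset($request['url']) ? $request['url'] : '';
    return '<a href="' . $url . '">folders</a>';
}

// Hardened: accept only http(s) URLs or a plain relative path, fall back to a
// known page otherwise, and HTML-escape before embedding in an attribute.
function hardened_sidebar_link(array $request)
{
    $url = isset($request['url']) ? $request['url'] : '';
    if (!preg_match('#^(https?://[^\s"\'<>]+|[A-Za-z0-9_./-]+)$#i', $url)) {
        $url = 'left_main.php';             // hypothetical safe default
    }
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">folders</a>';
}

// Constructed hostile request, as a client could send it.
$request = array(
    'theme'   => '../../../../etc/passwd',
    'message' => '<script>alert(document.cookie)</script>',
    'url'     => 'javascript:alert(1)',
);
echo vulnerable_include_path($request), "\n";
echo hardened_include_path($request), "\n";
echo vulnerable_render($request), "\n";
echo hardened_render($request), "\n";
echo vulnerable_sidebar_link($request), "\n";
echo hardened_sidebar_link($request), "\n";
```

Run it with `php example.php`: each vulnerable function reproduces the client's value in the path or markup, while the hardened counterpart falls back to the initialized default or escapes the value. The fix the advisory describes is the pattern on the hardened side: initialize before use and take input only from the request explicitly, so the outcome no longer depends on register_globals.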
Family: | unix | Class: | patch |
Status: | | Reference(s): | CVE-2005-0075 CVE-2005-0103 CVE-2005-0104 RHSA-2005:099-01
|
Platform(s): | Red Hat Enterprise Linux 4 | Product(s): | |
Definition Synopsis |
Red Hat Enterprise Linux 4 is installed AND squirrelmail is earlier than 0:1.4.3a-9.EL4
AND squirrelmail is signed with Red Hat master key
|