oss-sec mailing list archives

Re: CVE request: Squirrelmail < 1.4.18 XSS, session fixation, server-side code execution

From: Tomas Hoger <thoger () redhat com>
Date: Tue, 12 May 2009 16:23:06 +0200

Hi Hanno!

On Tue, 12 May 2009 09:43:36 +0200 Hanno Böck <hanno () hboeck de> wrote:

From squirrelmail.org:
The SquirrelMail Team is pleased to announce the release of
SquirrelMail version 1.4.18. The most notable changes for this
version are several security fixes, including a couple XSS exploits,
a session fixation issue, and an obscure but dangerous server-side
code execution hole.


Was this meant as CVE request?  Upstream changelog does mention CVEs
for the issues, as well as upstream SVN commits and security page:
  http://www.squirrelmail.org/security/

HTH

-- 
Tomas Hoger / Red Hat Security Response Team

Current thread:

CVE request: Squirrelmail < 1.4.18 XSS, session fixation, server-side code execution Hanno Böck (May 12)
- Re: CVE request: Squirrelmail < 1.4.18 XSS, session fixation, server-side code execution Tomas Hoger (May 12)
  - Re: CVE request: Squirrelmail < 1.4.18 XSS, session fixation, server-side code execution Hanno Böck (May 12)