-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 30 Jan 2005 18:27:25 +0100
Source: squirrelmail
Binary: squirrelmail
Architecture: source all
Version: 1:1.2.6-2
Distribution: stable-security
Urgency: high
Maintainer: Sam Johnston <samj@debian.org>
Changed-By: Thijs Kinkhorst <kink@squirrelmail.org>
Description:
 squirrelmail - Webmail for nuts
Closes: 292714
Changes:
 squirrelmail (1:1.2.6-2) stable-security; urgency=high
 .
   * Security upload
   * [CAN-2005-0152] Close security hole where URL-manipulation in
     combination with register_globals and allow_url_fopen both set to
     On could lead to remote code execution as the www-data user.
     (Closes: #292714). This issue is specific to exactly version 1.2.6
     of SquirrelMail (older and newer versions not vulnerable). Thanks
     Grant Hollingworth for discovering this bug and notifying us about it.
   * [CAN-2005-0104] Fix possible XSS issues in src/webmail.php.
Files:
 4900cffd3e5d45735f65c21476efc806 646 web optional squirrelmail_1.2.6-2.dsc
 4614ece547701e83d640b5740bb59d51 21204 web optional squirrelmail_1.2.6-2.diff.gz
 2d23a6986ab2862bb1acd160b5a2919c 1840668 web optional squirrelmail_1.2.6-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Signed by Jeroen van Wolffelaar <jeroen@wolffelaar.nl>

iD8DBQFB/RpYl2uISwgTVp8RApKvAJsEYt+t9KjcusfFtDVgGOjLS5lVVACfV8OV
4Pr+HwmqkWlp1pEHefK8DrM=
=q3FH
-----END PGP SIGNATURE-----

Accepted:
squirrelmail_1.2.6-2.diff.gz
  to pool/main/s/squirrelmail/squirrelmail_1.2.6-2.diff.gz
squirrelmail_1.2.6-2.dsc
  to pool/main/s/squirrelmail/squirrelmail_1.2.6-2.dsc
squirrelmail_1.2.6-2_all.deb
  to pool/main/s/squirrelmail/squirrelmail_1.2.6-2_all.deb