Red Hat 9042 Published by

Fedora Legacy Update Advisory

Synopsis: Updated squirrelmail package fixes security issues
Advisory ID: FLSA:190884
Issue date: 2006-06-06
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CVE-2006-0188 CVE-2006-0195 CVE-2006-0377
---------------------------------------------------------------------



---------------------------------------------------------------------
1. Topic:

An updated squirrelmail package that fixes three security issues is now
available.

SquirrelMail is a standards-based webmail package written in PHP4.

2. Relevant releases/architectures:

Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386
Fedora Core 3 - i386, x86_64

3. Problem description:

A bug was found in the way SquirrelMail presents the right frame to the
user. If a user can be tricked into opening a carefully crafted URL, it
is possible to present the user with arbitrary HTML data.
(CVE-2006-0188)

A bug was found in the way SquirrelMail filters incoming HTML email. It
is possible to cause a victim's web browser to request remote content by
opening a HTML email while running a web browser that processes certain
types of invalid style sheets. Only Internet Explorer is known to
process such malformed style sheets. (CVE-2006-0195)

A bug was found in the way SquirrelMail processes a request to select an
IMAP mailbox. If a user can be tricked into opening a carefully crafted
URL, it is possible to execute arbitrary IMAP commands as the user
viewing their mail with SquirrelMail. (CVE-2006-0377)

Users of SquirrelMail are advised to upgrade to this updated package,
which contains SquirrelMail version 1.4.6 and is not vulnerable to these
issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which
are not installed but included in the list will not be updated. Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=190884

6. RPMs required:

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/squirrelmail-1.4.
6-3.rh9.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/squirrelmail-1.4.6
-3.rh9.1.legacy.noarch.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/squirrelmail-1.4.
6-4.fc1.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/squirrelmail-1.4.6
-4.fc1.1.legacy.noarch.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/squirrelmail-1.4.
6-4.fc2.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/squirrelmail-1.4.6
-4.fc2.1.legacy.noarch.rpm

Fedora Core 3:

SRPM:
http://download.fedoralegacy.org/fedora/3/updates/SRPMS/squirrelmail-1.4.
6-4.fc3.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/3/updates/i386/squirrelmail-1.4.6
-4.fc3.1.legacy.noarch.rpm

x86_64:
http://download.fedoralegacy.org/fedora/3/updates/x86_64/squirrelmail-1.4
.6-4.fc3.1.legacy.noarch.rpm

7. Verification:

SHA1 sum Package Name
---------------------------------------------------------------------

rh9:
62ae72ed168667c97e1b6ccc5bc23dea6c374bcb
redhat/9/updates/i386/squirrelmail-1.4.6-3.rh9.1.legacy.noarch.rpm
51264756a2f2bb5d8e6f5b6d1d33dcba40f41a68
redhat/9/updates/SRPMS/squirrelmail-1.4.6-3.rh9.1.legacy.src.rpm

fc1:
0e2dbf765d4df6592fad31ff331a3101fd33674e
fedora/1/updates/i386/squirrelmail-1.4.6-4.fc1.1.legacy.noarch.rpm
7c6d183c795bfd1da1e872a74e7ff1f197afb93a
fedora/1/updates/SRPMS/squirrelmail-1.4.6-4.fc1.1.legacy.src.rpm

fc2:
36bc9ae701f8844d6369dde0f2d4a537b2dce85c
fedora/2/updates/i386/squirrelmail-1.4.6-4.fc2.1.legacy.noarch.rpm
60098c585bc6bab9df4e3883e3a0b0762fd4dc6d
fedora/2/updates/SRPMS/squirrelmail-1.4.6-4.fc2.1.legacy.src.rpm

fc3:
9e96352495249c4aa526b24729128696467ca728
fedora/3/updates/i386/squirrelmail-1.4.6-4.fc3.1.legacy.noarch.rpm
9e96352495249c4aa526b24729128696467ca728
fedora/3/updates/x86_64/squirrelmail-1.4.6-4.fc3.1.legacy.noarch.rpm
3003904d9a5594cb6e3ebb190930bb9d82d83f60
fedora/3/updates/SRPMS/squirrelmail-1.4.6-4.fc3.1.legacy.src.rpm


These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0188
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0195
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0377

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More
project details at http://www.fedoralegacy.org