ESB-2018.2584 - [Win][UNIX/Linux][Debian] squirrelmail: Cross-site scripting - Remote with user interaction 2018-08-31


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2584
                 [DLA 1484-1] squirrelmail security update
                              31 August 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           squirrelmail
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Cross-site Scripting -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-14955 CVE-2018-14954 CVE-2018-14953
                   CVE-2018-14952 CVE-2018-14951 CVE-2018-14950

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2018/08/msg00031.html

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running squirrelmail check for an updated version of the software 
         for their operating system.
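Added worked example (not part of the AusCERT or Debian text): the version check the comment above asks administrators to perform, written in Python so that an inventory of installed squirrelmail versions collected from many hosts can be triaged offline against the fixed version the included Debian advisory names, 2:1.4.23~svn20120406-2+deb8u3. On a single Debian host the canonical check is `dpkg --compare-versions`; this script re-implements dpkg's ordering rules (epoch, then upstream version, then Debian revision, with `~` sorting before everything including the end of the string). The host inventory at the bottom is constructed and the hostnames are placeholders.

```python
"""Check installed squirrelmail versions against the fixed Debian version.

Added example; not part of the AusCERT or Debian bulletin. The ordering
rules below re-implement dpkg's version comparison (epoch, upstream
version, Debian revision; '~' sorts before everything, even end of string).
The host inventory is constructed.
"""

# Fixed version stated in the Debian LTS advisory for Debian 8 "Jessie".
FIXED_VERSION = "2:1.4.23~svn20120406-2+deb8u3"


def _order(c: str) -> int:
    """Weight of one non-digit character, following dpkg's order()."""
    if c == "":
        return 0          # end of string
    if c == "~":
        return -1         # '~' sorts before everything, even end of string
    if c.isalpha():
        return ord(c)     # letters sort by ASCII value
    return ord(c) + 256   # other punctuation sorts after letters


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments with dpkg's alternating digit/non-digit rule."""
    while a or b:
        first_diff = 0
        # Non-digit run: compare character by character using _order().
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac = _order(a[0]) if a and not a[0].isdigit() else 0
            bc = _order(b[0]) if b and not b[0].isdigit() else 0
            if ac != bc:
                return -1 if ac < bc else 1
            a, b = a[1:], b[1:]
        # Digit run: drop leading zeros, then compare as numbers.
        a = a.lstrip("0")
        b = b.lstrip("0")
        while a and a[0].isdigit() and b and b[0].isdigit():
            if not first_diff:
                first_diff = (a[0] > b[0]) - (a[0] < b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1      # a has more digits left: the larger number
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split a Debian version string into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        head, version = version.split(":", 1)
        epoch = int(head)
    upstream, _, revision = version.rpartition("-")
    if not upstream:            # no '-' present: the whole string is upstream
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as Debian version a is older than, equal to or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def needs_upgrade(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed package is older than the fixed version."""
    return compare_versions(installed, fixed) < 0


# Constructed inventory: placeholder hostname -> installed squirrelmail version.
SAMPLE_INVENTORY = {
    "mail-a.example": "2:1.4.23~svn20120406-2+deb8u2",  # older jessie security build
    "mail-b.example": "2:1.4.23~svn20120406-2+deb8u3",  # already at the fixed version
    "mail-c.example": "2:1.4.23~svn20120406-2",         # base jessie build
}


def hosts_needing_upgrade(inventory=SAMPLE_INVENTORY, fixed=FIXED_VERSION):
    """Return the sorted list of hosts whose installed version is older than the fix."""
    return sorted(host for host, ver in inventory.items() if needs_upgrade(ver, fixed))


if __name__ == "__main__":
    for host in hosts_needing_upgrade():
        print(f"{host}: {SAMPLE_INVENTORY[host]} is older than {FIXED_VERSION}")
```

Run directly, the script lists the constructed hosts that still need the update (mail-a and mail-c). To feed it real data, collect each host's installed version with `dpkg-query -W -f='${Version}' squirrelmail` and build the inventory from that output; any host that is not Debian 8 is outside the scope of this fixed version string and must be checked against its own distribution's advisory.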

- --------------------------BEGIN INCLUDED TEXT--------------------

Package        : squirrelmail
Version        : 2:1.4.23~svn20120406-2+deb8u3
CVE IDs        : CVE-2018-14950 CVE-2018-14951 CVE-2018-14952
                 CVE-2018-14953 CVE-2018-14954 CVE-2018-14955
Debian Bug     : #905023

It was discovered that there were a number of Cross Site Scripting
(XSS) vulnerabilities in the squirrelmail webmail client.

For Debian 8 "Jessie", these issues have been fixed in squirrelmail
version 2:1.4.23~svn20120406-2+deb8u3.

We recommend that you upgrade your squirrelmail packages.


Regards,

- - --
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
