Security Advisory Important: squirrelmail security update

Advisory: RHSA-2009:0057-3
Type: Security Advisory
Severity: Important
Issued on: 2009-01-19
Last updated on: 2009-01-19
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Desktop (v. 3)
Red Hat Desktop (v. 4)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux AS (v. 3)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux AS (v. 4.7.z)
Red Hat Enterprise Linux ES (v. 3)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux ES (v. 4.7.z)
Red Hat Enterprise Linux EUS (v. 5.2.z server)
Red Hat Enterprise Linux WS (v. 3)
Red Hat Enterprise Linux WS (v. 4)
CVEs (cve.mitre.org): CVE-2009-0030
CVE-2009-1580

Details

An updated squirrelmail package that fixes a security issue is now
available for Red Hat Enterprise Linux 3, 4 and 5.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

SquirrelMail is an easy-to-configure, standards-based, webmail package
written in PHP. It includes built-in PHP support for the IMAP and SMTP
protocols, and pure HTML 4.0 page-rendering (with no JavaScript required)
for maximum browser-compatibility, strong MIME support, address books, and
folder manipulation.

The Red Hat SquirrelMail packages provided by the RHSA-2009:0010 advisory
introduced a session handling flaw. Users who logged back into SquirrelMail
without restarting their web browsers were assigned fixed session
identifiers. A remote attacker could make use of that flaw to hijack user
sessions. (CVE-2009-0030)
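To make the failure mode concrete, the following added example (not SquirrelMail code, and not Red Hat's patch) models a minimal server-side session store: the vulnerable pattern authenticates the user inside whatever session identifier the browser already presents, so the identifier stays fixed across logins, while the hardened pattern issues a fresh random identifier on every successful login and discards the old one. The class and method names are hypothetical.

```python
"""Session-fixation demo: why a webmail login must issue a fresh session id.

Added example, not SquirrelMail or Red Hat code. It models the class of flaw
the advisory describes (logging back in keeps a fixed session identifier)
beside the hardened behaviour (rotate the id on authentication, drop the old
one). Class and method names are hypothetical.
"""
import secrets


class SessionStore:
    def __init__(self) -> None:
        # sid -> authenticated username, or None for an anonymous pre-login session
        self.sessions: dict = {}

    def new_anonymous(self) -> str:
        """Browser arrives without a valid cookie: hand out an anonymous session."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = None
        return sid

    def login_fixed_id(self, presented_sid: str, user: str) -> str:
        """VULNERABLE pattern: authenticate inside the session the browser
        presented, so the identifier never changes. A pre-login identifier
        (which the user did not choose and which may already be known
        elsewhere) becomes an authenticated one."""
        self.sessions[presented_sid] = user
        return presented_sid

    def login_rotate_id(self, presented_sid: str, user: str) -> str:
        """Hardened pattern: on successful authentication, invalidate the id
        the browser presented and bind the user to a new random id (the
        effect of PHP's session_regenerate_id(true))."""
        self.sessions.pop(presented_sid, None)
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return sid

    def user_for(self, sid: str):
        """Who does a request carrying this cookie act as? None if nobody."""
        return self.sessions.get(sid)


def login_rotates_session(login) -> bool:
    """Audit helper: simulate a login followed by a re-login with the cookie
    the browser still holds, and report whether the server issued a new
    identifier each time. Returns False for the vulnerable pattern."""
    store = SessionStore()
    anon = store.new_anonymous()
    first = login(store, anon, "alice")
    second = login(store, first, "alice")  # re-login without a browser restart
    return first != anon and second != first
```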

SquirrelMail users should upgrade to this updated package, which contains a
patch to correct this issue. In addition, all users who used affected versions
of SquirrelMail should review their preferences.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

RHEL Desktop Workstation (v. 5 client)

SRPMS:
squirrelmail-1.4.8-5.el5_2.3.src.rpm
File outdated by: RHSA-2013:0126
    MD5: 1d90a789cd3b82bb10bd57b54380dda4

IA-32, x86_64 (noarch):
squirrelmail-1.4.8-5.el5_2.3.noarch.rpm
File outdated by: RHSA-2013:0126
    MD5: 342b7d722948a564b4b3232ed56e3dad

Red Hat Desktop (v. 3)

SRPMS:
squirrelmail-1.4.8-9.el3.src.rpm
File outdated by: RHSA-2009:1490
    MD5: 47117d57f9d093e3e100222bcbdc7271

IA-32, x86_64 (noarch):
squirrelmail-1.4.8-9.el3.noarch.rpm
File outdated by: RHSA-2009:1490
    MD5: c8809d2b2323b9e6455cc61b0c7107c5

Red Hat Desktop (v. 4)

SRPMS:
squirrelmail-1.4.8-5.el4_7.3.src.rpm
File outdated by: RHSA-2012:0103
    MD5: 5ebd64eb7cff5a789e8fb563525c07a9

IA-32, x86_64 (noarch):
squirrelmail-1.4.8-5.el4_7.3.noarch.rpm
File outdated by: RHSA-2012:0103
    MD5: 4f7c00098edd35b93e9e35a301f18805

Red Hat Enterprise Linux (v. 5 server)

SRPMS:
squirrelmail-1.4.8-5.el5_2.3.src.rpm
File outdated by: RHSA-2013:0126
    MD5: 1d90a789cd3b82bb10bd57b54380dda4

IA-32, IA-64, PPC, s390x, x86_64 (noarch):
squirrelmail-1.4.8-5.el5_2.3.noarch.rpm
File outdated by: RHSA-2013:0126
    MD5: 342b7d722948a564b4b3232ed56e3dad

Red Hat Enterprise Linux AS (v. 3)

SRPMS:
squirrelmail-1.4.8-9.el3.src.rpm
File outdated by: RHSA-2009:1490
    MD5: 47117d57f9d093e3e100222bcbdc7271

IA-32, IA-64, PPC, s390, s390x, x86_64 (noarch):
squirrelmail-1.4.8-9.el3.noarch.rpm
File outdated by: RHSA-2009:1490
    MD5: c8809d2b2323b9e6455cc61b0c7107c5

Red Hat Enterprise Linux AS (v. 4)

SRPMS:
squirrelmail-1.4.8-5.el4_7.3.src.rpm
File outdated by: RHSA-2012:0103
    MD5: 5ebd64eb7cff5a789e8fb563525c07a9

IA-32, IA-64, PPC, s390, s390x, x86_64 (noarch):
squirrelmail-1.4.8-5.el4_7.3.noarch.rpm
File outdated by: RHSA-2012:0103
    MD5: 4f7c00098edd35b93e9e35a301f18805

Red Hat Enterprise Linux AS (v. 4.7.z)

SRPMS:
squirrelmail-1.4.8-5.el4_7.3.src.rpm
File outdated by: RHSA-2012:0103
    MD5: 5ebd64eb7cff5a789e8fb563525c07a9

IA-32, IA-64, PPC, s390, s390x, x86_64 (noarch):
squirrelmail-1.4.8-5.el4_7.3.noarch.rpm
    MD5: 4f7c00098edd35b93e9e35a301f18805

Red Hat Enterprise Linux ES (v. 3)

SRPMS:
squirrelmail-1.4.8-9.el3.src.rpm
File outdated by: RHSA-2009:1490
    MD5: 47117d57f9d093e3e100222bcbdc7271

IA-32, IA-64, x86_64 (noarch):
squirrelmail-1.4.8-9.el3.noarch.rpm
File outdated by: RHSA-2009:1490
    MD5: c8809d2b2323b9e6455cc61b0c7107c5

Red Hat Enterprise Linux ES (v. 4)

SRPMS:
squirrelmail-1.4.8-5.el4_7.3.src.rpm
File outdated by: RHSA-2012:0103
    MD5: 5ebd64eb7cff5a789e8fb563525c07a9

IA-32, IA-64, x86_64 (noarch):
squirrelmail-1.4.8-5.el4_7.3.noarch.rpm
File outdated by: RHSA-2012:0103
    MD5: 4f7c00098edd35b93e9e35a301f18805

Red Hat Enterprise Linux ES (v. 4.7.z)

SRPMS:
squirrelmail-1.4.8-5.el4_7.3.src.rpm
File outdated by: RHSA-2012:0103
    MD5: 5ebd64eb7cff5a789e8fb563525c07a9

IA-32, IA-64, x86_64 (noarch):
squirrelmail-1.4.8-5.el4_7.3.noarch.rpm
    MD5: 4f7c00098edd35b93e9e35a301f18805

Red Hat Enterprise Linux EUS (v. 5.2.z server)

SRPMS:
squirrelmail-1.4.8-5.el5_2.3.src.rpm
File outdated by: RHSA-2013:0126
    MD5: 1d90a789cd3b82bb10bd57b54380dda4

IA-32, IA-64, PPC, s390x, x86_64 (noarch):
squirrelmail-1.4.8-5.el5_2.3.noarch.rpm
    MD5: 342b7d722948a564b4b3232ed56e3dad

Red Hat Enterprise Linux WS (v. 3)

SRPMS:
squirrelmail-1.4.8-9.el3.src.rpm
File outdated by: RHSA-2009:1490
    MD5: 47117d57f9d093e3e100222bcbdc7271

IA-32, IA-64, x86_64 (noarch):
squirrelmail-1.4.8-9.el3.noarch.rpm
File outdated by: RHSA-2009:1490
    MD5: c8809d2b2323b9e6455cc61b0c7107c5

Red Hat Enterprise Linux WS (v. 4)

SRPMS:
squirrelmail-1.4.8-5.el4_7.3.src.rpm
File outdated by: RHSA-2012:0103
    MD5: 5ebd64eb7cff5a789e8fb563525c07a9

IA-32, IA-64, x86_64 (noarch):
squirrelmail-1.4.8-5.el4_7.3.noarch.rpm
File outdated by: RHSA-2012:0103
    MD5: 4f7c00098edd35b93e9e35a301f18805

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

480224 - Squirrelmail session management broken by security backport
480488 - CVE-2009-0030 squirrelmail: session management flaw

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/