RHSA-2009:0010
Vulnerability from csaf_redhat
Published
2009-01-12 14:24
Modified
2024-11-22 02:23
Summary
Red Hat Security Advisory: squirrelmail security update
Notes
Topic
An updated squirrelmail package that resolves various security issues is
now available for Red Hat Enterprise Linux 3, 4 and 5.
This update has been rated as having moderate security impact by the Red
Hat Security Response Team.
Details
SquirrelMail is an easy-to-configure, standards-based, webmail package
written in PHP. It includes built-in PHP support for the IMAP and SMTP
protocols, and pure HTML 4.0 page-rendering (with no JavaScript required)
for maximum browser-compatibility, strong MIME support, address books, and
folder manipulation.
Ivan Markovic discovered a cross-site scripting (XSS) flaw in SquirrelMail
caused by insufficient HTML mail sanitization. A remote attacker could send
a specially-crafted HTML mail or attachment that could cause a user's Web
browser to execute a malicious script in the context of the SquirrelMail
session when that email or attachment was opened by the user.
(CVE-2008-2379)
It was discovered that SquirrelMail allowed cookies over insecure
connections (ie did not restrict cookies to HTTPS connections). An attacker
who controlled the communication channel between a user and the
SquirrelMail server, or who was able to sniff the user's network
communication, could use this flaw to obtain the user's session cookie, if
a user made an HTTP request to the server. (CVE-2008-3663)
Note: After applying this update, all session cookies set for SquirrelMail
sessions started over HTTPS connections will have the "secure" flag set.
That is, browsers will only send such cookies over an HTTPS connection. If
needed, you can revert to the previous behavior by setting the
configuration option "$only_secure_cookies" to "false" in SquirrelMail's
/etc/squirrelmail/config.php configuration file.
Users of squirrelmail should upgrade to this updated package, which
contains backported patches to correct these issues.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An updated squirrelmail package that resolves various security issues is\nnow available for Red Hat Enterprise Linux 3, 4 and 5.\n\nThis update has been rated as having moderate security impact by the Red\nHat Security Response Team.",
"title": "Topic"
},
{
"category": "general",
"text": "SquirrelMail is an easy-to-configure, standards-based, webmail package\nwritten in PHP. It includes built-in PHP support for the IMAP and SMTP\nprotocols, and pure HTML 4.0 page-rendering (with no JavaScript required)\nfor maximum browser-compatibility, strong MIME support, address books, and\nfolder manipulation.\n\nIvan Markovic discovered a cross-site scripting (XSS) flaw in SquirrelMail\ncaused by insufficient HTML mail sanitization. A remote attacker could send\na specially-crafted HTML mail or attachment that could cause a user\u0027s Web\nbrowser to execute a malicious script in the context of the SquirrelMail\nsession when that email or attachment was opened by the user.\n(CVE-2008-2379)\n\nIt was discovered that SquirrelMail allowed cookies over insecure\nconnections (ie did not restrict cookies to HTTPS connections). An attacker\nwho controlled the communication channel between a user and the\nSquirrelMail server, or who was able to sniff the user\u0027s network\ncommunication, could use this flaw to obtain the user\u0027s session cookie, if\na user made an HTTP request to the server. (CVE-2008-3663)\n\nNote: After applying this update, all session cookies set for SquirrelMail\nsessions started over HTTPS connections will have the \"secure\" flag set.\nThat is, browsers will only send such cookies over an HTTPS connection. If\nneeded, you can revert to the previous behavior by setting the\nconfiguration option \"$only_secure_cookies\" to \"false\" in SquirrelMail\u0027s\n/etc/squirrelmail/config.php configuration file.\n\nUsers of squirrelmail should upgrade to this updated package, which\ncontains backported patches to correct these issues.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2009:0010",
"url": "https://access.redhat.com/errata/RHSA-2009:0010"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "http://www.squirrelmail.org/security/issue/2008-09-28",
"url": "http://www.squirrelmail.org/security/issue/2008-09-28"
},
{
"category": "external",
"summary": "http://www.squirrelmail.org/security/issue/2008-12-04",
"url": "http://www.squirrelmail.org/security/issue/2008-12-04"
},
{
"category": "external",
"summary": "464183",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=464183"
},
{
"category": "external",
"summary": "473877",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=473877"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2009/rhsa-2009_0010.json"
}
],
"title": "Red Hat Security Advisory: squirrelmail security update",
"tracking": {
"current_release_date": "2024-11-22T02:23:48+00:00",
"generator": {
"date": "2024-11-22T02:23:48+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2009:0010",
"initial_release_date": "2009-01-12T14:24:00+00:00",
"revision_history": [
{
"date": "2009-01-12T14:24:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2009-01-12T09:26:41+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T02:23:48+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product": {
"name": "Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:5::client_workstation"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux (v. 5 server)",
"product": {
"name": "Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:5::server"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AS version 4",
"product": {
"name": "Red Hat Enterprise Linux AS version 4",
"product_id": "4AS",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:4::as"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Desktop version 4",
"product": {
"name": "Red Hat Enterprise Linux Desktop version 4",
"product_id": "4Desktop",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:4::desktop"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux ES version 4",
"product": {
"name": "Red Hat Enterprise Linux ES version 4",
"product_id": "4ES",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:4::es"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux WS version 4",
"product": {
"name": "Red Hat Enterprise Linux WS version 4",
"product_id": "4WS",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:4::ws"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AS version 3",
"product": {
"name": "Red Hat Enterprise Linux AS version 3",
"product_id": "3AS",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:3::as"
}
}
},
{
"category": "product_name",
"name": "Red Hat Desktop version 3",
"product": {
"name": "Red Hat Desktop version 3",
"product_id": "3Desktop",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:3::desktop"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux ES version 3",
"product": {
"name": "Red Hat Enterprise Linux ES version 3",
"product_id": "3ES",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:3::es"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux WS version 3",
"product": {
"name": "Red Hat Enterprise Linux WS version 3",
"product_id": "3WS",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:3::ws"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "squirrelmail-0:1.4.8-5.el5_2.2.src",
"product": {
"name": "squirrelmail-0:1.4.8-5.el5_2.2.src",
"product_id": "squirrelmail-0:1.4.8-5.el5_2.2.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/squirrelmail@1.4.8-5.el5_2.2?arch=src"
}
}
},
{
"category": "product_version",
"name": "squirrelmail-0:1.4.8-5.el4_7.2.src",
"product": {
"name": "squirrelmail-0:1.4.8-5.el4_7.2.src",
"product_id": "squirrelmail-0:1.4.8-5.el4_7.2.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/squirrelmail@1.4.8-5.el4_7.2?arch=src"
}
}
},
{
"category": "product_version",
"name": "squirrelmail-0:1.4.8-8.el3.src",
"product": {
"name": "squirrelmail-0:1.4.8-8.el3.src",
"product_id": "squirrelmail-0:1.4.8-8.el3.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/squirrelmail@1.4.8-8.el3?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "squirrelmail-0:1.4.8-5.el5_2.2.noarch",
"product": {
"name": "squirrelmail-0:1.4.8-5.el5_2.2.noarch",
"product_id": "squirrelmail-0:1.4.8-5.el5_2.2.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/squirrelmail@1.4.8-5.el5_2.2?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"product": {
"name": "squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"product_id": "squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/squirrelmail@1.4.8-5.el4_7.2?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "squirrelmail-0:1.4.8-8.el3.noarch",
"product": {
"name": "squirrelmail-0:1.4.8-8.el3.noarch",
"product_id": "squirrelmail-0:1.4.8-8.el3.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/squirrelmail@1.4.8-8.el3?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-8.el3.noarch as a component of Red Hat Enterprise Linux AS version 3",
"product_id": "3AS:squirrelmail-0:1.4.8-8.el3.noarch"
},
"product_reference": "squirrelmail-0:1.4.8-8.el3.noarch",
"relates_to_product_reference": "3AS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-8.el3.src as a component of Red Hat Enterprise Linux AS version 3",
"product_id": "3AS:squirrelmail-0:1.4.8-8.el3.src"
},
"product_reference": "squirrelmail-0:1.4.8-8.el3.src",
"relates_to_product_reference": "3AS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-8.el3.noarch as a component of Red Hat Desktop version 3",
"product_id": "3Desktop:squirrelmail-0:1.4.8-8.el3.noarch"
},
"product_reference": "squirrelmail-0:1.4.8-8.el3.noarch",
"relates_to_product_reference": "3Desktop"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-8.el3.src as a component of Red Hat Desktop version 3",
"product_id": "3Desktop:squirrelmail-0:1.4.8-8.el3.src"
},
"product_reference": "squirrelmail-0:1.4.8-8.el3.src",
"relates_to_product_reference": "3Desktop"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-8.el3.noarch as a component of Red Hat Enterprise Linux ES version 3",
"product_id": "3ES:squirrelmail-0:1.4.8-8.el3.noarch"
},
"product_reference": "squirrelmail-0:1.4.8-8.el3.noarch",
"relates_to_product_reference": "3ES"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-8.el3.src as a component of Red Hat Enterprise Linux ES version 3",
"product_id": "3ES:squirrelmail-0:1.4.8-8.el3.src"
},
"product_reference": "squirrelmail-0:1.4.8-8.el3.src",
"relates_to_product_reference": "3ES"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-8.el3.noarch as a component of Red Hat Enterprise Linux WS version 3",
"product_id": "3WS:squirrelmail-0:1.4.8-8.el3.noarch"
},
"product_reference": "squirrelmail-0:1.4.8-8.el3.noarch",
"relates_to_product_reference": "3WS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-8.el3.src as a component of Red Hat Enterprise Linux WS version 3",
"product_id": "3WS:squirrelmail-0:1.4.8-8.el3.src"
},
"product_reference": "squirrelmail-0:1.4.8-8.el3.src",
"relates_to_product_reference": "3WS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-5.el4_7.2.noarch as a component of Red Hat Enterprise Linux AS version 4",
"product_id": "4AS:squirrelmail-0:1.4.8-5.el4_7.2.noarch"
},
"product_reference": "squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"relates_to_product_reference": "4AS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-5.el4_7.2.src as a component of Red Hat Enterprise Linux AS version 4",
"product_id": "4AS:squirrelmail-0:1.4.8-5.el4_7.2.src"
},
"product_reference": "squirrelmail-0:1.4.8-5.el4_7.2.src",
"relates_to_product_reference": "4AS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-5.el4_7.2.noarch as a component of Red Hat Enterprise Linux Desktop version 4",
"product_id": "4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.noarch"
},
"product_reference": "squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"relates_to_product_reference": "4Desktop"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-5.el4_7.2.src as a component of Red Hat Enterprise Linux Desktop version 4",
"product_id": "4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.src"
},
"product_reference": "squirrelmail-0:1.4.8-5.el4_7.2.src",
"relates_to_product_reference": "4Desktop"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-5.el4_7.2.noarch as a component of Red Hat Enterprise Linux ES version 4",
"product_id": "4ES:squirrelmail-0:1.4.8-5.el4_7.2.noarch"
},
"product_reference": "squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"relates_to_product_reference": "4ES"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-5.el4_7.2.src as a component of Red Hat Enterprise Linux ES version 4",
"product_id": "4ES:squirrelmail-0:1.4.8-5.el4_7.2.src"
},
"product_reference": "squirrelmail-0:1.4.8-5.el4_7.2.src",
"relates_to_product_reference": "4ES"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-5.el4_7.2.noarch as a component of Red Hat Enterprise Linux WS version 4",
"product_id": "4WS:squirrelmail-0:1.4.8-5.el4_7.2.noarch"
},
"product_reference": "squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"relates_to_product_reference": "4WS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-5.el4_7.2.src as a component of Red Hat Enterprise Linux WS version 4",
"product_id": "4WS:squirrelmail-0:1.4.8-5.el4_7.2.src"
},
"product_reference": "squirrelmail-0:1.4.8-5.el4_7.2.src",
"relates_to_product_reference": "4WS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-5.el5_2.2.noarch as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.noarch"
},
"product_reference": "squirrelmail-0:1.4.8-5.el5_2.2.noarch",
"relates_to_product_reference": "5Client-Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-5.el5_2.2.src as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.src"
},
"product_reference": "squirrelmail-0:1.4.8-5.el5_2.2.src",
"relates_to_product_reference": "5Client-Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-5.el5_2.2.noarch as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server:squirrelmail-0:1.4.8-5.el5_2.2.noarch"
},
"product_reference": "squirrelmail-0:1.4.8-5.el5_2.2.noarch",
"relates_to_product_reference": "5Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-5.el5_2.2.src as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server:squirrelmail-0:1.4.8-5.el5_2.2.src"
},
"product_reference": "squirrelmail-0:1.4.8-5.el5_2.2.src",
"relates_to_product_reference": "5Server"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2008-2379",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2008-11-29T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "473877"
}
],
"notes": [
{
"category": "description",
"text": "Cross-site scripting (XSS) vulnerability in SquirrelMail before 1.4.17 allows remote attackers to inject arbitrary web script or HTML via a crafted hyperlink in an HTML part of an e-mail message.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "squirrelmail: XSS issue caused by an insufficient html mail sanitation",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"3AS:squirrelmail-0:1.4.8-8.el3.noarch",
"3AS:squirrelmail-0:1.4.8-8.el3.src",
"3Desktop:squirrelmail-0:1.4.8-8.el3.noarch",
"3Desktop:squirrelmail-0:1.4.8-8.el3.src",
"3ES:squirrelmail-0:1.4.8-8.el3.noarch",
"3ES:squirrelmail-0:1.4.8-8.el3.src",
"3WS:squirrelmail-0:1.4.8-8.el3.noarch",
"3WS:squirrelmail-0:1.4.8-8.el3.src",
"4AS:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"4AS:squirrelmail-0:1.4.8-5.el4_7.2.src",
"4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.src",
"4ES:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"4ES:squirrelmail-0:1.4.8-5.el4_7.2.src",
"4WS:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"4WS:squirrelmail-0:1.4.8-5.el4_7.2.src",
"5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.noarch",
"5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.src",
"5Server:squirrelmail-0:1.4.8-5.el5_2.2.noarch",
"5Server:squirrelmail-0:1.4.8-5.el5_2.2.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2008-2379"
},
{
"category": "external",
"summary": "RHBZ#473877",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=473877"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2008-2379",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-2379"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2008-2379",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-2379"
}
],
"release_date": "2008-12-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2009-01-12T14:24:00+00:00",
"details": "Before applying this update, make sure that all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via Red Hat Network. Details on how to use the Red\nHat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/docs/DOC-11259",
"product_ids": [
"3AS:squirrelmail-0:1.4.8-8.el3.noarch",
"3AS:squirrelmail-0:1.4.8-8.el3.src",
"3Desktop:squirrelmail-0:1.4.8-8.el3.noarch",
"3Desktop:squirrelmail-0:1.4.8-8.el3.src",
"3ES:squirrelmail-0:1.4.8-8.el3.noarch",
"3ES:squirrelmail-0:1.4.8-8.el3.src",
"3WS:squirrelmail-0:1.4.8-8.el3.noarch",
"3WS:squirrelmail-0:1.4.8-8.el3.src",
"4AS:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"4AS:squirrelmail-0:1.4.8-5.el4_7.2.src",
"4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.src",
"4ES:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"4ES:squirrelmail-0:1.4.8-5.el4_7.2.src",
"4WS:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"4WS:squirrelmail-0:1.4.8-5.el4_7.2.src",
"5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.noarch",
"5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.src",
"5Server:squirrelmail-0:1.4.8-5.el5_2.2.noarch",
"5Server:squirrelmail-0:1.4.8-5.el5_2.2.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2009:0010"
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "squirrelmail: XSS issue caused by an insufficient html mail sanitation"
},
{
"cve": "CVE-2008-3663",
"discovery_date": "2008-09-24T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "464183"
}
],
"notes": [
{
"category": "description",
"text": "Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "squirrelmail: session hijacking - secure flag not set for HTTPS-only cookies",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"3AS:squirrelmail-0:1.4.8-8.el3.noarch",
"3AS:squirrelmail-0:1.4.8-8.el3.src",
"3Desktop:squirrelmail-0:1.4.8-8.el3.noarch",
"3Desktop:squirrelmail-0:1.4.8-8.el3.src",
"3ES:squirrelmail-0:1.4.8-8.el3.noarch",
"3ES:squirrelmail-0:1.4.8-8.el3.src",
"3WS:squirrelmail-0:1.4.8-8.el3.noarch",
"3WS:squirrelmail-0:1.4.8-8.el3.src",
"4AS:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"4AS:squirrelmail-0:1.4.8-5.el4_7.2.src",
"4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.src",
"4ES:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"4ES:squirrelmail-0:1.4.8-5.el4_7.2.src",
"4WS:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"4WS:squirrelmail-0:1.4.8-5.el4_7.2.src",
"5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.noarch",
"5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.src",
"5Server:squirrelmail-0:1.4.8-5.el5_2.2.noarch",
"5Server:squirrelmail-0:1.4.8-5.el5_2.2.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2008-3663"
},
{
"category": "external",
"summary": "RHBZ#464183",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=464183"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2008-3663",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-3663"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2008-3663",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-3663"
}
],
"release_date": "2008-08-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2009-01-12T14:24:00+00:00",
"details": "Before applying this update, make sure that all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via Red Hat Network. Details on how to use the Red\nHat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/docs/DOC-11259",
"product_ids": [
"3AS:squirrelmail-0:1.4.8-8.el3.noarch",
"3AS:squirrelmail-0:1.4.8-8.el3.src",
"3Desktop:squirrelmail-0:1.4.8-8.el3.noarch",
"3Desktop:squirrelmail-0:1.4.8-8.el3.src",
"3ES:squirrelmail-0:1.4.8-8.el3.noarch",
"3ES:squirrelmail-0:1.4.8-8.el3.src",
"3WS:squirrelmail-0:1.4.8-8.el3.noarch",
"3WS:squirrelmail-0:1.4.8-8.el3.src",
"4AS:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"4AS:squirrelmail-0:1.4.8-5.el4_7.2.src",
"4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.src",
"4ES:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"4ES:squirrelmail-0:1.4.8-5.el4_7.2.src",
"4WS:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"4WS:squirrelmail-0:1.4.8-5.el4_7.2.src",
"5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.noarch",
"5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.src",
"5Server:squirrelmail-0:1.4.8-5.el5_2.2.noarch",
"5Server:squirrelmail-0:1.4.8-5.el5_2.2.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2009:0010"
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "squirrelmail: session hijacking - secure flag not set for HTTPS-only cookies"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.