Moderate: squirrelmail security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

-
------------------------------------------------------------
---------
                   Red Hat Security Advisory

Synopsis:          Moderate: squirrelmail security update
Advisory ID:       RHSA-2006:0668-01
Advisory URL:      htt
ps://rhn.redhat.com/errata/RHSA-2006-0668.html
Issue date:        2006-09-26
Updated on:        2006-09-26
Product:           Red Hat Enterprise Linux
CVE Names:         CVE-2006-4019 
-
------------------------------------------------------------
---------

1. Summary:

A new squirrelmail package that fixes a security issue as
well as several
bugs is now available for Red Hat Enterprise Linux 3 and 4.

This update has been rated as having moderate security
impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - noarch
Red Hat Desktop version 3 - noarch
Red Hat Enterprise Linux ES version 3 - noarch
Red Hat Enterprise Linux WS version 3 - noarch
Red Hat Enterprise Linux AS version 4 - noarch
Red Hat Enterprise Linux Desktop version 4 - noarch
Red Hat Enterprise Linux ES version 4 - noarch
Red Hat Enterprise Linux WS version 4 - noarch

3. Problem description:

SquirrelMail is a standards-based webmail package written in
PHP.

A dynamic variable evaluation flaw was found in
SquirrelMail.  Users who
have an account on a SquirrelMail server and are logged in
could use this
flaw to overwrite variables which may allow them to read or
write other
users' preferences or attachments.  (CVE-2006-4019)

Users of SquirrelMail should upgrade to this erratum
package, which
contains SquirrelMail 1.4.8 to correct this issue.  This
package also
contains a number of additional patches to correct various
bugs.

Note: After installing this update, users are advised to
restart their httpd
service to ensure that the new version functions correctly.

4. Solution:

Before applying this update, make sure all previously
released errata
relevant to your system have been applied.

This update is available via Red Hat Network.  To use Red
Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in
the appropriate
RPMs being upgraded on your system.

5. Bug IDs fixed (http://bugzilla.redhat.co
m/):

192236 - [Squirrelmail] sqspell_config.php not listed as a
config file
194457 - squirrelmail cannot handle handle multibyte
characters in attachment.
194598 - "Message Highlighting" help not
translated in ja_JP
194599 - ja_JP help pages are garbled
195452 - squirrelmail view_text.php cannot handle handle
multibyte characters in attachment.
195639 - Squirrelmail file download issue on JP MS Windows
XP.
196017 - squirrelmail cannot convert Subject to zen-kaku
kata-kana.
196117 - Wrong ja_JP translation for "refresh folder
list"
202195 - CVE-2006-4019 Squirrelmail authenticated user
variable overwriting

6. RPMs required:

Red Hat Enterprise Linux AS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/squirrel
mail-1.4.8-2.el3.src.rpm
ab9d7fa0864948074a24fbb0fac716e5 
squirrelmail-1.4.8-2.el3.src.rpm

noarch:
0f4921da7a788f633aa016f993a9a9b6 
squirrelmail-1.4.8-2.el3.noarch.rpm

Red Hat Desktop version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/squ
irrelmail-1.4.8-2.el3.src.rpm
ab9d7fa0864948074a24fbb0fac716e5 
squirrelmail-1.4.8-2.el3.src.rpm

noarch:
0f4921da7a788f633aa016f993a9a9b6 
squirrelmail-1.4.8-2.el3.noarch.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/squirrel
mail-1.4.8-2.el3.src.rpm
ab9d7fa0864948074a24fbb0fac716e5 
squirrelmail-1.4.8-2.el3.src.rpm

noarch:
0f4921da7a788f633aa016f993a9a9b6 
squirrelmail-1.4.8-2.el3.noarch.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/squirrel
mail-1.4.8-2.el3.src.rpm
ab9d7fa0864948074a24fbb0fac716e5 
squirrelmail-1.4.8-2.el3.src.rpm

noarch:
0f4921da7a788f633aa016f993a9a9b6 
squirrelmail-1.4.8-2.el3.noarch.rpm

Red Hat Enterprise Linux AS version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/squirrel
mail-1.4.8-2.el4.src.rpm
de02b249ec7954627c88123fbdf77e7b 
squirrelmail-1.4.8-2.el4.src.rpm

noarch:
5a86f850038d3a2df211c29af5c9070c 
squirrelmail-1.4.8-2.el4.noarch.rpm

Red Hat Enterprise Linux Desktop version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/squ
irrelmail-1.4.8-2.el4.src.rpm
de02b249ec7954627c88123fbdf77e7b 
squirrelmail-1.4.8-2.el4.src.rpm

noarch:
5a86f850038d3a2df211c29af5c9070c 
squirrelmail-1.4.8-2.el4.noarch.rpm

Red Hat Enterprise Linux ES version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/squirrel
mail-1.4.8-2.el4.src.rpm
de02b249ec7954627c88123fbdf77e7b 
squirrelmail-1.4.8-2.el4.src.rpm

noarch:
5a86f850038d3a2df211c29af5c9070c 
squirrelmail-1.4.8-2.el4.noarch.rpm

Red Hat Enterprise Linux WS version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/squirrel
mail-1.4.8-2.el4.src.rpm
de02b249ec7954627c88123fbdf77e7b 
squirrelmail-1.4.8-2.el4.src.rpm

noarch:
5a86f850038d3a2df211c29af5c9070c 
squirrelmail-1.4.8-2.el4.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our
key and 
details on how to verify the signature are available from
htt
ps://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-200
6-4019
http://www.redhat.com/security/updates/classifica
tion/#moderate

8. Contact:

The Red Hat security contact is <secalertredhat.com>.  More contact
details at https:/
/www.redhat.com/security/team/contact/

Copyright 2006 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFFGRycXlSAg2UNWIIRAqfYAKC7/PpwTVsu0NE4VkgarNMzz0qrtQCc
Dtem
U+y750rIe6Ai7kBWDH8jSgQ=
=zEr9
-----END PGP SIGNATURE-----


-- 
Enterprise-watch-list mailing list
Enterprise-watch-listredhat.com
https://www.redhat.com/mailman/listinfo/enterprise-
watch-list