=====================================================================
                                  CERT-Renater

                       Note d'Information No. 2005/VULN430
_____________________________________________________________________

DATE                      : 01/07/2005

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running squirrelmail.

======================================================================
  _______________________________________________________________________

                 Mandriva Linux Security Update Advisory
  _______________________________________________________________________

  Package name:           squirrelmail
  Advisory ID:            MDKSA-2005:108
  Date:                   June 30th, 2005

  Affected versions:      Corporate 3.0
  ______________________________________________________________________

  Problem Description:

  The SquirrelMail PHP package is vulnerable to a number of cross-site
  scripting problems, most of which were reported by Martijn Brinkers.
  If an attacker could get a user to read a specially-crafted email or
  to use a manipulated URL, they could execute arbitrary scripts running
  in the context of the victim's browser, which could lead to cookie
  theft, compromise of the user's webmail, etc.

  The updated packages have been patched to correct these problems.
  _______________________________________________________________________

  References:

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1921
  ______________________________________________________________________

  Updated Packages:

  Corporate 3.0:
  183b7a7c227551f918d7492460bb6b3e  corporate/3.0/RPMS/squirrelmail-1.4.2-11.1.C30mdk.noarch.rpm
  d518ad049ece85134416192604c02d2e  corporate/3.0/RPMS/squirrelmail-poutils-1.4.2-11.1.C30mdk.noarch.rpm
  88b3c9159a1b186057f3b858a3533e26  corporate/3.0/SRPMS/squirrelmail-1.4.2-11.1.C30mdk.src.rpm

  Corporate 3.0/X86_64:
  8fdd9a1cc0ae5ccbbff200a1a3120fdd  x86_64/corporate/3.0/RPMS/squirrelmail-1.4.2-11.1.C30mdk.noarch.rpm
  0453dd30fcc737a436dac03191ab44be  x86_64/corporate/3.0/RPMS/squirrelmail-poutils-1.4.2-11.1.C30mdk.noarch.rpm
  88b3c9159a1b186057f3b858a3533e26  x86_64/corporate/3.0/SRPMS/squirrelmail-1.4.2-11.1.C30mdk.src.rpm
  _______________________________________________________________________

  To upgrade automatically use MandrakeUpdate or urpmi.  The verification
  of md5 checksums and GPG signatures is performed automatically for you.

  All packages are signed by Mandriva for security.  You can obtain the
  GPG public key of the Mandriva Security Team by executing:

   gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

  You can view other update advisories for Mandriva Linux at:

   http://www.mandriva.com/security/advisories

  If you want to report vulnerabilities, please contact

   security_(at)_mandriva.com
  _______________________________________________________________________

  Type Bits/KeyID     Date       User ID
  pub  1024D/22458A98 2000-07-10 Mandriva Security Team
   <security*mandriva.com>

======================================================================

         =========================================================
         CERT-Renater reference servers
         http://www.urec.fr/securite
         http://www.cru.fr/securite
         http://www.renater.fr
         =========================================================
         + CERT-RENATER          | tel : 01-53-94-20-44          +
         + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
         + 75013 Paris           | email: certsvp@renater.fr     +
         =========================================================