Your message dated Mon, 12 Sep 2005 08:32:08 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#327727: fixed in courier 0.47-9
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 11 Sep 2005 18:18:05 +0000
Date: Sun, 11 Sep 2005 14:18:11 -0400
From: Joey Hess <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: SqWebMail HTML Emails Script Insertion Vulnerability [CAN-2005-2769]
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="J/dobhs11T7y2rNN"
Content-Disposition: inline
X-Reportbug-Version: 3.17
X-Debbugs-Cc: Debian Security Team <[EMAIL PROTECTED]>
User-Agent: Mutt/1.5.10i
--J/dobhs11T7y2rNN
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Package: sqwebmail
Severity: serious
Version: 0.47-8
Tags: security
Another cross site scripting bug has been found in sqwebmail. Note that
this is different from #327181.
http://lists.grok.org.uk/pipermail/full-disclosure/2005-August/036622.html
This is CAN-2005-2769.
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.4.27
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
--
see shy jo
--J/dobhs11T7y2rNN
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFDJHTjd8HHehbQuO8RAooTAKCCfAh2PTA/S+FkXMzbgr/+YzC+swCeOhd2
U2a3pjUKZ7JhrkwgYkwWOWE=
=75RS
-----END PGP SIGNATURE-----
--J/dobhs11T7y2rNN--
---------------------------------------
Received: (at 327727-close) by bugs.debian.org; 12 Sep 2005 15:38:02 +0000
From: Stefan Hornburg (Racke) <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.56 $
Subject: Bug#327727: fixed in courier 0.47-9
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Mon, 12 Sep 2005 08:32:08 -0700
Source: courier
Source-Version: 0.47-9
We believe that the bug you reported is fixed in the latest version of
courier, which is due to be installed in the Debian FTP archive:
courier-authdaemon_0.47-9_i386.deb
to pool/main/c/courier/courier-authdaemon_0.47-9_i386.deb
courier-authmysql_0.47-9_i386.deb
to pool/main/c/courier/courier-authmysql_0.47-9_i386.deb
courier-authpostgresql_0.47-9_i386.deb
to pool/main/c/courier/courier-authpostgresql_0.47-9_i386.deb
courier-base_0.47-9_i386.deb
to pool/main/c/courier/courier-base_0.47-9_i386.deb
courier-doc_0.47-9_all.deb
to pool/main/c/courier/courier-doc_0.47-9_all.deb
courier-faxmail_0.47-9_i386.deb
to pool/main/c/courier/courier-faxmail_0.47-9_i386.deb
courier-imap-ssl_3.0.8-9_i386.deb
to pool/main/c/courier/courier-imap-ssl_3.0.8-9_i386.deb
courier-imap_3.0.8-9_i386.deb
to pool/main/c/courier/courier-imap_3.0.8-9_i386.deb
courier-ldap_0.47-9_i386.deb
to pool/main/c/courier/courier-ldap_0.47-9_i386.deb
courier-maildrop_0.47-9_i386.deb
to pool/main/c/courier/courier-maildrop_0.47-9_i386.deb
courier-mlm_0.47-9_i386.deb
to pool/main/c/courier/courier-mlm_0.47-9_i386.deb
courier-mta-ssl_0.47-9_i386.deb
to pool/main/c/courier/courier-mta-ssl_0.47-9_i386.deb
courier-mta_0.47-9_i386.deb
to pool/main/c/courier/courier-mta_0.47-9_i386.deb
courier-pcp_0.47-9_i386.deb
to pool/main/c/courier/courier-pcp_0.47-9_i386.deb
courier-pop-ssl_0.47-9_i386.deb
to pool/main/c/courier/courier-pop-ssl_0.47-9_i386.deb
courier-pop_0.47-9_i386.deb
to pool/main/c/courier/courier-pop_0.47-9_i386.deb
courier-ssl_0.47-9_i386.deb
to pool/main/c/courier/courier-ssl_0.47-9_i386.deb
courier-webadmin_0.47-9_i386.deb
to pool/main/c/courier/courier-webadmin_0.47-9_i386.deb
courier_0.47-9.diff.gz
to pool/main/c/courier/courier_0.47-9.diff.gz
courier_0.47-9.dsc
to pool/main/c/courier/courier_0.47-9.dsc
sqwebmail_0.47-9_i386.deb
to pool/main/c/courier/sqwebmail_0.47-9_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stefan Hornburg (Racke) <[EMAIL PROTECTED]> (supplier of updated courier
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 12 Sep 2005 16:29:35 +0200
Source: courier
Binary: courier-authpostgresql courier-ldap courier-faxmail courier-pcp
courier-authmysql courier-imap courier-authdaemon courier-base sqwebmail
courier-ssl courier-pop courier-mta courier-webadmin courier-imap-ssl
courier-doc courier-mlm courier-maildrop courier-mta-ssl courier-pop-ssl
Architecture: source i386 all
Version: 0.47-9
Distribution: unstable
Urgency: high
Maintainer: Stefan Hornburg (Racke) <[EMAIL PROTECTED]>
Changed-By: Stefan Hornburg (Racke) <[EMAIL PROTECTED]>
Description:
courier-authdaemon - Courier Mail Server - Authentication daemon
courier-authmysql - Courier Mail Server - MySQL authentication
courier-authpostgresql - Courier Mail Server - PostgreSQL Authentication
courier-base - Courier Mail Server - Base system
courier-doc - Courier Mail Server - Additional documentation
courier-faxmail - Courier Mail Server - Faxmail gateway
courier-imap - Courier Mail Server - IMAP server
courier-imap-ssl - Courier Mail Server - IMAP over SSL
courier-ldap - Courier Mail Server - LDAP support
courier-maildrop - Courier Mail Server - Mail delivery agent
courier-mlm - Courier Mail Server - Mailing list manager
courier-mta - Courier Mail Server - ESMTP daemon
courier-mta-ssl - Courier Mail Server - ESMTP over SSL
courier-pcp - Courier Mail Server - PCP server
courier-pop - Courier Mail Server - POP3 server
courier-pop-ssl - Courier Mail Server - POP3 over SSL
courier-ssl - Courier Mail Server - SSL/TLS Support
courier-webadmin - Courier Mail Server - Web-based administration frontend
sqwebmail - Courier Mail Server - Webmail server
Closes: 327162 327181 327727
Changes:
courier (0.47-9) unstable; urgency=high
.
* applied extended patch for cross-site scripting issues in sqwebmail
to filter out certain MSIE-only scripting constructs (Closes: #327181,
thanks to Martin Schulze <[EMAIL PROTECTED]> for the original report),
also fixes the issue described in [CAN-2005-2769] (Closes: #327727)
* fix FTBFS due to changed behaviour of find binary (Closes: #327162,
thanks to Matt Kraai <[EMAIL PROTECTED]> for the report and Willi Mann
<[EMAIL PROTECTED]> for the patch)
Files:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFDJZswjgVfE5tya3ERAncHAJ9T1MZFbNGipc6fif3BvtDIFRXMbgCePwJ/
YumpQfn4xNOxhhRF3Ks2J18=
=5+NS
-----END PGP SIGNATURE-----