Your message dated Mon, 12 Sep 2005 08:32:08 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#327181: fixed in courier 0.47-9
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 8 Sep 2005 08:07:07 +0000
>From [EMAIL PROTECTED] Thu Sep 08 01:07:07 2005
Return-path: <[EMAIL PROTECTED]>
Received: from mail.cobolt.net (mustang.cobolt.net) [213.180.160.231]
        by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
        id 1EDHR5-0001K5-00; Thu, 08 Sep 2005 01:07:07 -0700
Received: from a81-14-176-156.net-htp.de ([81.14.176.156] helo=coldhand.linuxia.de)
        by mustang.cobolt.net with esmtpa (Exim 4.50)
        id 1EDHQx-0002UH-Rj; Thu, 08 Sep 2005 10:07:00 +0200
Date: Thu, 8 Sep 2005 10:06:53 +0200
From: Stefan Hornburg <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: SqWebMail Conditional Comments Script Insertion Vulnerability
Message-Id: <[EMAIL PROTECTED]>
Organization: LinuXia Systems
X-Mailer: Sylpheed version 1.0.4 (GTK+ 1.2.10; i386-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-5.1 required=4.0 tests=BAYES_00,HAS_PACKAGE,HTML_40_50,HTML_MESSAGE autolearn=no version=2.60-bugs.debian.org_2005_01_02

package: sqwebmail
severity: important
tags: security

Secunia Research has discovered a vulnerability in SqWebMail, which can be
exploited by malicious people to conduct script insertion attacks.

The vulnerability is caused due to SqWebMail allowing usage of e.g. the
"<script>" tag within an HTML comment. This, combined with "Conditional
Comments" in Internet Explorer, can be exploited to execute arbitrary script
code in a user's browser session in context of a vulnerable site when a
malicious email is viewed.

Successful exploitation requires that the user is using Internet Explorer.

Example in an HTML email:

<!--[if IE]>
<script>alert("Vulnerable!");</script>
<![endif]-->

See http://secunia.com/secunia_research/2005-44/advisory/ for more information.

--
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team

---------------------------------------
Received: (at 327181-close) by bugs.debian.org; 12 Sep 2005 15:38:03 +0000
>From [EMAIL PROTECTED] Mon Sep 12 08:38:03 2005
Return-path: <[EMAIL PROTECTED]>
Received: from katie by spohr.debian.org with local (Exim 3.36 1 (Debian))
        id 1EEqHw-0007zH-00; Mon, 12 Sep 2005 08:32:08 -0700
From: Stefan Hornburg (Racke) <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.56 $
Subject: Bug#327181: fixed in courier 0.47-9
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Mon, 12 Sep 2005 08:32:08 -0700
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-4.2 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER,MLM autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-CrossAssassin-Score: 2

Source: courier
Source-Version: 0.47-9

We believe that the bug you reported is fixed in the latest version of
courier, which is due to be installed in the Debian FTP archive:

courier-authdaemon_0.47-9_i386.deb
  to pool/main/c/courier/courier-authdaemon_0.47-9_i386.deb
courier-authmysql_0.47-9_i386.deb
  to pool/main/c/courier/courier-authmysql_0.47-9_i386.deb
courier-authpostgresql_0.47-9_i386.deb
  to pool/main/c/courier/courier-authpostgresql_0.47-9_i386.deb
courier-base_0.47-9_i386.deb
  to pool/main/c/courier/courier-base_0.47-9_i386.deb
courier-doc_0.47-9_all.deb
  to pool/main/c/courier/courier-doc_0.47-9_all.deb
courier-faxmail_0.47-9_i386.deb
  to pool/main/c/courier/courier-faxmail_0.47-9_i386.deb
courier-imap-ssl_3.0.8-9_i386.deb
  to pool/main/c/courier/courier-imap-ssl_3.0.8-9_i386.deb
courier-imap_3.0.8-9_i386.deb
  to pool/main/c/courier/courier-imap_3.0.8-9_i386.deb
courier-ldap_0.47-9_i386.deb
  to pool/main/c/courier/courier-ldap_0.47-9_i386.deb
courier-maildrop_0.47-9_i386.deb
  to pool/main/c/courier/courier-maildrop_0.47-9_i386.deb
courier-mlm_0.47-9_i386.deb
  to pool/main/c/courier/courier-mlm_0.47-9_i386.deb
courier-mta-ssl_0.47-9_i386.deb
  to pool/main/c/courier/courier-mta-ssl_0.47-9_i386.deb
courier-mta_0.47-9_i386.deb
  to pool/main/c/courier/courier-mta_0.47-9_i386.deb
courier-pcp_0.47-9_i386.deb
  to pool/main/c/courier/courier-pcp_0.47-9_i386.deb
courier-pop-ssl_0.47-9_i386.deb
  to pool/main/c/courier/courier-pop-ssl_0.47-9_i386.deb
courier-pop_0.47-9_i386.deb
  to pool/main/c/courier/courier-pop_0.47-9_i386.deb
courier-ssl_0.47-9_i386.deb
  to pool/main/c/courier/courier-ssl_0.47-9_i386.deb
courier-webadmin_0.47-9_i386.deb
  to pool/main/c/courier/courier-webadmin_0.47-9_i386.deb
courier_0.47-9.diff.gz
  to pool/main/c/courier/courier_0.47-9.diff.gz
courier_0.47-9.dsc
  to pool/main/c/courier/courier_0.47-9.dsc
sqwebmail_0.47-9_i386.deb
  to pool/main/c/courier/sqwebmail_0.47-9_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Hornburg (Racke) <[EMAIL PROTECTED]> (supplier of updated courier package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 12 Sep 2005 16:29:35 +0200
Source: courier
Binary: courier-authpostgresql courier-ldap courier-faxmail courier-pcp courier-authmysql courier-imap courier-authdaemon courier-base sqwebmail courier-ssl courier-pop courier-mta courier-webadmin courier-imap-ssl courier-doc courier-mlm courier-maildrop courier-mta-ssl courier-pop-ssl
Architecture: source i386 all
Version: 0.47-9
Distribution: unstable
Urgency: high
Maintainer: Stefan Hornburg (Racke) <[EMAIL PROTECTED]>
Changed-By: Stefan Hornburg (Racke) <[EMAIL PROTECTED]>
Description:
 courier-authdaemon - Courier Mail Server - Authentication daemon
 courier-authmysql - Courier Mail Server - MySQL authentication
 courier-authpostgresql - Courier Mail Server - PostgreSQL Authentication
 courier-base - Courier Mail Server - Base system
 courier-doc - Courier Mail Server - Additional documentation
 courier-faxmail - Courier Mail Server - Faxmail gateway
 courier-imap - Courier Mail Server - IMAP server
 courier-imap-ssl - Courier Mail Server - IMAP over SSL
 courier-ldap - Courier Mail Server - LDAP support
 courier-maildrop - Courier Mail Server - Mail delivery agent
 courier-mlm - Courier Mail Server - Mailing list manager
 courier-mta - Courier Mail Server - ESMTP daemon
 courier-mta-ssl - Courier Mail Server - ESMTP over SSL
 courier-pcp - Courier Mail Server - PCP server
 courier-pop - Courier Mail Server - POP3 server
 courier-pop-ssl - Courier Mail Server - POP3 over SSL
 courier-ssl - Courier Mail Server - SSL/TLS Support
 courier-webadmin - Courier Mail Server - Web-based administration frontend
 sqwebmail  - Courier Mail Server - Webmail server
Closes: 327162 327181 327727
Changes:
 courier (0.47-9) unstable; urgency=high
 .
   * applied extended patch for cross-site scripting issues in sqwebmail
     to filter out certain MSIE-only scripting constructs (Closes: #327181,
     thanks to Martin Schulze <[EMAIL PROTECTED]> for the original report),
     also fixes the issue described in [CAN-2005-2769] (Closes: #327727)
   * fix FTBFS due to changed behaviour of find binary (Closes: #327162,
     thanks to Matt Kraai <[EMAIL PROTECTED]> for the report and
     Willi Mann <[EMAIL PROTECTED]> for the patch)
Files:
 7a27993758a665b13e0b5987f168ab1a 1204 mail optional courier_0.47-9.dsc
 b4ddeb073853383802ccbd64cfde0c1f 96316 mail optional courier_0.47-9.diff.gz
 955317454bc303bfe9165c7b1357de20 370728 doc optional courier-doc_0.47-9_all.deb
 db5edb0aeba8f4d5ee58ed855adb5bf4 233322 mail optional courier-base_0.47-9_i386.deb
 bad49d635ad244af873b3fd300054572 931692 mail optional courier-maildrop_0.47-9_i386.deb
 cae0359903dcb8bf9f03390a1c69629a 109462 mail optional courier-mlm_0.47-9_i386.deb
 acc637e9e98346d5e879cb052b01fcb4 2077492 mail extra courier-mta_0.47-9_i386.deb
 b807bde7714b913d9cc30767a1bb7829 28992 mail optional courier-faxmail_0.47-9_i386.deb
 89ab2373983705d3d22508bb384838df 34940 mail optional courier-webadmin_0.47-9_i386.deb
 71a4f410b0a23391d12e476392216c07 779502 mail optional sqwebmail_0.47-9_i386.deb
 f4edbeab7549b60afa9bf6b9ed1d0398 60836 mail optional courier-pcp_0.47-9_i386.deb
 6627882a81be5571fae7a05945f3cd69 417414 mail extra courier-pop_0.47-9_i386.deb
 458c519419b6cb1f7cdcb2b98c1cd0bb 66746 mail optional courier-ldap_0.47-9_i386.deb
 ae25dc1fab7810fadbe1165e77a60c64 55698 mail optional courier-authdaemon_0.47-9_i386.deb
 35a2614a18926fa9c44556ef6a41c17e 51954 mail optional courier-authmysql_0.47-9_i386.deb
 f51bd30184158a75c40f6c572c3ffc20 192176 mail optional courier-ssl_0.47-9_i386.deb
 4c8159ce12e441860b900f76035cdcd3 19456 mail extra courier-mta-ssl_0.47-9_i386.deb
 b72d696ca176a0c114717d4ed3ba7666 21060 mail optional courier-pop-ssl_0.47-9_i386.deb
 dd0c4c846fd6a72dbf0a6c831f23164f 52032 mail optional courier-authpostgresql_0.47-9_i386.deb
 982eb51b165fc0613ba9e02e47a00ba1 938980 mail extra courier-imap_3.0.8-9_i386.deb
 b52fd6d2fa9b54846d8562e86bc6e4d6 21266 mail extra courier-imap-ssl_3.0.8-9_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDJZswjgVfE5tya3ERAncHAJ9T1MZFbNGipc6fif3BvtDIFRXMbgCePwJ/
YumpQfn4xNOxhhRF3Ks2J18=
=5+NS
-----END PGP SIGNATURE-----
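Added example, not part of the bug report, the Secunia advisory or the courier package's own patch: the filtering idea behind the changelog entry above ("filter out certain MSIE-only scripting constructs") written out in Python. Ordinary sanitizers treat HTML comments as inert and let them through untouched; Internet Explorer's downlevel-hidden conditional comments (`<!--[if expr]> ... <![endif]-->`) turn such a comment into live markup, which is the gap the report describes. The code below shows both halves a webmail filter needs: a detector that flags conditional comments whose body carries script, and a sanitizer that drops every comment before rendering, including an unterminated `<!--`, which otherwise swallows the rest of the document. The sample email body, regexes and function names are my own constructions; the payload shape inside the sample is the one quoted in the report. It generalizes slightly beyond that case by accepting condition expressions other than `IE` and whitespace variants.

```python
import re

# Constructed sample HTML email body (not from the bug report). The first
# conditional comment is the payload shape quoted in the advisory; the second
# is a benign conditional comment that must be stripped but not flagged.
SAMPLE_EMAIL_HTML = (
    "<html><body>"
    "<p>Hello, please find the invoice attached.</p>"
    "<!-- ordinary comment, inert in every browser -->"
    '<!--[if IE]> <script>alert("Vulnerable!");</script> <![endif]-->'
    "<!--[if lt IE 7]><p>Please upgrade your browser.</p><![endif]-->"
    "<p>Regards</p>"
    "</body></html>"
)

# Downlevel-hidden conditional comment: <!--[if expr]> body <![endif]-->.
# Non-IE browsers see one comment; IE evaluates `expr` and, when it is true,
# parses `body` as live markup. Whitespace and case are tolerated because IE's
# parser tolerated them too.
COND_COMMENT_RE = re.compile(
    r"<!--\s*\[\s*if\b[^\]]*\]\s*>(?P<body>.*?)<!\s*\[\s*endif\s*\]\s*-->",
    re.IGNORECASE | re.DOTALL,
)

# Any comment, terminated by "-->" or running to end of input. An unterminated
# "<!--" comments out the rest of the document in a browser, so we drop it to
# the end instead of leaving the decision to the renderer.
ANY_COMMENT_RE = re.compile(r"<!--.*?(?:-->|$)", re.DOTALL)

# Heuristic markers for script-bearing markup inside a comment body
# (script element, on* event handler attribute, javascript: URL).
ACTIVE_CONTENT_RE = re.compile(
    r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:",
    re.IGNORECASE,
)


def find_conditional_comments(html: str) -> list:
    """Return the body of every downlevel-hidden conditional comment in `html`."""
    return [m.group("body") for m in COND_COMMENT_RE.finditer(html)]


def contains_active_content(fragment: str) -> bool:
    """True when `fragment` would run script if parsed as live HTML."""
    return ACTIVE_CONTENT_RE.search(fragment) is not None


def flag_conditional_script(html: str) -> list:
    """Detection: conditional-comment bodies that IE would execute as script."""
    return [body for body in find_conditional_comments(html)
            if contains_active_content(body)]


def strip_comments(html: str) -> str:
    """Mitigation: remove every comment, conditional or not, before rendering.

    Dropping comments wholesale is simpler and safer than trying to recognise
    each syntax variant IE accepts; nothing a mail client needs lives in them.
    """
    return ANY_COMMENT_RE.sub("", html)


if __name__ == "__main__":
    for body in flag_conditional_script(SAMPLE_EMAIL_HTML):
        print("flagged conditional comment body:", body.strip())
    print("sanitized:", strip_comments(SAMPLE_EMAIL_HTML))
```

The regexes are adequate for a demonstration on a message body; a production filter in a webmail front end should run on a real HTML tokenizer so that a comment opened inside an attribute value or a `<script>` element cannot desynchronize the pattern from what the browser will actually parse.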