Your message dated Mon, 12 Sep 2005 08:32:08 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#327181: fixed in courier 0.47-9
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 8 Sep 2005 08:07:07 +0000
>From [EMAIL PROTECTED] Thu Sep 08 01:07:07 2005
Return-path: <[EMAIL PROTECTED]>
Received: from mail.cobolt.net (mustang.cobolt.net) [213.180.160.231] 
        by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
        id 1EDHR5-0001K5-00; Thu, 08 Sep 2005 01:07:07 -0700
Received: from a81-14-176-156.net-htp.de ([81.14.176.156] 
helo=coldhand.linuxia.de)
        by mustang.cobolt.net with esmtpa (Exim 4.50)
        id 1EDHQx-0002UH-Rj; Thu, 08 Sep 2005 10:07:00 +0200
Date: Thu, 8 Sep 2005 10:06:53 +0200
From: Stefan Hornburg <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: SqWebMail Conditional Comments Script Insertion Vulnerability
Message-Id: <[EMAIL PROTECTED]>
Organization: LinuXia Systems
X-Mailer: Sylpheed version 1.0.4 (GTK+ 1.2.10; i386-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

package: sqwebmail
severity: important
tags: security

Secunia Research has discovered a vulnerability in SqWebMail, which
can be exploited by malicious people to conduct script insertion
attacks.

The vulnerability is caused due to SqWebMail allowing usage of e.g.
the "<script>" tag within an HTML comment. This, combined with
"Conditional Comments" in Internet Explorer, can be exploited to
execute arbitrary script code in a user's browser session in context
of a vulnerable site when a malicious email is viewed.

Successful exploitation requires that the user is using Internet 
Explorer.

Example in an HTML email:
<!--[if IE]>
<script>alert("Vulnerable!");</script>
<![endif]-->

See http://secunia.com/secunia_research/2005-44/advisory/ for more information.

-- 
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team
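
The filtering flaw reported above, as an added illustration (not code from SqWebMail, Secunia or the Debian patch): a toy allowlist filter that strips <script> elements but, when keep_comments is set, copies HTML comments through unparsed, next to the same filter dropping comments. MailSanitizer, sanitize(), demo() and the tag allowlist are hypothetical names; dropping every comment is a broader measure than the fix named in the changelog, which filters certain MSIE-only constructs.

```python
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "br"}   # constructed allowlist, attributes dropped
DROP_CONTENT = {"script", "style"}     # elements whose body is discarded too

class MailSanitizer(HTMLParser):
    """Hypothetical toy filter (not SqWebMail code); keep_comments=True models the flaw."""
    def __init__(self, keep_comments):
        super().__init__(convert_charrefs=True)
        self.keep_comments = keep_comments
        self.out = []
        self.skip = 0  # >0 while inside a <script>/<style> element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        elif tag in ALLOWED_TAGS and not self.skip:
            self.out.append(f"<{tag}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and not self.skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))

    def handle_comment(self, data):
        # Flawed mode: the comment body is copied through unparsed, on the
        # assumption that no browser interprets it. Hardened mode: drop it.
        if self.keep_comments:
            self.out.append(f"<!--{data}-->")

def sanitize(html_body, keep_comments=False):
    parser = MailSanitizer(keep_comments)
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out)

# Constructed message body: visible text, a plain <script>, and the report's example.
SAMPLE = ('<p>Hello</p><script>alert(1)</script>'
          '<!--[if IE]>\n<script>alert("Vulnerable!");</script>\n<![endif]-->')

def demo():
    return sanitize(SAMPLE, keep_comments=True), sanitize(SAMPLE)
```

In the flawed mode the plain <script> is removed but the one inside the conditional comment reaches the output intact; in the hardened mode only the paragraph remains.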


---------------------------------------
Received: (at 327181-close) by bugs.debian.org; 12 Sep 2005 15:38:03 +0000
>From [EMAIL PROTECTED] Mon Sep 12 08:38:03 2005
Return-path: <[EMAIL PROTECTED]>
Received: from katie by spohr.debian.org with local (Exim 3.36 1 (Debian))
        id 1EEqHw-0007zH-00; Mon, 12 Sep 2005 08:32:08 -0700
From: Stefan Hornburg (Racke) <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.56 $
Subject: Bug#327181: fixed in courier 0.47-9
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Mon, 12 Sep 2005 08:32:08 -0700

Source: courier
Source-Version: 0.47-9

We believe that the bug you reported is fixed in the latest version of
courier, which is due to be installed in the Debian FTP archive:

courier-authdaemon_0.47-9_i386.deb
  to pool/main/c/courier/courier-authdaemon_0.47-9_i386.deb
courier-authmysql_0.47-9_i386.deb
  to pool/main/c/courier/courier-authmysql_0.47-9_i386.deb
courier-authpostgresql_0.47-9_i386.deb
  to pool/main/c/courier/courier-authpostgresql_0.47-9_i386.deb
courier-base_0.47-9_i386.deb
  to pool/main/c/courier/courier-base_0.47-9_i386.deb
courier-doc_0.47-9_all.deb
  to pool/main/c/courier/courier-doc_0.47-9_all.deb
courier-faxmail_0.47-9_i386.deb
  to pool/main/c/courier/courier-faxmail_0.47-9_i386.deb
courier-imap-ssl_3.0.8-9_i386.deb
  to pool/main/c/courier/courier-imap-ssl_3.0.8-9_i386.deb
courier-imap_3.0.8-9_i386.deb
  to pool/main/c/courier/courier-imap_3.0.8-9_i386.deb
courier-ldap_0.47-9_i386.deb
  to pool/main/c/courier/courier-ldap_0.47-9_i386.deb
courier-maildrop_0.47-9_i386.deb
  to pool/main/c/courier/courier-maildrop_0.47-9_i386.deb
courier-mlm_0.47-9_i386.deb
  to pool/main/c/courier/courier-mlm_0.47-9_i386.deb
courier-mta-ssl_0.47-9_i386.deb
  to pool/main/c/courier/courier-mta-ssl_0.47-9_i386.deb
courier-mta_0.47-9_i386.deb
  to pool/main/c/courier/courier-mta_0.47-9_i386.deb
courier-pcp_0.47-9_i386.deb
  to pool/main/c/courier/courier-pcp_0.47-9_i386.deb
courier-pop-ssl_0.47-9_i386.deb
  to pool/main/c/courier/courier-pop-ssl_0.47-9_i386.deb
courier-pop_0.47-9_i386.deb
  to pool/main/c/courier/courier-pop_0.47-9_i386.deb
courier-ssl_0.47-9_i386.deb
  to pool/main/c/courier/courier-ssl_0.47-9_i386.deb
courier-webadmin_0.47-9_i386.deb
  to pool/main/c/courier/courier-webadmin_0.47-9_i386.deb
courier_0.47-9.diff.gz
  to pool/main/c/courier/courier_0.47-9.diff.gz
courier_0.47-9.dsc
  to pool/main/c/courier/courier_0.47-9.dsc
sqwebmail_0.47-9_i386.deb
  to pool/main/c/courier/sqwebmail_0.47-9_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Hornburg (Racke) <[EMAIL PROTECTED]> (supplier of updated courier 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 12 Sep 2005 16:29:35 +0200
Source: courier
Binary: courier-authpostgresql courier-ldap courier-faxmail courier-pcp 
courier-authmysql courier-imap courier-authdaemon courier-base sqwebmail 
courier-ssl courier-pop courier-mta courier-webadmin courier-imap-ssl 
courier-doc courier-mlm courier-maildrop courier-mta-ssl courier-pop-ssl
Architecture: source i386 all
Version: 0.47-9
Distribution: unstable
Urgency: high
Maintainer: Stefan Hornburg (Racke) <[EMAIL PROTECTED]>
Changed-By: Stefan Hornburg (Racke) <[EMAIL PROTECTED]>
Description: 
 courier-authdaemon - Courier Mail Server - Authentication daemon
 courier-authmysql - Courier Mail Server - MySQL authentication
 courier-authpostgresql - Courier Mail Server - PostgreSQL Authentication
 courier-base - Courier Mail Server - Base system
 courier-doc - Courier Mail Server - Additional documentation
 courier-faxmail - Courier Mail Server - Faxmail gateway
 courier-imap - Courier Mail Server - IMAP server
 courier-imap-ssl - Courier Mail Server - IMAP over SSL
 courier-ldap - Courier Mail Server - LDAP support
 courier-maildrop - Courier Mail Server - Mail delivery agent
 courier-mlm - Courier Mail Server - Mailing list manager
 courier-mta - Courier Mail Server - ESMTP daemon
 courier-mta-ssl - Courier Mail Server - ESMTP over SSL
 courier-pcp - Courier Mail Server - PCP server
 courier-pop - Courier Mail Server - POP3 server
 courier-pop-ssl - Courier Mail Server - POP3 over SSL
 courier-ssl - Courier Mail Server - SSL/TLS Support
 courier-webadmin - Courier Mail Server - Web-based administration frontend
 sqwebmail  - Courier Mail Server - Webmail server
Closes: 327162 327181 327727
Changes: 
 courier (0.47-9) unstable; urgency=high
 .
   * applied extended patch for cross-site scripting issues in sqwebmail
     to filter out certain MSIE-only scripting constructs (Closes: #327181,
     thanks to Martin Schulze <[EMAIL PROTECTED]> for the original report),
     also fixes the issue described in [CAN-2005-2769] (Closes: #327727)
   * fix FTBFS due to changed behaviour of find binary (Closes: #327162,
     thanks to Matt Kraai <[EMAIL PROTECTED]> for the report and Willi Mann
     <[EMAIL PROTECTED]> for the patch)
Files: 


