Re: FWD: Squirrelmail XSS + SQL security bug?

2004-08-01 Thread Thijs Kinkhorst
> I completely agree with Matt. This was the idea I wanted to say in my
> former post. Don't mix development docs (like changelog) with security ones
> (security advisories, etc). IMHO, the correct procedure for
> SquirrelMail (or other important project) would be to open a security
> section where security announcements were placed and sending _also_ these
> announcements to security lists (at least, Bugtraq). I'm not a developer
> but this is exactly what I usually do if I discover a security related bug
> in any piece of software.

I agree that a separate security section on our website could aid in the communication 
of security issues. I will bring this up within the project, I think there won't be 
much protest against that.


Thijs


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: FWD: Squirrelmail XSS + SQL security bug?

2004-08-01 Thread Roman Medina-Heigl Hernandez
On Sat, 31 Jul 2004 21:53:25 -0700, you wrote:

>The Debian security team cannot monitor the mailing lists for every project
>in Debian: there are literally thousands.  We rely on channels which are
>explicitly devoted to the dissemination of security announcements (e.g.,
>BUGTRAQ), and communication through the Debian package maintainer (who
>should follow the relevant mailing lists for the project).
>
>I do not think I have ever seen a security announcement from the
>Squirrelmail project on a public mailing list.

I completely agree with Matt. This was the idea I wanted to say in my
former post. Don't mix development docs (like changelog) with security
ones (security advisories, etc). IMHO, the correct procedure for
SquirrelMail (or other important project) would be to open a security
section where security announcements were placed and sending _also_
these announcements to security lists (at least, Bugtraq). I'm not a
developer but this is exactly what I usually do if I discover a
security related bug in any piece of software.

 Regards,
 --Roman

--
PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]



Re: FWD: Squirrelmail XSS + SQL security bug?

2004-07-31 Thread Matt Zimmerman
On Thu, Jul 29, 2004 at 11:27:55AM +0200, Roman Medina-Heigl Hernandez wrote:

> On Thu, 22 Jul 2004 20:28:23 +0200 (CEST), you wrote:
> 
> >About security fixes in the SquirrelMail code; SquirrelMail does not
> >(contrary to Roman's standpoint) adhere to an obscurity policy but
> >instead openly discloses any security fix in our code. In the changelog and
> >in the announcement of the recent 1.4.3 release it's clearly stated that
> >this closes a security hole. If the Debian project wants to we can of
> >course notify them if we patch something but it is principally their
> >responsibility to monitor our lists, announcements and bugtraq.

The Debian security team cannot monitor the mailing lists for every project
in Debian: there are literally thousands.  We rely on channels which are
explicitly devoted to the dissemination of security announcements (e.g.,
BUGTRAQ), and communication through the Debian package maintainer (who
should follow the relevant mailing lists for the project).

I do not think I have ever seen a security announcement from the
Squirrelmail project on a public mailing list.

-- 
 - mdz





Re: FWD: Squirrelmail XSS + SQL security bug?

2004-07-29 Thread Roman Medina-Heigl Hernandez

Hi all. Sorry for my late response. I'm on vacation. Comments inline.

On Thu, 22 Jul 2004 20:28:23 +0200 (CEST), you wrote:

>About security fixes in the SquirrelMail code; SquirrelMail does not (contrary to 
>Roman's standpoint) adhere to an obscurity policy but instead openly discloses any 
>security fix in our code. In the changelog and in the announcement of the recent 
>1.4.3 release it's clearly stated that this closes a security hole. If the Debian 
>project wants to we can of course notify them if we patch something but it is 
>principally their responsibility to monitor our lists, announcements and bugtraq.

I practically agree but I think SquirrelMail's site should have a
"security" section where security announcements could be placed. I
don't like to mix a changelog (which is usually more
development-oriented) with security advisories. In the latter anyone
could easily check which version is or not vulnerable to a given or
several bugs in a clear way. Thus I don't consider a changelog to be
sufficient to be considered as "open disclose" compliant. Also, in SM
web version 1.4.3 was announced as security fix in the news section
(which is good), but again news are being rotated and sooner or later
the announcement will disappear (and you're mixing news of different
nature with security stuff). This was (and is) my standpoint.

 Regards,
 --Roman

--
PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]



Squirrelmail maint+security (Was: Re: FWD: Squirrelmail XSS + SQL security bug?)

2004-07-27 Thread Jeroen van Wolffelaar
On Thu, Jul 22, 2004 at 08:28:23PM +0200, Thijs Kinkhorst wrote:
> Hello People,
> 
> I'm part of the SquirrelMail development team and have assisted Jeroen
> in preparing the recent upload of a new SquirrelMail package.
> 
> Let me comment on some of the issues raised.
 
(...)

> About the SquirrelMail Debian maintainership; this hasn't been up to
> par for the last half year (and before that was also not very active).
> A development version (1.5.0) was added to Debian (why??) and bug
> reports were not attended to, mail was not replied to at all(!).
> Debian should have some kind of mechanism to prevent this from
> happening in the future. Perhaps there should be a policy that each
> package has at least two maintainers? For the SquirrelMail package I'd
> say that Jeroen and Sam become co-maintainers.

For the general case: it's a known problem, and is being discussed.
Solutions are however not very easy.

For the case at hand: I've asked Sam numerous times, and NMU'd, with as
only reaction a quote from db.debian.org at the time he was marked on
vacation. Sam, you're not marked as 'on vacation' anymore, can you
please reply to it? In absence of any real progress in squirrelmail
packaging, I'll still take over the package (and put you as
co-maintainer if you wish so) in about two weeks. The reason why I think
this is important is outlined below.
 
> About security fixes in the SquirrelMail code; SquirrelMail does not
> (contrary to Roman's standpoint) adhere to an obscurity policy but
> instead openly discloses any security fix in our code. In the changelog
> and in the announcement of the recent 1.4.3 release it's clearly
> stated that this closes a security hole. If the Debian project wants
> to we can of course notify them if we patch something but it is
> principally their responsibility to monitor our lists, announcements
> and bugtraq.

Thijs and I agreed that he forwards me any cvs commit messages that
deal with security, I will then verify and file an appropriate bug
report and/or notify the Debian security team.

Security issues are the main reason I think it's important that an
active maintainer exists for squirrelmail, in #257973 for example are
quite some issues that are now next-to-impossible to track down
completely, but if these issues were tracked from the beginning, there
wouldn't have been any problem.

Of course, it's not just for security issues that I believe a maintainer
should actively follow upstream.
 
> The bottom line is that in my opinion the quality of the Debian
> package "stands or falls" with the activity of the maintainer. Every
> package should have two active maintainers as a rule, not as an
> exception.
> 
> I hope we can continue the collaboration like Jeroen and I did when
> preparing the recent upload. The close contact between development
> team and Debian maintainer turned out to be very efficient.

Indeed.

--Jeroen

-- 
Jeroen van Wolffelaar
[EMAIL PROTECTED] (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl





Re: FWD: Squirrelmail XSS + SQL security bug?

2004-07-22 Thread Thijs Kinkhorst
Hello People,

I'm part of the SquirrelMail development team and have assisted Jeroen in preparing 
the recent upload of a new SquirrelMail package.

Let me comment on some of the issues raised.

First off, Debian is using an archaic version of SquirrelMail, being more than two 
years old (which is a lot for a product that is under active development). I would 
advise the Debian project to upgrade their packages more often; for example 
targeting a yearly new stable release. The current policy harms Debian users: in 
these two years we've fixed hundreds of bugs (if not more) and made huge improvements 
to the code. I guess this goes for many more of the packages in Woody. Security fixes 
are not easily backportable to code that has changed so much since then.

About the SquirrelMail Debian maintainership; this hasn't been up to par for the last 
half year (and before that was also not very active). A development version (1.5.0) 
was added to Debian (why??) and bug reports were not attended to, mail was not replied 
to at all(!). Debian should have some kind of mechanism to prevent this from happening 
in the future. Perhaps there should be a policy that each package has at least two 
maintainers? For the SquirrelMail package I'd say that Jeroen and Sam become 
co-maintainers.

About security fixes in the SquirrelMail code; SquirrelMail does not (contrary to 
Roman's standpoint) adhere to an obscurity policy but instead openly discloses any 
security fix in our code. In the changelog and in the announcement of the recent 1.4.3 
release it's clearly stated that this closes a security hole. If the Debian project 
wants to we can of course notify them if we patch something but it is principally 
their responsibility to monitor our lists, announcements and bugtraq.

The bottom line is that in my opinion the quality of the Debian package "stands or 
falls" with the activity of the maintainer. Every package should have two active 
maintainers as a rule, not as an exception.

I hope we can continue the collaboration like Jeroen and I did when preparing the 
recent upload. The close contact between development team and Debian maintainer turned 
out to be very efficient.


Thijs

>>> Sam, could you please forward your incoming mail about security issues
>>> to someone who has more time to look into it?
>> 
>> Well, I wouldn't lose time doing so. Better to upgrade to latest
>> 1.4.3a.
>> Yes, contrary to the Debian "backporting" policy, but in this case there
>>  are sufficient reasons to make the exception (and it's less
>> "intrusive"
>> than completely removing SM from Woody, as I listened before). I
>> wouldn't trust an old 1.2.6 version; not without some guarantees that the SM
>> team would provide a detailed info of applied security fixes. And that's
>> not the case, as stated by Matt. In this case, I agree with him: SM team
>> should make a little effort to document such bugs instead of silently
>> patching. I told this to SM developers when I contacted them one month
>> ago. Security through obscurity is not good at all.
> 
> I agree with what you say about the SM team, as much as getting a
> cc/forward of commit mails that fix a security issue, would already be 
> great.
> 
> Simply putting a new major upstream release (1.4.x instead of 1.2.x)
> won't be accepted for a security update, and also because XSS issues are
> not that severe an issue, I don't think there is any reason to remove 1.2.x
> from woody. Those XSS, and especially the SQL injection, need to be fixed
> though.
> 
> Thanks for your very detailed mail, I'll look into it w.r.t. remaining
> woody issues. I also saw three CVE's assigned to squirrelmail in 2004, none
> of them have been patched by Debian. I'll trace that down.
> 
 I disclosed in a _detailed way_ several bugs:
 [RS-2004-1] http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt
 
>>> 
>>> This wasn't reported in the Debian BTS.
>>> 
>> 
>> I was unaware of Debian BTS when I reported the vuln. Anyway, it should
>> be sufficient to notify it to security email address. People who report
>> security bugs don't necessarily need to know about bug tracking
>> systems or the way a "vendor" archives or deals with a reported bug.
>> 
>> Moreover, security teams should monitorize public security
>> mailing-lists like Bugtraq. So if the usual communication channels fail
>> (for instance,
>> e-mail to security address), at least you are aware of public vulns)
>> (and
>> then you can feed your internal / external BTS, or act as whatever you 
>> want).
> 
> I fully agree with you, sorry, I didn't intend to 'blame' you for not
> reporting it in the BTS. It would have made things easier/go faster, but I
> agree, it is by no means your fault it didn't happen. It'd be appreciated
> if you could do so though.
> 
>>> I (the person uploading that version) was not aware of this, partly
>>> because you didn't file a bug in the BTS about this. Note however that
>>> 
>> 
>> As I have told, t

Re: FWD: Squirrelmail XSS + SQL security bug?

2004-07-06 Thread Jeroen van Wolffelaar
On Tue, Jul 06, 2004 at 12:47:21PM +0200, Román Medina wrote:
> 
> Hi Jeroen,
> 
> > Sam, could you please forward your incoming mail about security issues to
> > someone who has more time to look into it?
> 
> Well, I wouldn't lose time doing so. Better to upgrade to latest 1.4.3a.
> Yes, contrary to the Debian "backporting" policy, but in this case there
> are sufficient reasons to make the exception (and it's less "intrusive"
> than completely removing SM from Woody, as I listened before). I wouldn't
> trust an old 1.2.6 version; not without some guarantees that the SM team would
> provide a detailed info of applied security fixes. And that's not the
> case, as stated by Matt. In this case, I agree with him: SM team should
> make a little effort to document such bugs instead of silently patching. I
> told this to SM developers when I contacted them one month ago. Security
> through obscurity is not good at all.

I agree with what you say about the SM team, as much as getting a
cc/forward of commit mails that fix a security issue, would already be
great.

Simply putting a new major upstream release (1.4.x instead of 1.2.x)
won't be accepted for a security update, and also because XSS issues
are not that severe an issue, I don't think there is any reason to remove
1.2.x from woody. Those XSS, and especially the SQL injection, need to
be fixed though.

Thanks for your very detailed mail, I'll look into it w.r.t. remaining
woody issues. I also saw three CVE's assigned to squirrelmail in 2004,
none of them have been patched by Debian. I'll trace that down.

> >> I disclosed in a _detailed way_ several bugs:
> >> [RS-2004-1] http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt
> >
> > This wasn't reported in the Debian BTS.
> 
> I was unaware of Debian BTS when I reported the vuln. Anyway, it should be
> sufficient to notify it to security email address. People who report
> security bugs don't necessarily need to know about bug tracking systems
> or the way a "vendor" archives or deals with a reported bug.
> 
> Moreover, security teams should monitorize public security mailing-lists
> like Bugtraq. So if the usual communication channels fail (for instance,
> e-mail to security address), at least you are aware of public vulns) (and
> then you can feed your internal / external BTS, or act as whatever you
> want).

I fully agree with you, sorry, I didn't intend to 'blame' you for not
reporting it in the BTS. It would have made things easier/go faster, but
I agree, it is by no means your fault it didn't happen. It'd be
appreciated if you could do so though.
 
> > I (the person uploading that version) was not aware of this, partly
> > because you didn't file a bug in the BTS about this. Note however that
> 
> As I have told, to "file a bug" is not my duty (although I would have made
> it if I had known of BTS' existence). I reported the bug to SM developers
> (_before_ making it public, that's important, and letting sufficient time
> for the bug to be fixed) and also to Debian maintainer _as a courtesy_ (I
> don't have the time nor resources to notify all distros which use SM; I
> did the exception with Debian because I use Debian and I like it).

Then the problem was with Debian internally, that this wasn't
forwarded/fixed... again, sorry for insinuating you should have filed a
bug :)
 
> >> - I don't know whether or not the old XSS bugs which I reported to
> >> affect
> >> Debian Woody (read RS-2004-1) are still uncovered. I'm afraid it is...
> >
> > Thanks for the direct pointer, I assume you did contact
> > [EMAIL PROTECTED] about this?
> 
> I should check my outbox to verify this (I think I placed
> [EMAIL PROTECTED] in cc). In all cases:
> - You can assume _at least_ Debian maintainer (Sam) was notified.

...

> - I recall to have talked about this with Matt, so I assume he is / was
> also aware of this. Indeed he replied in a public mailing-list to my
> advisory post so he should read it:
> http://seclists.org/lists/fulldisclosure/2004/Jun/0029.html

I don't know what happened to this. In answer to this question of yours:

http://seclists.org/lists/fulldisclosure/2004/Jun/0046.html
| 
| #ifdef _security_perspective_
| #define usual_channels bugtraq other_lists
| #endif
| #ifdef _devel_perspective_
| #define usual_channels changelog_file
| #endif
| printf("My usual channels are: %s", usual_channels);
| 
| It was some kind of pseudocode :-) Question: which perspective are
| Debian maintainers using to monitorize their packages? In the
| particular case of SM, the old XSS issues were listed in ChangeLog,
| but .deb package was not updated. Why?

Debian maintainers should monitor upstream, especially changelogs of new
versions, and preferably also upstream devel mailinglists.

The .deb package was not updated because the Debian maintainer for
squirrelmail was too busy, why the security team didn't update woody
yet, maybe they were too busy too. I have a suggestion how to
potentially improve this, I'll s

Re: FWD: Squirrelmail XSS + SQL security bug?

2004-07-06 Thread Román Medina

Hi Jeroen,

> Sam, could you please forward your incoming mail about security issues to
> someone who has more time to look into it?

Well, I wouldn't lose time doing so. Better to upgrade to latest 1.4.3a.
Yes, contrary to the Debian "backporting" policy, but in this case there
are sufficient reasons to make the exception (and it's less "intrusive"
than completely removing SM from Woody, as I listened before). I wouldn't
trust an old 1.2.6 version; not without some guarantees that the SM team would
provide a detailed info of applied security fixes. And that's not the
case, as stated by Matt. In this case, I agree with him: SM team should
make a little effort to document such bugs instead of silently patching. I
told this to SM developers when I contacted them one month ago. Security
through obscurity is not good at all.

>> I disclosed in a _detailed way_ several bugs:
>> [RS-2004-1] http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt
>
> This wasn't reported in the Debian BTS.

I was unaware of Debian BTS when I reported the vuln. Anyway, it should be
sufficient to notify it to security email address. People who report
security bugs don't necessarily need to know about bug tracking systems
or the way a "vendor" archives or deals with a reported bug.

Moreover, security teams should monitorize public security mailing-lists
like Bugtraq. So if the usual communication channels fail (for instance,
e-mail to security address), at least you are aware of public vulns) (and
then you can feed your internal / external BTS, or act as whatever you
want).

> I (the person uploading that version) was not aware of this, partly
> because you didn't file a bug in the BTS about this. Note however that

As I have told, to "file a bug" is not my duty (although I would have made
it if I had known of BTS' existence). I reported the bug to SM developers
(_before_ making it public, that's important, and letting sufficient time
for the bug to be fixed) and also to Debian maintainer _as a courtesy_ (I
don't have the time nor resources to notify all distros which use SM; I
did the exception with Debian because I use Debian and I like it).

>> - I don't know whether or not the old XSS bugs which I reported to
>> affect
>> Debian Woody (read RS-2004-1) are still uncovered. I'm afraid it is...
>
> Thanks for the direct pointer, I assume you did contact
> [EMAIL PROTECTED] about this?

I should check my outbox to verify this (I think I placed
[EMAIL PROTECTED] in cc). In all cases:
- You can assume _at least_ Debian maintainer (Sam) was notified.
- I recall to have talked about this with Matt, so I assume he is / was
also aware of this. Indeed he replied in a public mailing-list to my
advisory post so he should read it:
http://seclists.org/lists/fulldisclosure/2004/Jun/0029.html

> Also, statements like this won't help you very much if you want a
> serious response:
>
> | Please, learn the lesson and repeat with me: "Debian stable software
> | is not always as secure as we usually thought". Oddly enough, Debian
> | unstable was free of these bugs :-)

This is my personal opinion and I'm free to think like this. I'm not
imposing anything.

> But Debian unstable keeps getting lots of other bugs, so is often no
> alternative :)

Well, from security perspective I prefer unstable. Same applies to
"usability" perspective (I don't like outdated versions of certain
software). Again this is my personal opinion. I respect Debian Woody
policy but I don't support it. Better not to speak about this (flame-war
risk! :-)).

> If Debian isn't notified of security bugs, they can't fix them. Weird

Don't blame me. Your statement is easily refutable: "If Debian maintainers
don't answer to important mails (I know the email address was fine because
I previously had contacted Sam using the same method; and I insisted trying
to re-contact) and Debian security team is unaware of public security
mailing-lists (or they answer to certain threads without reading the
original post :-?) it's not my fault". Please, don't start the war. I'm
only defending my position :)

> that you here claim unstable was free of these bugs, while above you
> claim Debian unstable _had_ these bugs at the time of your advisory. So,
> which one of the two is it? Or are there more issues involved than the
> ones detailed in RS-2004-1?

Please, read my adv with more attention. Let's quote from it:
* From "summary" part:
"A vulnerability has been discovered in SM..." ---> This is the NEW bug.
"As a side effect of my research I discovered that older known SM flaws were
still present in latest Debian stable (Woody) package. I will also discuss
them here (there is no need to issue another advisory only for that ;-)).
But _please note_ that if I don't explicitly mention it, I will always be
referring to the new (and recently discovered) bug." ---> I mention the
old bugs too and clearly referred to Woody.
* From "Affected versions":
"The (new) bug could be reproduced with latest version of S

Re: FWD: Squirrelmail XSS + SQL security bug?

2004-07-06 Thread Jeroen van Wolffelaar
On Tue, Jul 06, 2004 at 10:48:46AM +0200, Román Medina wrote:
> I must add the following comments:

> - On May'04, I contacted Sam and some of the SquirrelMail developers
> regarding several security bugs in SquirrelMail (one of them being new
> -present in all SM versions- and other being old *but present in Woody*
> package). After exchanging various mails with both, I lost communication
> with Sam (:-?). I also notified [EMAIL PROTECTED] As I told to Matt (privately) I
> haven't seen any Debian security advisory from that. He pointed me to a
> bug correction page but no public announce was made by means of Debian
> Security Team. Which criteria does Debian have to publish security
> advisories?

Sam, could you please forward your incoming mail about security issues to
someone who has more time to look into it?

> - Only SquirrelMail developers fixed the bug and nobody from Debian
> contacted me to ask for more info (if it was really needed) or tell me
> that the bug was fixed/unresolved in Debian. No response in that sense
> (Matt briefly answered some direct questions I did but no particular
> response to my advisory or the bug itself was provided). As a courtesy,
> when somebody reports a security bug, the minimum action to be taken is to
> notify him/her of fixes. I haven't received any notification on this.

> - Matt has said in this thread that he'd have fixed some bugs if SM would
> have provided more precise info. Well, I do _not_ represent SM at all, but
> I disclosed in a _detailed way_ several bugs:
> [RS-2004-1] http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt

This wasn't reported in the Debian BTS.

> - I must also say that Marc and SM devel. team 's response was
> professional and efficient. They notified me when they fixed the bug and
> they publicly gave me credit in SM's page. Nevertheless, I'm not quite
> happy with Debian in that sense. I'm currently using patched SM 1.5.0 for
> tarball since I discovered the bugs with international packages (yes, it
> should be downloaded apart from the main.tgz and merge accordingly; this
> is the reason why unstable .deb package was broken regarding
> internalization).

True, a reported and meanwhile fixed bug.

> - I have just performed a search and found:
> http://packages.debian.org/changelogs/pool/main/s/squirrelmail/squirrelmail_1.4.3a-0.1/changelog
> 1.4.3a indeed fixes all security holes discovered, included the one I
> reported. I didn't read it in the changelog: no security fixes info is
> included here!! 1.5.0 from Unstable was vulnerable (yes, all Debian users
> still using 1.5.0 .deb package ARE vulnerable). I think it should be noted
> in the changelog so that users could evaluate the need to "upgrade" its
> .deb package to 1.4.3a (IMHO, highly recommendable; 1.4.3a is stable and
> secure).

I (the person uploading that version) was not aware of this, partly
because you didn't file a bug in the BTS about this. Note however that
the upstream changelog does mention:

  - Fixed XSS vulnerability in content-type display in the attachment
area of read_body.php discovered by Roman Medina.

Since I didn't realize these issues might still also be in the 1.5.0
package, I didn't separately mention that in the Debian changelog, nor
set urgency to high (and make more haste with the upload...)

> - I don't know whether or not the old XSS bugs which I reported to affect
> Debian Woody (read RS-2004-1) are still uncovered. I'm afraid it is...

Thanks for the direct pointer, I assume you did contact
[EMAIL PROTECTED] about this?

Also, statements like this won't help you very much if you want a
serious response:

| Please, learn the lesson and repeat with me: "Debian stable software
| is not always as secure as we usually thought". Oddly enough, Debian
| unstable was free of these bugs :-)

But Debian unstable keeps getting lots of other bugs, so is often no
alternative :)

If Debian isn't notified of security bugs, they can't fix them. Weird
that you here claim unstable was free of these bugs, while above you
claim Debian unstable _had_ these bugs at the time of your advisory. So,
which one of the two is it? Or are there more issues involved than the
ones detailed in RS-2004-1?

> I don't want some kind of flame-war. Please, take this mail as a
> constructive response.

My constructive tips in return are:
- once security bugs are made public, file them in the Debian BTS with
  tag security and (if only in woody) tag woody, and severity serious
  (for RS-2004-1, I'll do so myself in a minute)
- Draw Debian QA's attention via [EMAIL PROTECTED] (public
  mailinglist) to it if it doesn't seem to get fixed in a timely manner
  or there is no maintainer response at all, and/or the security team's
  attention if this vulnerability is still unfixed in woody)
- If they are not yet public, contact the Debian security team with
  precise references and possibly patches/fixes
- Since I'm a PHP developer and use squirrelmail too, you might also in
 

Re: FWD: Squirrelmail XSS + SQL security bug?

2004-07-06 Thread Román Medina
I must add the following comments:
- On May'04, I contacted Sam and some of the SquirrelMail developers
regarding several security bugs in SquirrelMail (one of them being new
-present in all SM versions- and other being old *but present in Woody*
package). After exchanging various mails with both, I lost communication
with Sam (:-?). I also notified [EMAIL PROTECTED] As I told to Matt (privately) I
haven't seen any Debian security advisory from that. He pointed me to a
bug correction page but no public announce was made by means of Debian
Security Team. Which criteria does Debian have to publish security
advisories?
- Only SquirrelMail developers fixed the bug and nobody from Debian
contacted me to ask for more info (if it was really needed) or tell me
that the bug was fixed/unresolved in Debian. No response in that sense
(Matt briefly answered some direct questions I did but no particular
response to my advisory or the bug itself was provided). As a courtesy,
when somebody reports a security bug, the minimum action to be taken is to
notify him/her of fixes. I haven't received any notification on this.
- Matt has said in this thread that he'd have fixed some bugs if SM would
have provided more precise info. Well, I do _not_ represent SM at all, but
I disclosed in a _detailed way_ several bugs:
[RS-2004-1] http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt
- I must also say that Marc and SM devel. team 's response was
professional and efficient. They notified me when they fixed the bug and
they publicly gave me credit in SM's page. Nevertheless, I'm not quite
happy with Debian in that sense. I'm currently using patched SM 1.5.0 for
tarball since I discovered the bugs with international packages (yes, it
should be downloaded apart from the main.tgz and merge accordingly; this
is the reason why unstable .deb package was broken regarding
internalization).
- I have just performed a search and found:
http://packages.debian.org/changelogs/pool/main/s/squirrelmail/squirrelmail_1.4.3a-0.1/changelog
1.4.3a indeed fixes all security holes discovered, included the one I
reported. I didn't read it in the changelog: no security fixes info is
included here!! 1.5.0 from Unstable was vulnerable (yes, all Debian users
still using 1.5.0 .deb package ARE vulnerable). I think it should be noted
in the changelog so that users could evaluate the need to "upgrade" its
.deb package to 1.4.3a (IMHO, highly recommendable; 1.4.3a is stable and
secure).
- I don't know whether or not the old XSS bugs which I reported to affect
Debian Woody (read RS-2004-1) are still uncovered. I'm afraid it is...

I don't want some kind of flame-war. Please, take this mail as a
constructive response.

Regards,
-Román


> On Mon, Jul 05, 2004 at 01:38:45PM -0700, Matt Zimmerman wrote:
>> On Mon, Jul 05, 2004 at 12:05:23PM -0700, [EMAIL PROTECTED]
>> wrote:
>>
>> > Long ago and far away, I sent this message to security@, and a small
>> > amount of conversation occurred, but I never heard back from Sam
>> Johnston
>> > or Matt Zimmerman (the two parties present in the discussion in
>> addition
>> > to myself), and I've sent a total of two messages since then to no
>> avail.
>> > I'm guessing they are both quite busy and unable to get to it, so I
>> > thought I would ask here in case the discussion occured elsewhere and
>> I
>> > missed it.
>>
>> You did receive responses.  In fact, I have in front of me right now at
>> a
>> copy of a message from you where you quote _both_ my reply and Sam
>> Johnston's.  What would you hope to gain by misrepresenting the
>> situation?
>
> You're right; I apologize.  I had a serious brain misfire, I was worried
> about sending that without your permission, but instead I made it sound
> like I'd received no response.  I apologize a second time.  Furthermore, I
> should have been more clear about why I was concerned --- it looked to me
> that the initial discussion hadn't gotten to more than discussion.  And
> now it is fairly clear to me that there are (as I expected) other issues
> existing with regard to squirrelmail developers that I don't know.  I did,
> however, send followup messages on 3 June and 29 June to which I have not
> received a response, and that is why I contacted [EMAIL PROTECTED]  That
> said, we have had intermittent power problems, so it is possible that the
> responses were never delivered, and therefore I will apologize in advance
> if that is the case.
>
> -quote original discussion
>
> Date: Wed, 26 May 2004 17:05:55 +1000
> From: Sam Johnston <[EMAIL PROTECTED]>
> To: Matt Zimmerman <[EMAIL PROTECTED]>
> CC: Adam Morley <[EMAIL PROTECTED]>
> Subject: Re: Squirrelmail XSS + SQL security bug?
>
> Matt Zimmerman wrote:
>
>>On Sat, May 22, 2004 at 08:13:48AM -0700, Adam Morley wrote:
>>
>>
>>
>>>I noticed recently that squirrelmail released a new version to fix a few
>>>bugs in its code base:
>>>
>>>http://sourceforge.net/mailarchive/forum.php?thread_id=4199060&forum_id=1988
>>>http://www

Re: FWD: Squirrelmail XSS + SQL security bug?

2004-07-05 Thread Adam Morley
On Mon, Jul 05, 2004 at 01:38:45PM -0700, Matt Zimmerman wrote:
> On Mon, Jul 05, 2004 at 12:05:23PM -0700, [EMAIL PROTECTED] wrote:
> 
> > Long ago and far away, I sent this message to security@, and a small
> > amount of conversation occurred, but I never heard back from Sam Johnston
> > or Matt Zimmerman (the two parties present in the discussion in addition
> > to myself), and I've sent a total of two messages since then to no avail.
> > I'm guessing they are both quite busy and unable to get to it, so I
> > thought I would ask here in case the discussion occurred elsewhere and I
> > missed it.
> 
> You did receive responses.  In fact, I have in front of me right now at a
> copy of a message from you where you quote _both_ my reply and Sam
> Johnston's.  What would you hope to gain by misrepresenting the situation?

You're right; I apologize.  I had a serious brain misfire, I was worried about sending 
that without your permission, but instead I made it sound like I'd received no 
response.  I apologize a second time.  Furthermore, I should have been more clear 
about why I was concerned --- it looked to me that the initial discussion hadn't 
gotten to more than discussion.  And now it is fairly clear to me that there are (as I 
expected) other issues existing with regard to squirrelmail developers that I don't 
know.  I did, however, send followup messages on 3 June and 29 June to which I have 
not received a response, and that is why I contacted [EMAIL PROTECTED]  That said, we 
have had intermittent power problems, so it is possible that the responses were never 
delivered, and therefore I will apologize in advance if that is the case.

-quote original discussion

Date: Wed, 26 May 2004 17:05:55 +1000
From: Sam Johnston <[EMAIL PROTECTED]>
To: Matt Zimmerman <[EMAIL PROTECTED]>
CC: Adam Morley <[EMAIL PROTECTED]>
Subject: Re: Squirrelmail XSS + SQL security bug?

Matt Zimmerman wrote:

>On Sat, May 22, 2004 at 08:13:48AM -0700, Adam Morley wrote:
>
> 
>
>>I noticed recently that squirrelmail released a new version to fix a few
>>bugs in its code base:
>>
>>http://sourceforge.net/mailarchive/forum.php?thread_id=4199060&forum_id=1988
>>http://www.securityfocus.com/bid/10246/
>>
>>But I haven't seen anything from Debian --- and I'm wondering where
>>exactly I should ask the question, "Is Debian's squirrelmail vulnerable to
>>this?"  I noticed a debian-security, but its listed as a "Developer"
>>mailing list on lists.debian.org, and -user doesn't seem like a place I
>>should go for security information (or is it?).
>>
>>I read the FAQ, but that wasn't helpful in this case (or maybe I'm missing
>>something!) --- it strikes me that it was not immediately obvious to me, a
>>new user of Debian, where to go to find out about a possible security
>>problem, that may or may not affect Debian.  Am I to always assume the
>>Security Team will never "miss" a security update?  Or is there a forum
>>where this should be directed?
>>   
>>
>
>In general, inquiries like this should go to the security team and the
>package maintainer (CCed).
>
>At this time the best answer I have is that squirrelmail in stable contains
>at least some of the bugs, but more investigation is needed.
>
>Sam: can you assist with this?
> 
>
Yes. Thanks Adam.

Courtesy Marc Groot Koerkamp:

Regarding 1.4.3 and the debian release policy, I do not understand how
debian can think that 1.2.6 is stable and safe. There have been many
security related fixes since the 1.2.6 release and we never explained in
release notes what the specific fixes were. By stating that Debian
backports security fixes to 1.2.6. I get curious how they do that. Do they
follow every cvs commit? Did you know that working with a php version with
register globals = off is seen as insecure? SquirrelMail 1.2.6 cannot work
with the register globals = off setting. SquirrelMail 1.4.x and 1.2.8
work with register globals = off.

Don't get me wrong, I do understand that customers don't like to update
packages every 3 months, but even Redhat ships newer SquirrelMail versions.


What is your take on this?

Sam

-- 
Sam Johnston, Director
Australian Online Solutions
1300 132 809

-end quote--

-begin quote---
Date: Thu, 3 Jun 2004 23:54:32 -0700

[snip]
> What is your take on this?

I wasn't sure if this was directed at me, but since I haven't heard anything
I thought I'd chime in.  I know I need the newer squirrelmail and will
probably stop using the Debian package for that reason, at least unless
I hear otherwise at some point.  I find it rather disconcerting that the
Squirrelmail team recommended a release candidate as "stable" software  
in order to fix the problem.  Granted, new stable is out, but. . .

I constantly wish that patches for security fixes would be released on
some sort of long-lived stable branch by open source projects, but I'm
guessing that's too much work and not exciting.  I am amazed at how
Debian does this, and sometimes wonder if something

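The note from Marc Groot Koerkamp quoted above turns on PHP's register_globals directive: SquirrelMail 1.2.6 is said to need it on, while running with it on is the insecure configuration. The following is an added example, not SquirrelMail's own code, written to show concretely why that matters and what "works with register_globals = off" means for the code. The function and variable names are hypothetical, the request and session arrays are constructed inline, and register_globals = On is emulated with extract() so the script runs on any PHP version (the directive itself was removed in PHP 5.4).

```php
<?php
// Added example (not SquirrelMail code). Shows why register_globals = On is
// dangerous and how code is written so that it does not depend on the setting.
// register_globals behaviour is emulated with extract(); the function and
// variable names are hypothetical.

/**
 * Vulnerable pattern: the "logged in" flag is assigned only when the session
 * carries it and is otherwise left uninitialised. With register_globals = On,
 * PHP has already created $logged_in from a ?logged_in=1 request parameter, so
 * the request, not the session, decides the outcome.
 */
function vulnerable_is_logged_in(array $request, array $session): bool
{
    extract($request);                  // emulates register_globals = On
    if (isset($session['logged_in'])) {
        $logged_in = $session['logged_in'];
    }
    return !empty($logged_in);          // may be the value injected from the request
}

/**
 * Hardened pattern: every variable is initialised before use and the flag is
 * read only from the trusted source (the session). The request array is
 * deliberately ignored, so register_globals has nothing to inject into.
 */
function hardened_is_logged_in(array $request, array $session): bool
{
    $logged_in = false;                 // explicit default, never left unset
    if (isset($session['logged_in'])) {
        $logged_in = (bool) $session['logged_in'];
    }
    return $logged_in;
}

/**
 * Deployment check: refuse to run when register_globals is enabled.
 * ini_get() returns false on PHP >= 5.4, where the directive no longer
 * exists, and "" or "0" when it is set to Off on older versions.
 */
function register_globals_is_off(): bool
{
    $value = ini_get('register_globals');
    return $value === false || $value === '' || $value === '0'
        || strtolower((string) $value) === 'off';
}

// Constructed inputs: an empty session and a request carrying a forged flag.
$forged_request = ['logged_in' => '1'];
$empty_session  = [];

var_dump(vulnerable_is_logged_in($forged_request, $empty_session));
var_dump(hardened_is_logged_in($forged_request, $empty_session));

if (!register_globals_is_off()) {
    exit("register_globals is enabled; refusing to run\n");
}
```

The first var_dump reports the forged request as logged in, the second does not. The hardening is simply the discipline of initialising every variable and reading state from one trusted source; the startup check is the cheap safety net for deployments where php.ini is not under the application's control.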
Re: FWD: Squirrelmail XSS + SQL security bug?

2004-07-05 Thread Matt Zimmerman
On Mon, Jul 05, 2004 at 06:05:34PM -0300, Henrique de Moraes Holschuh wrote:

> Isn't this enough reason to demote squirrelmail to an "unstable-only"
> package?   I use it everywhere, and it will be an extreme hindrance to
> me, but we have to be realistic on these issues...

Without cooperation with upstream, yes, I would suggest that it is not
feasible for us to support squirrelmail in stable.  Fortunately, however,
it appears that there is hope for cooperation yet.

-- 
 - mdz


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: FWD: Squirrelmail XSS + SQL security bug?

2004-07-05 Thread Matt Zimmerman
On Mon, Jul 05, 2004 at 10:57:16PM +0200, Jeroen van Wolffelaar wrote:

> I've done a squirrelmail NMU in fruitful cooperation with one of the
> upstream squirrelmail maintainers, former stable release manager Thijs
> Kinkhorst, who happens to also be a personal friend of mine.

Thanks very much for your efforts.

Would Thijs Kinkhorst be willing to act as a point of contact for the Debian
Security Team on squirrelmail issues?  I think Debian would benefit greatly
from such a resource.

> I'm forwarding this conversation to him, in the hope that he can comment
> on it. Since he is a Debian user himself, I'm sure he understands our
> situation, but of course, I don't know how much time he'd like to allocate
> for the 1.2.x branch that's in woody now -- don't count on anything.

I do not expect him to spend time directly on the 1.2.x branch.  It is
enough to provide specific information about the vulnerabilities: that is,
sufficient information for us to understand which code is affected and the
nature of the fix.  The patches used in the 1.4.x series (or pointers to the
relevant CVS commits) are ideal.  Given this information, we can adapt the
fix as necessary to 1.2.x.

We do not expect upstream to do our backporting work for us, only to
cooperate with us by providing the information needed to make it possible.

> Meanwhile, I guess it'd be useful to have specific references to issues...
> Adam, do you have them? Anyway, I'll ask Thijs about the 1.4.x issues, and
> get back to it (in private if there are unsolved issues involved).

Thanks again.

-- 
 - mdz





Re: FWD: Squirrelmail XSS + SQL security bug?

2004-07-05 Thread Henrique de Moraes Holschuh
On Mon, 05 Jul 2004, Matt Zimmerman wrote:
> Refer to DSA 191-1, DSA 191-2 and DSA 220-1 for examples of past bugs fixed
> in the squirrelmail package in woody.  Let me assure you, it is no pleasure
> to support a project like squirrelmail, where new cross-site scripting bugs
> are discovered on a regular basis (the past three release announcements
> mention XSS bugs), and at least one of the upstream developers (Marc Groot
> Koerkamp) demonstrates outright hostility toward the Security Team's efforts
> to support squirrelmail for Debian users.
> 
> It is very time-consuming work to assess these vulnerabilities and backport
> fixes for them.  When the upstream developers refuse to provide details of
> the vulnerabilities, and instead try to force a new upstream release on us,
> this creates _much_ more work for the security team, who are already
> overloaded volunteers.  The fact that the squirrelmail 1.4.3 release turned
> out to have a critical bug which caused it to be recalled by the developers
> further emphasizes the problems with upstream's security procedures.
> 
> If anyone can provide precise details of the vulnerabilities fixed in
> 1.4.3-RC1, 1.4.3 and 1.4.3a (yes, all three are said to have contained some
> unknown number of security fixes to unknown parts of the code), or convince
> squirrelmail upstream to provide such details, then that would provide some
> hope for its support in Debian stable.

Isn't this enough reason to demote squirrelmail to an "unstable-only"
package?   I use it everywhere, and it will be an extreme hindrance to me,
but we have to be realistic on these issues...

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh





Re: FWD: Squirrelmail XSS + SQL security bug?

2004-07-05 Thread Jeroen van Wolffelaar
I've done a squirrelmail NMU in fruitful cooperation with one of the
upstream squirrelmail maintainers, former stable release manager Thijs
Kinkhorst, who happens to also be a personal friend of mine.

I'm forwarding this conversation to him, in the hope that he can comment
on it. Since he is a Debian user himself, I'm sure he understands our
situation, but of course, I don't know how much time he'd like to
allocate for the 1.2.x branch that's in woody now -- don't count on
anything.

Meanwhile, I guess it'd be useful to have specific references to
issues... Adam, do you have them? Anyway, I'll ask Thijs about the 1.4.x
issues, and get back to it (in private if there are unsolved issues
involved).

--Jeroen

On Mon, Jul 05, 2004 at 01:38:45PM -0700, Matt Zimmerman wrote:
> On Mon, Jul 05, 2004 at 12:05:23PM -0700, [EMAIL PROTECTED] wrote:
> 
(...)
> 
> > Effectively, I'm questioning the version of squirrelmail included with
> > woody, as it is quite old, and theoretically contains vulnerabilities.
> 
> Debian's stable release is quite old, and there is nothing that the Security
> Team can do about that.  Let's confine our discussion to vulnerabilities.
> 
> > I'd like to know whether it is indeed audited separate from the current,
> > "secure" version of squirrelmail, as I maintain the current version
> > instead of the Debian version --- because the debian version supposedly
> > contains some of the security bugs.
> 
> Refer to DSA 191-1, DSA 191-2 and DSA 220-1 for examples of past bugs fixed
> in the squirrelmail package in woody.  Let me assure you, it is no pleasure
> to support a project like squirrelmail, where new cross-site scripting bugs
> are discovered on a regular basis (the past three release announcements
> mention XSS bugs), and at least one of the upstream developers (Marc Groot
> Koerkamp) demonstrates outright hostility toward the Security Team's efforts
> to support squirrelmail for Debian users.
> 
> It is very time-consuming work to assess these vulnerabilities and backport
> fixes for them.  When the upstream developers refuse to provide details of
> the vulnerabilities, and instead try to force a new upstream release on us,
> this creates _much_ more work for the security team, who are already
> overloaded volunteers.  The fact that the squirrelmail 1.4.3 release turned
> out to have a critical bug which caused it to be recalled by the developers
> further emphasizes the problems with upstream's security procedures.
> 
> If anyone can provide precise details of the vulnerabilities fixed in
> 1.4.3-RC1, 1.4.3 and 1.4.3a (yes, all three are said to have contained some
> unknown number of security fixes to unknown parts of the code), or convince
> squirrelmail upstream to provide such details, then that would provide some
> hope for its support in Debian stable.
> 
> -- 
>  - mdz
> 
> 
> 

-- 
Jeroen van Wolffelaar
[EMAIL PROTECTED] (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl





Re: FWD: Squirrelmail XSS + SQL security bug?

2004-07-05 Thread Matt Zimmerman
On Mon, Jul 05, 2004 at 12:05:23PM -0700, [EMAIL PROTECTED] wrote:

> Long ago and far away, I sent this message to security@, and a small
> amount of conversation occurred, but I never heard back from Sam Johnston
> or Matt Zimmerman (the two parties present in the discussion in addition
> to myself), and I've sent a total of two messages since then to no avail.
> I'm guessing they are both quite busy and unable to get to it, so I
> thought I would ask here in case the discussion occurred elsewhere and I
> missed it.

You did receive responses.  In fact, I have in front of me right now at a
copy of a message from you where you quote _both_ my reply and Sam
Johnston's.  What would you hope to gain by misrepresenting the situation?

> Effectively, I'm questioning the version of squirrelmail included with
> woody, as it is quite old, and theoretically contains vulnerabilities.

Debian's stable release is quite old, and there is nothing that the Security
Team can do about that.  Let's confine our discussion to vulnerabilities.

> I'd like to know whether it is indeed audited separate from the current,
> "secure" version of squirrelmail, as I maintain the current version
> instead of the Debian version --- because the debian version supposedly
> contains some of the security bugs.

Refer to DSA 191-1, DSA 191-2 and DSA 220-1 for examples of past bugs fixed
in the squirrelmail package in woody.  Let me assure you, it is no pleasure
to support a project like squirrelmail, where new cross-site scripting bugs
are discovered on a regular basis (the past three release announcements
mention XSS bugs), and at least one of the upstream developers (Marc Groot
Koerkamp) demonstrates outright hostility toward the Security Team's efforts
to support squirrelmail for Debian users.

It is very time-consuming work to assess these vulnerabilities and backport
fixes for them.  When the upstream developers refuse to provide details of
the vulnerabilities, and instead try to force a new upstream release on us,
this creates _much_ more work for the security team, who are already
overloaded volunteers.  The fact that the squirrelmail 1.4.3 release turned
out to have a critical bug which caused it to be recalled by the developers
further emphasizes the problems with upstream's security procedures.

If anyone can provide precise details of the vulnerabilities fixed in
1.4.3-RC1, 1.4.3 and 1.4.3a (yes, all three are said to have contained some
unknown number of security fixes to unknown parts of the code), or convince
squirrelmail upstream to provide such details, then that would provide some
hope for its support in Debian stable.

-- 
 - mdz

