- ------------------------------------------------------------------------ Debian Security Advisory DSA-1770-1 security@debian.org https://www.debian.org/security/ Steffen Joeris April 13, 2009 https://www.debian.org/security/faq - ------------------------------------------------------------------------ Package : imp4 Vulnerability : Insufficient input sanitising Problem type : remote Debian-specific: no CVE Ids : CVE-2008-4182 CVE-2009-0930 Debian Bugs : 500114 500553 513266 Several vulnerabilities have been found in imp4, a webmail component for the horde framework. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2008-4182 It was discovered that imp4 suffers from a cross-site scripting (XSS) attack via the user field in an IMAP session, which allows attackers to inject arbitrary HTML code. CVE-2009-0930 It was discovered that imp4 is prone to several cross-site scripting (XSS) attacks via several vectors in the mail code allowing attackersto inject arbitrary HTML code. For the oldstable distribution (etch), these problems have been fixed in version 4.1.3-4etch1. For the stable distribution (lenny), these problems have been fixed in version 4.2-4, which was already included in the lenny release. For the testing distribution (squeeze) and the unstable distribution (sid), these problems have been fixed in version 4.2-4. We recommend that you upgrade your imp4 packages. Upgrade instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - ------------------------------- Debian (oldstable) - --------------- Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: Size/MD5 checksum: 1059 2502fe9fc8aceeb3bd3492b739a6c53a Size/MD5 checksum: 4178089 91fb63a44805bdff178c39c9bd1c73c5 Size/MD5 checksum: 10716 156684bbc1de0c24a44ccef4b979d10a Architecture independent packages: Size/MD5 checksum: 4167730 fc8bbcc5348d4548bf9c707bbad8aec7 These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb https://security.debian.org/ stable/updates main For dpkg-ftp: dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show' and https://packages.debian.org/