- ------------------------------------------------------------------------
Debian Security Advisory DSA-1770-1 security@debian.org
https://www.debian.org/security/ Steffen Joeris
April 13, 2009 https://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : imp4
Vulnerability : Insufficient input sanitising
Problem type : remote
Debian-specific: no
CVE Ids : CVE-2008-4182 CVE-2009-0930
Debian Bugs : 500114 500553 513266
Several vulnerabilities have been found in imp4, a webmail component for
the horde framework. The Common Vulnerabilities and Exposures project
identifies the following problems:
CVE-2008-4182
It was discovered that imp4 suffers from a cross-site scripting (XSS)
attack via the user field in an IMAP session, which allows attackers to
inject arbitrary HTML code.
CVE-2009-0930
It was discovered that imp4 is prone to several cross-site scripting
(XSS) attacks via several vectors in the mail code allowing attackersto inject arbitrary HTML code.
For the oldstable distribution (etch), these problems have been fixed in
version 4.1.3-4etch1.
For the stable distribution (lenny), these problems have been fixed in
version 4.2-4, which was already included in the lenny release.
For the testing distribution (squeeze) and the unstable distribution
(sid), these problems have been fixed in version 4.2-4.
We recommend that you upgrade your imp4 packages.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
- -------------------------------
Debian (oldstable)
- ---------------
Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
Size/MD5 checksum: 1059 2502fe9fc8aceeb3bd3492b739a6c53a
Size/MD5 checksum: 4178089 91fb63a44805bdff178c39c9bd1c73c5
Size/MD5 checksum: 10716 156684bbc1de0c24a44ccef4b979d10a
Architecture independent packages:
Size/MD5 checksum: 4167730 fc8bbcc5348d4548bf9c707bbad8aec7
These files will probably be moved into the stable distribution on
its next update.
- ---------------------------------------------------------------------------------
For apt-get: deb https://security.debian.org/ stable/updates main
For dpkg-ftp: dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and https://packages.debian.org/
Debian: DSA-1770-1: New imp4 packages fix cross-site scripting
April 14, 2009
Several vulnerabilities have been found in imp4, a webmail component for the horde framework
Summary
CVE-2008-4182
It was discovered that imp4 suffers from a cross-site scripting (XSS)
attack via the user field in an IMAP session, which allows attackers to
inject arbitrary HTML code.
CVE-2009-0930
It was discovered that imp4 is prone to several cross-site scripting
(XSS) attacks via several vectors in the mail code allowing attackersto inject arbitrary HTML code.
For the oldstable distribution (etch), these problems have been fixed in
version 4.1.3-4etch1.
For the stable distribution (lenny), these problems have been fixed in
version 4.2-4, which was already included in the lenny release.
For the testing distribution (squeeze) and the unstable distribution
(sid), these problems have been fixed in version 4.2-4.
We recommend that you upgrade your imp4 packages.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
Debian (oldstable)
- ---------------
Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
Size/MD5 checksum: 1059 2502fe9fc8aceeb3bd3492b739a6c53a
Size/MD5 checksum: 4178089 91fb63a44805bdff178c39c9bd1c73c5
Size/MD5 checksum: 10716 156684bbc1de0c24a44ccef4b979d10a
Architecture independent packages:
Size/MD5 checksum: 4167730 fc8bbcc5348d4548bf9c707bbad8aec7
These files will probably be moved into the stable distribution on
its next update.
For apt-get: deb https://security.debian.org/ stable/updates main
For dpkg-ftp: dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show
Severity
Several vulnerabilities have been found in imp4, a webmail component for
the horde framework. The Common Vulnerabilities and Exposures project
identifies the following problems:
News
HOWTOs
About Us
Powered By
