Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 591
Alerts This Week
Warning Icon 1 591

Red Hat: RHSA-2009-0057-01 Important: SquirrelMail Session Hijack Threat

red hat
Calendar Grey January 19, 2009
Dist Redhat Esm H88
The recent update for SquirrelMail resolves a critical vulnerability in session management for Red Hat platforms, which poses significant risks to security.
An updated squirrelmail package that fixes a security issue is now available for Red Hat Enterprise Linux 3, 4 and 5

Solution

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at

Summary

SquirrelMail is an easy-to-configure, standards-based, webmail package written in PHP. It includes built-in PHP support for the IMAP and SMTP protocols, and pure HTML 4.0 page-rendering (with no JavaScript required) for maximum browser-compatibility, strong MIME support, address books, and folder manipulation.
The Red Hat SquirrelMail packages provided by the RHSA-2009:0010 advisory introduced a session handling flaw. Users who logged back into SquirrelMail without restarting their web browsers were assigned fixed session identifiers. A remote attacker could make use of that flaw to hijack user sessions. (CVE-2009-0030)
SquirrelMail users should upgrade to this updated package, which contains a patch to correct this issue. As well, all users who used affected versions of SquirrelMail should review their preferences.

References

https://www.cve.org/CVERecord?id=CVE-2009-0030 https://access.redhat.com/security/updates/classification#important

Package List

Red Hat Enterprise Linux AS version 3:
Source:
noarch: squirrelmail-1.4.8-9.el3.noarch.rpm
Red Hat Desktop version 3:
Source:
noarch: squirrelmail-1.4.8-9.el3.noarch.rpm
Red Hat Enterprise Linux ES version 3:
Source:
noarch: squirrelmail-1.4.8-9.el3.noarch.rpm
Red Hat Enterprise Linux WS version 3:
Source:
noarch: squirrelmail-1.4.8-9.el3.noarch.rpm
Red Hat Enterprise Linux AS version 4:
Source:
noarch: squirrelmail-1.4.8-5.el4_7.3.noarch.rpm
Red Hat Enterprise Linux Desktop version 4:
Source:
noarch: squirrelmail-1.4.8-5.el4_7.3.noarch.rpm
Red Hat Enterprise Linux ES version 4:
Source:
noarch: squirrelmail-1.4.8-5.el4_7.3.noarch.rpm
Red Hat Enterprise Linux WS version 4:
Source:
noarch: squirrelmail-1.4.8-5.el4_7.3.noarch.rpm
RHEL Desktop Workstation (v. 5 client):
Source:
noarch: squirrelmail-1.4.8-5.el5_2.3.noarch.rpm
Red Hat Enterprise Linux (v. 5 server):
Source:
noarch: squirrelmail-1.4.8-5.el5_2.3.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key#package


Severity
important
Lowest
Low
Medium
High
Critical

Advisory ID: RHSA-2009:0057-01
Product: Red Hat Enterprise Linux
Issue date: 2009-01-19

Topic

An updated squirrelmail package that fixes a security issue is nowavailable for Red Hat Enterprise Linux 3, 4 and 5.This update has been rated as having important security impact by the RedHat Security Response Team.

Relevant Releases Architectures

Red Hat Enterprise Linux AS version 3 - noarch

Red Hat Desktop version 3 - noarch

Red Hat Enterprise Linux ES version 3 - noarch

Red Hat Enterprise Linux WS version 3 - noarch

Red Hat Enterprise Linux AS version 4 - noarch

Red Hat Enterprise Linux Desktop version 4 - noarch

Red Hat Enterprise Linux ES version 4 - noarch

Red Hat Enterprise Linux WS version 4 - noarch

RHEL Desktop Workstation (v. 5 client) - noarch

Red Hat Enterprise Linux (v. 5 server) - noarch

Bugs Fixed

480224 - Squirrelmail session management broken by security backport

480488 - CVE-2009-0030 squirrelmail: session management flaw

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.