stable

squirrelmail-1.4.22-19.fc26

FEDORA-2017-a7161eb173 created by mhlavink 7 years ago for Fedora 26

fix insufficient escaping of user-supplied data (CVE-2017-7692)

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2017-a7161eb173

This update has been submitted for testing by mhlavink.

7 years ago
User Icon anonymous commented & provided feedback 7 years ago

does this include the patch from 1.4.23 release 20170424_0200-SVN.stable? according to (Dawid Golunski)

https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html

the first patch released did not solve the issue

Update 27.04.2017: Vendor has issued version squirrelmail-20170427_0200-SVN.stable that contains a patch for this vulnerability.

and

22.04.2017 - Advisory released 24.04.2017 - Revision 2.0 (updated references and SquirrelMail version to 1.4.23 which is still vulnerable) 27.04.2017 - Revision 3.0 (update Solution and Affected versions sections)

This update has been pushed to testing.

7 years ago

This update has reached 3 days in testing and can be pushed to stable now if the maintainer wishes

7 years ago
User Icon mhlavink commented & provided feedback 7 years ago

yes, it includes this patch https://sourceforge.net/p/squirrelmail/code/14649/ from 2017-04-24

This update has been submitted for stable by mhlavink.

7 years ago

This update has been pushed to stable.

7 years ago

Please login to add feedback.

Metadata
Type
security
Severity
high
Karma
0
Signed
Content Type
RPM
Test Gating
Settings
Unstable by Karma
-3
Stable by Karma
3
Stable by Time
disabled
Dates
submitted
7 years ago
in testing
7 years ago
in stable
7 years ago
BZ#1445165 CVE-2017-7692 squirrelmail: Insufficient escaping of user-supplied data
0
0
BZ#1445167 CVE-2017-7692 squirrelmail: Insufficient escaping of user-supplied data [fedora-all]
0
0

Automated Test Results