
             AUSCERT External Security Bulletin Redistribution

                       ESB-2007.1012 -- [UNIX/Linux]
                  SquirrelMail 1.4.12 Package Compromise
                             17 December 2007


        AusCERT Security Bulletin Summary

Product:              SquirrelMail 1.4.12
Publisher:            SquirrelMail
Operating System:     UNIX variants (UNIX, Linux, OSX)
Impact:               Reduced Security

Comment: SquirrelMail 1.4.13 has been released to alleviate any confusion
         between the real 1.4.12 and the compromised version.
         Note that the compromised code in version 1.4.12 has been shown
         to be a much higher risk than previously stated by SquirrelMail.

Revision History:  December 17 2007: Version 1.4.13 released to fix any
                                     confusion, and the changes made to
                                     1.4.12 are now considered high-risk
                   December 14 2007: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------


Due to the package compromise of 1.4.11 and 1.4.12, we are forced to
release 1.4.13 to ensure no confusion. While initial review didn't
uncover a need for concern, several proof of concepts show that the
package alterations introduce a high risk security issue, allowing
remote inclusion of files. These changes would allow a remote user the
ability to execute exploit code on a victim machine, without any user
interaction on the victim's server. This could grant the attacker the
ability to deploy further code on the victim's server.

We *STRONGLY* advise all users of 1.4.11 and 1.4.12 to upgrade.

Package MD5s
1a1bdad6245aaabcdd23d9402acb388e  squirrelmail-1.4.13.tar.bz2
51ddd67a7ff9272f5a6e1da0b9dfbf18  squirrelmail-1.4.13.tar.gz
ed8871a693cc57d5a0d511f7b89f8781  squirrelmail-1.4.13.zip

We apologise for the inconvenience this may have caused.

-- 
Happy SquirrelMailing!
The SquirrelMail Development Team



It has been brought to our attention that the MD5 sums for the 1.4.12
package were not matching the actual package.  We've been
investigating this issue, and uncovered that the package was modified
post release.  This was believed to have been caused by a compromised
account from one of our release maintainers.

Further investigations show that the modifications to the code should
have little to no impact at this time.  Modifications seemed to be
based around a PHP global variable which we cannot track down.  The
changes made will most likely generate an error, rather than a
compromise of a system in the event the code does get executed.

Original packages, stored on secure media, have been restored to the
Sourceforge download servers, and additional signatures for the
packages are now available on the SquirrelMail download page at

While we believe the changes made should have little impact, we
strongly recommend everybody that has downloaded the 1.4.12 package
after the 8th December, to redownload the package.

The code modifications did not make it into our source control, just
the final package.  We are currently investigating older packages to
see if they were also compromised.

Once again, the original package MD5s are:
ea5e750797628c9f0f247009f8ae0e14  squirrelmail-1.4.12.tar.bz2
d17c1d9f1ee3dde2c1c21a22fc4f9d0e  squirrelmail-1.4.12.tar.gz
3f6514939ea1ebf69f6f8c92781886ab  squirrelmail-1.4.12.zip

We apologise for the inconvenience this may have caused.

For any further issues, please contact myself, or the security list

-- 
Happy SquirrelMailing!
The SquirrelMail Development Team


--------------------------END INCLUDED TEXT--------------------
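The two announcements above ask administrators to compare the MD5 sums of
downloaded archives against the values published in the announcement, which
is the check that exposed the tampered 1.4.12 package in the first place. The
script below is an added example, written for this bulletin and not code from
the SquirrelMail project or AusCERT. It parses a list in the same
"<md5>  <filename>" format the announcements use, hashes each archive in a
download directory, and reports OK, MISMATCH or MISSING per file, which is what
`md5sum -c` does but with every listed archive accounted for explicitly. The
six digests are copied from the announcements; the archive contents used in
demo() are constructed sample bytes, not the real SquirrelMail tarballs.

```python
"""Verify downloaded release archives against a published MD5 list.

Added example for the bulletin above, not SquirrelMail or AusCERT code.
The file contents in demo() are constructed sample data.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict

# Expected checksums copied from the SquirrelMail announcements above.
# Against the genuine archives this is the list you would feed to the checker.
ADVISORY_MD5S = """\
1a1bdad6245aaabcdd23d9402acb388e  squirrelmail-1.4.13.tar.bz2
51ddd67a7ff9272f5a6e1da0b9dfbf18  squirrelmail-1.4.13.tar.gz
ed8871a693cc57d5a0d511f7b89f8781  squirrelmail-1.4.13.zip
ea5e750797628c9f0f247009f8ae0e14  squirrelmail-1.4.12.tar.bz2
d17c1d9f1ee3dde2c1c21a22fc4f9d0e  squirrelmail-1.4.12.tar.gz
3f6514939ea1ebf69f6f8c92781886ab  squirrelmail-1.4.12.zip
"""


def parse_md5_list(text: str) -> Dict[str, str]:
    """Parse md5sum-style lines into {filename: hexdigest}.

    Accepts the two-space separator used in the announcements as well as the
    ' *filename' binary marker that md5sum emits; rejects malformed digests
    so a truncated or mangled list cannot silently pass as "all OK".
    """
    expected: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        digest = digest.lower()
        if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed digest on line: {line!r}")
        if not name:
            raise ValueError(f"missing filename on line: {line!r}")
        expected[name] = digest
    return expected


def md5_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through MD5 so large archives do not need to fit in memory."""
    h = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(expected: Dict[str, str], directory: Path) -> Dict[str, str]:
    """Return {filename: 'OK' | 'MISMATCH' | 'MISSING'} for every listed archive.

    A listed archive that is absent is reported rather than skipped, so a
    partially fetched set of files is visible in the result.
    """
    results: Dict[str, str] = {}
    for name, digest in expected.items():
        path = directory / name
        if not path.is_file():
            results[name] = "MISSING"
        elif md5_of_file(path) == digest:
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"
    return results


def demo() -> Dict[str, str]:
    """Constructed scenario: one genuine archive, one altered after release,
    and one that was never downloaded. The bytes below are sample data."""
    genuine = b"constructed sample archive bytes standing in for a release tarball\n"
    altered = genuine + b"bytes appended after release (constructed)\n"
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "good.tar.gz").write_bytes(genuine)
        (d / "tampered.tar.gz").write_bytes(altered)
        # The published list is derived from the genuine bytes for all three.
        expected_digest = hashlib.md5(genuine).hexdigest()
        listing = (
            f"{expected_digest}  good.tar.gz\n"
            f"{expected_digest}  tampered.tar.gz\n"
            f"{expected_digest}  missing.tar.gz\n"
        )
        return verify_downloads(parse_md5_list(listing), d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:8s} {name}")
```

Two caveats apply when using this on a real download. The checksum list must
come from a channel independent of the download server, such as the signed
announcement mail; a list fetched from the same mirror as a tampered archive
proves nothing. And MD5 is only adequate for catching an accidental or
opportunistic post-release modification like the one described above; where
the project publishes detached GnuPG signatures, as the second announcement
says it now does, verify those instead of, or in addition to, the MD5 sums.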

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.

Comment: http://www.auscert.org.au/render.html?it=1967