An updated squirrelmail package that fixes two security issues is now
This update has been rated as having moderate security impact by the Red
Hat Security Response Team.
[Updated 04 Aug 2005]
The previous SquirrelMail package released with this errata contained a bug
which rendered the addressbook unusable. The erratum has been updated with
a package which corrects this issue.
SquirrelMail is a standards-based webmail package written in PHP4.
A bug was found in the way SquirrelMail handled the $_POST variable. If a
user is tricked into visiting a malicious URL, the user's SquirrelMail
preferences could be read or modified. The Common Vulnerabilities and
Exposures project assigned the name CAN-2005-2095 to this issue.
Several cross-site scripting bugs were discovered in SquirrelMail. An
SquirrelMail pages by tricking a user into visiting a carefully crafted
URL, or by sending them a carefully constructed HTML email message. The
Common Vulnerabilities and Exposures project assigned the name
CAN-2005-1769 to this issue.
All users of SquirrelMail should upgrade to this updated package, which
contains backported patches that resolve these issues.