Solution
Please Install the Updated Packages.
Insight
SquirrelMail is an easy-to-configure, standards-based, webmail package written in PHP. It includes built-in PHP support for the IMAP and SMTP protocols, and pure HTML 4.0 page-rendering (with no JavaScript required) for maximum browser-compatibility, strong MIME support, address books, and folder manipulation.
Ivan Markovic discovered a cross-site scripting (XSS) flaw in SquirrelMail caused by insufficient HTML mail sanitization. A remote attacker could send a specially crafted HTML mail or attachment that could cause a user's Web browser to execute a malicious script in the context of the SquirrelMail session when that email or attachment was opened by the user. (CVE-2008-2379)
It was discovered that SquirrelMail allowed cookies over insecure connections (i.e. it did not restrict cookies to HTTPS connections). An attacker who controlled the communication channel between a user and the SquirrelMail server, or who was able to sniff the user's network communication, could use this flaw to obtain the user's session cookie, if a user made an HTTP request to the server. (CVE-2008-3663)
Note: After applying this update, all session cookies set for SquirrelMail sessions started over HTTPS connections will have the "secure" flag set. That is, browsers will only send such cookies over an HTTPS connection. If needed, you can revert to the previous behavior by setting the configuration option "$only_secure_cookies" to "false" in SquirrelMail's /etc/squirrelmail/config.php configuration file.
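The following PHP snippet is an added illustration of the behaviour the note describes; it is not SquirrelMail's own code. The option name $only_secure_cookies and the config.php path are taken from the advisory; the helper function sessionCookieIsSecure(), the $requestIsHttps detection and the cookie name/value used in the setcookie() call are assumptions made for the example.

```php
<?php
// Added illustration (not SquirrelMail's own code) of how the $only_secure_cookies
// option from the advisory governs the "secure" flag on the session cookie.
// Assumed for this example: the helper name sessionCookieIsSecure(), the HTTPS
// detection below, and the cookie name/value passed to setcookie().

// /etc/squirrelmail/config.php fragment: the patched default. Setting this to
// false restores the pre-update behaviour (cookies usable over plain HTTP).
$only_secure_cookies = true;

/**
 * Decide whether the session cookie should carry the "secure" flag.
 * The flag is only set when the option is enabled AND the session was
 * started over HTTPS; a cookie issued over plain HTTP has already crossed
 * the wire unprotected, so marking it "secure" would not help.
 */
function sessionCookieIsSecure(bool $onlySecureCookies, bool $requestIsHttps): bool
{
    return $onlySecureCookies && $requestIsHttps;
}

// Common PHP idiom for detecting an HTTPS request. Behind a TLS-terminating
// reverse proxy this value is not set, and a trusted X-Forwarded-Proto header
// would have to be consulted instead (not shown here).
$requestIsHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

$secure = sessionCookieIsSecure($only_secure_cookies, $requestIsHttps);

// Constructed placeholder session identifier for the example.
$sessionId = 'EXAMPLE-SESSION-ID';

// Sixth argument = secure flag: with true the browser only returns the cookie
// over HTTPS, which removes the sniffing/interception path in CVE-2008-3663.
// Seventh argument = HttpOnly, which keeps document.cookie out of reach of an
// injected script such as the one in CVE-2008-2379.
setcookie('SQMSESSID', $sessionId, 0, '/', '', $secure, true);
```

To confirm the update took effect on a running server, request the login page over HTTPS with a client that shows response headers (for example `curl -sI https://mail.example.org/squirrelmail/`) and check that the `Set-Cookie` line for the session cookie ends with the `secure` attribute; the same request over plain `http://` should either redirect to HTTPS or, per the note above, not receive a cookie that is later accepted by an HTTPS session.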
Users of squirrelmail should upgrade to this updated package, which contains backported patches to correct these issues.
Affected
squirrelmail on CentOS 4
References
Updated on 2015-03-25
Severity
Classification
CVE: CVE-2008-2379, CVE-2008-3663
CVSS Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Related Vulnerabilities