Debian Security Advisory DSA 662-2 (squirrelmail)

Summary
The remote host is missing an update to squirrelmail announced via advisory DSA 662-2.
Solution
https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20662-2
Insight
Andrew Archibald discovered that the last update to squirrelmail which was intended to fix several problems caused a regression which got exposed when the user hits a session timeout. For completeness below is the original advisory text: Several vulnerabilities have been discovered in Squirrelmail, a commonly used webmail system. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2005-0104 Upstream developers noticed that an unsanitised variable could lead to cross site scripting. CVE-2005-0152 Grant Hollingworth discovered that under certain circumstances URL manipulation could lead to the execution of arbitrary code with the privileges of www-data. This problem only exists in version 1.2.6 of Squirrelmail. For the stable distribution (woody) these problems have been fixed in version 1.2.6-3. The correction in the unstable distribution (sid) is not affected by this regression. We recommend that you upgrade your squirrelmail package.