Mailinglist Archive: opensuse-security (757 mails)

[Fwd: IMP 2.2.7 (SECURITY) released]
  • From: Martin Sckopke <m.sckopke@xxxxxxxxxxxxxxxxx>
  • Date: Wed, 09 Jan 2002 08:36:56 +0100
  • Message-id: <3C3BF318.3040406@xxxxxxxxxxxxxxxxx>
The following mail was sent to suse-security a while ago.
Today I looked up the patches on the update directory and still
no IMP 2.2.7 :-(

Is anything wrong with the patch or is there any other reason
not to supply a patch to a security problem?

While I'm at it: the recommended kernel for Suse EMail Server II
still seems to be 2.2.16. Version 2.2.19 never seems to have made
it to the update directory. Any reason?

Keep up the (otherwise) good work,


-------- Original Message --------
Subject: [Fwd: IMP 2.2.7 (SECURITY) released]
Date: Fri, 16 Nov 2001 09:02:40 +0100
From: Martin Sckopke <m.sckopke@xxxxxxxxxxxxxxxxx>
Company: GiS
To: suse-security@xxxxxxxx

I found the following message on Bugtraq.
Is suse working on a fix for Suse EMail-Server II?
The patch on the update-server is still 2.2.6.


"Brent J. Nordquist" wrote:
> The Horde team announces the availability of IMP 2.2.7, which fixes a
> potential session hijacking vulnerability using a cross-site scripting
> (CSS) attack. We recommend that all sites running IMP 2.2.x upgrade to
> this version.
> The Horde Project would like to thank João Pedro Gonçalves from the
> Phibernet Information Network <megas@xxxxxxxxxxxxx> for discovering this
> problem and alerting us. From his description:
> > - It's possible to hijack an imp/horde session using a cross-site
> > script attack, quite similar to the one explored by Marc Slemko in his
> > "Microsoft Passport to Trouble" paper.
> >
> > - After hijacking the cookies, the attacker can use the session and read
> > the victim's mail.
> >
> > - All stable imp webmail versions, up to and including 2.2.6, are vulnerable;
> > the devel version, 2.3 and 3.0 Release Candidate 1 are not affected by
> > this vulnerability.
> This release also has a new Chinese (Simplified) translation.

The three golden rules to ensure computer security are:
Do not own a computer; do not power it on; and do not use it
(Robert (Bob) T.Morris)

GiS - Gesellschaft fuer integrierte Systemplanung mbH
Martin Sckopke Tel. +49-6201-503-74
Junkersstr. 2 Fax +49-6201-503-66
D-69469 Weinheim m.sckopke@xxxxxxxxxxxxxxxxx
