Two Cross-site scripting vulnerabilities have been found that affect SquirrelMail version 1.2.7 and earlier.
Comment
Updated mailman packages are now available for Red Hat Secure Web Server3.2 (U.S.). These updates resolve a cross-site scripting vulnerabilitypresent in versions of Mailman prior to 2.0.11.
This vulnerability makes it easy to perform various denial-of-service attacks against such programs. It is also possible that an attacker could manage a more significant exploit, such as running arbitrary code on the affected system.
The problemcan be used to bypass access restrictions in the web server. Anattacker can view the contents of directories and download filesdirectly rather then receiving their HTML output.
New util-linux packages are available that fix a problem with /bin/login’sPAM implementation. This could, in some non-default setups, cause users toreceive credentials of other users. It is recommended that all usersupdate to the fixed packages.