Mandrake Security Advisory MDVSA-2009:122 (squirrelmail)

The remote host is missing an update to squirrelmail announced via advisory MDVSA-2009:122.
To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.
A vulnerability has been identified and corrected in squirrelmail: The map_yp_alias function in functions/imap_general.php in SquirrelMail before 1.4.19 allows remote attackers to execute arbitrary commands via shell metacharacters in a username string that is used by the ypmatch program. NOTE: this issue exists because of an incomplete fix for CVE-2009-1579. (CVE-2009-1381) Basically this is a syncronization with the latest squirrelmail package found in Mandriva Cooker. The rpm changelog will reveal all the changes (rpm -q --changelog squirrelmail). The updated packages have been upgraded to the latest version of squirrelmail to prevent this. Affected: Corporate 4.0