Debian Security Advisory 662-2 - Andrew Archibald discovered that the last update to squirrelmail, which was intended to fix several problems, caused a regression that is exposed when the user hits a session timeout.
30570cad6d9a79ce284b36f9cf85e7b18ef089817e6634baac61546c0fb4cb6e
Debian Security Advisory 662-1 - Several vulnerabilities have been discovered in Squirrelmail, a commonly used webmail system. Upstream developers noticed that an unsanitized variable could lead to cross-site scripting. Grant Hollingworth discovered that under certain circumstances URL manipulation could lead to the execution of arbitrary code with the privileges of www-data. This problem only exists in version 1.2.6 of Squirrelmail.
2f1b470ff1e1b6b6d1992aa09267ff6a4ccd36243f44f033382e76d37b0a7dff