From: Paul L. <pa...@sq...> - 2006-12-02 22:23:06
All,

Minor typo: This release is version 1.4.9 of course, not 1.4.7. It addresses issues contained in version 1.4.8 and lower. :-)

Happy Squirreling!

Paul Lesniewski
SquirrelMail Project Team

> The SquirrelMail Project Team is proud to announce the release of
> SquirrelMail 1.4.7. This version is a maintenance release, addressing
> the following problems since 1.4.6:
> - Some security fixes (see below)
> - Small enhancements
> - A collection of bugfixes (see ChangeLog)
>
> Security issues
> ===============
>
> This release addresses security issues found since the release of 1.4.8:
>
> Cross site scripting via malicious input to the mailto parameter of
> webmail.php, the session and delete_draft parameters of compose.php and
> via a shortcoming in the magicHTML filter.
>
> This is CVE-2006-6142. Thanks to Martijn Brinkers for his continued
> research that uncovered these issues.
>
> We've also changed SquirrelMail attachment handling to work around an
> issue in Internet Explorer: the browser will attempt to guess the MIME
> type of attachments based on content, not the MIME header we send.
> Attachments could fake to be a 'harmless' image/jpeg, while they were
> in fact HTML that Internet Explorer would render.
>
> Further details on SquirrelMail vulnerabilities can be found at the
> following address:
>
> http://www.squirrelmail.org/security/
>
> We strongly encourage any persons uncovering security issues to
> contact the SquirrelMail team via security <at> squirrelmail.org.
>
> Package md5sums
> ===============
>
> b3dc6e3c5accb9b88bf6ebfd87336b96 squirrelmail-1.4.9.tar.bz2
> 5a3ecbda6d8378c68fa40b4ac5b2d487 squirrelmail-1.4.9.tar.gz
> 875848f25d481b59552d4e93aaacba4c squirrelmail-1.4.9.zip
>
>
> Download at:
>
> http://www.squirrelmail.org/download.php
>
> Happy SquirrelMailing!
>
> --
> Thijs Kinkhorst
> SquirrelMail Project Team
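The attachment workaround in the quoted announcement boils down to one rule: do not let the browser's content sniffing override the declared type. The following is an added example in Python, not SquirrelMail's own code; the magic-number table, the HTML markers and the two sample payloads are constructed for illustration, and the X-Content-Type-Options header is a later browser mechanism that the 2006 announcement does not mention.

```python
import re

# Constructed magic-number table for image types a webmail client
# would serve inline; extend as needed.
MAGIC = {
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/gif": [b"GIF87a", b"GIF89a"],
}

# Tag openers that a content-sniffing browser takes as "this is HTML".
HTML_MARKERS = re.compile(
    rb"<\s*(!doctype\s+html|html|script|body|head|iframe|object|embed)",
    re.IGNORECASE,
)

# Constructed samples: a real JPEG header, and HTML claiming to be a JPEG.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
FAKE_JPEG = b"<html><body>not really a picture</body></html>"


def looks_like_html(data: bytes, window: int = 512) -> bool:
    """True if the first `window` bytes contain an HTML-looking tag."""
    return HTML_MARKERS.search(data[:window]) is not None


def matches_declared_type(mime: str, data: bytes) -> bool:
    """True when the payload starts with a known magic number for `mime`."""
    prefixes = MAGIC.get(mime.lower())
    if prefixes is None:
        return False  # unknown type: we cannot vouch for it
    return any(data.startswith(p) for p in prefixes)


def attachment_verdict(mime: str, data: bytes) -> str:
    """Classify an attachment against the MIME type the sender declared."""
    if looks_like_html(data):
        return "html-disguised"
    if matches_declared_type(mime, data):
        return "inline-ok"
    return "type-mismatch"


def safe_headers(mime: str, filename: str, data: bytes) -> dict:
    """Only verified images are served inline; everything else is forced
    to download as an opaque blob so no browser renders it as HTML."""
    safe_name = re.sub(r"[^\w.\-]", "_", filename)
    headers = {"X-Content-Type-Options": "nosniff"}
    if attachment_verdict(mime, data) == "inline-ok":
        headers["Content-Type"] = mime
        headers["Content-Disposition"] = f'inline; filename="{safe_name}"'
    else:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
    return headers
```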