[SM-DEVEL] SquirrelMail 1.4.10 Released

[Thijs K. <ki...@sq...>]

Hello All,

The SquirrelMail Project Team is proud to announce the release of
SquirrelMail 1.4.10. This version is a security release.

This version, 1.4.10 is a maintenance release, addressing
the following problems since 1.4.9a:
=2D Some security fixes (see below)
=2D Small enhancements
=2D A collection of bugfixes and stability enhancements
(see ChangeLog for a full list)

Security issues
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

This release addresses security issues found since the release of 1.4.9a:

There's an ongoing battle to further secure the HTML filter against malicio=
us
HTML mail and the browsers that accept almost any malformed piece of HTML.

This release contains fixes for the following:
=2D HTML attachments containing "data:" URLs;
=2D Internet Explorer in various versions accepts many permutations of HTML
  and JavaScript in many charsets. We now properly canonicalize the incoming
  HTML to us-ascii before applying further filters. IE only.
=2D Request forgery through images. It was possible to include "images" in
  HTML mails which were in fact GET requests for the compose.php page sendi=
ng
  mail. These images are now properly detected, and the compose form will o=
nly
  send mail through a POST request.

Thanks to Mikhail Markin, Tomas Kuliavas and Michael Jordon for reporting
(parts of) these issues and working with us to get them resolved.

These are known as CVE-2007-1262. Further details on SquirrelMail=20
vulnerabilities can be found at the following address:

  http://www.squirrelmail.org/security/


Package md5sums
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

1c40402a805ee316c157f7ae71d653d6  squirrelmail-1.4.10.tar.gz
6e3ab93e8c3854ba84a03df256ed0f7d  squirrelmail-1.4.10.tar.bz2
0768994841d87fe07bd04df0edb15bea  squirrelmail-1.4.10.zip


Download at:

  http://www.squirrelmail.org/download.php

Happy SquirrelMailing!

=2D-=20
Thijs Kinkhorst
SquirrelMail Project Team