From: Thijs K. <ki...@sq...> - 2007-05-09 15:34:22
Hello All,

The SquirrelMail Project Team is proud to announce the release of SquirrelMail 1.4.10. This version is a security release.

This version, 1.4.10, is a maintenance release, addressing the following problems since 1.4.9a:

- Some security fixes (see below)
- Small enhancements
- A collection of bugfixes and stability enhancements (see ChangeLog for a full list)

Security issues
===============

This release addresses security issues found since the release of 1.4.9a:

There's an ongoing battle to further secure the HTML filter against malicious HTML mail and the browsers that accept almost any malformed piece of HTML. This release contains fixes for the following:

- HTML attachments containing "data:" URLs;
- Internet Explorer in various versions accepts many permutations of HTML and JavaScript in many charsets. We now properly canonicalize the incoming HTML to us-ascii before applying further filters. IE only.
- Request forgery through images. It was possible to include "images" in HTML mails which were in fact GET requests for the compose.php page sending mail. These images are now properly detected, and the compose form will only send mail through a POST request.

Thanks to Mikhail Markin, Tomas Kuliavas and Michael Jordon for reporting (parts of) these issues and working with us to get them resolved.

These are known as CVE-2007-1262. Further details on SquirrelMail vulnerabilities can be found at the following address:
http://www.squirrelmail.org/security/

Package md5sums
===============

1c40402a805ee316c157f7ae71d653d6  squirrelmail-1.4.10.tar.gz
6e3ab93e8c3854ba84a03df256ed0f7d  squirrelmail-1.4.10.tar.bz2
0768994841d87fe07bd04df0edb15bea  squirrelmail-1.4.10.zip

Download at:
http://www.squirrelmail.org/download.php

Happy SquirrelMailing!

-- 
Thijs Kinkhorst
SquirrelMail Project Team
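The three HTML-filter problems the announcement lists (data: URLs, browser-side charset and whitespace permutations, and image tags that are really GET requests to the webmail's own compose.php) can be shown together in a small inbound-mail filter. The block below is an added example written for this page in Python; it is not SquirrelMail's PHP filter and does not reproduce its code. The tag and attribute lists, the choice of "compose.php" as the endpoint name used for forgery detection, and the sample message (including its query string) are constructed assumptions. The canonicalization step is applied to every message here, whereas the announcement says SquirrelMail applied it for Internet Explorer only.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed policy for this example (assumption, not SquirrelMail's own lists).
URL_ATTRS = {"src", "href", "background", "action", "lowsrc", "dynsrc", "cite", "data"}
SAFE_SCHEMES = {"http", "https", "mailto", "ftp"}
BLOCKED_CONTAINERS = {"script", "style", "object", "applet", "iframe", "form"}
BLOCKED_VOID = {"meta", "link", "base", "embed"}  # no end tag, so never enter skip mode


def to_us_ascii(raw: bytes, declared_charset: str) -> str:
    """Decode the body with its declared charset, then force us-ascii.

    A filter that looks at raw bytes misses markup hidden in encodings such
    as UTF-7, where '+ADw-' is '<'.  Decoding first exposes the real
    characters; re-encoding to ASCII (non-ASCII becomes '?') leaves nothing a
    lenient browser could reinterpret under another charset.  Accented text
    is lost, which is the cost the announcement limited to IE.
    """
    text = raw.decode(declared_charset, errors="replace")
    return text.encode("ascii", errors="replace").decode("ascii")


def canonical_url(value: str) -> str:
    """Undo what a lenient browser tolerates before the scheme is checked:
    HTML entities, then ASCII control characters and whitespace anywhere in
    the value (e.g. 'java<TAB>script:')."""
    return re.sub(r"[\x00-\x20\x7f]", "", html.unescape(value))


def url_scheme(url: str) -> str:
    """Lower-cased scheme of a canonicalized URL; '' for relative URLs."""
    m = re.match(r"([a-z][a-z0-9+.-]*):", url.lower())
    return m.group(1) if m else ""


class MailHtmlFilter(HTMLParser):
    """Re-serializes HTML, dropping blocked tags, event handlers and unsafe
    URLs; everything removed is recorded in self.findings."""

    def __init__(self, own_endpoints=("compose.php",)):
        super().__init__()
        self.own_endpoints = {e.lower() for e in own_endpoints}
        self.out, self.findings = [], []
        self._skip = 0  # >0 while inside a blocked container element

    def _check_url(self, tag, attr, value):
        url = canonical_url(value)
        scheme = url_scheme(url)
        if scheme and scheme not in SAFE_SCHEMES:
            self.findings.append(f"{tag}[{attr}]: blocked scheme {scheme!r}")
            return None
        # An "image" whose target is the webmail's own sending script is a
        # request forgery attempt, whatever host or query string it carries.
        if urlsplit(url).path.rsplit("/", 1)[-1].lower() in self.own_endpoints:
            self.findings.append(f"{tag}[{attr}]: request forgery via {url}")
            return None
        return url

    def handle_starttag(self, tag, attrs):
        if tag in BLOCKED_VOID or tag in BLOCKED_CONTAINERS:
            self.findings.append(f"<{tag}> removed")
            if tag in BLOCKED_CONTAINERS:
                self._skip += 1  # fail closed: content up to </tag> is dropped
            return
        if self._skip:
            return
        kept = []
        for attr, value in attrs:
            value = value or ""
            if attr.startswith("on"):
                self.findings.append(f"{tag}[{attr}]: event handler removed")
                continue
            if attr in URL_ATTRS:
                value = self._check_url(tag, attr, value)
                if value is None:
                    continue
            kept.append(f' {attr}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        if tag in BLOCKED_CONTAINERS:
            self.findings.append(f"<{tag}> removed")  # '<iframe/>' has no end tag
        else:
            self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in BLOCKED_CONTAINERS:
            self._skip = max(0, self._skip - 1)
        elif not self._skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments (including IE conditional comments) are dropped


def filter_mail_html(raw: bytes, declared_charset: str, own_endpoints=("compose.php",)):
    """Canonicalize to us-ascii, then filter. Returns (clean_html, findings)."""
    f = MailHtmlFilter(own_endpoints)
    f.feed(to_us_ascii(raw, declared_charset))
    f.close()
    return "".join(f.out), f.findings


# Constructed sample message: declared charset utf-7, one benign image and the
# three patterns from the announcement. The compose.php query string is invented.
SAMPLE_BODY = (
    b'<p>Hello</p>'
    b'<img src="http://example.org/a.png">'
    b'<img src="data:text/html;base64,PHNjcmlwdD4=">'
    b'<img src="java&#9;script:alert(1)">'
    b'<img src="http://webmail.example/src/compose.php?send=1">'
    b'+ADw-script+AD4-alert(1)+ADw-/script+AD4-'
)

if __name__ == "__main__":
    clean, findings = filter_mail_html(SAMPLE_BODY, "utf-7")
    print(clean)
    for finding in findings:
        print("  -", finding)
```

Running the block on the sample keeps the benign image, strips the data: and javascript: sources, strips the compose.php "image", and drops the UTF-7-hidden script element that a raw-byte filter would never have seen. One caveat on the third fix: accepting only POST on compose.php stops image-triggered sends (an <img> can only issue a GET), but not a cross-site form that a script auto-submits with method="post"; a per-session token checked on the compose request is the usual complement. That is a general observation, not a description of what 1.4.10 implements.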