From: Paul L. <pa...@sq...> - 2011-07-14 15:42:18

Hello all,

We're sorry for the annoyance, but there were two important typos in the update information that was included in the announcement of SquirrelMail 1.4.22's release two days ago...

> Also, if you find that this upgrade prevents users from logging in
> with an error such as "ERROR: Could not complete request. Query:
> CREATE "Trash" Reason Given: Invalid mailbox name.", you will need to
> correct the user preference values for the problem folders. You can
> do so with commands such as the following for file-based preferences
> (adjust the data directory location as needed):
>
> find /var/lib/squirrelmail/data/ -name *.pref -exec sed --in-place
> 's/trash_folder=Trash/trash_folder=INBOX.Trash/g' {} \;
> find /var/lib/squirrelmail/data/ -name *.pref -exec sed --in-place
> 's/trash_folder=Drafts/trash_folder=INBOX.Drafts/g' {} \;
> find /var/lib/squirrelmail/data/ -name *.pref -exec sed --in-place
> 's/trash_folder=Sent/trash_folder=INBOX.Sent/g' {} \;

These last two commands use "trash_folder" where they should have used "draft_folder" and "sent_folder". So the correct commands should be:

find /var/lib/squirrelmail/data/ -name *.pref -exec sed --in-place 's/draft_folder=Drafts/draft_folder=INBOX.Drafts/g' {} \;
find /var/lib/squirrelmail/data/ -name *.pref -exec sed --in-place 's/sent_folder=Sent/sent_folder=INBOX.Sent/g' {} \;

Thanks to Fernando Gozalo for spotting these typos.

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php

From: Paul L. <pa...@sq...> - 2011-07-12 22:20:55

Greetings all,

The SquirrelMail Team is pleased to announce the release of SquirrelMail version 1.4.22. This release contains a large number of performance enhancements, stability fixes and a few bug/security fixes.

The most important thing to note when upgrading to version 1.4.22 is that due to a fix made that standardizes the folder list display, administrators who had their configuration file set to work around this issue in the past will need to update their configuration. This will commonly affect those using Courier IMAP, but could affect others as well. If you have $default_sub_of_inbox set to FALSE in your main configuration (or, using the configuration tool, see "3. Folder Defaults" ===> "12. Default Sub. of INBOX"), and you find after upgrade that your special folders (e.g., Trash, Drafts, Sent) are no longer listed at the top of your folder list, please change that value to TRUE.

Also, if you find that this upgrade prevents users from logging in with an error such as "ERROR: Could not complete request. Query: CREATE "Trash" Reason Given: Invalid mailbox name.", you will need to correct the user preference values for the problem folders. You can do so with commands such as the following for file-based preferences (adjust the data directory location as needed):

find /var/lib/squirrelmail/data/ -name *.pref -exec sed --in-place 's/trash_folder=Trash/trash_folder=INBOX.Trash/g' {} \;
find /var/lib/squirrelmail/data/ -name *.pref -exec sed --in-place 's/trash_folder=Drafts/trash_folder=INBOX.Drafts/g' {} \;
find /var/lib/squirrelmail/data/ -name *.pref -exec sed --in-place 's/trash_folder=Sent/trash_folder=INBOX.Sent/g' {} \;

Or, for database-based preferences:

UPDATE userprefs SET prefval = 'INBOX.Trash' WHERE prefkey = 'trash_folder' AND prefval = 'Trash';
UPDATE userprefs SET prefval = 'INBOX.Drafts' WHERE prefkey = 'draft_folder' AND prefval = 'Drafts';
UPDATE userprefs SET prefval = 'INBOX.Sent' WHERE prefkey = 'sent_folder' AND prefval = 'Sent';

MAKE SURE to back up your user preferences before doing any of the above!

This release also addresses several security issues, including some harsh but hard to exploit XSS bugs, a general clickjacking vulnerability, and a small problem with message sanitizing. If only for the clickjacking protection, we recommend that users of previous versions of SquirrelMail upgrade at their earliest convenience.

For more complete details, see the ReleaseNotes and ChangeLog files included in this release (in the doc/ directory).

The latest release can be downloaded from the SquirrelMail website:

http://squirrelmail.org/download

Package md5sums
===============
494016b82762e57dca009fd9cc77ac2e squirrelmail-webmail-1.4.22.tar.bz2
ae9e2bc7f4fa58162b6152fcb0cbb3a5 squirrelmail-webmail-1.4.22.tar.gz
7a54523f31cd93786115d842937390fe squirrelmail-webmail-1.4.22.zip

Package sha1sums
================
46819275be27e9119e9a2fd976d441cee261ea55 squirrelmail-webmail-1.4.22.tar.bz2
c8c3ffba141d067acaeb14dbd22a8d6bedb39267 squirrelmail-webmail-1.4.22.tar.gz
f14ff878c492cdfb9e0eae1e9d2a860113268f24 squirrelmail-webmail-1.4.22.zip

**** The SquirrelMail team can use your help! ****

Attention all users of SquirrelMail:

SquirrelMail is currently celebrating 12 years of providing free, Open Source Software to the world. We have a lot to be grateful for and many people to thank for how successful we've been! But running a high-profile project with all-volunteer labor means that the mundane chores gradually consume all our effort and sideline our visionary initiatives for our next big release. We feel that the time is right, after so many years of free service, to ask our community to contribute to the project and support us in keeping up with ongoing maintenance and development, and in speeding up the release of our new, fully-skinnable "Web 2.0" version.

Please visit our donations and bounties page here:

http://squirrelmail.org/donations.php

Or send us your old hardware! Some SquirrelMail development takes place on hardware that's probably older than the computer you just retired. :-) Get in touch if you can help.

Attention developers:

We consist of volunteers developing the most popular open source webmail client available. We're looking for people to join our team to help keep our product quality high and to continue to deliver new and enhanced features. Our project offers an interesting challenge at the intersection of the IMAP, SMTP and HTTP protocols.

What can you do to help? Any of the following:

* Develop new features: help out adding new technologies to SquirrelMail
* Help sort and fix bugs: interact with submitters, find test cases and solutions to bugs
* Support our users by answering questions on the mailing lists or the IRC channel
* Translate SquirrelMail into your language
* Donate to the developers: feed us nuts or send us your old hardware!

For more details, please refer to http://squirrelmail.org/howtohelp

Happy SquirrelMailing!

The SquirrelMail Project Team

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php

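
The file-based preference repair from the two messages above, as an added example that is not part of the original posts or SquirrelMail's own code: a POSIX shell function that archives the data directory first, then applies the three corrected substitutions (trash_folder, draft_folder, sent_folder) anchored to the whole line, so a value such as "Sent Items" or an already prefixed "INBOX.Trash" is left alone. The function name, the backup archive argument and the one key=value pair per line layout are assumptions.

```shell
#!/bin/sh
# Added example, not SquirrelMail project code.
# Assumption: each *.pref file holds one key=value pair per line, as the
# sed expressions in the announcement imply.

# Each expression is anchored to the whole line, so only the exact old
# value is rewritten. An unanchored s/sent_folder=Sent/.../ would also
# turn "sent_folder=Sent Items" into "sent_folder=INBOX.Sent Items".
SED_FIXES='s/^trash_folder=Trash$/trash_folder=INBOX.Trash/
s/^draft_folder=Drafts$/draft_folder=INBOX.Drafts/
s/^sent_folder=Sent$/sent_folder=INBOX.Sent/'

# fix_special_folder_prefs DATA_DIR BACKUP_TAR
# Archives DATA_DIR into BACKUP_TAR (keep it outside DATA_DIR), then
# repairs every *.pref file below DATA_DIR.
# Prints the number of files that were changed.
fix_special_folder_prefs() {
    data_dir=$1
    backup=$2
    [ -d "$data_dir" ] || { echo "not a directory: $data_dir" >&2; return 1; }
    [ -n "$backup" ] || { echo "backup archive path required" >&2; return 1; }

    # Back up first, and stop if the backup cannot be written.
    tar -cf "$backup" -C "$data_dir" . || return 1

    tmp=$(mktemp) || return 1
    changed=0

    # The glob is quoted so the shell hands it to find unexpanded, even
    # when the current directory happens to contain *.pref files.
    # Assumes file names without embedded newlines.
    find "$data_dir" -type f -name '*.pref' > "$tmp.list"

    while IFS= read -r f; do
        sed "$SED_FIXES" "$f" > "$tmp" || { rm -f "$tmp" "$tmp.list"; return 1; }
        if ! cmp -s "$tmp" "$f"; then
            # Overwrite the existing file (cat >) instead of replacing it,
            # so its owner and mode stay as the web server expects.
            cat "$tmp" > "$f"
            changed=$((changed + 1))
        fi
    done < "$tmp.list"

    rm -f "$tmp" "$tmp.list"
    echo "$changed"
}
```

Running the function a second time reports 0 changed files, which is a quick way to confirm the repair is complete.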
From: Paul L. <pa...@sq...> - 2010-07-23 06:08:48

Greetings,

The SquirrelMail Team is pleased to announce the release of SquirrelMail version 1.4.21. This is primarily a maintenance release which addresses a smattering of small issues and adds some fine-tuning of recent changes. It also closes two relatively low-risk security issues.

Before this release, for environments with highly active users, the number of security tokens could have bloated user session (and preference) files to an unacceptable size, hurting overall responsiveness. This release scales back the default validity period of security tokens from 30 days to two days, which should fix this problem in most cases. The administrator is always free to change this value by specifying $max_token_age_days in config/config_local.php.

There are also fixes for minor issues related to header folding, faster and more resilient display of encoded subjects, quoting of encoded addresses upon reply, provision of a subject when using forward-as-attachment, and a few other tidbits.

This release also includes fixes for two low-risk vulnerabilities. The first, CVE-2010-1637, allows authenticated users to use the Mail Fetch plugin as a network/port/DNS scanner. The second, CVE-2010-2813, poses a denial-of-service risk when passwords containing 8-bit characters are used to log in. While we characterize these issues as fairly low risk, it is nevertheless recommended that users of previous versions of SquirrelMail upgrade at their earliest convenience.

For more complete details, see the ReleaseNotes and ChangeLog files included in this release (in the doc/ directory).

The latest release can be downloaded from the SquirrelMail website:

http://squirrelmail.org/download

Package md5sums
===============
44d2fe85d6fc3092bf4f11e6e928f9dc squirrelmail-1.4.21.tar.bz2
1e53a47b0544c37705079cb961ef05dc squirrelmail-1.4.21.tar.gz
5d58d37b14ca391dc3043afdcdfdf66d squirrelmail-1.4.21.zip

Package sha1sums
================
8a125ceca939fd4dd957491d17263b1857ddff60 squirrelmail-1.4.21.tar.bz2
7c3ca74aa748cef1d6dc6a0617b2c0554b1d6af0 squirrelmail-1.4.21.tar.gz
3619efc7692e52bd2a33df1f9c39e453b66eac1f squirrelmail-1.4.21.zip

**** The SquirrelMail team can use your help! ****

Attention all users of SquirrelMail:

SquirrelMail is currently celebrating 11 years of providing free, Open Source Software to the world. We have a lot to be grateful for and many people to thank for how successful we've been! But running a high-profile project with all-volunteer labor means that the mundane chores gradually consume all our effort and sideline our visionary initiatives for our next big release. We feel that the time is right, after so many years of free service, to ask our community to contribute to the project and support us in keeping up with ongoing maintenance and development, and in speeding up the release of our new, fully-skinnable "Web 2.0" version.

Please visit our donations and bounties page here:

http://squirrelmail.org/donations.php

Attention developers:

We consist of volunteers developing the most popular open source webmail client available. We're looking for people to join our team to help keep our product quality high and to continue to deliver new and enhanced features. Our project offers an interesting challenge at the intersection of the IMAP, SMTP and HTTP protocols.

What can you do to help? Any of the following:

* Develop new features: help out on making SquirrelMail "skinnable" or work with new technologies
* Help sort and fix bugs: interact with submitters, find test cases and solutions to bugs
* Support our users by answering questions on the mailing lists or the IRC channel
* Translate SquirrelMail into your language
* Donate to the developers: feed us nuts!

For more details, please refer to http://squirrelmail.org/howtohelp

Happy SquirrelMailing!

The SquirrelMail Project Team

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php

From: Paul L. <pa...@sq...> - 2010-03-07 03:01:07

Greetings,

The SquirrelMail Team is pleased to announce the release of SquirrelMail version 1.4.20. This release makes final the changes implemented in our last two release candidates and adds several smaller fixes and feature improvements.

Of those new fixes and improvements not included in our last release candidate, the most notable fix is that for the formerly broken search page, but we've also fixed sorting in the Sent folder, handling of complex mailto: addresses, display of multibyte subjects, quoting of encoded headers, automatic installation address detection (especially useful for lighttpd environments), a privacy issue related to DNS prefetching of email content, and added unread links in the message view and a Gmail IMAP configuration option.

For more complete details, see the ReleaseNotes and ChangeLog files included in this release (in the doc/ directory).

Due to the security fixes included in our last two release candidate packages, we advise all users of SquirrelMail versions 1.4.19 and below to upgrade.

The latest release can be downloaded from the SquirrelMail website:

http://squirrelmail.org/download

Package md5sums
===============
76aa7963e67edc7cea2be919f51ded72 squirrelmail-1.4.20.tar.bz2
60ffedc61b295650c7695c2b74209294 squirrelmail-1.4.20.tar.gz
4257db0bd5edb84082fbcc3ef0fac818 squirrelmail-1.4.20.zip

Package sha1sums
================
ea1f8911961685393da2872739a060e0cf1f03f3 squirrelmail-1.4.20.tar.bz2
234ecf942e7a8fc4baedb9690ec58215ae3a5d95 squirrelmail-1.4.20.tar.gz
fc12b8992113f17318a7a0c3a7cbea892b4f85e4 squirrelmail-1.4.20.zip

**** The SquirrelMail team can use your help! ****

Attention all users of SquirrelMail:

SquirrelMail is currently celebrating 10 years of providing free, Open Source Software to the world. We have a lot to be grateful for and many people to thank for how successful we've been! But running a high-profile project with all-volunteer labor means that the mundane chores gradually consume all our effort and sideline our visionary initiatives for our next big release. We feel that the time is right, after so many years of free service, to ask our community to contribute to the project and support us in keeping up with ongoing maintenance and development, and in speeding up the release of our new, fully-skinnable "Web 2.0" version.

Please visit our donations and bounties page here:

http://squirrelmail.org/donations.php

Attention developers:

We consist of volunteers developing the most popular open source webmail client available. We're looking for people to join our team to help keep our product quality high and to continue to deliver new and enhanced features. Our project offers an interesting challenge at the intersection of the IMAP, SMTP and HTTP protocols.

What can you do to help? Any of the following:

* Develop new features: help out on making SquirrelMail "skinnable" or work with new technologies
* Help sort and fix bugs: interact with submitters, find test cases and solutions to bugs
* Support our users by answering questions on the mailing lists or the IRC channel
* Translate SquirrelMail into your language
* Donate to the developers: feed us nuts!

For more details, please refer to http://squirrelmail.org/howtohelp

Happy SquirrelMailing!

The SquirrelMail Project Team

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php

From: Paul L. <pa...@sq...> - 2009-08-18 01:00:40

Hello,

The SquirrelMail Team is pleased to bring you the second release candidate ahead of our next SquirrelMail version: 1.4.20-RC2.

Hot on the coattails of 1.4.20 release candidate 1, we received some helpful feedback from our friends at Secunia Research and have followed up with another release candidate. The risk of using the 1.4.20 release candidate 1 package instead of this one is very low, but we encourage the community to help test code that we hope to release as officially stable in the near future. Those who can upgrade to release candidate 2 are encouraged to do so!

For more complete details, see the ReleaseNotes and ChangeLog files included in this release (in the doc/ directory).

This release can be downloaded from the SquirrelMail website:

http://squirrelmail.org/download

Package md5sums
===============
94015fb018cb2165fdfb3c41fd2b8065 squirrelmail-1.4.20-RC2.tar.bz2
03523e8c7ad9d630988d5001c5743b69 squirrelmail-1.4.20-RC2.tar.gz
0fbceec5b9775e72be2b42d197761bc0 squirrelmail-1.4.20-RC2.zip

Package sha1sums
================
f1cdccfdd17d8974adc0b79aba44b62f98f78f64 squirrelmail-1.4.20-RC2.tar.bz2
11e1d8142d371f169bf14deec13659847e81b67b squirrelmail-1.4.20-RC2.tar.gz
f5db20f0bb4fa822c5733fde2e08b7cadb9c67ea squirrelmail-1.4.20-RC2.zip

**** The SquirrelMail team can use your help! ****

Attention all users of SquirrelMail:

SquirrelMail is currently celebrating 10 years of providing free, Open Source Software to the world. We have a lot to be grateful for and many people to thank for how successful we've been! But running a high-profile project with all-volunteer labor means that the mundane chores gradually consume all our effort and sideline our visionary initiatives for our next big release. We feel that the time is right, after so many years of free service, to ask our community to contribute to the project and support us in keeping up with ongoing maintenance and development, and in speeding up the release of our new, fully-skinnable "Web 2.0" version.

Please visit our donations and bounties page here:

http://squirrelmail.org/donations.php

Attention developers:

We consist of volunteers developing the most popular open source webmail client available. We're looking for people to join our team to help keep our product quality high and to continue to deliver new and enhanced features. Our project offers an interesting challenge at the intersection of the IMAP, SMTP and HTTP protocols.

What can you do to help? Any of the following:

* Develop new features: help out on making SquirrelMail "skinnable" or work with new technologies
* Help sort and fix bugs: interact with submitters, find test cases and solutions to bugs
* Support our users by answering questions on the mailing lists or the IRC channel
* Translate SquirrelMail into your language
* Donate to the developers: feed us nuts!

For more details, please refer to http://squirrelmail.org/howtohelp

Happy SquirrelMailing!

The SquirrelMail Project Team

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php

From: Paul L. <pa...@sq...> - 2009-08-12 10:47:12

Greetings,

The SquirrelMail Team is pleased to bring you the first release candidate ahead of our next SquirrelMail version: 1.4.20RC1.

Because of the somewhat invasive nature of some of the changes we have recently made, we are issuing a "release candidate" before we officially move to version 1.4.20. While we have been very careful to ensure the stability of SquirrelMail, this version, 1.4.20 release candidate 1, has undergone limited testing, and we'd like to have more feedback before we make version 1.4.20 final.

The most notable changes for this version are the addition of two security mechanisms that fight cross-site request forgeries (CSRF), the removal of some deprecated PHP functions, some minor fixes in the filters plugin, and increased user privacy.

For more complete details, see the ReleaseNotes and ChangeLog files included in this release (in the doc/ directory).

Due to the security issues fixed herein, we'd like to advise all users of SquirrelMail software to upgrade. However, because this is technically a "release candidate", it may be most prudent to test your upgrade before putting it into production use. We are confident that most systems will not experience any trouble, but we'll be happy to work with you to resolve any issues that do arise. Your feedback is highly appreciated.

This release can be downloaded from the SquirrelMail website:

http://squirrelmail.org/download

Package md5sums
===============
7632177bd3618cd9965e548fd196f737 squirrelmail-1.4.20RC1.tar.bz2
18149da193218202cfb33cc45301761a squirrelmail-1.4.20RC1.tar.gz
e18b6d7c29cff9c7f48eea74b12b78c0 squirrelmail-1.4.20RC1.zip

Package sha1sums
================
30b1645a8bec60c1a932e02a36745e1bc51d0f8a squirrelmail-1.4.20RC1.tar.bz2
f62ca9cf53ab7c4d7d9bcce656206006c2c0b909 squirrelmail-1.4.20RC1.tar.gz
114c571367c44db271646df98db73146e93e12e1 squirrelmail-1.4.20RC1.zip

**** The SquirrelMail team can use your help! ****

Attention all users of SquirrelMail:

SquirrelMail is currently celebrating 10 years of providing free, Open Source Software to the world. We have a lot to be grateful for and many people to thank for how successful we've been! But running a high-profile project with all-volunteer labor means that the mundane chores gradually consume all our effort and sideline our visionary initiatives for our next big release. We feel that the time is right, after so many years of free service, to ask our community to contribute to the project and support us in keeping up with ongoing maintenance and development, and in speeding up the release of our new, fully-skinnable "Web 2.0" version.

Please visit our donations and bounties page here:

http://squirrelmail.org/donations.php

Attention developers:

We consist of volunteers developing the most popular open source webmail client available. We're looking for people to join our team to help keep our product quality high and to continue to deliver new and enhanced features. Our project offers an interesting challenge at the intersection of the IMAP, SMTP and HTTP protocols.

What can you do to help? Any of the following:

* Develop new features: help out on making SquirrelMail "skinnable" or work with new technologies
* Help sort and fix bugs: interact with submitters, find test cases and solutions to bugs
* Support our users by answering questions on the mailing lists or the IRC channel
* Translate SquirrelMail into your language
* Donate to the developers: feed us nuts!

For more details, please refer to http://squirrelmail.org/howtohelp

Happy SquirrelMailing!

The SquirrelMail Project Team

From: Jon A. <jo...@sq...> - 2009-07-31 04:42:48

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

All,

We apologize for the extended downtime for the SquirrelMail plugins repository, and some of the SquirrelMail site documentation. Unfortunately due to conflicting time schedules, and some miscommunications amongst the team (mostly my fault), the server was unavailable for an extended length of time.

Server Status
- -------------
This evening, after an extended downtime, we finally rolled to using the new server. XS4All.nl were gracious in loaning us an additional server whilst we migrated our data, to the new server. All documentation should now be online again, and active. If you notice any issues with the site, please feel free to email me directly, I'll get onto it as soon as I can.

Plugins Compromise
- ------------------
During the initial announcement, we'd mentioned that we did not believe that any of the plugins had been compromised. Further investigation has shown that the following plugins were indeed compromised:

  - sasql-3.2.0
  - multilogin-2.4-1.2.9
  - change_pass-3.0-1.4.0

Parts of these code changes attempt to send mail to an offsite server containing passwords. We cannot establish a timeline of when these plugins were compromised. If you are a user of these plugins, it is strongly recommended you download a fresh copy from the plugins repository. MD5s for the good versions are below:

a492922e5b0d2245d4e9bc255a7c5755 sasql-3.2.0.tar.gz
b143f2dc82f9e98dd43c632855255075 multilogin-2.4-1.2.9.tar.gz
2cff7c5d4f6f5d8455683bb5d96bb9fe change_pass-3.0-1.4.0.tar.gz

Plugins Availability
- --------------------
As of now, the plugins are available to download again. I personally apologize for the extended outage of this, as I know some of you have been eager to get these back up and running again.

Once again, if you notice any issues with the site, feel free to email.

- --
Jon Angliss <jo...@sq...>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkpydjMACgkQK4PoFPj9H3PXcQCgjKcpMMV4Whra4iRANBkr2Heg
6rcAoJ4CDtSwI9/E1lTtcsxaUf9QS9BK
=qs+a
-----END PGP SIGNATURE-----

From: Jon A. <jo...@sq...> - 2009-06-18 17:50:46

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It was recently discovered that the SquirrelMail webserver had been compromised. The project administrators took immediate action to mitigate any further compromises, locking all accounts out, and resetting critical passwords.

At this time, the SquirrelMail project administrators have shut down access to the original server, and put a temporary hold on access to the plugins. It is believed that none of the plugins have been compromised, but further investigations are still being executed.

The compromise of this server does not include a compromise of the source control, which is hosted on a separate repository managed by SourceForge.

Further details will be published as soon as the details have been uncovered.

- --
Jon Angliss
SquirrelMail Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32) - GPGshell v3.71

iEYEARECAAYFAko6fXcACgkQK4PoFPj9H3NFWQCgmmU3bLvfH0hN8HGag8VsdJs+
s40AoO5VNVv1HKKDxYVrXDdpzX0778Ii
=h/ct
-----END PGP SIGNATURE-----

From: Thijs K. <ki...@sq...> - 2009-05-21 18:02:49

Greetings,

The security fix to map_yp_alias in 1.4.18 turned out to be incomplete. We also experienced some regressions in the updated filter plugin. Both are addressed in this new release 1.4.19 which contains a few other small fixes as well.

If you do not use map_yp_alias or the filters plugin there's no urgent need to upgrade now if you already installed 1.4.18. If you are still on an older release than 1.4.18 (or use the mentioned functionality) we do urge you to upgrade as soon as possible as 1.4.18 and 1.4.19 combined fix some important security issues.

Those using the development branch (1.5.x) should install a recent SVN snapshot.

The latest release can be downloaded from the SquirrelMail website:

http://squirrelmail.org/download

Package md5sums
===============
b7c5ebf0a57fe3511042a740ff1b5710 squirrelmail-1.4.19.tar.bz2
bf71b282361cd9fe65781bb17ecd7704 squirrelmail-1.4.19.tar.gz
30a69a3e37d493bd915e47dc6cda9f9a squirrelmail-1.4.19.zip

Package sha1sums
================
14b66bd470a36750ed4d4a0c8bfc27523639dd5d squirrelmail-1.4.19.tar.bz2
673e5da4018c854ff6e8a7ea24ce754d28ce7fc3 squirrelmail-1.4.19.tar.gz
a041c0fdb8b41455daefe2d31d2bb268210d14c0 squirrelmail-1.4.19.zip

Attention all users of SquirrelMail:

SquirrelMail is currently celebrating 10 years of providing free, Open Source Software to the world. We have a lot to be grateful for and many people to thank for how successful we've been! But running a high-profile project with all-volunteer labor means that the mundane chores gradually consume all our effort and sideline our visionary initiatives for our next big release. We feel that the time is right, after so many years of free service, to ask our community to contribute to the project and support us in keeping up with ongoing maintenance and development, and in speeding up the release of our new, fully-skinnable "Web 2.0" version.

Please visit our donations and bounties page here:

http://squirrelmail.org/donations.php

Attention developers:

We consist of volunteers developing the most popular open source webmail client available. We're looking for people to join our team to help keep our product quality high and to continue to deliver new and enhanced features. Our project offers an interesting challenge at the intersection of the IMAP, SMTP and HTTP protocols.

What can you do to help? Any of the following:

* Develop new features: help out on making SquirrelMail "skinnable" or work with new technologies
* Help sort and fix bugs: interact with submitters, find test cases and solutions to bugs
* Support our users by answering questions on the mailing lists or the IRC channel
* Translate SquirrelMail into your language
* Donate to the developers: feed us nuts!

For more details, please refer to http://squirrelmail.org/howtohelp

Happy SquirrelMailing!

The SquirrelMail Project Team

From: Paul L. <pa...@sq...> - 2009-05-18 08:52:32

Dear Friends,

SquirrelMail is currently celebrating 10 years of providing free, Open Source Software to the world. We have a lot to be grateful for and many people to thank for how successful we've been! SquirrelMail is included in most major Linux distributions and is independently downloaded by tens of thousands of people every month, which might even make it more widespread than some of the biggest free webmail providers. And, proving that Open Source really works, our popularity has allowed us to collaborate with countless talented individuals who have helped us keep SquirrelMail safe, up to date and full of new features.

But fame has its price. ;-) SquirrelMail has always been run by a small group of volunteers, and we've never been paid for our efforts. We do it because this is our passion; we do it for the love and the fun. But running a high-profile project means that there is a plethora of work from which no one gets much fun (or love). That's taken its toll -- our numbers have dwindled and our visionary initiatives for our next big release have had to take a back seat to ongoing maintenance, such as responding to bug reports, looking over plugin and patch submissions, fixing security vulnerabilities, answering voluminous amounts of email on our mailing lists, and a slew of other responsibilities. Oh, and then there's paying the bills, family time, and cleaning the kitchen....

So it's time to ask our community to give back just a little bit. In the best scenario, SquirrelMail should be able to support one or two people working full time. To some, this may seem overly ambitious, but we don't think so. Think of the good money that has been raised by projects that can be considered far less mission-critical than an email system. We don't think any other projects are less deserving than SquirrelMail; only that SquirrelMail is quite worthy of your support, especially after 10 years of doing it all gratis. With support on a significant scale, the project will regain momentum, that "Web 2.0" fully-skinnable release will be out in no time, and the squirrels will feel appreciated!

We'd like to have you show your support by simply donating whatever you feel you can afford. Currently, you can choose to donate to any of us individually (if you have stipulations about how the money should be used/shared, let us know and we will be happy to oblige). We are also trying out a primitive bounty system, in case you want to target your money for a specific feature or improvement. If you need a US tax exemption for your donation, please contact us directly.

As always, we'd like to encourage you to use our official SquirrelMail support (see http://squirrelmail.org/wiki/OfficialSupport ), and if you're hiring for work projects you should consider our professional, dependable team members, since some of them make a living as consultants.

To donate to SquirrelMail, please visit our new donations and bounties page here:

http://squirrelmail.org/donations.php

Thanks in advance for your generosity!

For the SquirrelMail Team,
Paul Lesniewski

From: Paul L. <pa...@sq...> - 2009-05-12 06:49:08

Greetings,

The SquirrelMail Team is pleased to announce the release of SquirrelMail version 1.4.18.

The most notable changes for this version are several security fixes, including a couple XSS exploits, a session fixation issue, and an obscure but dangerous server-side code execution hole. However, this version also includes three new languages and more than a few enhancements to things such as the filters plugin, the address book system and other things under the hood.

For more complete details, see the ReleaseNotes and ChangeLog files included in this release (they have moved to the doc/ directory).

We advise all users of SquirrelMail software to upgrade.

The latest release can be downloaded from the SquirrelMail website:

http://squirrelmail.org/download

Package md5sums
===============
2df99afc1bc3b121296af65f52fbc5cc squirrelmail-1.4.18.tar.bz2
5e870d2f5b57b4b0e42497cb0a0fae5e squirrelmail-1.4.18.tar.gz
b7b87b73797633c8d92d3da95d7e97c9 squirrelmail-1.4.18.zip

Package sha1sums
================
18872d8ad72f3415672344318901beb9d4d8a860 squirrelmail-1.4.18.tar.bz2
25be33dec86419f07ab8d5b8d41d0e3eed7d2c52 squirrelmail-1.4.18.tar.gz
eb600ab91f78dc6dbbfb029c6521b728f0e624f7 squirrelmail-1.4.18.zip

**** The SquirrelMail team can use your help! ****

Attention all users of SquirrelMail:

SquirrelMail is currently celebrating 10 years of providing free, Open Source Software to the world. We have a lot to be grateful for and many people to thank for how successful we've been! But running a high-profile project with all-volunteer labor means that the mundane chores gradually consume all our effort and sideline our visionary initiatives for our next big release. We feel that the time is right, after so many years of free service, to ask our community to contribute to the project and support us in keeping up with ongoing maintenance and development, and in speeding up the release of our new, fully-skinnable "Web 2.0" version.

Please visit our donations and bounties page here:

http://squirrelmail.org/donations.php

Attention developers:

We consist of volunteers developing the most popular open source webmail client available. We're looking for people to join our team to help keep our product quality high and to continue to deliver new and enhanced features. Our project offers an interesting challenge at the intersection of the IMAP, SMTP and HTTP protocols.

What can you do to help? Any of the following:

* Develop new features: help out on making SquirrelMail "skinnable" or work with new technologies
* Help sort and fix bugs: interact with submitters, find test cases and solutions to bugs
* Support our users by answering questions on the mailing lists or the IRC channel
* Translate SquirrelMail into your language
* Donate to the developers: feed us nuts!

For more details, please refer to http://squirrelmail.org/howtohelp

Happy SquirrelMailing!

The SquirrelMail Project Team

From: Paul L. <pa...@sq...> - 2008-12-04 05:53:23
|
Hello All,

The SquirrelMail team is happy to announce the release of version 1.4.17. The most notable change is a security fix that prevents certain specially-crafted hyperlinks within messages from executing cross-site scripting attacks. For other details, see the ReleaseNotes file included in this release.

We advise all users of SquirrelMail software to upgrade. The latest release can be downloaded from the SquirrelMail website at http://www.squirrelmail.org/download

Package md5sums
===============
6ff0df8ae0e7f13418ed37ea1c93f6f3 squirrelmail-1.4.17.tar.bz2
97a492c0cfed90679ce6683d7760d68e squirrelmail-1.4.17.tar.gz
0e22297e91e97a4714263ee718f9ae78 squirrelmail-1.4.17.zip

Package sha1sums
================
da21a447ada4e120b82210e93a737bb4c4509c34 squirrelmail-1.4.17.tar.bz2
ac2ed4ac009405b3ab256b3b6724d7368082bee1 squirrelmail-1.4.17.tar.gz
23702cee04ebb347f5b105b60f11cff7f8dae03f squirrelmail-1.4.17.zip

*** The SquirrelMail team can use your help! ***

We consist of volunteers developing the most popular open source webmail client available. We're looking for people to join our team to help keep our product quality high and to continue to deliver new and enhanced features. Our project offers an interesting challenge at the intersection of the IMAP, SMTP and HTTP protocols.

What can you do to help? Any of the following:

* Develop new features: help out on making SquirrelMail "skinnable" or work with new technologies
* Help sort and fix bugs: interact with submitters, find test cases and solutions to bugs
* Support our users by answering questions on the mailing lists or the IRC channel
* Translate SquirrelMail into your language
* Donate to the developers: feed us nuts!

For more details, please refer to www.squirrelmail.org/howtohelp

Happy SquirrelMailing!
The SquirrelMail Development Team
|
From: Thijs K. <ki...@sq...> - 2008-09-28 14:23:55
|
Hello All,

The SquirrelMail team is happy to announce the release 1.4.16. The most notable change is that cookies are now sent with the secure attribute set for HTTPS-connections, meaning that they cannot leak to an HTTP-connection on the same SquirrelMail installation. For details see the included ReleaseNotes.

We advise users that offer their SquirrelMail both over HTTP and HTTPS to upgrade. The latest release can be downloaded from the SquirrelMail website at http://www.squirrelmail.org/download

Package md5sums
===============
22dcf999941e644edc3ea467ed3b9e24 squirrelmail-1.4.16.tar.bz2
301657fb532a3351ccffbabed4c0ae54 squirrelmail-1.4.16.tar.gz
707a851edb673c28ef96904250cd3a8f squirrelmail-1.4.16.zip

Package sha1sums
================
61c6676c33209addfc2a33d5db26433ed2a3072a squirrelmail-1.4.16.tar.bz2
5e0d76c9409f0c6d7e85d745ab407981a41a018f squirrelmail-1.4.16.tar.gz
021a928021bf1df67f3900dada9e95e3cee6c365 squirrelmail-1.4.16.zip

*** The SquirrelMail team can use your help! ***

We consist of volunteers developing the most popular open source webmail client available. To keep up with this quality and to prepare it for the future, we're looking for people to join our team! The project offers an interesting challenge on the intersection of the IMAP, SMTP and HTTP protocols.

What can you do to help? Any of the following:

* Develop new features: help out on making SquirrelMail "skinnable" or work with new technologies;
* Help sort and fix bugs: interact with submitters, find testcases and solutions to bugs;
* Support our users by answering questions on the mailinglist or IRC channel;
* Translate SquirrelMail into your language.

For more details, please refer to www.squirrelmail.org/howtohelp

Happy SquirrelMailing!
The SquirrelMail development Team
|
From: Thijs K. <ki...@sq...> - 2008-05-23 17:56:42
|
Hello All,

It's a pleasure to be able to announce the release of SquirrelMail 1.4.15, which is a bugfix release. It contains an assortment of bugfixes that have been made during the past months by the SquirrelMail team.

The latest release can be downloaded from the SquirrelMail website at http://www.squirrelmail.org/download

*** The SquirrelMail team can use your help! ***

We consist of volunteers developing the most popular open source webmail client available. To keep up with this quality and to prepare it for the future, we're looking for people to join our team! The project offers an interesting challenge on the intersection of the IMAP, SMTP and HTTP protocols.

What can you do to help? Any of the following:

* Develop new features: help out on making SquirrelMail "skinnable" or work with new technologies;
* Help sort and fix bugs: interact with submitters, find testcases and solutions to bugs;
* Support our users by answering questions on the mailinglist or IRC channel;
* Translate SquirrelMail into your language.

For more details, please refer to www.squirrelmail.org/howtohelp

Package md5sums
===============
87b466fef98e770307afffd75fe25589 squirrelmail-1.4.15.tar.gz
22164ce827edafd0afd65763d2a0f096 squirrelmail-1.4.15.tar.bz2
8fca8c24a133313fa3cbeb91217301d8 squirrelmail-1.4.15.zip

Package sha1sums
================
fbccc42433dddfc85842e51e27e25d9f98b84547 squirrelmail-1.4.15.tar.gz
5387e8647ada27d9850c5d2f6a5fdf7dbb6b5862 squirrelmail-1.4.15.tar.bz2
c9b4fd1610abfe76eaa327b133f10df098c7a701 squirrelmail-1.4.15.zip

Happy SquirrelMailing!
The SquirrelMail development Team
|
From: Thijs K. <ki...@sq...> - 2008-05-12 18:39:57
|
Hello All,

It's a pleasure to be able to announce the availability of the first Release Candidate of SquirrelMail 1.4.15. A release candidate is intended as the final public verification that a version is all right before it's declared "stable". Please try it out and report any bugs to us.

The release candidate can be downloaded from the SquirrelMail website at http://www.squirrelmail.org/download.php

Package md5sums
===============
eae23ab4bd3bbaa4a0bdbb7ca22f3fab squirrelmail-1.4.15-rc1.tar.bz2
7f747408ea0ed206dae244c592e9d33c squirrelmail-1.4.15-rc1.tar.gz
7e9bca65e3ff677bfa6d8825e6e754b9 squirrelmail-1.4.15-rc1.zip

Happy SquirrelMailing!
The SquirrelMail development Team
|
From: Jon A. <jo...@sq...> - 2007-12-14 18:59:21
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

All,

Due to the package compromise of 1.4.11, and 1.4.12, we are forced to release 1.4.13 to ensure no confusions. While initial review didn't uncover a need for concern, several proof of concepts show that the package alterations introduce a high risk security issue, allowing remote inclusion of files. These changes would allow a remote user the ability to execute exploit code on a victim machine, without any user interaction on the victim's server. This could grant the attacker the ability to deploy further code on the victim's server.

We *STRONGLY* advise all users of 1.4.11, and 1.4.12 upgrade immediately.

Package MD5s
============
1a1bdad6245aaabcdd23d9402acb388e squirrelmail-1.4.13.tar.bz2
51ddd67a7ff9272f5a6e1da0b9dfbf18 squirrelmail-1.4.13.tar.gz
ed8871a693cc57d5a0d511f7b89f8781 squirrelmail-1.4.13.zip

We apologize for the inconvenience this may have caused.

- --
Happy SquirrelMailing!
The SquirrelMail Development Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFHYtKBK4PoFPj9H3MRAjiUAKDxM5V8J6vLEUAn7dfiIa1HYwKIWQCfYTbA
3nk8LOfqcBHfZ3IvEOXoOCo=
=USb7
-----END PGP SIGNATURE-----
|
From: Jon A. <jo...@sq...> - 2007-12-13 16:49:53
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

All,

It has been brought to our attention that the MD5 sums for the 1.4.12 package were not matching the actual package. We've been investigating this issue, and uncovered that the package was modified post release. This was believed to have been caused by a compromised account from one of our release maintainers.

Further investigations show that the modifications to the code should have little to no impact at this time. Modifications seemed to be based around a PHP global variable which we cannot track down. The changes made will most likely generate an error, rather than a compromise of a system in the event the code does get executed.

Original packages, stored on secure media, have been restored to the Sourceforge download servers, and additional signatures for the packages are now available on the SquirrelMail download page at http://www.squirrelmail.org/download.php

While we believe the changes made should have little impact, we strongly recommend everybody that has downloaded the 1.4.12 package after the 8th December, to redownload the package.

The code modifications did not make it into our source control, just the final package. We are currently investigating older packages to see if they were also compromised.

Once again, the original package MD5s are:

ea5e750797628c9f0f247009f8ae0e14 squirrelmail-1.4.12.tar.bz2
d17c1d9f1ee3dde2c1c21a22fc4f9d0e squirrelmail-1.4.12.tar.gz
3f6514939ea1ebf69f6f8c92781886ab squirrelmail-1.4.12.zip

We apologize for the inconvenience this may have caused. For any further issues, please contact myself, or the security list sec...@sq...

- --
Happy SquirrelMailing!
The SquirrelMail Development Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFHYWKoK4PoFPj9H3MRAjfTAKC0EFUlROK6RLvKy/jdfFjrl3t3hACcDc77
XBPILcvZEu4nNbemwxU8j1I=
=FJzo
-----END PGP SIGNATURE-----
|
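The check that exposed the altered 1.4.12 package, comparing a download against the sums published in an announcement, is shown here as an added example; it is not part of the original message or SquirrelMail's own tooling. It parses `<digest> <file>` lines in the layout used on this list and checks each file against every digest listed for it; the file names and contents in `demo()` are constructed stand-ins.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Hex digest length -> hashlib algorithm; the announcements publish MD5 and SHA-1.
ALGO_BY_HEXLEN = {32: "md5", 40: "sha1"}
SUM_LINE = re.compile(r"^\s*([0-9a-fA-F]{32}|[0-9a-fA-F]{40})\s+(\S+)\s*$")


def parse_published_sums(announcement):
    """Return {filename: {algorithm: hexdigest}} from '<digest> <file>' lines."""
    published = {}
    for line in announcement.splitlines():
        match = SUM_LINE.match(line)
        if match:
            digest, name = match.group(1).lower(), match.group(2)
            published.setdefault(name, {})[ALGO_BY_HEXLEN[len(digest)]] = digest
    return published


def file_digest(path, algorithm):
    """Hash a file in chunks so large archives are not read into memory."""
    hasher = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            hasher.update(chunk)
    return hasher.hexdigest()


def verify_downloads(directory, published):
    """Return {filename: 'ok' | 'missing' | 'MISMATCH (algos)'} for each listed file."""
    results = {}
    for name, sums in published.items():
        # Use only the base name: the announcement must not steer us to other paths.
        path = Path(directory) / Path(name).name
        if not path.is_file():
            results[name] = "missing"
            continue
        failed = sorted(a for a, d in sums.items() if file_digest(path, a) != d)
        results[name] = "MISMATCH (%s)" % ", ".join(failed) if failed else "ok"
    return results


def demo():
    """Constructed scenario: one archive intact, one altered after release."""
    original = {"pkg-0.0.tar.gz": b"original gz bytes", "pkg-0.0.zip": b"original zip bytes"}
    # Constructed announcement text in the layout used on this list.
    lines = ["Package md5sums", "==============="]
    lines += ["%s %s" % (hashlib.md5(data).hexdigest(), name) for name, data in original.items()]
    lines += ["Package sha1sums", "================"]
    lines += ["%s %s" % (hashlib.sha1(data).hexdigest(), name) for name, data in original.items()]
    lines += ["0" * 32 + " pkg-0.0.tar.bz2"]  # listed but never downloaded
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "pkg-0.0.tar.gz").write_bytes(original["pkg-0.0.tar.gz"])
        Path(tmp, "pkg-0.0.zip").write_bytes(b"original zip bytes + injected include")
        return verify_downloads(tmp, parse_published_sums("\n".join(lines)))


if __name__ == "__main__":
    for filename, status in demo().items():
        print(filename, status)
```

A matching sum only shows that the file equals what the announcement described, so the sums should be taken from a channel separate from the download server, such as the signed list messages here.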
From: Jon A. <jo...@sq...> - 2007-12-05 05:45:40
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello All,

It's my pleasure to announce the release of SquirrelMail 1.4.12. This release is a bug fix release, including a critical bug in the handling of attachments.

The latest release can be downloaded from the SquirrelMail website at http://www.squirrelmail.org/download.php

Package md5sums
===============
ea5e750797628c9f0f247009f8ae0e14 squirrelmail-1.4.12.tar.bz2
d17c1d9f1ee3dde2c1c21a22fc4f9d0e squirrelmail-1.4.12.tar.gz
3f6514939ea1ebf69f6f8c92781886ab squirrelmail-1.4.12.zip

- --
Happy SquirrelMailing!
The SquirrelMail development team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFHVjr7K4PoFPj9H3MRAu0ZAJwOOSZ7pog6I3ydQXPWod+xiHZA/wCgg4AL
TFxQQ53Vaph8FsLf6LskKMY=
=6DYd
-----END PGP SIGNATURE-----
|
From: Thijs K. <ki...@sq...> - 2007-09-29 08:24:47
|
Hello All,

It's a pleasure to be able to announce the release of SquirrelMail 1.4.11, which is a bugfix and stability release. It contains an assortment of bugfixes that have been made during the past months by the SquirrelMail team, and improves the handling of strangely-formed mail messages or picky mailservers.

The latest release can be downloaded from the SquirrelMail website at http://www.squirrelmail.org/download.php

Package md5sums
===============
486fb27a6ab306088603163160dbc8ca squirrelmail-1.4.11.tar.bz2
869bece15e1aefe3769269e222bf7e0f squirrelmail-1.4.11.tar.gz
7db9ce40d2995031ec7a5eaa0d32c230 squirrelmail-1.4.11.zip

Happy SquirrelMailing!
The SquirrelMail development Team
|
From: Thijs K. <ki...@sq...> - 2007-05-10 09:09:14
|
Hello All,

Shortly after the release of SquirrelMail 1.4.10, a regression in the compose form was discovered. Unfortunately the limited disclosure of security patches does not allow for public testing, so this regression went unnoticed. We're sorry for the inconvenience.

If you've already downloaded and installed version 1.4.10, a patch for 1.4.10a is available here:

http://www.squirrelmail.org/patches/1.4.10-security/1.4.10-1.4.10a.patch

If you've not yet updated to 1.4.10, you can continue straight on to 1.4.10a.

Package md5sums
===============
d06c473c83e756493ad8ebe94d8d803b squirrelmail-1.4.10a.tar.gz
298aaa1811b3fb40a803a6f57b22be20 squirrelmail-1.4.10a.tar.bz2
feedb1456d03c4e9723e9b32318aa636 squirrelmail-1.4.10a.zip

Download at: http://www.squirrelmail.org/download.php

Happy SquirrelMailing!

--
Thijs Kinkhorst
SquirrelMail Project Team
|
From: Thijs K. <ki...@sq...> - 2007-05-09 15:34:22
|
Hello All,

The SquirrelMail Project Team is proud to announce the release of SquirrelMail 1.4.10. This version is a security release.

This version, 1.4.10 is a maintenance release, addressing the following problems since 1.4.9a:

- Some security fixes (see below)
- Small enhancements
- A collection of bugfixes and stability enhancements (see ChangeLog for a full list)

Security issues
===============

This release addresses security issues found since the release of 1.4.9a:

There's an ongoing battle to further secure the HTML filter against malicious HTML mail and the browsers that accept almost any malformed piece of HTML. This release contains fixes for the following:

- HTML attachments containing "data:" URLs;
- Internet Explorer in various versions accepts many permutations of HTML and JavaScript in many charsets. We now properly canonicalize the incoming HTML to us-ascii before applying further filters. IE only.
- Request forgery through images. It was possible to include "images" in HTML mails which were in fact GET requests for the compose.php page sending mail. These images are now properly detected, and the compose form will only send mail through a POST request.

Thanks to Mikhail Markin, Tomas Kuliavas and Michael Jordon for reporting (parts of) these issues and working with us to get them resolved.

These are known as CVE-2007-1262. Further details on SquirrelMail vulnerabilities can be found at the following address:

http://www.squirrelmail.org/security/

Package md5sums
===============
1c40402a805ee316c157f7ae71d653d6 squirrelmail-1.4.10.tar.gz
6e3ab93e8c3854ba84a03df256ed0f7d squirrelmail-1.4.10.tar.bz2
0768994841d87fe07bd04df0edb15bea squirrelmail-1.4.10.zip

Download at: http://www.squirrelmail.org/download.php

Happy SquirrelMailing!

--
Thijs Kinkhorst
SquirrelMail Project Team
|
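The two halves of the "request forgery through images" fix described in the message above, sketched as an added example (not SquirrelMail's PHP code, and not part of the original message): a filter that flags `<img>` URLs pointing at a script on the webmail host, and a compose handler that sends only on POST. The function names, the `recipient`/`body` form fields, the host names and the sample mail are all assumptions made for illustration, and the URL test is a heuristic.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

IMAGE_SUFFIXES = (".png", ".gif", ".jpg", ".jpeg", ".bmp")

# Constructed HTML mail body; hosts and query parameters are placeholders.
SAMPLE_MAIL = """
<p>Quarterly report attached.</p>
<img src="https://cdn.example/banner.png">
<img src="/images/logo.gif" />
<img src="https://webmail.example/src/compose.php?placeholder=1&amp;other=2">
"""


class _ImgSources(HTMLParser):
    """Collect the src attribute of every <img> tag, however it is closed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.sources += [v.strip() for k, v in attrs if k == "src" and v]


def forged_request_images(html, webmail_host):
    """Return <img> URLs that would make the reader's browser send a GET to a
    script on the webmail host itself instead of fetching a picture."""
    parser = _ImgSources()
    parser.feed(html)
    parser.close()
    flagged = []
    for src in parser.sources:
        url = urlsplit(src)
        # A relative URL resolves against the page showing the mail: the webmail host.
        host = (url.hostname or webmail_host).lower()
        if host != webmail_host.lower():
            continue
        if url.query or not url.path.lower().endswith(IMAGE_SUFFIXES):
            flagged.append(src)
    return flagged


def handle_compose(method, form, outbox):
    """Hypothetical compose endpoint: GET may only render the form; mail is
    queued to `outbox` on POST alone, the behaviour the announcement describes."""
    if method.upper() != "POST":
        return 200, "compose form rendered, nothing sent"
    if not form.get("recipient") or not form.get("body"):
        return 400, "missing recipient or body"
    outbox.append((form["recipient"], form["body"]))
    return 200, "message queued"


if __name__ == "__main__":
    print(forged_request_images(SAMPLE_MAIL, "webmail.example"))
    sent = []
    print(handle_compose("GET", {"recipient": "a@example.org", "body": "hi"}, sent), sent)
```

The handler is the part that holds even when the filter misses a disguised URL, because an image fetch can only ever issue a GET.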
From: Fredrik J. <jer...@sq...> - 2007-01-06 19:03:29
|
The SquirrelMail Project Team released the new translation packages for SquirrelMail 1.4.9 and 1.4.9a. You can download packages at the SquirrelMail site <http://www.squirrelmail.org/download.php>.

Checksums of main packages:
|
From: Marc G. K. <ma...@sq...> - 2006-12-04 01:26:00
|
Hello All,

The SquirrelMail Project Team is proud to announce the release of SquirrelMail 1.4.9a. This version is a security release.

The day after we released SquirrelMail 1.4.9 new cross site scripting issues were reported and immediately fixed. Therefore the decision to release 1.4.9a so short after the 1.4.9 release.

1.4.9 and 1.4.9a is addressing the following problems since 1.4.8:

- Some security fixes (see below)
- Small enhancements
- A collection of bugfixes (see ChangeLog)

Security issues
===============

This release addresses security issues found since the release of 1.4.8:

Cross site scripting via malicious input the mailto parameter of webmail.php, the session and delete_draft parameters of compose.php and via a shortcoming in the magicHTML filter.

This is CVE-2006-6142. Thanks for Martijn Brinkers for his continued research that uncovered these issues.

We've also changed SquirrelMail attachment handling to work around an issue in Internet Explorer: the browser will attempt to guess the MIME type of attachments based on content, not the MIME header we send. Attachments could fake to be an 'harmless' image/jpeg, while they were in fact HTML that Internet Explorer would render.

After release 1.4.9 Martijn Brinkers again discovered new cross site scripting issues in the magicHtml filter. The new discovered security issues have to do with the wide interpretation of the words expression and url by IE browsers. As second issue Martijn Brinkers that the @import statement in stylesheets could be misused.

Further details on SquirrelMail vulnerabilities can be found at the following address:

http://www.squirrelmail.org/security/

Package md5sums
===============
3adf66bfe2e816ba8375cf811d8ef3f6 squirrelmail-1.4.9a.tar.bz2
5b19f8cc5badef91d1f2410df41564bc squirrelmail-1.4.9a.tar.gz
a9e108418b0a42763a1d29a267fa7168 squirrelmail-1.4.9a.zip

Download at: http://www.squirrelmail.org/download.php

Happy SquirrelMailing!

--
Marc Groot Koerkamp
SquirrelMail Project Team
|
From: Paul L. <pa...@sq...> - 2006-12-02 22:23:06
|
All,

Minor typo: This release is version 1.4.9 of course, not 1.4.7. It addresses issues contained in version 1.4.8 and lower. :-)

Happy Squirreling!

Paul Lesniewski
SquirrelMail Project Team

> The SquirrelMail Project Team is proud to announce the release of
> SquirrelMail 1.4.7. This version is a maintenance release, addressing
> the following problems since 1.4.6:
> - Some security fixes (see below)
> - Small enhancements
> - A collection of bugfixes (see ChangeLog)
>
> Security issues
> ===============
>
> This release addresses security issues found since the release of 1.4.8:
>
> Cross site scripting via malicious input the mailto parameter of
> webmail.php, the session and delete_draft parameters of compose.php and
> via a shortcoming in the magicHTML filter.
>
> This is CVE-2006-6142. Thanks for Martijn Brinkers for his continued
> research that uncovered these issues.
>
> We've also changed SquirrelMail attachment handling to work around an
> issue in Internet Explorer: the browser will attempt to guess the MIME
> type of attachments based on content, not the MIME header we send.
> Attachments could fake to be an 'harmless' image/jpeg, while they were
> in fact HTML that Internet Explorer would render.
>
> Further details on SquirrelMail vulnerabilities can be found at the
> following address:
>
> http://www.squirrelmail.org/security/
>
> We strongly encourage any persons uncovering security issues to
> contact the SquirrelMail team via security <at> squirrelmail.org.
>
> Package md5sums
> ===============
>
> b3dc6e3c5accb9b88bf6ebfd87336b96 squirrelmail-1.4.9.tar.bz2
> 5a3ecbda6d8378c68fa40b4ac5b2d487 squirrelmail-1.4.9.tar.gz
> 875848f25d481b59552d4e93aaacba4c squirrelmail-1.4.9.zip
>
>
> Download at:
>
> http://www.squirrelmail.org/download.php
>
> Happy SquirrelMailing!
>
> --
> Thijs Kinkhorst
> SquirrelMail Project Team
|
From: Thijs K. <ki...@sq...> - 2006-12-02 15:48:56
|
Hello All,

The SquirrelMail Project Team is proud to announce the release of SquirrelMail 1.4.7. This version is a maintenance release, addressing the following problems since 1.4.6:

- Some security fixes (see below)
- Small enhancements
- A collection of bugfixes (see ChangeLog)

Security issues
===============

This release addresses security issues found since the release of 1.4.8:

Cross site scripting via malicious input the mailto parameter of webmail.php, the session and delete_draft parameters of compose.php and via a shortcoming in the magicHTML filter.

This is CVE-2006-6142. Thanks for Martijn Brinkers for his continued research that uncovered these issues.

We've also changed SquirrelMail attachment handling to work around an issue in Internet Explorer: the browser will attempt to guess the MIME type of attachments based on content, not the MIME header we send. Attachments could fake to be an 'harmless' image/jpeg, while they were in fact HTML that Internet Explorer would render.

Further details on SquirrelMail vulnerabilities can be found at the following address:

http://www.squirrelmail.org/security/

We strongly encourage any persons uncovering security issues to contact the SquirrelMail team via security <at> squirrelmail.org.

Package md5sums
===============
b3dc6e3c5accb9b88bf6ebfd87336b96 squirrelmail-1.4.9.tar.bz2
5a3ecbda6d8378c68fa40b4ac5b2d487 squirrelmail-1.4.9.tar.gz
875848f25d481b59552d4e93aaacba4c squirrelmail-1.4.9.zip

Download at:

http://www.squirrelmail.org/download.php

Happy SquirrelMailing!

--
Thijs Kinkhorst
SquirrelMail Project Team
|