From: Tomas K. <to...@us...> - 2006-09-03 18:14:28

Hello List,

The SquirrelMail Project Team released new translation packages for SquirrelMail 1.4.8 version. You can find packages on SquirrelMail site (http://www.squirrelmail.org/download.php).

Checksums of main packages

--
Tomas Kuliavas
The SquirrelMail Internationalization Team

From: Thijs K. <ki...@sq...> - 2006-08-11 12:26:16

Hello all,

Today SquirrelMail version 1.4.8 has been released with a collection of bugfixes and an important security fix.

It was possible for an authenticated user to overwrite random variables in the compose.php script. This may open up possible attack vectors like reading or overwriting a user's preference file or attachments. We advise all current SquirrelMail users to upgrade. There's also a patch available against 1.4.7.

The interesting thing is that the function that contained the flaw was actually broken. The function is used to resume a compose session of a user that is confronted with a session timeout after composing a long mail. We've got two patches available: a minimal one which just removes the code, since it was broken anyway, and a full version that repairs the functionality and closes the hole.

SquirrelMail can be downloaded here:
http://www.squirrelmail.org/download.php

The patches can be found here:
http://www.squirrelmail.org/patches/sqm1.4.7-expired-post-fix-minimal.patch
http://www.squirrelmail.org/patches/sqm1.4.7-expired-post-fix-full.patch
They also apply against the current development version.

We'd like to thank James Bercegay of GulfTech Security Research for finding this issue and reporting it to us.

Happy SquirrelMailing!

Thijs Kinkhorst
on behalf of the SquirrelMail team

From: Tomas K. <to...@us...> - 2006-07-04 20:11:29

Hello All,

The SquirrelMail Project Team is proud to announce the release of SquirrelMail 1.4.7.

This version is a maintenance release, addressing the following problems since 1.4.6:

- Minor security fixes (see below)
- A lot of bugfixes (see ChangeLog)
- Added support for Ukrainian

Security issues
===============

This release addresses two different security issues found since the release of 1.4.6, which we consider to be of minor severity, but they have of course been fixed:

- It was possible to include a local file through functions/plugin.php with register_globals enabled, and magic_quotes disabled. However, running with register_globals enabled is completely unnecessary and a well-known security hazard. We've now changed the code such that when register_globals is enabled, all globals are deregistered. Reported by Denix Solutions, thanks!
- It was possible to steal a cookie of a user that ran on the same base domain. Since this setup is already inherently insecure we don't think the impact is big, but the code was of course fixed to also incorporate the path to SquirrelMail.

Further details on SquirrelMail vulnerabilities can be found at the following address: http://www.squirrelmail.org/security/

We strongly encourage any persons uncovering security issues to contact the SquirrelMail team via security <at> squirrelmail.org.

Package md5sums
===============

--
Tomas Kuliavas
The SquirrelMail Project Team

From: Tomas K. <to...@us...> - 2006-04-10 17:48:56

Hello List,

The SquirrelMail Project Team released new translation packages for SquirrelMail 1.4.6 version. You can find packages on SquirrelMail site (http://www.squirrelmail.org/download.php).

Information about main updates:

* added Ukrainian translation by Serhij Dubyk
* fixed some Japanese and French translation strings
* updated Georgian and Norwegian Nynorsk translations
* updated some plugin translations

Ukrainian translation needs some modification in stock SquirrelMail 1.4.6 functions/i18n.php file. Modified file and patch are included in package.

Checksums of main packages

--
Tomas Kuliavas
The SquirrelMail Internationalization Team

From: Tomas K. <to...@us...> - 2006-04-10 17:25:26

Hello List,

The SquirrelMail Project Team released new translation packages for SquirrelMail 1.5.1 version. You can find packages on SquirrelMail site (http://www.squirrelmail.org/download.php).

Checksums of main packages

--
Tomas Kuliavas
The SquirrelMail Internationalization Team

From: Tomas K. <to...@us...> - 2006-02-24 18:50:07

Hello List,

The SquirrelMail Project Team released translation packages for SquirrelMail 1.4.6 version. You can find packages on SquirrelMail site (http://www.squirrelmail.org/download.php).

Checksums of main packages

--
Tomas Kuliavas
The SquirrelMail Internationalization Team

From: Thijs K. <ki...@sq...> - 2006-02-23 22:02:03

Hello All,

It is my proud pleasure to announce the final release of SquirrelMail 1.4.6. This release is very important, and we strongly advise everybody to update to the latest release.

Security Update
===============

This version contains a number of security updates that were brought to our attention via a number of sources.

- In webmail.php, the right_frame parameter was not properly sanitized to deal with very lenient browsers, which allowed for cross site scripting or frame replacing. [CVE-2006-0188]
- In the MagicHTML function, some very obscure constructs were discovered to be exploitable: 'u\rl' was interpreted as 'url' (privacy concern), and comments could be inside keywords (allows for cross site scripting). Both only affect Internet Explorer users. Found by Martijn Brinkers and Scott Hughes. [CVE-2006-0195]
- The function sqimap_mailbox_select did not strip newlines from the mailbox parameter, and thereby allowed for IMAP command injection. Found by Vicente Aguilera. [CVE-2006-0377]

Further details on SquirrelMail vulnerabilities can be found at the following address: http://www.squirrelmail.org/security/

We strongly encourage any persons uncovering Security issues to contact the SquirrelMail team via sec...@sq....

In This Release
===============

This release contains mostly bug fixes, including corrections for PHP behaviour changes in file handling, and some data types. Especially running SquirrelMail on the most recent PHP versions should be much improved.

For further information about the changes involved in this release, please see the ChangeLog and ReleaseNotes files included with the release.

The latest release can be downloaded from the SquirrelMail website at http://www.squirrelmail.org/download.php

Happy SquirrelMailing

The SquirrelMail development Team

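Added example, not part of the announcement above and not SquirrelMail's code: a PHP illustration of the IMAP command injection class described for sqimap_mailbox_select, where a mailbox name containing CR/LF turns one SELECT into two command lines. The function names and the sample input are constructed for this example, and the hardened builder rejects line breaks instead of stripping them.

```php
<?php
// Added illustration. build_select_unsafe(), build_select_safe() and
// count_command_lines() are hypothetical names, not SquirrelMail functions.

/** Unsafe: the mailbox name is placed in the command exactly as received. */
function build_select_unsafe(string $tag, string $mailbox): string
{
    return $tag . ' SELECT "' . $mailbox . '"' . "\r\n";
}

/**
 * Hardened: a mailbox name may never carry CR, LF or NUL, because CRLF is
 * what ends an IMAP command. Quote and backslash are escaped so the name
 * cannot close the quoted string early.
 */
function build_select_safe(string $tag, string $mailbox): string
{
    if ($mailbox === '' || preg_match('/[\r\n\0]/', $mailbox) === 1) {
        throw new InvalidArgumentException('invalid mailbox name');
    }
    return $tag . ' SELECT "' . addcslashes($mailbox, "\"\\") . '"' . "\r\n";
}

/** Number of CRLF-terminated command lines the server would read. */
function count_command_lines(string $wire): int
{
    return count(array_filter(explode("\r\n", $wire), 'strlen'));
}

// Constructed input: a request parameter that smuggles a harmless NOOP.
$mailbox = "INBOX\r\nX001 NOOP";

printf(
    "unsafe builder sends %d command line(s)\n",
    count_command_lines(build_select_unsafe('A001', $mailbox))
);

try {
    build_select_safe('A001', $mailbox);
} catch (InvalidArgumentException $e) {
    echo 'safe builder refused the name: ', $e->getMessage(), "\n";
}

// A legitimate name with a quote in it still yields exactly one command.
printf(
    "safe builder sends %d command line(s) for a normal name\n",
    count_command_lines(build_select_safe('A002', 'Sent "2006"'))
);
```
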
From: Tomas K. <to...@us...> - 2006-02-19 15:00:34

Hello List,

The SquirrelMail Project Team released translation packages for SquirrelMail 1.5.1 version. You can find packages on SquirrelMail site (http://www.squirrelmail.org/download.php).

Checksums of main packages

--
Tomas Kuliavas
The SquirrelMail Internationalization Team

From: Marc G. K. <ma...@sq...> - 2006-02-19 13:26:22

Hello List,

The SquirrelMail Team is proud to announce the release of SquirrelMail 1.5.1! This is the second release of the development 1.5.x series. This release contains many updates like improved performance, PHP5 support, interface tweaks and preliminary template support.

For more info see the release notes (http://sourceforge.net/project/shownotes.php?group_id=311&release_id=394739).

To grab your copy, go to http://www.squirrelmail.org/download.php.

Regards,
Marc Groot Koerkamp
Squirrelmail Development Leader.

From: Jonathan A. <jo...@sq...> - 2005-12-13 03:37:47

SquirrelMail Internationalization Team released translation package for SquirrelMail 1.4.6rc1 version. This version contains updates in Dutch, Estonian and Faroese translations and plugin string updates. Special thanks to Tanel Kindsigo for Estonian translation updates. Other pending translation updates should be available in newer 1.4.6 translation packages.

Main package md5sums:

Main package sha1sums:

Other packages can be found on SquirrelMail SourceForge file repository.
http://sourceforge.net/project/showfiles.php?group_id=311&package_id=110388&release_id=377647

Md5sums and sha1sums are attached to this email. They can also be found on
http://www.squirrelmail.org/sums/all_locales-1.4.6rc1-20051212.md5
http://www.squirrelmail.org/sums/all_locales-1.4.6rc1-20051212.sha1

--
SquirrelMail Development Team

From: Thijs K. <ki...@sq...> - 2005-12-10 21:44:12

The SquirrelMail team is happy to announce that a testing version has been released for the stable series: 1.4.6 Release Candidate 1.

This release candidate addresses many bugs found since the release of our previous version. Details on all the changes in this release can be found in the ChangeLog: http://www.squirrelmail.org/changelog.pgp

To grab your copy, go to the Download page at: http://www.squirrelmail.org/download.php

A package for Debian will be available shortly in Debian's 'experimental' distribution.

Please let us know how this RC works for you, so we can fix any problems in time for 1.4.6-release. You can use our bugtracker at http://www.squirrelmail.org/bugs , IRC #squirrelmail at irc.freenode.org, or post to our development mailinglist at squ...@li....

Happy SquirrelMailing!

The SquirrelMail development team

From: Jonathan A. <jo...@sq...> - 2005-11-09 04:15:37

The SquirrelMail Project Team released Extra decoding library. This is the first stable extra decoding library package release.

SquirrelMail decoding functions are used to display and convert messages encoded in different character sets. Extra decoding library provides support of some complex Eastern character sets and some rarely used Apple character sets. Current release supports Big5, Windows-874 (cp874, Thai), Windows-949 (UHC, Korean), EUC-CN, EUC-JP, EUC-KR, EUC-TW, GB18030, GB2312, ISO-2022-CN, ISO-2022-JP, ISO-2022-JP-2, ISO-2022-KR, Shift_JIS and various x-mac-* character sets.

Extra decoding library can be used in SquirrelMail 1.4.4 or newer. It depends on sq_is8bit() function.

In order to optimize decoding of Eastern character sets, PHP installation needs recode (http://www.php.net/recode) or iconv (http://www.php.net/iconv) support. Some decoding functions can use mbstring functions present in php 4.3.0. Mbstring decoding needs sq_mb_list_encodings() function from SquirrelMail 1.5.1 or 1.4.6.

Some decoding code can be activated only when $aggressive_decoding variable is set to true. This variable should be enabled only on smaller systems, that don't call aggressive decoding functions very often. Turning on $aggressive_decoding variable by default in packaged SquirrelMail versions is not recommended.

If you find bugs in this library, report them in SquirrelMail bug tracker (http://www.squirrelmail.org/bugs). Developers will need information about PHP version, PHP recode, iconv and mbstring extensions, used SquirrelMail version, any modification made in functions/i18n.php and mbstring extension settings.

You can find packages on the Download page.

Package md5sums:

Package sha1sums:

--
The SquirrelMail Project Team

From: Jonathan A. <jo...@sq...> - 2005-07-13 19:12:42

Hello All,

It is my proud pleasure to announce the final release of SquirrelMail 1.4.5. This release is very important, and we strongly advise everybody to update to the latest release.

Security Update
===============

This version contains a number of security updates that were brought to our attention via a number of sources. Several cross site scripting exploits were uncovered by Martijn Brinkers and have been assigned the CAN-2005-1769. Another vulnerability was uncovered by James Bercegay, from GulfTech Security Research, which would allow a user to craft a special page that might permit them to overwrite other user settings. This has been assigned the ID CAN-2005-2095.

Further details on SquirrelMail vulnerabilities can be found at the following address: http://www.squirrelmail.org/security/

We strongly encourage any persons uncovering Security issues to contact the SquirrelMail team via sec...@sq....

In This Release
===============

This release contains mostly bug fixes, including corrections for PHP behaviour changes in file handling, and some data types. We've also added support for the SquirrelSpell plugin under safe_mode if using PHP 4.3.0 or higher. Other changes include support for Priority headers, new Tahoma style sheets, and fixes in saving of searches.

For further information about the changes involved in this release, please see the ChangeLog and ReleaseNotes files included with the release.

The latest release can be downloaded from the SquirrelMail website at http://www.squirrelmail.org/download.php

Happy SquirrelMailing

The SquirrelMail development Team

From: Jonathan A. <jo...@sq...> - 2005-06-16 03:43:26

Good evening all,

I'm pleased to announce the release of SquirrelMail 1.4.5-RC1. This is a long awaited preparation for the final release of 1.4.5 and there is lots packed into this release.

In This Release
===============

This release contains a large number of bug fixes, a couple of feature enhancements, and a few security fixes. We'd like to pay special thanks to Martijn Brinkers for assistance in this release as he reported multiple cross-site scripting (XSS) issues which are detailed in the security update posted here at the URL below.

http://www.squirrelmail.org/security/issue/2005-06-15

Bug fixes in this release include folder handling, attachment handling fixes relating to a change in PHP code behaviour, fixes in the Search pages, and a lot more.

Enhancements in this release include the new font sheets, the ability to hide the SquirrelMail headers with more private information, attempts to detect users' language preferences from browser settings, and a few more.

Further details on what has been changed can be seen in the ChangeLog.

Reporting Issues
================

As always, we like to fix issues. Please let us know, either on the lists, or via the bug tracker (please create an account so we can get feedback).

How to Get It
=============

As with all releases, this can be downloaded from the SquirrelMail download page at http://www.squirrelmail.org/download.php.

Happy Squirrelling

SquirrelMail Development Team

From: Konstantin R. <ic...@li...> - 2005-06-15 23:51:06

On Thu, 2005-06-16 at 00:12 +0200, Thijs Kinkhorst wrote:
> [1] http://prdownloads.sourceforge.net/squirrelmail/sqm-144-xss.patch

RPM packages incorporating this patch have been published on the site (release identifier 1.4.4-2 or 1.4.4-0.2.7.x). Please see http://squirrelmail.org/download.php to get them and then apply using "rpm -Uvh".

Kind regards,
--
Konstantin ("Icon") Ryabitsev
Duke University Physics Sysadmin

From: Thijs K. <ki...@sq...> - 2005-06-15 22:12:55

Dear SquirrelMail users,

Several cross site scripting (XSS) vulnerabilities have been discovered in SquirrelMail versions 1.4.0 - 1.4.4. These have been addressed in a patch that can be found at [1]. We advise all our users to apply this patch. We're also releasing SquirrelMail 1.4.5 release candidate 1 today. We expect version 1.4.5 to be out within two weeks from now.

The vulnerabilities are in two categories: the majority can be exploited through URL manipulation, and some by sending a specially crafted email to a victim. When done very carefully, this can cause the session of the user to be hijacked.

We know that versions 1.4.0 to 1.4.3a are vulnerable to most of the issues. The 1.2.x series is not supported anymore; we advise users of that series to upgrade to 1.4.4 with the patch applied.

Credits: we would like to thank Martijn Brinkers who helped a lot in finding these vulnerabilities, and Cor Bosman of XS4ALL who helped in testing the proposed fixes.

If you have any questions or concerns, please turn to the squ...@li... mailinglist or the #squirrelmail channel on irc.freenode.net.

Safe SquirrelMailing!

The SquirrelMail Project Team

[1] http://prdownloads.sourceforge.net/squirrelmail/sqm-144-xss.patch

From: Jonathan A. <jo...@sq...> - 2005-01-22 17:03:26

Good Morning Everybody,

We are pleased to announce the release of SquirrelMail 1.4.4. This release is a strongly recommended upgrade due to a number of security issues that have been resolved since 1.4.3a.

About This Release
------------------

This release contains a number of bug fixes, and security updates. The list is very long, as this version has been hiding in the trees for a while. For a full list of the changes, you can see the changelog here: http://www.squirrelmail.org/changelog.php

A general summary of updates includes a few cross site scripting issues, and two possible file inclusion issues (one remote, one local). Better IMAP handling introduced for certain IMAP servers that advertise LOGINDISABLED, folder handling, and a number of locales issues.

Locales
-------

Shortly after the release of 1.4.3, the locales were broken out of the main branch into their own branch. This makes the SquirrelMail package itself a lot smaller, along with allowing administrators to download just the packages they need. Details on this change can be found in the ReleaseNotes and the INSTALL files.

Reporting Bugs
--------------

We like to squash bugs, but we need your help when it comes to them. Full details on their behaviour is a must. This includes what versions of packages you have installed, such as web services, php services, your imap server, plugins, etc. If you provide this kind of information when you report a bug, it'll better help us to resolve the problem.

Our bug tracker is currently located at: https://sourceforge.net/tracker/?group_id=311&atid=100311

We suggest creating a login so we can inform you of updates and request further information.

How to get it
-------------

You can get the latest release by going to: http://www.squirrelmail.org/download.php

Special Thanks
--------------

Special thanks goes out to the people reporting security issues directly to us, and not disclosing the information to the general public before we were able to investigate the issue, and come up with a proper solution.

Happy Squirreling

The SquirrelMail Stable Development Team

From: Jonathan A. <jo...@sq...> - 2005-01-01 04:41:12

Hello All,

I'm pleased to announce we have released SquirrelMail 1.4.4 Release Candidate 1 for testing. In this release there is a long list of fixes, updates, and changes, including some security updates.

This release also introduces a shift in release strategy. The locales packages are no longer shipped with the main SquirrelMail download, and as such, the download sizes are much smaller. Separate locales will be available for each language shortly.

For a list of changes in this release, you can see the ChangeLog on the SquirrelMail home page, which you can find here: http://www.squirrelmail.org/changelog.php

As always, bug reports, and enhancements can be submitted to us. It is best done via the bug tracker, it helps us keep a handle on things, and allows you to track the progress. Our bug tracker resides on sourceforge at: https://sourceforge.net/tracker/?group_id=311&atid=100311

While not required, it is STRONGLY suggested you use an account to report bugs as it allows you to keep us up to date, as well as us keep you up to date on what is going on.

You can download the latest release from: http://www.squirrelmail.org/download.php

Thank you all, and happy Squirrelling

The SquirrelMail Development Team

From: Konstantin R. <ic...@li...> - 2004-11-18 14:29:19

Hello, everyone:

I have released a new RPM for 1.4.3a that incorporates the XSS patch. The RPMs in question are:

squirrelmail-1.4.3a-2.noarch.rpm -- For Fedora Core and RHEL 3
squirrelmail-1.4.3a-0.2.7.x.noarch.rpm -- For RHL 7.x and RHEL 2

Download: http://squirrelmail.org/download.php

Kind regards,
--icon

From: Jonathan A. <jo...@sq...> - 2004-11-10 06:05:08

SquirrelMail Security Notice
============================

About
-----

SquirrelMail is a standards-based webmail package written in PHP4. It includes built-in pure PHP support for the IMAP and SMTP protocols, and all pages render in pure HTML 4.0 (with no JavaScript required) for maximum compatibility across browsers. It has very few requirements and is very easy to configure and install. SquirrelMail has all the functionality you would want from an email client, including strong MIME support, address books, and folder manipulation.

Details
-------

There is a cross site scripting issue in the decoding of encoded text in certain headers. SquirrelMail correctly decodes the specially crafted header, but doesn't sanitize the decoded strings.

Affected
--------

SquirrelMail 1.4.3a and earlier
SquirrelMail 1.5.1-cvs before 23rd October 2004

Resolution
----------

A patch has been published to resolve this issue for the SquirrelMail 1.4.3a branch, and can be downloaded from here:

http://prdownloads.sourceforge.net/squirrelmail/sm143a-xss.diff?download

To apply this patch, copy the sm143a-xss.diff file into the base SquirrelMail directory, and follow the command:

    patch -p0 < sm143a-xss.diff

Those using SquirrelMail 1.5.1-cvs should update using CVS, or use a copy of the latest snapshot downloadable from the SquirrelMail website at: http://www.squirrelmail.org

Acknowledgements
----------------

Special thanks goes to Joost Pol for notifying us about this issue.

Comments
--------

The SquirrelMail development team work hard with people reporting security issues in an attempt to resolve issues. We appreciate those that are willing to dedicate the time to work with us on any issue they uncover in the SquirrelMail project. If any further issues are uncovered, a dedicated mail address can be used to report the issue. The address is sec...@sq....

--
Jonathan Angliss (jo...@sq...)

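Added example, not part of the notice above and not SquirrelMail's code: a PHP illustration of why a header has to be escaped after its RFC 2047 encoded-words are decoded, since the raw header contains no markup characters and the decoded one does. The function names and the sample Subject value are constructed for this example, and the decoder converts charsets other than UTF-8 and US-ASCII only when the iconv extension is present.

```php
<?php
// Added illustration. decode_encoded_words(), render_unsafe() and
// render_safe() are hypothetical names, not SquirrelMail functions.

/** Decode RFC 2047 encoded-words ("=?charset?B|Q?text?=") to UTF-8. */
function decode_encoded_words(string $header): string
{
    $ew = '=\?([^?\s]+)\?([BbQq])\?([^?\s]*)\?=';

    // Whitespace between two adjacent encoded-words is not part of the text.
    $header = preg_replace('/(' . $ew . ')\s+(?=' . $ew . ')/', '$1', $header);

    return preg_replace_callback(
        '/' . $ew . '/',
        function (array $m): string {
            [$whole, $charset, $encoding, $text] = $m;

            if (strtoupper($encoding) === 'B') {
                $bytes = base64_decode($text, true);
                if ($bytes === false) {
                    return $whole;          // malformed: leave undecoded
                }
            } else {
                // "Q" is quoted-printable with "_" standing for a space.
                $bytes = quoted_printable_decode(str_replace('_', ' ', $text));
            }

            $cs = strtoupper($charset);
            if ($cs === 'UTF-8' || $cs === 'US-ASCII') {
                return $bytes;
            }
            $utf8 = function_exists('iconv')
                ? @iconv($charset, 'UTF-8//IGNORE', $bytes)
                : false;
            return $utf8 === false ? $whole : $utf8;
        },
        $header
    );
}

/** The flaw described in the notice: decoded text reaches the page as-is. */
function render_unsafe(string $rawSubject): string
{
    return '<td>' . decode_encoded_words($rawSubject) . '</td>';
}

/** Hardened: decode first, then escape the decoded string for HTML. */
function render_safe(string $rawSubject): string
{
    $decoded = decode_encoded_words($rawSubject);
    return '<td>'
        . htmlspecialchars($decoded, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</td>';
}

// Constructed header value: no "<" or ">" appears until it is decoded,
// so a filter applied to the raw header would find nothing to escape.
$subject = '=?UTF-8?Q?=3Cb=3Ebold=3C/b=3E?= report';

echo 'raw header : ', $subject, "\n";
echo 'unsafe cell: ', render_unsafe($subject), "\n";
echo 'safe cell  : ', render_safe($subject), "\n";
```
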
From: Jonathan A. <jo...@sq...> - 2004-06-03 06:09:49

The SquirrelMail team are pleased to announce the release of SquirrelMail 1.4.3a. This is a minor release, and contains only one change over the 1.4.3 release. This is to fix the compose issue that was accidentally introduced.

You can get your copy of this release from the website at: http://www.squirrelmail.org/download.php

Happy Squirrelling.

SquirrelMail Development Team

From: Jonathan A. <jo...@sq...> - 2004-05-30 19:14:05

The SquirrelMail development team are proud to announce the release of SquirrelMail 1.4.3 to the public.

Changes In This Release:
------------------------

This release contains a large number of bug fixes, along with some critical XSS (cross site scripting) issues that prompt the development team to STRONGLY advise all users running versions prior to the 1.4.3 release to upgrade. For further information on what has changed in this release, please see the ChangeLog file.

Special Thanks:
---------------

Special thanks this release go to Roman Medina, Eyal Udassin, and others for working with the SquirrelMail team on several issues.

Happy Squirrelling.

The SquirrelMail Development Team

From: Jonathan A. <jo...@sq...> - 2004-05-11 02:30:03

Good Evening all,

I'd like to introduce the SquirrelMail 1.4.3 Release Candidate 1 to the general public. This is a testing release before the final version.

In This Release
---------------

This release contains a number of bug fixes, including a number of XSS fixes, and a well hidden SQL injection issue discovered by Eyal Udassin (eyal [at] bazman.co.il). There are also a number of minor user interface tweaks and some minor feature enhancements, including some things around date handling of incoming emails.

More details on updates are in the ChangeLog which can be seen here: http://www.squirrelmail.org/changelog.php

We'd like all to test as soon as possible. To emphasize again, this is a release candidate. A proper release note will be included with the final release.

Thanks All,

The SquirrelMail Development Team

From: Erin S. <ebu...@sq...> - 2004-02-02 16:17:10

The Development team has released 1.5.0, which includes the integration of the delete-move-next plugin, some interface tweaks, and too many bugfixes to be mentioned.

More details in the ChangeLog: https://sourceforge.net/project/shownotes.php?group_id=311&release_id=214342

Thanks to all the developers and users that contributed their time, their comments, their patches, and their testing to this release!

Happy SquirrelMailing!

The SquirrelMail Development Team

From: Erin S. <ebu...@sq...> - 2003-10-07 00:10:32

ANNOUNCE: SquirrelMail 1.4.2 released
Oct 01, 2003 by Chris Hilts

After a long and (frequently extended) wait, SquirrelMail version 1.4.2 has been released. This is the latest and greatest version of the stable source tree, and we recommend that all production sites upgrade to this version.

Links:
SquirrelMail 1.4.2 Download: http://squirrelmail.org/countdl.php?fileurl=http%3A%2F%2Fprdownloads.sf.net%2Fsquirrelmail%2Fsquirrelmail-1.4.2.tar.gz
SquirrelMail 1.4.2 ChangeLog: http://squirrelmail.org/changelog.php