SquirrelMail 1.4.21 Released

The SquirrelMail Team is pleased to announce the release of SquirrelMail version 1.4.21. This is primarily a maintenance release which addresses a smattering of small issues and adds some fine-tuning of recent changes. It also closes two relatively low-risk security issues.

Before this release, for environments with highly active users, the number of security tokens could have bloated user session (and preference) files to an unacceptable size, hurting overall responsiveness. This release scales back the default validity period of security tokens from 30 days to two days, which should fix this problem in most cases. The administrator is always free to change this value by specifying $max_token_age_days in config/config_local.php.

There are also fixes for minor issues related to header folding, faster and more resilient display of encoded subjects, quoting of encoded addresses upon reply, provision of a subject when using forward-as-attachment, and a few other tidbits.

This release also includes fixes for two low-risk vulnerabilities. The first, CVE-2010-1637, allows authenticated users to use the Mail Fetch plugin as a network/port/DNS scanner. The second, CVE-2010-2813, poses a denial-of-service risk when passwords containing 8-bit characters are used to log in. While we characterize these issues as fairly low risk, it is nevertheless recommended that users of previous versions of SquirrelMail upgrade at their earliest convenience.

For more complete details, see the ReleaseNotes and ChangeLog files included in this release (in the doc/ directory).

Posted by Paul Lesniewski 2010-07-23