Thijs Kinkhorst | 23 May 19:55

[SM-ANNOUNCE] ANNOUNCE: SquirrelMail 1.4.15 Released

Hello All,

It's a pleasure to be able to announce the release of SquirrelMail 1.4.15, 
which is a bugfix release. It contains an assortment of bugfixes that have 
been made during the past months by the SquirrelMail team.

The latest release can be downloaded from the SquirrelMail website at
http://www.squirrelmail.org/download

*** The SquirrelMail team can use your help! ***
We consist of volunteers developing the most popular open source webmail 
client available. To keep up with this quality and to prepare it for the 
future, we're looking for people to join our team! The project offers an 
interesting challenge on the intersection of the IMAP, SMTP and HTTP 
protocols.

What can you do to help? Any of the following:
 * Develop new features: help out on making SquirrelMail "skinnable" or work 
   with new technologies;
 * Help sort and fix bugs: interact with submitters, find testcases and 
   solutions to bugs;
 * Support our users by answering questions on the mailinglist or IRC channel;
 * Translate SquirrelMail into your language.

For more details, please refer to www.squirrelmail.org/howtohelp

Package md5sums
===============
87b466fef98e770307afffd75fe25589  squirrelmail-1.4.15.tar.gz
22164ce827edafd0afd65763d2a0f096  squirrelmail-1.4.15.tar.bz2

Thijs Kinkhorst | 12 May 20:35

[SM-ANNOUNCE] ANNOUNCE: SquirrelMail 1.4.15 Release Candidate 1 available

Hello All,

It's a pleasure to be able to announce the availability of the first Release 
Candidate of SquirrelMail 1.4.15. A release candidate is intended as the 
final public verification that a version is all right before it's 
declared "stable". Please try it out and report any bugs to us.

The release candidate can be downloaded from the SquirrelMail website at
http://www.squirrelmail.org/download.php

Package md5sums
===============
eae23ab4bd3bbaa4a0bdbb7ca22f3fab  squirrelmail-1.4.15-rc1.tar.bz2
7f747408ea0ed206dae244c592e9d33c  squirrelmail-1.4.15-rc1.tar.gz
7e9bca65e3ff677bfa6d8825e6e754b9  squirrelmail-1.4.15-rc1.zip

Happy SquirrelMailing!
The SquirrelMail development Team
Jon Angliss | 14 Dec 19:57

[SM-ANNOUNCE] ANNOUNCE: SquirrelMail 1.4.13 Released


All,

Due to the package compromise of 1.4.11, and 1.4.12, we are forced to
release 1.4.13 to ensure no confusions. While initial review didn't
uncover a need for concern, several proof of concepts show that the
package alterations introduce a high risk security issue, allowing
remote inclusion of files. These changes would allow a remote user the
ability to execute exploit code on a victim machine, without any user
interaction on the victim's server. This could grant the attacker the
ability to deploy further code on the victim's server.

We *STRONGLY* advise all users of 1.4.11, and 1.4.12 upgrade
immediately.

Package MD5s
============
1a1bdad6245aaabcdd23d9402acb388e  squirrelmail-1.4.13.tar.bz2
51ddd67a7ff9272f5a6e1da0b9dfbf18  squirrelmail-1.4.13.tar.gz
ed8871a693cc57d5a0d511f7b89f8781  squirrelmail-1.4.13.zip

We apologise for the inconvenience this may have caused.

--
Happy SquirrelMailing!
The SquirrelMail Development Team
Jon Angliss | 13 Dec 17:46

[SM-ANNOUNCE] SECURITY: 1.4.12 Package Compromise


All,

It has been brought to our attention that the MD5 sums for the 1.4.12
package were not matching the actual package.  We've been
investigating this issue, and uncovered that the package was modified
post release.  This was believed to have been caused by a compromised
account from one of our release maintainers.

Further investigations show that the modifications to the code should
have little to no impact at this time.  Modifications seemed to be
based around a PHP global variable which we cannot track down.  The
changes made will most likely generate an error, rather than a
compromise of a system in the event the code does get executed.

Original packages, stored on secure media, have been restored to the
Sourceforge download servers, and additional signatures for the
packages are now available on the SquirrelMail download page at
http://www.squirrelmail.org/download.php

While we believe the changes made should have little impact, we
strongly recommend everybody that has downloaded the 1.4.12 package
after the 8th December, to redownload the package.

The code modifications did not make it into our source control, just
the final package.  We are currently investigating older packages to
see if they were also compromised.

Once again, the original package MD5s are:
ea5e750797628c9f0f247009f8ae0e14  squirrelmail-1.4.12.tar.bz2
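
The check that exposed the mismatch described in this notice can be automated as below. This is an added example, not part of the original message or of SquirrelMail's tooling: it reads a "Package md5sums" block in the format used in these announcements and compares it with the files in a download directory. The function names and the `demo-1.0.*` files are constructed for illustration.

```python
import hashlib
import os
import re

# md5sum(1) line format as used in the announcements: "<32 hex>  <filename>"
_LINE = re.compile(r"^([0-9a-fA-F]{32})\s+\*?(\S+)$")

def parse_manifest(text):
    """Extract {filename: md5hex} from an announcement body, ignoring prose."""
    manifest = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            # basename() so an entry can never point outside the download dir
            manifest[os.path.basename(m.group(2))] = m.group(1).lower()
    return manifest

def md5_of(path, chunk=1 << 20):
    """Stream the file so large tarballs are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify(manifest, directory):
    """Return {filename: 'ok' | 'mismatch' | 'missing'} for each listed package."""
    result = {}
    for name, expected in manifest.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            result[name] = "missing"
        elif md5_of(path) == expected:
            result[name] = "ok"
        else:
            result[name] = "mismatch"
    return result

if __name__ == "__main__":
    import tempfile
    # Constructed demo: two placeholder packages, one altered after the sums exist.
    with tempfile.TemporaryDirectory() as d:
        for name in ("demo-1.0.tar.gz", "demo-1.0.zip"):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(b"original release bytes for " + name.encode())
        announcement = "Package md5sums\n===============\n" + "".join(
            f"{md5_of(os.path.join(d, n))}  {n}\n" for n in sorted(os.listdir(d)))
        with open(os.path.join(d, "demo-1.0.zip"), "ab") as fh:
            fh.write(b"modified post release")
        print(verify(parse_manifest(announcement), d))
```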

Jon Angliss | 5 Dec 06:41

[SM-ANNOUNCE] RELEASE: SquirrelMail 1.4.12


Hello All,

It's my pleasure to announce the release of SquirrelMail 1.4.12.  This
release is a bug fix release, including a critical bug in the handling
of attachments.

The latest release can be downloaded from the SquirrelMail website at
http://www.squirrelmail.org/download.php

Package md5sums
===============
ea5e750797628c9f0f247009f8ae0e14  squirrelmail-1.4.12.tar.bz2
d17c1d9f1ee3dde2c1c21a22fc4f9d0e  squirrelmail-1.4.12.tar.gz
3f6514939ea1ebf69f6f8c92781886ab  squirrelmail-1.4.12.zip

--
Happy SquirrelMailing!
The SquirrelMail development team
Thijs Kinkhorst | 29 Sep 10:21

[SM-ANNOUNCE] ANNOUNCE: SquirrelMail 1.4.11 Released

Hello All,

It's a pleasure to be able to announce the release of SquirrelMail 1.4.11, 
which is a bugfix and stability release. It contains an assortment of 
bugfixes that have been made during the past months by the SquirrelMail team, 
and improves the handling of strangely-formed mail messages or picky 
mailservers.

The latest release can be downloaded from the SquirrelMail website at
http://www.squirrelmail.org/download.php

Package md5sums
===============
486fb27a6ab306088603163160dbc8ca  squirrelmail-1.4.11.tar.bz2
869bece15e1aefe3769269e222bf7e0f  squirrelmail-1.4.11.tar.gz
7db9ce40d2995031ec7a5eaa0d32c230  squirrelmail-1.4.11.zip

Happy SquirrelMailing!
The SquirrelMail development Team

Thijs Kinkhorst | 10 May 11:08

[SM-ANNOUNCE] SquirrelMail 1.4.10 Updated (1.4.10a)

Hello All,

Shortly after the release of SquirrelMail 1.4.10, a regression in the compose 
form was discovered. Unfortunately the limited disclosure of security patches 
does not allow for public testing, so this regression went unnoticed. We're 
sorry for the inconvenience.

If you've already downloaded and installed version 1.4.10, a patch for 1.4.10a 
is available here:
http://www.squirrelmail.org/patches/1.4.10-security/1.4.10-1.4.10a.patch
If you've not yet updated to 1.4.10, you can continue straight on to 1.4.10a.

Package md5sums
===============

d06c473c83e756493ad8ebe94d8d803b  squirrelmail-1.4.10a.tar.gz
298aaa1811b3fb40a803a6f57b22be20  squirrelmail-1.4.10a.tar.bz2
feedb1456d03c4e9723e9b32318aa636  squirrelmail-1.4.10a.zip

Download at:

  http://www.squirrelmail.org/download.php

Happy SquirrelMailing!

--

-- 
Thijs Kinkhorst
SquirrelMail Project Team

Thijs Kinkhorst | 9 May 17:30

[SM-ANNOUNCE] SquirrelMail 1.4.10 Released

Hello All,

The SquirrelMail Project Team is proud to announce the release of
SquirrelMail 1.4.10. This version is a security release.

This version, 1.4.10 is a maintenance release, addressing
the following problems since 1.4.9a:
- Some security fixes (see below)
- Small enhancements
- A collection of bugfixes and stability enhancements
(see ChangeLog for a full list)

Security issues
===============

This release addresses security issues found since the release of 1.4.9a:

There's an ongoing battle to further secure the HTML filter against malicious
HTML mail and the browsers that accept almost any malformed piece of HTML.

This release contains fixes for the following:
- HTML attachments containing "data:" URLs;
- Internet Explorer in various versions accepts many permutations of HTML
  and JavaScript in many charsets. We now properly canonicalize the incoming
  HTML to us-ascii before applying further filters. IE only.
- Request forgery through images. It was possible to include "images" in
  HTML mails which were in fact GET requests for the compose.php page sending
  mail. These images are now properly detected, and the compose form will only
  send mail through a POST request.


Fredrik Jervfors | 6 Jan 20:01

[SM-ANNOUNCE] SquirrelMail 1.4.9 translations released

The SquirrelMail Project Team released the new translation packages for
SquirrelMail 1.4.9 and 1.4.9a. You can download packages at the
SquirrelMail site <http://www.squirrelmail.org/download.php>.

Checksums of main packages:

MD5 sums:
eaa0e8835b8d7d451500aad907c22e24  all_locales-1.4.9-20070106.tar.bz2
1bc96d64a6d7904d454540209534c10a  all_locales-1.4.9-20070106.tar.gz
c12e2b4615cdcf9e0bf60b00b71f121a  all_locales-1.4.9-20070106.zip
b59be8696cbdb05a7684f8a53466e8b8  locales-1.4.9-20070106-src.tar.bz2
b2742f9a0030df68c0918a2ed604cbe8  locales-1.4.9-20070106-src.tar.gz
884775cdfdc01e07c6d590a13d278b2e  locales-1.4.9-20070106-src.zip

SHA1 sums:
d187a9b77384b398a0945f51aaaf248379fdfa15  all_locales-1.4.9-20070106.tar.bz2
718fc4bfa9504f169f2e8498e84e1bc1831e50e6  all_locales-1.4.9-20070106.tar.gz
f36c91691a948e742b32e90c821e647f3ab462be  all_locales-1.4.9-20070106.zip
3cf37fd93ec81c9a694617dc20781434564d17a7  locales-1.4.9-20070106-src.tar.bz2
8d1b4bfdca2a157e5f424b7ec1cace6f6a33540b  locales-1.4.9-20070106-src.tar.gz
817a8f8c6eb3b19e0919ce8130d4b0de50f6fb5f  locales-1.4.9-20070106-src.zip


[SM-ANNOUNCE] SquirrelMail 1.4.9a Released

Hello All,

The SquirrelMail Project Team is proud to announce the release of
SquirrelMail 1.4.9a. This version is a security release.

The day after we released SquirrelMail 1.4.9 new cross site scripting
issues were reported and immediately fixed. Therefore the decision to
release 1.4.9a so shortly after the 1.4.9 release.

1.4.9 and 1.4.9a are addressing
the following problems since 1.4.8:
- Some security fixes (see below)
- Small enhancements
- A collection of bugfixes (see ChangeLog)

Security issues
===============
This release addresses security issues found since the release of 1.4.8:

Cross site scripting via malicious input to the mailto parameter of
webmail.php, the session and delete_draft parameters of compose.php and
via a shortcoming in the magicHTML filter.

This is CVE-2006-6142. Thanks to Martijn Brinkers for his continued research
that uncovered these issues.

We've also changed SquirrelMail attachment handling to work around an issue
in Internet Explorer: the browser will attempt to guess the MIME type of
attachments based on content, not the MIME header we send. Attachments could
fake to be a 'harmless' image/jpeg, while they were in fact HTML that

Thijs Kinkhorst | 2 Dec 16:47

[SM-ANNOUNCE] SquirrelMail 1.4.9 Released

Hello All,

The SquirrelMail Project Team is proud to announce the release of
SquirrelMail 1.4.7. This version is a maintenance release, addressing
the following problems since 1.4.6:
- Some security fixes (see below)
- Small enhancements
- A collection of bugfixes (see ChangeLog)

Security issues
===============

This release addresses security issues found since the release of 1.4.8:

Cross site scripting via malicious input to the mailto parameter of
webmail.php, the session and delete_draft parameters of compose.php and
via a shortcoming in the magicHTML filter.

This is CVE-2006-6142. Thanks to Martijn Brinkers for his continued
research that uncovered these issues.

We've also changed SquirrelMail attachment handling to work around an
issue in Internet Explorer: the browser will attempt to guess the MIME
type of attachments based on content, not the MIME header we send.
Attachments could fake to be a 'harmless' image/jpeg, while they were
in fact HTML that Internet Explorer would render.

Further details on SquirrelMail vulnerabilities can be found at the
following address:
