Paul Lesniewski | 13 Jul 2011 00:20

[SM-ANNOUNCE] ANNOUNCE: SquirrelMail 1.4.22 Released

Greetings all,

The SquirrelMail Team is pleased to announce the release of
SquirrelMail version 1.4.22.  This release contains a large number of
performance enhancements, stability fixes and a few bug/security
fixes.

The most important thing to note when upgrading to version 1.4.22 is
that due to a fix made that standardizes the folder list display,
administrators who had their configuration file set to work around
this issue in the past will need to update their configuration.  This
will commonly affect those using Courier IMAP, but could affect others
as well.

If you have $default_sub_of_inbox set to FALSE in your main
configuration (or, using the configuration tool, see "3. Folder
Defaults" ===> "12. Default Sub. of INBOX"), and you find after
upgrade that your special folders (e.g., Trash, Drafts, Sent) are no
longer listed at the top of your folder list, please change that value
to TRUE.

Also, if you find that this upgrade prevents users from logging in
with an error such as "ERROR: Could not complete request.  Query:
CREATE "Trash" Reason Given: Invalid mailbox name.", you will need to
correct the user preference values for the problem folders.  You can
do so with commands such as the following for file-based preferences
(adjust the data directory location as needed):

   find /var/lib/squirrelmail/data/ -name '*.pref' -exec sed --in-place \
     's/trash_folder=Trash/trash_folder=INBOX.Trash/g' {} \;

Paul Lesniewski | 23 Jul 2010 08:08

[SM-ANNOUNCE] ANNOUNCE: SquirrelMail 1.4.21 Released

Greetings,

The SquirrelMail Team is pleased to announce the release of
SquirrelMail version 1.4.21.  This is primarily a maintenance release
which addresses a smattering of small issues and adds some fine-tuning
of recent changes.  It also closes two relatively low-risk security
issues.

Before this release, for environments with highly active users, the
number of security tokens could have bloated user session (and
preference) files to an unacceptable size, hurting overall
responsiveness.  This release scales back the default validity period
of security tokens from 30 days to two days, which should fix this
problem in most cases.  The administrator is always free to change
this value by specifying $max_token_age_days in
config/config_local.php.

There are also fixes for minor issues related to header folding,
faster and more resilient display of encoded subjects, quoting of
encoded addresses upon reply, provision of a subject when using
forward-as-attachment, and a few other tidbits.

This release also includes fixes for two low-risk vulnerabilities.
The first, CVE-2010-1637, allows authenticated users to use the Mail
Fetch plugin as a network/port/DNS scanner.  The second,
CVE-2010-2813, poses a denial-of-service risk when passwords
containing 8-bit characters are used to log in.  While we characterize
these issues as fairly low risk, it is nevertheless recommended that
users of previous versions of SquirrelMail upgrade at their earliest
convenience.

Paul Lesniewski | 7 Mar 2010 04:00

[SM-ANNOUNCE] ANNOUNCE: SquirrelMail 1.4.20 Released

Greetings,

The SquirrelMail Team is pleased to announce the release of
SquirrelMail version 1.4.20.  This release makes final the changes
implemented in our last two release candidates and adds several
smaller fixes and feature improvements.

Of those new fixes and improvements not included in our last release
candidate, the most notable fix is that for the formerly broken search
page, but we've also fixed sorting in the Sent folder, handling of
complex mailto: addresses, display of multibyte subjects, quoting of
encoded headers, automatic installation address detection (especially
useful for lighttpd environments), a privacy issue related to DNS
prefetching of email content, and added unread links in the message
view and a Gmail IMAP configuration option.

For more complete details, see the ReleaseNotes and ChangeLog files
included in this release (in the doc/ directory).

Due to the security fixes included in our last two release candidate
packages, we advise all users of SquirrelMail versions 1.4.19 and
below to upgrade.

The latest release can be downloaded from the SquirrelMail website:

   http://squirrelmail.org/download

Package md5sums
===============
76aa7963e67edc7cea2be919f51ded72  squirrelmail-1.4.20.tar.bz2

Paul Lesniewski | 18 Aug 2009 03:00

[SM-ANNOUNCE] ANNOUNCE: SquirrelMail 1.4.20 Release Candidate 2 Now Available

Hello,

The SquirrelMail Team is pleased to bring you the second release
candidate ahead of our next SquirrelMail version: 1.4.20-RC2.  Hot on
the coattails of 1.4.20 release candidate 1, we received some helpful
feedback from our friends at Secunia Research and have followed up
with another release candidate.  The risk of using the 1.4.20 release
candidate 1 package instead of this one is very low, but we encourage
the community to help test code that we hope to release as officially
stable in the near future.  Those who can upgrade to release candidate
2 are encouraged to do so!

For more complete details, see the ReleaseNotes and ChangeLog files
included in this release (in the doc/ directory).

This release can be downloaded from the SquirrelMail website:

   http://squirrelmail.org/download

Package md5sums
===============
94015fb018cb2165fdfb3c41fd2b8065  squirrelmail-1.4.20-RC2.tar.bz2
03523e8c7ad9d630988d5001c5743b69  squirrelmail-1.4.20-RC2.tar.gz
0fbceec5b9775e72be2b42d197761bc0  squirrelmail-1.4.20-RC2.zip

Package sha1sums
================
f1cdccfdd17d8974adc0b79aba44b62f98f78f64  squirrelmail-1.4.20-RC2.tar.bz2
11e1d8142d371f169bf14deec13659847e81b67b  squirrelmail-1.4.20-RC2.tar.gz
f5db20f0bb4fa822c5733fde2e08b7cadb9c67ea  squirrelmail-1.4.20-RC2.zip

Paul Lesniewski | 12 Aug 2009 12:47

[SM-ANNOUNCE] ANNOUNCE: SquirrelMail 1.4.20 Release Candidate 1 Now Available

Greetings,

The SquirrelMail Team is pleased to bring you the first release
candidate ahead of our next SquirrelMail version: 1.4.20RC1.  Because
of the somewhat invasive nature of some of the changes we have
recently made, we are issuing a "release candidate" before we
officially move to version 1.4.20.  While we have been very careful to
ensure the stability of SquirrelMail, this version, 1.4.20 release
candidate 1, has undergone limited testing, and we'd like to have more
feedback before we make version 1.4.20 final.

The most notable changes for this version are the addition of two
security mechanisms that fight cross-site request forgeries (CSRF),
the removal of some deprecated PHP functions, some minor fixes in the
filters plugin, and increased user privacy.  For more complete
details, see the ReleaseNotes and ChangeLog files included in this
release (in the doc/ directory).

Due to the security issues fixed herein, we'd like to advise all users
of SquirrelMail software to upgrade.  However, because this is
technically a "release candidate", it may be most prudent to test
your upgrade before putting it into production use.  We are confident
that most systems will not experience any trouble, but we'll be happy
to work with you to resolve any issues that do arise.  Your feedback
is highly appreciated.

This release can be downloaded from the SquirrelMail website:

   http://squirrelmail.org/download


Jon Angliss | 31 Jul 2009 06:42

[SM-ANNOUNCE] SECURITY: SquirrelMail Web Server Status, and Plugins Update


All,

We apologize for the extended downtime for the SquirrelMail plugins
repository, and some of the SquirrelMail site documentation.
Unfortunately due to conflicting time schedules, and some
miscommunications amongst the team (mostly my fault), the server
was unavailable for an extended length of time.

Server Status
-------------
This evening, after an extended downtime, we finally rolled to using
the new server.  XS4All.nl were gracious in loaning us an additional
server whilst we migrated our data, to the new server.  All
documentation should now be online again, and active.  If you notice
any issues with the site, please feel free to email me directly,
I'll get onto it as soon as I can.

Plugins Compromise
------------------
During the initial announcement, we'd mentioned that we did not
believe that any of the plugins had been compromised.  Further
investigation has shown that the following plugins were indeed
compromised:

  - sasql-3.2.0
  - multilogin-2.4-1.2.9
  - change_pass-3.0-1.4.0

Parts of these code changes attempt to send mail to an offsite

Jon Angliss | 18 Jun 2009 19:50

[SM-ANNOUNCE] SECURITY: SquirrelMail Web Server Compromise


It was recently discovered that the SquirrelMail webserver had
been compromised. The project administrators took immediate
action to mitigate any further compromises, locking all accounts
out, and resetting critical passwords.

At this time, the SquirrelMail project administrators have shut
down access to the original server, and put a temporary hold on
access to the plugins. It is believed that none of the plugins
have been compromised, but further investigations are still
being executed.

The compromise of this server does not include a compromise of
the source control, which is hosted on a separate repository
managed by SourceForge.

Further details will be published as soon as the details have
been uncovered.

--
Jon Angliss
   SquirrelMail Team

Thijs Kinkhorst | 21 May 2009 20:02

[SM-ANNOUNCE] ANNOUNCE: SquirrelMail 1.4.19 Released

Greetings,

The security fix to map_yp_alias in 1.4.18 turned out to be incomplete. We
also experienced some regressions in the updated filter plugin. Both are
addressed in this new release 1.4.19 which contains a few other small fixes
as well.

If you do not use map_yp_alias or the filters plugin there's no urgent need to 
upgrade now if you already installed 1.4.18. If you are still on an older 
release than 1.4.18 (or use the mentioned functionality) we do urge you to 
upgrade as soon as possible as 1.4.18 and 1.4.19 combined fix some important 
security issues. Those using the development branch (1.5.x) should install a 
recent SVN snapshot.

The latest release can be downloaded from the SquirrelMail website:

   http://squirrelmail.org/download

Package md5sums
===============
b7c5ebf0a57fe3511042a740ff1b5710  squirrelmail-1.4.19.tar.bz2
bf71b282361cd9fe65781bb17ecd7704  squirrelmail-1.4.19.tar.gz
30a69a3e37d493bd915e47dc6cda9f9a  squirrelmail-1.4.19.zip

Package sha1sums
================
14b66bd470a36750ed4d4a0c8bfc27523639dd5d  squirrelmail-1.4.19.tar.bz2
673e5da4018c854ff6e8a7ea24ce754d28ce7fc3  squirrelmail-1.4.19.tar.gz
a041c0fdb8b41455daefe2d31d2bb268210d14c0  squirrelmail-1.4.19.zip


Paul Lesniewski | 18 May 2009 10:52

[SM-ANNOUNCE] ANNOUNCE: SquirrelMail Needs Your Help - Please Donate!

Dear Friends,

SquirrelMail is currently celebrating 10 years of providing free, Open
Source Software to the world.  We have a lot to be grateful for and
many people to thank for how successful we've been!  SquirrelMail is
included in most major Linux distributions and is independently
downloaded by tens of thousands of people every month, which might
even make it more widespread than some of the biggest free webmail
providers.  And, proving that Open Source really works, our popularity
has allowed us to collaborate with countless talented individuals who
have helped us keep SquirrelMail safe, up to date and full of new
features.

But fame has its price.  ;-)  SquirrelMail has always been run by a
small group of volunteers, and we've never been paid for our efforts.
We do it because this is our passion; we do it for the love and the
fun.  But running a high-profile project means that there is a
plethora of work from which no one gets much fun (or love).  That's
taken its toll -- our numbers have dwindled and our visionary
initiatives for our next big release have had to take a back seat to
ongoing maintenance, such as responding to bug reports, looking over
plugin and patch submissions, fixing security vulnerabilities,
answering voluminous amounts of email on our mailing lists, and a slew
of other responsibilities.  Oh, and then there's paying the bills,
family time, and cleaning the kitchen....

So it's time to ask our community to give back just a little bit.  In
the best scenario, SquirrelMail should be able to support one or two
people working full time.  To some, this may seem overly ambitious,
but we don't think so.  Think of the good money that has been raised

Paul Lesniewski | 12 May 2009 08:48

[SM-ANNOUNCE] ANNOUNCE: SquirrelMail 1.4.18 Released

Greetings,

The SquirrelMail Team is pleased to announce the release of
SquirrelMail version 1.4.18.  The most notable changes for this
version are several security fixes, including a couple XSS exploits, a
session fixation issue, and an obscure but dangerous server-side code
execution hole.  However, this version also includes three new
languages and more than a few enhancements to things such as the
filters plugin, the address book system and other things under the
hood.  For more complete details, see the ReleaseNotes and ChangeLog
files included in this release (they have moved to the doc/
directory).  We advise all users of SquirrelMail software to upgrade.

The latest release can be downloaded from the SquirrelMail website:

   http://squirrelmail.org/download

Package md5sums
===============
2df99afc1bc3b121296af65f52fbc5cc  squirrelmail-1.4.18.tar.bz2
5e870d2f5b57b4b0e42497cb0a0fae5e  squirrelmail-1.4.18.tar.gz
b7b87b73797633c8d92d3da95d7e97c9  squirrelmail-1.4.18.zip

Package sha1sums
================
18872d8ad72f3415672344318901beb9d4d8a860  squirrelmail-1.4.18.tar.bz2
25be33dec86419f07ab8d5b8d41d0e3eed7d2c52  squirrelmail-1.4.18.tar.gz
eb600ab91f78dc6dbbfb029c6521b728f0e624f7  squirrelmail-1.4.18.zip

**** The SquirrelMail team can use your help! ****

Paul Lesniewski | 4 Dec 2008 06:53

[SM-ANNOUNCE] ANNOUNCE: SquirrelMail 1.4.17 Released

Hello All,

The SquirrelMail team is happy to announce the release of version 1.4.17.  The
most notable change is a security fix that prevents certain specially-crafted
hyperlinks within messages from executing cross-site scripting attacks.  For
other details, see the ReleaseNotes file included in this release.  We advise
all users of SquirrelMail software to upgrade.

The latest release can be downloaded from the SquirrelMail website at
http://www.squirrelmail.org/download

Package md5sums
===============
6ff0df8ae0e7f13418ed37ea1c93f6f3  squirrelmail-1.4.17.tar.bz2
97a492c0cfed90679ce6683d7760d68e  squirrelmail-1.4.17.tar.gz
0e22297e91e97a4714263ee718f9ae78  squirrelmail-1.4.17.zip

Package sha1sums
================
da21a447ada4e120b82210e93a737bb4c4509c34  squirrelmail-1.4.17.tar.bz2
ac2ed4ac009405b3ab256b3b6724d7368082bee1  squirrelmail-1.4.17.tar.gz
23702cee04ebb347f5b105b60f11cff7f8dae03f  squirrelmail-1.4.17.zip

*** The SquirrelMail team can use your help! ***
We consist of volunteers developing the most popular open source webmail
client available.  We're looking for people to join our team to help keep
our product quality high and to continue to deliver new and enhanced features.
Our project offers an interesting challenge at the intersection of the IMAP,
SMTP and HTTP protocols.


