All,

Minor typo: This release is version 1.4.9 of course, not 1.4.7. It addresses issues contained in version 1.4.8 and lower. :-)

Happy Squirreling!

Paul Lesniewski
SquirrelMail Project Team

> The SquirrelMail Project Team is proud to announce the release of
> SquirrelMail 1.4.7. This version is a maintenance release, addressing
> the following problems since 1.4.6:
> - Some security fixes (see below)
> - Small enhancements
> - A collection of bugfixes (see ChangeLog)
>
> Security issues
> ===============
>
> This release addresses security issues found since the release of 1.4.8:
>
> Cross site scripting via malicious input to the mailto parameter of
> webmail.php, the session and delete_draft parameters of compose.php and
> via a shortcoming in the magicHTML filter.
>
> This is CVE-2006-6142. Thanks to Martijn Brinkers for his continued
> research that uncovered these issues.
>
> We've also changed SquirrelMail attachment handling to work around an
> issue in Internet Explorer: the browser will attempt to guess the MIME
> type of attachments based on content, not the MIME header we send.
> Attachments could fake to be a 'harmless' image/jpeg, while they were
> in fact HTML that Internet Explorer would render.
>
> Further details on SquirrelMail vulnerabilities can be found at the
> following address:
>
> http://www.squirrelmail.org/security/
>
> We strongly encourage any persons uncovering security issues to
> contact the SquirrelMail team via security <at> squirrelmail.org.
>
> Package md5sums
> ===============
>
> b3dc6e3c5accb9b88bf6ebfd87336b96 squirrelmail-1.4.9.tar.bz2
> 5a3ecbda6d8378c68fa40b4ac5b2d487 squirrelmail-1.4.9.tar.gz
> 875848f25d481b59552d4e93aaacba4c squirrelmail-1.4.9.zip
>
>
> Download at:
>
> http://www.squirrelmail.org/download.php
>
> Happy SquirrelMailing!
>
> --
> Thijs Kinkhorst
> SquirrelMail Project Team
--
squirrelmail-users mailing list
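The Internet Explorer content-sniffing issue described in the announcement, as an added example that is not part of the original message and is not SquirrelMail's code: a Python check that compares an attachment's declared MIME type with its leading bytes and forces a download when they disagree. The signature table, the 256-byte window, the function name and the sample bodies are constructed assumptions.

```python
# Added example: constructed signatures and samples, not SquirrelMail code.
import re

# Leading magic bytes for image types a webmail client might display inline.
IMAGE_MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

# Markup tokens that a content-sniffing browser could treat as HTML.
HTML_HINT = re.compile(
    rb"<\s*(!doctype|html|head|body|script|iframe|img|title|plaintext)", re.I
)

SNIFF_WINDOW = 256  # assumption: only the leading bytes are inspected


def classify_attachment(declared_type: str, body: bytes) -> dict:
    """Decide how to serve an attachment so it is never rendered as HTML."""
    declared = declared_type.split(";")[0].strip().lower()
    head = body[:SNIFF_WINDOW]
    magics = IMAGE_MAGIC.get(declared)
    magic_ok = magics is not None and any(head.startswith(m) for m in magics)
    looks_html = bool(HTML_HINT.search(head))
    if magic_ok and not looks_html:
        # Content agrees with the declared image type: inline display is fine.
        return {"mismatch": False, "content_type": declared,
                "disposition": "inline"}
    # Wrong magic bytes, markup near the start, or a type we do not display:
    # serve as a generic download so the declared header is never trusted.
    return {
        "mismatch": magics is not None,  # claimed to be an image, but is not
        "content_type": "application/octet-stream",
        "disposition": "attachment",
    }


# Constructed sample bodies (not taken from any real message).
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
FAKE_JPEG = b"<html><body><script>/* constructed */</script></body></html>"
POLYGLOT = b"\xff\xd8\xff\xe0" + b"<script>/* constructed */</script>"

if __name__ == "__main__":
    for name, body in (("real", REAL_JPEG), ("fake", FAKE_JPEG),
                       ("polyglot", POLYGLOT)):
        print(name, classify_attachment("image/jpeg", body))
```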