Hello All,

The SquirrelMail Project Team is proud to announce the release of SquirrelMail 1.4.9a. This version is a security release. The day after we released SquirrelMail 1.4.9, new cross-site scripting issues were reported and immediately fixed, hence the decision to release 1.4.9a so shortly after 1.4.9.

1.4.9 and 1.4.9a address the following problems since 1.4.8:

- Some security fixes (see below)
- Small enhancements
- A collection of bugfixes (see ChangeLog)

Security issues
===============

This release addresses security issues found since the release of 1.4.8:

Cross-site scripting via malicious input to the mailto parameter of webmail.php, the session and delete_draft parameters of compose.php, and via a shortcoming in the magicHTML filter. This is CVE-2006-6142. Thanks to Martijn Brinkers for his continued research that uncovered these issues.

We've also changed SquirrelMail attachment handling to work around an issue in Internet Explorer: the browser will attempt to guess the MIME type of attachments based on content, not the MIME header we send. An attachment could claim to be a 'harmless' image/jpeg while in fact being HTML that Internet Explorer would render.

After the release of 1.4.9, Martijn Brinkers again discovered new cross-site scripting issues in the magicHTML filter. The newly discovered issues have to do with the wide interpretation of the words expression and url by IE browsers. As a second issue, Martijn Brinkers found that the @import statement in stylesheets could be misused.

Further details on SquirrelMail vulnerabilities can be found at the following address:
http://www.squirrelmail.org/security/

Package md5sums
===============

3adf66bfe2e816ba8375cf811d8ef3f6  squirrelmail-1.4.9a.tar.bz2
5b19f8cc5badef91d1f2410df41564bc  squirrelmail-1.4.9a.tar.gz
a9e108418b0a42763a1d29a267fa7168  squirrelmail-1.4.9a.zip

Download at:
http://www.squirrelmail.org/download.php

Happy SquirrelMailing!
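The release notes name three stylesheet constructs that the magicHTML filter had to catch (IE's expression(), url() and the @import rule) and point at the browser's "wide interpretation" of them as the reason the first fix fell short. The following is an added illustration, not SquirrelMail's own filter code, of the defensive idea behind such a fix: normalise the style text first (strip comments, decode CSS hex escapes, drop control characters, fold case and whitespace) and only then look for the forbidden keywords, so a spelling the browser still honours cannot slip past a plain substring search. The leniencies handled are assumptions drawn from standard CSS tokenisation, the sample inputs are constructed for the demonstration, and the reject-whole-block policy is a design choice of this example rather than anything the notes prescribe.

```python
import re

# Stylesheet constructs the 1.4.9/1.4.9a notes say the magicHTML filter had to
# catch: IE's expression(), url() and the @import rule. They are matched after
# normalisation, so the patterns themselves can stay simple.
FORBIDDEN = [
    ("expression", re.compile(r"expression\s*\(")),  # IE dynamic properties run script
    ("url", re.compile(r"url\s*\(")),                # external fetch / scheme smuggling
    ("@import", re.compile(r"@import")),             # pulls in a stylesheet we never saw
]


def normalize_css(css):
    """Reduce a style fragment to the form a lenient browser effectively parses.

    Assumed leniencies (standard CSS tokenisation, plus what the notes call IE's
    'wide interpretation'): comments may split a keyword, letters may be written
    as hex escapes, case is insignificant, and whitespace is free-form.
    """
    # 1. Drop /* ... */ comments; "exp/**/ression" must read as "expression".
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.S)

    # 2. Decode CSS hex escapes: backslash, 1-6 hex digits, optional one whitespace.
    def _hex_escape(m):
        cp = int(m.group(1), 16)
        return chr(cp) if 0 < cp < 0x110000 else ""

    css = re.sub(r"\\([0-9a-fA-F]{1,6})\s?", _hex_escape, css)
    # 3. Any other backslash escapes the following character literally.
    css = re.sub(r"\\(.)", r"\1", css, flags=re.S)
    # 4. Remove control characters that browsers ignore but naive filters do not.
    css = re.sub(r"[\x00-\x08\x0b\x0e-\x1f\x7f]", "", css)
    # 5. Collapse whitespace and fold case.
    return re.sub(r"\s+", " ", css).lower()


def find_forbidden(css):
    """Names of the forbidden constructs present in `css` after normalisation."""
    norm = normalize_css(css)
    return [name for name, pat in FORBIDDEN if pat.search(norm)]


def sanitize_style(css):
    """Reject-on-sight: a style block containing any forbidden construct is dropped
    whole. Surgically removing the offending token is how filters get bypassed; an
    allow-list of permitted properties would be stricter still."""
    return "" if find_forbidden(css) else css


# Constructed sample inputs (not taken from the advisory) and the expected verdicts.
SAMPLES = [
    ("color: red; background: white", []),
    ("width: expression(document.body.clientWidth + 'px')", ["expression"]),
    ("width: exp/**/ression(1)", ["expression"]),          # comment-split keyword
    ("width: \\65xpression(1)", ["expression"]),           # \65 is a hex escape for 'e'
    ("background: URL ( http://example.invalid/x.png )", ["url"]),
    ("@IMPORT 'http://example.invalid/a.css';", ["@import"]),
]

if __name__ == "__main__":
    for css, expected in SAMPLES:
        verdict = find_forbidden(css)
        status = "ok " if verdict == expected else "BAD"
        print(f"{status} {css!r:55} -> {verdict}")
```

Running the file prints one line per sample with the constructs detected; the interesting cases are the last four, where a direct search for the literal strings "expression(", "url(" or "@import" in the raw input finds nothing, yet the normalised text is exactly what the browser ends up evaluating. The same approach generalises to any keyword-based filter applied to user-supplied CSS: decide what the consumer's parser will see, canonicalise to that, then match.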
--
Marc Groot Koerkamp
SquirrelMail Project Team

--
squirrelmail-users mailing list
List Info: https://lists.sourceforge.net/lists/listinfo/squirrelmail-users