Hello All,

The SquirrelMail Project Team is proud to announce the release of SquirrelMail 1.4.10. This version is a security release.

This version, 1.4.10 is a maintenance release, addressing the following problems since 1.4.9a:

- Some security fixes (see below)
- Small enhancements
- A collection of bugfixes and stability enhancements (see ChangeLog for a full list)

Security issues
===============

This release addresses security issues found since the release of 1.4.9a:

There's an ongoing battle to further secure the HTML filter against malicious HTML mail and the browsers that accept almost any malformed piece of HTML. This release contains fixes for the following:

- HTML attachments containing "data:" URLs;
- Internet Explorer in various versions accepts many permutations of HTML and JavaScript in many charsets. We now properly canonicalize the incoming HTML to us-ascii before applying further filters. IE only.
- Request forgery through images. It was possible to include "images" in HTML mails which were in fact GET requests for the compose.php page sending mail. These images are now properly detected, and the compose form will only send mail through a POST request.

Thanks to Mikhail Markin, Tomas Kuliavas and Michael Jordon for reporting (parts of) these issues and working with us to get them resolved.

These are known as CVE-2007-1262.

Further details on SquirrelMail vulnerabilities can be found at the following address:
http://www.squirrelmail.org/security/

Package md5sums
===============

1c40402a805ee316c157f7ae71d653d6  squirrelmail-1.4.10.tar.gz
6e3ab93e8c3854ba84a03df256ed0f7d  squirrelmail-1.4.10.tar.bz2
0768994841d87fe07bd04df0edb15bea  squirrelmail-1.4.10.zip

Download at:
http://www.squirrelmail.org/download.php

Happy SquirrelMailing!

--
Thijs Kinkhorst
SquirrelMail Project Team
--
squirrelmail-users mailing list
Posting Guidelines: http://www.squirrelmail.org/wiki/MailingListPostingGuidelines
List Address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List Archives: http://news.gmane.org/thread.php?group=gmane.mail.squirrelmail.user
List Archives: http://sourceforge.net/mailarchive/forum.php?forum_id=2995
List Info: https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
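
The "data:" URL and request-forgery fixes described in the announcement have two halves: the mail HTML filter flags the offending references, and the send action refuses anything that is not a POST. The sketch below is an added example, not SquirrelMail's code; the attribute list, the `send` parameter name, the hosts and the sample HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Assumption: attributes a browser fetches automatically when the mail is displayed.
AUTO_FETCH = {"src", "background"}
# The announcement names compose.php as the page that sends mail.
STATE_CHANGING = {"compose.php"}


def normalize(url):
    """Drop whitespace and control characters, then lowercase, before matching."""
    return "".join(ch for ch in url if ch > " ").lower()


class MailHtmlAudit(HTMLParser):
    """Collects (tag, attribute, reason) for references the filter should neutralise."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names and decodes character references.
        for name, value in attrs:
            if not value or name not in AUTO_FETCH | {"href"}:
                continue
            url = normalize(value)
            if url.startswith("data:"):
                self.findings.append((tag, name, "data-url"))
            elif name in AUTO_FETCH:
                # Compare only the script name, ignoring query string and fragment.
                script = url.split("?", 1)[0].split("#", 1)[0].rsplit("/", 1)[-1]
                if script in STATE_CHANGING:
                    self.findings.append((tag, name, "request-forgery"))


def audit(html_body):
    parser = MailHtmlAudit()
    parser.feed(html_body)
    parser.close()
    return parser.findings


def may_send(method, params):
    """Server-side half: honour a send only when it arrives by POST.
    The 'send' parameter name is hypothetical."""
    return method.upper() == "POST" and "send" in params


# Constructed sample message body.
SAMPLE = (
    '<IMG SRC="http://webmail.example/src/compose.php?send_to=a@example.org&amp;send=1">'
    '<a href=" DATA:text/plain,hello">open</a>'
    '<img src="http://images.example/logo.png">'
)
```

Either half alone leaves a gap: the filter can miss a markup variant, so the POST-only check is what makes an image fetch unable to send mail.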