SECURITY: 1.4.12 Package Compromise ISSUE=9272 PROJ=30

Notification of Issue Registration

Project: ThreatManagement
Issue: SECURITY: 1.4.12 Package Compromise
Issue Number: 9272

Priority: 1   Status: Request
Date: 12/13/2007   Time: 14:15:12
Created By: jon@xxxxxxxxxxxxxxxx  

Description:
Entered on 12/13/2007 at 14:15:12 by jon@xxxxxxxxxxxxxxxx:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

All,

It has been brought to our attention that the MD5 sums for the 1.4.12
package were not matching the actual package. We've been
investigating this issue, and uncovered that the package was modified
post release. This was believed to have been caused by a compromised
account from one of our release maintainers.

Further investigations show that the modifications to the code should
have little to no impact at this time. Modifications seemed to be
based around a PHP global variable which we cannot track down. The
changes made will most likely generate an error, rather than a
compromise of a system in the event the code does get executed.

Original packages, stored on secure media, have been restored to the
Sourceforge download servers, and additional signatures for the
packages are now available on the SquirrelMail download page at
http://www.squirrelmail.org/download.php

While we believe the changes made should have little impact, we
strongly recommend everybody that has downloaded the 1.4.12 package
after the 8th December, to redownload the package.

The code modifications did not make it into our source control, just
the final package. We are currently investigating older packages to
see if they were also compromised.

Once again, the original package MD5s are:
ea5e750797628c9f0f247009f8ae0e14 squirrelmail-1.4.12.tar.bz2
d17c1d9f1ee3dde2c1c21a22fc4f9d0e squirrelmail-1.4.12.tar.gz
3f6514939ea1ebf69f6f8c92781886ab squirrelmail-1.4.12.zip

We apologize for the inconvenience this may have caused.

For any further issues, please contact myself, or the security list
security@xxxxxxxxxxxxxxxx

- --
Happy SquirrelMailing!
The SquirrelMail Development Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFHYWKoK4PoFPj9H3MRAjfTAKC0EFUlROK6RLvKy/jdfFjrl3t3hACcDc77
XBPILcvZEu4nNbemwxU8j1I=
=FJzo
-----END PGP SIGNATURE-----

Current Assignees:


 Thanks

squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
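
A way to check an already-downloaded 1.4.12 archive against the sums in the advisory above. This is an added example, not part of the original message or SquirrelMail's own tooling; the function names are assumptions, and the three digests are copied from the advisory text.

```python
import hashlib
import hmac
import os
import re
import sys

# Sums copied verbatim from the advisory above ("digest filename" layout).
ADVISORY_SUMS = """\
ea5e750797628c9f0f247009f8ae0e14 squirrelmail-1.4.12.tar.bz2
d17c1d9f1ee3dde2c1c21a22fc4f9d0e squirrelmail-1.4.12.tar.gz
3f6514939ea1ebf69f6f8c92781886ab squirrelmail-1.4.12.zip
"""

_LINE = re.compile(r"^([0-9a-fA-F]{32})\s+\*?(\S.*)$")

def parse_manifest(text):
    """Return {filename: lowercase md5 hex}; malformed lines raise instead of being skipped."""
    sums = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = _LINE.match(line.strip())
        if m is None:
            raise ValueError(f"line {n}: not a 'digest filename' entry")
        sums[m.group(2)] = m.group(1).lower()
    return sums

def md5_of(path, chunk=1 << 20):
    """Hash the file in chunks so large archives are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def check(path, sums):
    """Return 'ok', 'mismatch', or 'unlisted' for one downloaded file."""
    expected = sums.get(os.path.basename(path))
    if expected is None:
        return "unlisted"  # a renamed or unknown file is never reported as good
    return "ok" if hmac.compare_digest(md5_of(path), expected) else "mismatch"

if __name__ == "__main__":
    sums = parse_manifest(ADVISORY_SUMS)
    results = {p: check(p, sums) for p in sys.argv[1:]}
    for p, r in results.items():
        print(f"{r:9} {p}")
    sys.exit(0 if results and all(r == "ok" for r in results.values()) else 1)
```

The expected values are embedded from the signed advisory rather than fetched from the download server, since a sum served from the same place as a modified package can be modified with it.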
