On 7/31/09, Jim McIntyre <jmcintyre@xxxxxxxxxxxxxxxxxxxxx> wrote: > First, thanks very much, as others have said, for the thorough and > thoughtful way you handled this situation. Thanks for your understanding. >> Plugins Compromise >> - ------------------ >> During the initial announcement, we'd mentioned that we did not >> believe that any of the plugins had been compromised. Further >> investigation has shown that the following plugins were indeed >> compromised: >> >> - sasql-3.2.0 >> - multilogin-2.4-1.2.9 >> - change_pass-3.0-1.4.0 >> >> Parts of these code changes attempts to send mail to an offsite >> server containing passwords. We cannot establish a timeline of when >> these plugins were compromised. > > Are you able to ascertain whether only that version of Change Password > was compromised? As far as we know, only version 3.0 was compromised. We'd say so if we knew otherwise. > I'm using Change Password 2.7a-1.4.x - although I don't > know when I downloaded it, it was before version 3 was released - should > I be concerned about its integrity? Is there a specific place I could > look in its code for a possible exploit? As we can't be responsible for servers that we are unfamiliar with, the only thing we can say in this regard is to check file modification dates and execute your own code review if you have reason to believe you have any malicious code on your system. > I just want to be able to notify users if in fact there may have been a > risk of passwords being compromised. > > Thanks, > Jim -- Paul Lesniewski SquirrelMail Team Please support Open Source Software by donating to SquirrelMail! http://squirrelmail.org/donate_paul_lesniewski.php ------------------------------------------------------------------------------ Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july ----- squirrelmail-users mailing list Posting guidelines: http://squirrelmail.org/postingguidelines List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx List archives: http://news.gmane.org/gmane.mail.squirrelmail.user List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
