On Tue, Jan 19, 2010 at 7:10 AM, <dwnek@xxxxxxxxxxxxxx> wrote:
>
> I would like to know if version 1.4.20RC2 will be dropping off the RC
> extension and be officially released any time soon. I have been running
> 1.4.19 in production since mid-2009, but it has some serious security
> vulnerabilities listed against it going back to 04/2009. One source to view
> them is, http://seclists.org/fulldisclosure/2010/Jan/232

This link lists the vulnerabilities that were fixed as of 1.4.19. If you are running 1.4.19, you are not vulnerable to any of them. There is only one security-related fix in 1.4.20 (actually 1.4.20-RC1), and it may be less likely to be used as an attack vector (but who knows). The long incubation of 1.4.20 was due to the more invasive changes to the code, however I expect to be releasing it officially in the next week or two. You are always welcome to try a 1.4.20 snapshot on our downloads page (not the release candidate package).

> Although, I would like to upgrade in order to remove these vulnerabilities,
> I am not comfortable in upgrading to a version still only listed as a
> Release Candidate.

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php

-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users