All,
Minor typo: This release is version 1.4.9 of course, not 1.4.7. It
addresses issues contained in version 1.4.8 and lower. :-)
Happy Squirreling!
Paul Lesniewski
SquirrelMail Project Team
> The SquirrelMail Project Team is proud to announce the release of
> SquirrelMail 1.4.7. This version is a maintenance release, addressing
> the following problems since 1.4.6:
> - Some security fixes (see below)
> - Small enhancements
> - A collection of bugfixes (see ChangeLog)
>
> Security issues
> ===============
>
> This release addresses security issues found since the release of 1.4.8:
>
> Cross site scripting via malicious input to the mailto parameter of
> webmail.php, the session and delete_draft parameters of compose.php and
> via a shortcoming in the magicHTML filter.
>
> This is CVE-2006-6142. Thanks to Martijn Brinkers for his continued
> research that uncovered these issues.
>
> We've also changed SquirrelMail attachment handling to work around an
> issue in Internet Explorer: the browser will attempt to guess the MIME
> type of attachments based on content, not the MIME header we send.
> Attachments could pretend to be a 'harmless' image/jpeg, while they were
> in fact HTML that Internet Explorer would render.
>
> Further details on SquirrelMail vulnerabilities can be found at the
> following address:
>
> http://www.squirrelmail.org/security/
>
> We strongly encourage any persons uncovering security issues to
> contact the SquirrelMail team via security <at> squirrelmail.org.
>
> Package md5sums
> ===============
>
> b3dc6e3c5accb9b88bf6ebfd87336b96 squirrelmail-1.4.9.tar.bz2
> 5a3ecbda6d8378c68fa40b4ac5b2d487 squirrelmail-1.4.9.tar.gz
> 875848f25d481b59552d4e93aaacba4c squirrelmail-1.4.9.zip
>
>
> Download at:
>
> http://www.squirrelmail.org/download.php
>
> Happy SquirrelMailing!
>
> --
> Thijs Kinkhorst
> SquirrelMail Project Team
-------------------------------------------------------------------------
squirrelmail-announce mailing list
List Address:
squirrelmail-announce@...
List Info:
https://lists.sourceforge.net/lists/listinfo/squirrelmail-announce
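
The attachment issue described in the announcement (content that claims to be image/jpeg but is rendered as HTML by a content-sniffing browser), shown as an added example that is not part of the original message and is not SquirrelMail's code. The signature table, the HTML token list, the 256-byte window and all function names are assumptions made for illustration; they only approximate what a sniffing browser inspects.

```python
import re

# Constructed signature table: leading bytes expected for each declared image type.
IMAGE_MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
# Assumed list of tokens a content-sniffing browser may take as evidence of HTML.
HTML_TOKENS = (b"<html", b"<head", b"<body", b"<script", b"<iframe",
               b"<img", b"<table", b"<title", b"<a ", b"<!doctype")
SNIFF_WINDOW = 256  # assumed number of leading bytes a sniffer examines


def looks_like_html(data: bytes) -> bool:
    """True if the leading bytes contain markup a sniffer could act on."""
    head = data[:SNIFF_WINDOW].lower()
    return any(tok in head for tok in HTML_TOKENS)


def matches_declared_type(declared: str, data: bytes) -> bool:
    """True if the content starts with a signature of the declared image type."""
    sigs = IMAGE_MAGIC.get(declared)
    return bool(sigs) and data.startswith(sigs)


def safe_response_headers(declared: str, filename: str, data: bytes) -> dict:
    """Choose headers so that only verified images are displayed inline."""
    declared = declared.split(";")[0].strip().lower()
    # Keep only harmless characters so the name cannot break out of the header.
    name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    # A valid image signature is not enough: markup hidden in a comment
    # segment near the start of the file still falls inside the sniff window.
    if matches_declared_type(declared, data) and not looks_like_html(data):
        return {"Content-Type": declared,
                "Content-Disposition": f'inline; filename="{name}"'}
    # Anything else is offered as a download with a generic type.
    return {"Content-Type": "application/octet-stream",
            "Content-Disposition": f'attachment; filename="{name}"',
            # Honoured by later browsers; it did not exist for the IE
            # versions this announcement is about.
            "X-Content-Type-Options": "nosniff"}
```
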