SquirrelMail 1.4.6 Released

Hello All,

It is my proud pleasure to announce the final release of SquirrelMail
1.4.6.

This release is very important, and we strongly advise everybody to
update to the latest release.

Security Update
===============
This version contains a number of security updates that were brought
to our attention via a number of sources.

- In webmail.php, the right_frame parameter was not properly sanitized
  to deal with very lenient browsers, which allowed for cross site
  scripting or frame replacing. [CVE-2006-0188]

- In the MagicHTML function, some very obscure constructs were
  discovered to be exploitable: 'u\rl' was interpreted as 'url' (privacy
  concern), and comments could be inside keywords (allows for cross site
  scripting). Both only affect Internet Explorer users. Found by Martijn
  Brinkers and Scott Hughes. [CVE-2006-0195]

- The function sqimap_mailbox_select did not strip newlines from the
  mailbox parameter, and thereby allowed for IMAP command injection.
  Found by Vicente Aguilera. [CVE-2006-0377]

Further details on SquirrelMail vulnerabilities can be found at the
following address:

  http://www.squirrelmail.org/security/

We strongly encourage any persons uncovering Security issues to
contact the SquirrelMail team via security@....


In This Release
===============
This release contains mostly bug fixes, including corrections for PHP
behaviour changes in file handling, and some data types. Especially
running SquirrelMail on the most recent PHP versions should be much
improved.

For further information about the changes involved in this release,
please see the ChangeLog and ReleaseNotes files included with the
release.


The latest release can be downloaded from the SquirrelMail website at
http://www.squirrelmail.org/download.php

Happy SquirrelMailing
The SquirrelMail development Team