ANNOUNCE: SquirrelMail 1.4.15 RC 1 Released
May 12, 2008 by Thijs Kinkhorst
The SquirrelMail developers are happy to release the first Release Candidate for the upcoming 1.4.15 stable release. A release candidate is intended as the final public verification that a version is all right before it's declared "stable". Please try it out and report any bugs to us. See our download page for more information.
SECURITY: Spam Alert Update
Mar 27, 2008 by Fredrik Jervfors
Apparently the spammer mentioned in the previous news item has taken things a step further. Now mails about upgrading to SquirrelMail 1.4.14-rc1 are being sent out. Note that there's no such version available at this project's download page, simply because we haven't released such a version! Don't fall for the scam and install software written by a spammer. We cannot stress this enough. Installing software modified by a spammer is harmful for your system, so just don't do it. Always use our download page or your distribution's package manager to get ahold of updated versions of SquirrelMail.
SECURITY: Spam Alert
Mar 05, 2008 by Paul Lesniewski
We'd like to alert the community to the fact that, along with the long-standing spam issue detailed in our Administrator's Manual, there has been some spam circulating in the last several days that claims to be a package update notification from the SquirrelMail Team similar to the previous news item below. The message contains a link to a spoofed SquirrelMail login page that appears to harvest email addresses and passwords and then redirect back to squirrelmail.org. Please note that the SquirrelMail Team NEVER sends out direct, unsolicited messages, and will NEVER ask for your username, email address, or password. The only messages you'll ever get directly from the SquirrelMail Team are ones that come on one of our several mailing lists that require subscription.
ANNOUNCE: SquirrelMail 1.4.13 Released
Dec 14, 2007 by Jonathan Angliss
Due to the package compromise of 1.4.11, and 1.4.12, we are forced to
release 1.4.13 to ensure no confusions. While initial review didn't
uncover a need for concern, several proof of concepts show that the
package alterations introduce a high risk security issue, allowing
remote inclusion of files. These changes would allow a remote user the
ability to execute exploit code on a victim machine, without any user
interaction on the victim's server. This could grant the attacker the
ability to deploy further code on the victim's server.
We STRONGLY advise all users of 1.4.11, and 1.4.12 upgrade
immediately.
SECURITY: 1.4.12 Package Compromise
Dec 13, 2007 by Jonathan Angliss
It has been brought to our attention that the MD5 sums for the 1.4.12
package were not matching the actual package. We've been
investigating this issue, and uncovered that the package was modified
post release. This was believed to have been caused by a compromised
account from one of our release maintainers.
Further investigations show that the modifications to the code should
have little to no impact at this time. Modifications seemed to be
based around a PHP global variable which we cannot track down. The
changes made will most likely generate an error, rather than a
compromise of a system in the event the code does get executed.
Original packages, stored on secure media, have been restored to the
Sourceforge download servers, and additional signatures for the
packages are now available on the SquirrelMail download page at
http://www.squirrelmail.org/download.php
While we believe the changes made should have little impact, we
strongly recommend everybody that has downloaded the 1.4.12 package
after the 8th December, to redownload the package.
The code modifications did not make it into our source control, just
the final package. We are currently investigating older packages to
see if they were also compromised.
Once again, the original package MD5s are:
ea5e750797628c9f0f247009f8ae0e14 squirrelmail-1.4.12.tar.bz2
d17c1d9f1ee3dde2c1c21a22fc4f9d0e squirrelmail-1.4.12.tar.gz
3f6514939ea1ebf69f6f8c92781886ab squirrelmail-1.4.12.zip
We apologize for the inconvenience this may have caused.
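An added example, not part of the SquirrelMail announcement or the project's own tooling: a Python check of downloaded 1.4.12 archives against the MD5 list published above, reporting each file as OK, MISMATCH or MISSING. The function names and the download directory argument are assumptions; a matching MD5 only helps when the list comes from a source the attacker did not also alter, which is why the advisory also points to package signatures.

```python
import hashlib
import hmac
import re
from pathlib import Path

# MD5 list exactly as published in the 1.4.12 advisory above.
PUBLISHED_MD5 = """\
ea5e750797628c9f0f247009f8ae0e14 squirrelmail-1.4.12.tar.bz2
d17c1d9f1ee3dde2c1c21a22fc4f9d0e squirrelmail-1.4.12.tar.gz
3f6514939ea1ebf69f6f8c92781886ab squirrelmail-1.4.12.zip
"""

# Function names below are illustrative (assumed), not SquirrelMail code.
_LINE = re.compile(r"^([0-9a-fA-F]{32})\s+\*?(\S.*)$")


def parse_manifest(text):
    """Parse md5sum-style lines into {filename: lowercase hex digest}."""
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a '<md5> <filename>' entry")
        digest, name = m.group(1).lower(), m.group(2)
        # Refuse path components so an entry cannot point outside the directory.
        if Path(name).name != name:
            raise ValueError(f"line {lineno}: unexpected path in {name!r}")
        expected[name] = digest
    return expected


def md5_of(path, chunk=1 << 20):
    """Hash a file in chunks so large archives are not read into memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify(directory, manifest_text=PUBLISHED_MD5):
    """Return {filename: 'OK' | 'MISMATCH' | 'MISSING'} per manifest entry."""
    results = {}
    for name, want in parse_manifest(manifest_text).items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "MISSING"
        elif hmac.compare_digest(md5_of(path), want):
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"
    return results
```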
ANNOUNCE: SquirrelMail 1.4.12 Released
Dec 05, 2007 by Jonathan Angliss
We are proud to release SquirrelMail 1.4.12, containing an assortment of bugfixes, including a critical attachments issue and stability enhancements. Please see our download page. Happy SquirrelMailing!
Plugin Updates
Select Range
v3.7 on May 12, 2008
Email Footer
v0.5 on Apr 20, 2008
Lockout
v1.6 on Apr 12, 2008
Restrict Senders
v1.4 on Apr 12, 2008
Squirrel Logger
v2.2 on Apr 12, 2008
Compatibility
v2.0.11 on Mar 11, 2008
Lockout
v1.5 on Mar 11, 2008
Virtual Keyboard
v0.9.1 on Mar 4, 2008
CAPTCHA
v1.1 on Feb 13, 2008
Compatibility
v2.0.10 on Feb 13, 2008
Restrict Senders
v1.3 on Feb 13, 2008
Squirrel Logger
v2.1 on Feb 13, 2008