ANNOUNCE: SquirrelMail 1.4.15 Released
May 23, 2008 by Thijs Kinkhorst
We are proud to release SquirrelMail 1.4.15, containing an assortment of bugfixes accumulated since the release of 1.4.13. We've skipped the 1.4.14 version number because that one has been abused by spammers (see below). This release can as usual be found on our download page. Happy SquirrelMailing!
ANNOUNCE: SquirrelMail 1.4.15 RC 1 Released
May 12, 2008 by Thijs Kinkhorst
The SquirrelMail developers are happy to release the first Release Candidate for the upcoming 1.4.15 stable release. A release candidate is intended as the final public verification that a version is all right before it's declared "stable". Please try it out and report any bugs to us. See our download page for more information.
SECURITY: Spam Alert Update
Mar 27, 2008 by Fredrik Jervfors
Apparently the spammer mentioned in the previous news item has taken things a step further. Now mails about upgrading to SquirrelMail 1.4.14-rc1 are being sent out. Note that there's no such version available at this project's download page, simply because we haven't released such a version! Don't fall for the scam and install software written by a spammer. We cannot stress this enough. Installing software modified by a spammer is harmful for your system, so just don't do it. Always use our download page or your distribution's package manager to get ahold of updated versions of SquirrelMail.
SECURITY: Spam Alert
Mar 05, 2008 by Paul Lesniewski
We'd like to alert the community to the fact that, along with the long-standing spam issue detailed in our Administrator's Manual, there has been some spam circulating in the last several days that claims to be a package update notification from the SquirrelMail Team similar to the previous news item below. The message contains a link to a spoofed SquirrelMail login page that appears to harvest email addresses and passwords and then redirect back to squirrelmail.org. Please note that the SquirrelMail Team NEVER sends out direct, unsolicited messages, and will NEVER ask for your username, email address, or password. The only messages you'll ever get directly from the SquirrelMail Team are ones that come on one of our several mailing lists that require subscription.
ANNOUNCE: SquirrelMail 1.4.13 Released
Dec 14, 2007 by Jonathan Angliss
Due to the package compromise of 1.4.11 and 1.4.12, we are forced to
release 1.4.13 to ensure no confusion. While initial review didn't
uncover a need for concern, several proofs of concept show that the
package alterations introduce a high risk security issue, allowing
remote inclusion of files. These changes would allow a remote user the
ability to execute exploit code on a victim machine, without any user
interaction on the victim's server. This could grant the attacker the
ability to deploy further code on the victim's server.

We STRONGLY advise all users of 1.4.11 and 1.4.12 to upgrade
immediately.
SECURITY: 1.4.12 Package Compromise
Dec 13, 2007 by Jonathan Angliss
It has been brought to our attention that the MD5 sums for the 1.4.12
package were not matching the actual package. We've been
investigating this issue, and uncovered that the package was modified
post release. This was believed to have been caused by a compromised
account from one of our release maintainers.

Further investigations show that the modifications to the code should
have little to no impact at this time. Modifications seemed to be
based around a PHP global variable which we cannot track down. The
changes made will most likely generate an error, rather than a
compromise of a system in the event the code does get executed.

Original packages, stored on secure media, have been restored to the
Sourceforge download servers, and additional signatures for the
packages are now available on the SquirrelMail download page at
http://www.squirrelmail.org/download.php

While we believe the changes made should have little impact, we
strongly recommend everybody that has downloaded the 1.4.12 package
after the 8th December, to redownload the package.

The code modifications did not make it into our source control, just
the final package. We are currently investigating older packages to
see if they were also compromised.

Once again, the original package MD5s are:
ea5e750797628c9f0f247009f8ae0e14 squirrelmail-1.4.12.tar.bz2
d17c1d9f1ee3dde2c1c21a22fc4f9d0e squirrelmail-1.4.12.tar.gz
3f6514939ea1ebf69f6f8c92781886ab squirrelmail-1.4.12.zip
We apologize for the inconvenience this may have caused.
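One way to check downloaded 1.4.12 packages against the MD5 list published in the announcement above. This is an added example, not SquirrelMail project code; the function names and the strict line format are assumptions made for illustration.

```python
import hashlib
import hmac
import re
from pathlib import Path

# Checksum list exactly as published in the announcement above.
PUBLISHED_MD5 = """\
ea5e750797628c9f0f247009f8ae0e14 squirrelmail-1.4.12.tar.bz2
d17c1d9f1ee3dde2c1c21a22fc4f9d0e squirrelmail-1.4.12.tar.gz
3f6514939ea1ebf69f6f8c92781886ab squirrelmail-1.4.12.zip
"""

# Assumed format: 32 hex digits, whitespace, a plain file name (no path separators).
LINE_RE = re.compile(r"^([0-9a-f]{32})\s+\*?([A-Za-z0-9._-]+)$")

def parse_md5_list(text):
    """Parse 'digest filename' lines; refuse anything malformed."""
    expected = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        match = LINE_RE.match(line.strip())
        if match is None:
            raise ValueError(f"malformed checksum line: {line!r}")
        expected[match.group(2)] = match.group(1)
    return expected

def md5_of(path, chunk_size=1 << 20):
    """Hash the file in chunks so large archives are not read into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_downloads(directory, expected):
    """Return {filename: 'ok' | 'mismatch' | 'missing'} for each listed package."""
    results = {}
    for name, want in expected.items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "missing"
        elif hmac.compare_digest(md5_of(path), want):
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results
```

Calling `verify_downloads(".", parse_md5_list(PUBLISHED_MD5))` reports the status of each package in the current directory. A matching MD5 only shows that the file equals the one the list describes, so the list must come from a trusted channel, and the package signatures mentioned in the announcement are the stronger check.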
Plugin Updates
Mark Read
v2.0 on Aug 27, 2008
Empty Folders
v2.0 on Aug 18, 2008
Compatibility
v2.0.13 on Jul 27, 2008
Login Manager
v3.10 on Jul 27, 2008
Multilogin
v2.4 on Jul 27, 2008
Address Book Grouping and Pagination
v1.1 on Jul 20, 2008
Message Flags & Icons
v1.4.15a on Jul 19, 2008
Add Address
v1.0 on Jul 12, 2008
Compatibility
v2.0.12 on Jul 12, 2008
Same IP
v1.1 on Jul 3, 2008
Canadian Weather
v3.2.0 on Jun 27, 2008
Login: HTTP Authentication
v2.1 on Jun 23, 2008