The security fix to map_yp_alias in 1.4.18 turned out to be incomplete. We also experienced some regressions in the updated filter plugin. Both are addressed in this new release, 1.4.19, which contains a few other small fixes as well. If you do not use map_yp_alias or the filters plugin and have already installed 1.4.18, there is no urgent need to upgrade now.
- Removed use of session_unregister() for compatibility with PHP 5.3.0 and PHP 6.
- Fixed the Filters plugin to allow commas in filter criteria text and not to error out when spam-scanning only unread mail.
- Resend cookie to browser after session ID regeneration so it gets the right cookie parameters.
- In SMTP, when we EHLO with an IP, wrap it in brackets (#2793154).
- The shell escaping fix in map_yp_alias (CVE-2009-1579) was incomplete. Thanks Michal Hlavinka for noticing this. [CVE-2009-1381]
The most notable changes in this version are several security fixes, including a couple of XSS exploits, a session fixation issue, and an obscure but dangerous server-side code execution hole. This version also includes three new languages and more than a few enhancements to the filters plugin, the address book system and other things under the hood.
- Fixed port detection in automatic base URL detection scheme (get_location()). (#2388423)
- Added informational type option widget.
- Added password type option widget.
- Fixed filters plugin to allow spam filters to scan multiple messages, rather than the first message returned. (#1634735)
- Removed code from the spam filters plugin that stopped it from falling back to searching all messages when there were no new messages.
- Altered filters plugin to issue single move/delete statement for multiple messages.
- Updated some core code, and several plugins, to not use code marked as obsolete.
- Corrected sqimap_msgs_list_copy to actually copy messages, rather than move.
- Created new sqimap_msgs_list_move to move messages.
- Migrated some fetch handling code from the dev branch, in preparation for updating some core functionality to allow code reuse.
- Make address book file permissions 0600, the same as preference files.
- Fix for address book nicknames that contain the : character.
- Ensure that hash directory computation is the same on both 32 and 64 bit architectures. (#2596879)
- Allow multiple addresses in one abook entry (separated with commas), although we HIGHLY DISCOURAGE grouping in this manner; among other issues that can come up, sizing for large groups will be a problem. (#2611967)
- Added Tamil translation (Thanks to Kengatharaiyer Sarveswaran).
- Added Bengali (Bangladesh) translation (Thanks to Jamil Ahmed).
- Moved documentation to doc/ directory and added example .htaccess files in all directories to which browsers don't need direct access.
- Date headers in outgoing messages have been brought into RFC 822 compliance (removed time zone name). (#1849410)
- Default Content-Transfer-Encoding is now RFC-compliant "7bit" instead of "us-ascii". (#1942060)
- Outgoing attachments that have lines longer than allowed by the RFC are now encoded so they are not corrupted by artificial line folds. Thanks to Kelly Fallon. (#2226470, #1473714)
- Converted Italian (it_IT) to UTF-8.
- Converted Czech (cs_CZ) to UTF-8.
- Converted Hungarian (hu_HU) to UTF-8.
- Added Khmer translation (Thanks to Khoem Sokhem).
- Remove ability for HTML emails to use CSS positioning to overlay SquirrelMail content (Thanks to Luc Beurton). (#2723196) [CVE-2009-1581]
- Fixed improper sanitizing of PHP_SELF and the lack of sanitizing of QUERY_STRING server environment variables (Thanks to Niels Teusink and Christian Balzer). [CVE-2009-1578]
- Fixed the lack of sanitizing of contrib/decrypt_headers.php input; also includes general cleanup of that page (Thanks to Niels Teusink). [also CVE-2009-1578]
- Fixed unsanitized shell command in example IMAP username mapping function (map_yp_alias) (Thanks to Niels Teusink). [CVE-2009-1579]
- Fixed session fixation issues where someone who can modify a user's cookies could gain control of their login session. The SquirrelMail base URI is now uniformly generated, extraneous cookies are cleaned up and session IDs are regenerated upon every login (Thanks to Tomas Hoger). [CVE-2009-1580]
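The session fixation countermeasures in the last item (regenerate the session ID on login, re-send the cookie with the intended parameters, clean up stray cookies), as an added PHP example that is not SquirrelMail's own code; it assumes PHP 7.3 or later and constructs its own cookie name and user table.

```php
<?php
// Added example, not SquirrelMail's own code: a login handler applying the
// countermeasures described in the release notes. Assumes PHP 7.3+; the
// cookie name and the user table below are constructed for this example.

const SESSION_NAME = 'SQMSESSID';   // constructed placeholder cookie name

// Constructed demo user table: password hashes only, never plaintext.
$DEMO_USERS = ['alice' => password_hash('correct horse battery', PASSWORD_DEFAULT)];

function cookie_params(string $base_uri): array {
    // Scope the cookie to the application's base URI, keep it away from
    // scripts (HttpOnly) and send it only over TLS when the request used TLS.
    return [
        'path'     => $base_uri,
        'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
        'httponly' => true,
        'samesite' => 'Lax',
    ];
}

function start_session(string $base_uri): void {
    session_name(SESSION_NAME);
    session_set_cookie_params(cookie_params($base_uri));
    session_start();
}

function verify_credentials(array $users, string $user, string $password): bool {
    // Always run password_verify() so unknown and known users cost the same.
    $known = isset($users[$user]);
    $hash  = $known ? $users[$user] : password_hash('dummy', PASSWORD_DEFAULT);
    return password_verify($password, $hash) && $known;
}

function login(array $users, string $user, string $password, string $base_uri): bool {
    if (!verify_credentials($users, $user, $password)) {
        return false;
    }
    // Drop whatever ID the browser arrived with (it may have been chosen by
    // someone else) and issue a fresh one; true deletes the old session data.
    session_regenerate_id(true);
    // Re-send the cookie explicitly so the new ID is stored with the
    // parameters above, not whatever defaults applied when it was created.
    setcookie(SESSION_NAME, session_id(), cookie_params($base_uri));
    // A stale copy of the cookie on the site root would shadow the scoped one
    // and cannot be detected server-side, so expire it unconditionally.
    if ($base_uri !== '/') {
        setcookie(SESSION_NAME, '', ['expires' => 1, 'path' => '/']);
    }
    $_SESSION['user'] = $user;
    return true;
}
```

Call start_session() before login() in the request; the cookie must be issued before any output is sent.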