SquirrelMail is a PHP e-mail client that is widely used to offer web-based e-mail. The development team has recently declared version 1.4.3 stable; it closes a number of security holes and improves the interface here and there. The release notes and the changelog read as follows:
We are pleased to announce the release of SquirrelMail 1.4.3. This is a very important release as there were a number of XSS issues uncovered and resolved. Many thanks to Eyal Udassin, Roman Medina and others for reporting the issues. As the previous release contained issues, it is STRONGLY advised that all users upgrade to the latest release. This release contains a number of bug fixes (including security-based issues) and some minor user interface tweaks.
- Fix form functions default parameter.
- Disabled Korean extra functions, because they don't provide all required options and message composition is broken.
- Added Basque translation support.
- Fixed XSS vulnerability in content-type display in the attachment area of read_body.php discovered by Roman Medina.
- Added new preference that determines cursor focus when replying.
- HTML Filter bugfixes and further strengthening in response to some findings reported by stardust.
- Display total number of new messages in newmail-plugin popup window.
- Disabled Vietnamese and Ukrainian translations. They are done in a different language.
- Ported charset decoding support functions from SM head. Increases number of readable charsets.
- Fix SquirrelMail to work with PHP5.
- Reintroduce alternating row colors in addressbook, which had accidentally disappeared somewhere in the dark past.
- Disabled Quick-email-reporting feature in spamcop plugin (#809452). Admin can enable it by setting a variable in plugins/spamcop/setup.php.
- Fix again for Internet Explorer's stupidity of decoding characters, then executing it blindly. See http://www.securityfocus.com/archive/1/340118.
- Replaced obsolete 2mbit.com RBL with ahbl.org RBL (#829887).
- Fixed sorting of sent_subfolders. Sent_subfolder plugin is hooked to special_mailbox hook. Stable 1.4 tracker #699920.
- New hook function: boolean_hook_function(). Used for true/false hooks.
- Fixed special_mailbox hook to allow more than one hooked plugin (#870365).
- Added new reply citation to include date and author.
- Fix some XSS issues.
- Norwegian Bokmal translation uses nb_NO.
- Improve display of some unparsable/absent dates (#891354).
- Added non-anonymous LDAP bind and bind protocol patches from devel.
- Add comment (Highest,Normal,Lowest) to X-Priority header.
- Make writing of preferences, abook, calendars fail better when disk full (#915527).
- Fix quoteimap() regex escaping problem (#921291).
- Added international date format support (#927264).
- Fixed "Resume Draft" to use correct identity (#845290).
- Fixed RFC2821 incompliancy by adding a fallback mechanism to HELO if EHLO is not supported.
- Fixed RFC2298 incompliancy by setting envelope sender to null.
- Allow single quotes to be used in theme name in conf.pl (#805309).
- Do not present special folders as renameable/deleteable (#816881).
- Fixed on the fly decoding of base64 encoded attachments.
- Fixed message rejects by the postfix sendmail wrapper when attachments were involved.
- Fixed scenario where just created special folders were not displayed on first login.
- Fixed wrong folding of headerlines in composed messages containing long email addresses.
- Fixed date display bug for messages of today. Show short format in case of long format (only occurs in the timeframe around 0:00 AM till timezone).
- Use Special Folder Color config option works again (#931956).
- In POP3-class, be more liberal regarding RFC-incompliant POP3-servers.