/***************************************************************** * Release Notes: SquirrelMail 1.4.10a * * The "Visculamia Reloaded" Release * * 10 May 2007 * *****************************************************************/ In this edition of SquirrelMail Release Notes: * All about this Release! * Locales / Translations / Charsets * Security issues * Major updates * A note on plugins * Reporting my favorite SquirrelMail 1.4 bug All about this release ====================== This version, 1.4.10a is a maintenance release, addressing the following problems since 1.4.9a: - Some security fixes (see below) - Small enhancements - A collection of bugfixes and stability enhancements (see ChangeLog for a full list) Version 1.4.10a was released shortly after 1.4.10 which had a regression in compose with just one identity defined. Locales / Translations / Charsets ================================= Since the release of 1.4.4, the the translations for SquirrelMail are no longer part of the main package but have to be downloaded separately; either in one large file or an individual language. You can find these packages through our homepage. They also contain instructions on how to install. That release also introduced a backport of the new Character set decoding functions from the development branch, vastly increasing the number of supported character sets and decoding performance. Security issues =============== This release addresses security issues found since the release of 1.4.9a: There's an ongoing battle to further secure the HTML filter against malicious HTML mail and the browsers that accept almost any malformed piece of HTML. This release contains fixes for the following: - HTML attachments containing "data:" URLs; - Internet Explorer in various versions accepts many permutations of HTML and JavaScript in many charsets. We now properly canonicalize the incoming HTML to us-ascii before applying further filters. IE only. - Request forgery through images. It was possible to include "images" in HTML mails which were in fact GET requests for the compose.php page sending mail. These images are now properly detected, and the compose form will only send mail through a POST request. Thanks to Mikhail Markin, Tomas Kuliavas and Michael Jordon for reporting (parts of) these issues and working with us to get them resolved. These are known as CVE-2007-1262 and CVE-2007-2589. Major updates in 1.4 ==================== The 1.4.x series (as a result of 1.3 developent series) brings: * A complete rewrite of the way we send mail (Deliver-class), and of the way we parse mail (MIME-bodystructure parsing). This makes SquirrelMail more reliable and more efficient at the same time! * Support for IMAP UID which makes SquirrelMail more reliable. * Optimizations to code and the number of IMAP calls; SquirrelMail is now a very scalable webmail solution. * Support for a wider range of authentication mechanisms. * Lots of bugfixes, some new features and a couple of UI-tweaks. A note on plugins ================= There have been major plugin architecture improvements since 1.2.x. Lots of plugins have not yet been adapted to this. Plugins which are distributed with this release (eg. in the same .tar.gz file) should work. Plugin authors will need some time to adapt their plugins, so quite a few plugins that did work with 1.2.x might not work with 1.4.x. So if you have ANY problem at all, first try turning off all plugins. If one plugin seems to be the culprit, contact the author to see if a 1.4.x version is underway. Plugins that worked with previous 1.4.x versions should continue to work without changes with this version. Reporting my favorite SquirrelMail 1.4 bug ========================================== We constantly aim to make SquirrelMail even better. So we need you to submit any bug you come across! Also, please mention that the bug is in this 1.4.9a release, and list your IMAP server and webserver details. http://www.squirrelmail.org/bugs Thanks for your cooperation with this. That helps us to make sure nothing slips through the cracks. Also, it would help if people would check existing tracker items for a bug before reporting it again. This would help to eliminate duplicate reports, and increase the time we can spend CODING by DECREASING the time we spend sorting through bug reports. And remember, check not only OPEN bug reports, but also closed ones as a bug that you report MAY have been fixed in our source code repository already. Any questions about installing or using SquirrelMail can be directed to our user support list: squirrelmail-users@lists.sourceforge.net If you want to join us in coding SquirrelMail, or have other things to share with the developers, join the development mailinglist: squirrelmail-devel@lists.sourceforge.net Happy SquirrelMailing! - The SquirrelMail Project Team