/***************************************************************** * Release Notes: SquirrelMail 1.4.18 * * The "Karate Kid" Release * * 11 May 2009 * *****************************************************************/ In this edition of SquirrelMail Release Notes: * All about this Release! * Locales / Translations / Charsets * Security issues * Major updates * Reporting your favorite SquirrelMail bug All about this release ====================== This release addresses some security problems in SquirrelMail, adds several new language translations, makes some improvements to the filters plugin and the address book system, and addresses several other small bug fixes and improvements. Notable changes: * Security fixes - see below. * New languages: Bangladeshi Bengali, Khmer, Tamil For a more complete list of changes, please see the file "ChangeLog" in the doc/ directory. Security issues =============== Two issues were fixed that both allowed an attacker to run arbitrary script (XSS) on most any SquirrelMail page by getting the user to click on specially crafted SquirrelMail links. We would like to thank Niels Teusink and Christian Balzer for reporting these issues to us. These are tracked as CVE-2009-1578. An issue was fixed wherein input to the contrib/decrypt_headers.php script was not sanitized and allowed arbitrary script execution upon submission of certain values. We would like to thank Niels Teusink for reporting this issue to us. This is also tracked as CVE-2009-1578. An issue was fixed that allowed arbitrary server-side code execution when SquirrelMail was configured to use the example "map_yp_alias" username mapping functionality. We would like to thank Niels Teusink for reporting this issue to us. This is tracked as CVE-2009-1579. An issue was fixed that allowed an attacker to possibly steal user data by hijacking the SquirrelMail login session. We would like to thank Tomas Hoger for reporting this issue to us. This is tracked as CVE-2009-1580. An issue was fixed that allowed phishing and cross-site scripting (XSS) attacks to be run by surreptitious placement of content in specially-crafted emails sent to SquirrelMail users. We would like to thank Luc Beurton for reporting this issue to us. This is tracked as CVE-2009-1581. Locales / Translations / Charsets ================================= Since the release of SquirrelMail 1.4.4, translations are no longer a part of the main package. They are now downloaded separately; you can obtain all languages in one package or get an individual language. You can find these packages on our web site. They also contain installation instructions. The release of SquirrelMail 1.4.4 also introduced a backport of the new Character set decoding functions from our development code branch, vastly increasing the decoding performance and the number of supported character sets. Major updates in 1.4 ==================== The 1.4.x series (as a result of 1.3 developent series) brings: * A complete rewrite of the way we send mail (Deliver class), and of the way we parse mail (MIME bodystructure parsing). This makes SquirrelMail more reliable and more efficient at the same time! * Support for IMAP UID which makes SquirrelMail more reliable. * Optimizations to code and the number of IMAP calls; SquirrelMail is now a very scalable webmail solution. * Support for a wider range of authentication mechanisms. * Lots of bugfixes, some new features and a couple of UI-tweaks. Reporting your favorite SquirrelMail bug ======================================== We constantly aim to make SquirrelMail even better. So we need you to submit any bug you come across! However, before you do so, please have a look at our various support resources to make sure the issue isn't already known or solved: http://squirrelmail.org/docs/admin/admin-10.html http://squirrelmail.org/docs/admin/admin-12.html http://squirrelmail.org/wiki/KnownBugs http://squirrelmail.org/wiki/SolvingProblems You should also search existing tracker items for your issue (remember to check for CLOSED and PENDING items as well as OPEN ones) - if you find such an (open) item, please do add any more details you have to it to help us fix and close the bug report. When reporting a new bug, please mention what SquirrelMail release(s) it pertains to, and list as many details about your system as possible, including your IMAP server and web server details. http://squirrelmail.org/bugs Thanks for your cooperation! This helps us to make sure nothing slips through the cracks. Any questions about installing or using SquirrelMail can be directed to our user support list: squirrelmail-users@lists.sourceforge.net When posting support requests there, please carefully follow our posting guidelines: http://squirrelmail.org/postingguidelines If you want to join us in coding SquirrelMail, or have other things to share with the developers, join the development mailinglist: squirrelmail-devel@lists.sourceforge.net Happy SquirrelMailing! - The SquirrelMail Project Team