/***************************************************************** * Release Notes: SquirrelMail 1.4.9a * * The "Brinky Brinkers Reloaded" Release * * 3 December 2006 * *****************************************************************/ In this edition of SquirrelMail Release Notes: * All about this Release! * Locales / Translations / Charsets * Security issues * Major updates * A note on plugins * Reporting my favorite SquirrelMail 1.4 bug All about this release ====================== This version, 1.4.9a is a maintenance release, addressing the following problems since 1.4.8: - Some security fixes (see below) - Small enhancements - A collection of bugfixes (see ChangeLog for a full list) Locales / Translations / Charsets ================================= Since the release of 1.4.4, the the translations for SquirrelMail are no longer part of the main package but have to be downloaded separately; either in one large file or an individual language. You can find these packages through our homepage. They also contain instructions on how to install. That release also introduced a backport of the new Character set decoding functions from the development branch, vastly increasing the number of supported character sets and decoding performance. Security issues =============== This release addresses security issues found since the release of 1.4.8: Cross site scripting via malicious input the mailto parameter of webmail.php, the session and delete_draft parameters of compose.php and via a shortcoming in the magicHTML filter. This is CVE-2006-6142. Thanks for Martijn Brinkers for his continued research that uncovered these issues. We've also changed SquirrelMail attachment handling to work around an issue in Internet Explorer: the browser will attempt to guess the MIME type of attachments based on content, not the MIME header we send. Attachments could fake to be an 'harmless' image/jpeg, while they were in fact HTML that Internet Explorer would render. After release 1.4.9 Martijn Brinkers again discovered new cross site scripting issues in the magicHtml filter. The new discovered security issues have to do with the wide intepretation of the words expression and url by IE browsers. As second issue Martijn Brinkers that the @import statement in stylesheets could be misused. Major updates in 1.4 ==================== The 1.4.x series (as a result of 1.3 developent series) brings: * A complete rewrite of the way we send mail (Deliver-class), and of the way we parse mail (MIME-bodystructure parsing). This makes SquirrelMail more reliable and more efficient at the same time! * Support for IMAP UID which makes SquirrelMail more reliable. * Optimizations to code and the number of IMAP calls; SquirrelMail is now a very scalable webmail solution. * Support for a wider range of authentication mechanisms. * Lots of bugfixes, some new features and a couple of UI-tweaks. A note on plugins ================= There have been major plugin architecture improvements since 1.2.x. Lots of plugins have not yet been adapted to this. Plugins which are distributed with this release (eg. in the same .tar.gz file) should work. Plugin authors will need some time to adapt their plugins, so quite a few plugins that did work with 1.2.x might not work with 1.4.x. So if you have ANY problem at all, first try turning off all plugins. If one plugin seems to be the culprit, contact the author to see if a 1.4.x version is underway. Plugins that worked with previous 1.4.x versions should continue to work without changes with this version. Reporting my favorite SquirrelMail 1.4 bug ========================================== We constantly aim to make SquirrelMail even better. So we need you to submit any bug you come across! Also, please mention that the bug is in this 1.4.9a release, and list your IMAP server and webserver details. http://www.squirrelmail.org/bugs Thanks for your cooperation with this. That helps us to make sure nothing slips through the cracks. Also, it would help if people would check existing tracker items for a bug before reporting it again. This would help to eliminate duplicate reports, and increase the time we can spend CODING by DECREASING the time we spend sorting through bug reports. And remember, check not only OPEN bug reports, but also closed ones as a bug that you report MAY have been fixed in CVS already. Any questions about installing or using SquirrelMail can be directed to our user support list: squirrelmail-users@lists.sourceforge.net If you want to join us in coding SquirrelMail, or have other things to share with the developers, join the development mailinglist: squirrelmail-devel@lists.sourceforge.net Happy SquirrelMailing! - The SquirrelMail Project Team