squirrelmail-1.4.20-0.RC2.2mdv2010.0.noarch.rpm

/*****************************************************************
 * Release Notes: SquirrelMail 1.4.18                            *
 * The "Karate Kid" Release                                      *
 * 11 May 2009                                                   *
 *****************************************************************/

In this edition of SquirrelMail Release Notes:
   * All about this Release!
   * Locales / Translations / Charsets
   * Security issues
   * Major updates
   * Reporting your favorite SquirrelMail bug


All about this release
======================

This release addresses some security problems in SquirrelMail, adds
several new language translations, makes some improvements to the
filters plugin and the address book system, and addresses several
other small bug fixes and improvements.

Notable changes:
 * Security fixes - see below.
 * New languages: Bangladeshi Bengali, Khmer, Tamil

For a more complete list of changes, please see the file "ChangeLog"
in the doc/ directory.

Security issues
===============

Two issues were fixed that both allowed an attacker to run arbitrary
script (XSS) on almost any SquirrelMail page by getting the user to
click on specially crafted SquirrelMail links.  We would like to thank
Niels Teusink and Christian Balzer for reporting these issues to us.
These are tracked as CVE-2009-1578.

An issue was fixed wherein input to the contrib/decrypt_headers.php
script was not sanitized and allowed arbitrary script execution upon
submission of certain values. We would like to thank Niels Teusink for
reporting this issue to us.  This is also tracked as CVE-2009-1578.

An issue was fixed that allowed arbitrary server-side code execution
when SquirrelMail was configured to use the example "map_yp_alias"
username mapping functionality.  We would like to thank Niels Teusink
for reporting this issue to us.  This is tracked as CVE-2009-1579.

An issue was fixed that allowed an attacker to possibly steal user
data by hijacking the SquirrelMail login session.  We would like to
thank Tomas Hoger for reporting this issue to us.  This is tracked
as CVE-2009-1580.

An issue was fixed that allowed phishing and cross-site scripting
(XSS) attacks to be run by surreptitious placement of content in
specially-crafted emails sent to SquirrelMail users.  We would like to
thank Luc Beurton for reporting this issue to us.  This is tracked
as CVE-2009-1581.

Locales / Translations / Charsets
=================================

Since the release of SquirrelMail 1.4.4, translations are no longer
a part of the main package.  They are now downloaded separately; you
can obtain all languages in one package or get an individual language.
You can find these packages on our web site. They also contain
installation instructions.

The release of SquirrelMail 1.4.4 also introduced a backport of the
new Character set decoding functions from our development code branch,
vastly increasing the decoding performance and the number of supported
character sets.


Major updates in 1.4
====================

The 1.4.x series (as a result of the 1.3 development series) brings:

* A complete rewrite of the way we send mail (Deliver class),
  and of the way we parse mail (MIME bodystructure parsing).
  This makes SquirrelMail more reliable and more efficient
  at the same time!
* Support for IMAP UID which makes SquirrelMail more reliable.
* Optimizations to code and the number of IMAP calls; SquirrelMail
  is now a very scalable webmail solution.
* Support for a wider range of authentication mechanisms.
* Lots of bugfixes, some new features and a couple of UI-tweaks.


Reporting your favorite SquirrelMail bug
========================================

We constantly aim to make SquirrelMail even better. So we need you to
submit any bug you come across! However, before you do so, please have
a look at our various support resources to make sure the issue isn't
already known or solved:

   http://squirrelmail.org/docs/admin/admin-10.html
   http://squirrelmail.org/docs/admin/admin-12.html
   http://squirrelmail.org/wiki/KnownBugs
   http://squirrelmail.org/wiki/SolvingProblems

You should also search existing tracker items for your issue (remember
to check for CLOSED and PENDING items as well as OPEN ones) - if you
find such an (open) item, please do add any more details you have to
it to help us fix and close the bug report.

When reporting a new bug, please mention what SquirrelMail release(s)
it pertains to, and list as many details about your system as possible,
including your IMAP server and web server details.

   http://squirrelmail.org/bugs

Thanks for your cooperation! This helps us to make sure nothing slips
through the cracks. 

Any questions about installing or using SquirrelMail can be directed
to our user support list:

   squirrelmail-users@lists.sourceforge.net

When posting support requests there, please carefully follow our posting
guidelines:

   http://squirrelmail.org/postingguidelines

If you want to join us in coding SquirrelMail, or have other things to
share with the developers, join the development mailing list:

   squirrelmail-devel@lists.sourceforge.net


                  Happy SquirrelMailing!

                    - The SquirrelMail Project Team