Sophie

Sophie

distrib > Mandriva > 2010.0 > i586 > media > contrib-release > by-pkgid > 1c025f937a77546674c04f23aa8ed60a > files > 217

squirrelmail-1.4.20-0.RC2.2mdv2010.0.noarch.rpm

/*****************************************************************
 * Release Notes: SquirrelMail 1.4.9a                            *
 * The "Brinky Brinkers Reloaded" Release                        *
 * 3 December 2006                                               *
 *****************************************************************/

In this edition of SquirrelMail Release Notes:
   * All about this Release!
   * Locales / Translations / Charsets
   * Security issues
   * Major updates
   * A note on plugins
   * Reporting my favorite SquirrelMail 1.4 bug


All about this release
======================

This version, 1.4.9a is a maintenance release, addressing
the following problems since 1.4.8:
- Some security fixes (see below)
- Small enhancements
- A collection of bugfixes
(see ChangeLog for a full list)


Locales / Translations / Charsets
=================================

Since the release of 1.4.4, the the translations for SquirrelMail are
no longer part of the main package but have to be downloaded separately;
either in one large file or an individual language. You can find these
packages through our homepage. They also contain instructions on how
to install.

That release also introduced a backport of the new Character set
decoding functions from the development branch, vastly increasing the
number of supported character sets and decoding performance.


Security issues
===============

This release addresses security issues found since the release of 1.4.8:

Cross site scripting via malicious input the mailto parameter of
webmail.php, the session and delete_draft parameters of compose.php and
via a shortcoming in the magicHTML filter.

This is CVE-2006-6142. Thanks for Martijn Brinkers for his continued research
that uncovered these issues.

We've also changed SquirrelMail attachment handling to work around an issue
in Internet Explorer: the browser will attempt to guess the MIME type of
attachments based on content, not the MIME header we send. Attachments could
fake to be an 'harmless' image/jpeg, while they were in fact HTML that
Internet Explorer would render.

After release 1.4.9 Martijn Brinkers again discovered new cross site
scripting issues in the magicHtml filter. The new discovered security issues
have to do with the wide intepretation of the words expression and url by IE
browsers. As second issue Martijn Brinkers that the @import statement in
stylesheets could be misused.


Major updates in 1.4
====================

The 1.4.x series (as a result of 1.3 developent series) brings:

* A complete rewrite of the way we send mail (Deliver-class),
  and of the way we parse mail (MIME-bodystructure parsing).
  This makes SquirrelMail more reliable and more efficient
  at the same time!
* Support for IMAP UID which makes SquirrelMail more reliable.
* Optimizations to code and the number of IMAP calls; SquirrelMail
  is now a very scalable webmail solution.
* Support for a wider range of authentication mechanisms.
* Lots of bugfixes, some new features and a couple of UI-tweaks.


A note on plugins
=================

There have been major plugin architecture improvements since 1.2.x. Lots
of plugins have not yet been adapted to this. Plugins which are
distributed with this release (eg. in the same .tar.gz file) should work.
Plugin authors will need some time to adapt their plugins, so quite a few
plugins that did work with 1.2.x might not work with 1.4.x.

So if you have ANY problem at all, first try turning off all plugins.
If one plugin seems to be the culprit, contact the author to see if
a 1.4.x version is underway.

Plugins that worked with previous 1.4.x versions should continue to work
without changes with this version.


Reporting my favorite SquirrelMail 1.4 bug
==========================================

We constantly aim to make SquirrelMail even better. So we need you to
submit any bug you come across! Also, please mention that the bug is
in this 1.4.9a release, and list your IMAP server and webserver details.

   http://www.squirrelmail.org/bugs

Thanks for your cooperation with this. That helps us to make
sure nothing slips through the cracks. Also, it would help if
people would check existing tracker items for a bug before reporting
it again. This would help to eliminate duplicate reports, and
increase the time we can spend CODING by DECREASING the time we
spend sorting through bug reports. And remember, check not only OPEN
bug reports, but also closed ones as a bug that you report MAY have
been fixed in CVS already.

Any questions about installing or using SquirrelMail can be directed
to our user support list:

    squirrelmail-users@lists.sourceforge.net

If you want to join us in coding SquirrelMail, or have other
things to share with the developers, join the development mailinglist:

   squirrelmail-devel@lists.sourceforge.net

                  Happy SquirrelMailing!
                    - The SquirrelMail Project Team

Perl :: Catalyst :: PostgreSQL :: RPM Valid HTML 4.01 Transitional