Due to the package compromise of 1.4.11, and 1.4.12, we are forced to
release 1.4.13 to ensure no confusions. While initial review didn't
uncover a need for concern, several proof of concepts show that the
package alterations introduce a high risk security issue, allowing
remote inclusion of files. These changes would allow a remote user the
ability to execute exploit code on a victim machine, without any user
interaction on the victim's server. This could grant the attacker the
ability to deploy further code on the victim's server.
We *STRONGLY* advise all users of 1.4.11, and 1.4.12 upgrade
immediately.
Due to the package compromise of 1.4.11, and 1.4.12, we are forced to
release 1.4.13 to ensure no confusions. While initial review didn't
uncover a need for concern, several proof of concepts show that the
package alterations introduce a high risk security issue, allowing
remote inclusion of files. These changes would allow a remote user the
ability to execute exploit code on a victim machine, without any user
interaction on the victim's server. This could grant the attacker the
ability to deploy further code on the victim's server.
We *STRONGLY* advise all users of 1.4.11, and 1.4.12 upgrade
immediately.
Package MD5s
============
1a1bdad6245aaabcdd23d9402acb388e squirrelmail-1.4.13.tar.bz2
51ddd67a7ff9272f5a6e1da0b9dfbf18 squirrelmail-1.4.13.tar.gz
ed8871a693cc57d5a0d511f7b89f8781 squirrelmail-1.4.13.zip
We apologies for the inconvenience this may have caused.
--
Happy SquirrelMailing!
The SquirrelMail Development Team-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.7 (MingW32)
iD8DBQFHYrvlK4PoFPj9H3MRAhwwAJ4y66m/hf/7mxiNJy0zVLpgKiG9lQCg+aUm
86RdS1Uap+6A4IT+ifc2jLc=
=MQra
-----END PGP MESSAGE-----
[ reply ]