From: Jon Angliss <jon-AT-netdork.net>
Subject: ANNOUNCE: SquirrelMail 1.4.13 Released
Date: Fri, 14 Dec 2007 11:22:45 -0600

Due to the package compromise of 1.4.11, and 1.4.12, we are forced to
release 1.4.13 to ensure no confusion. While initial review didn't
uncover a need for concern, several proofs of concept show that the
package alterations introduce a high risk security issue, allowing
remote inclusion of files. These changes would allow a remote user the
ability to execute exploit code on a victim machine, without any user
interaction on the victim's server. This could grant the attacker the
ability to deploy further code on the victim's server.
We *STRONGLY* advise all users of 1.4.11, and 1.4.12 upgrade
We apologize for the inconvenience this may have caused.
The SquirrelMail Development Team