- Fixed session fixation issues where someone who can modify a user’s cookies could gain control of their login session.
- Fixed unsanitized shell command in example IMAP username mapping function (map_yp_alias) (Thanks to Niels Teusink).
- Fixed the lack of sanitizing of contrib/decrypt_headers.php input; also includes general cleanup of that page (Thanks to Niels Teusink).
- Fixed improper sanitizing of PHP_SELF and the lack of sanitizing of QUERY_STRING server environment variables (Thanks to Niels Teusink and Christian Balzer).
- Remove ability for HTML emails to use CSS positioning to overlay SquirrelMail content (Thanks to Luc Beurton).
- Added Khmer translation (Thanks to Khoem Sokhem).
- Outgoing attachments that have lines longer than allowed per RFC are now encoded so they are not corrupted by artificial line folds.
- Default Content-Transfer-Encoding is now RFC-compliant “7bit” instead of “us-ascii”.
- Date headers in outgoing messages have been brought into RFC 822 compliance (removed time zone name).
- htaccess files in all directories to which browsers don’t need direct access.
- Moved documentation to doc/ directory and added example.
- Added Bengali (Bangladesh) translation (Thanks to Jamil Ahmed).
- Added Tamil translation (Thanks to Kengatharaiyer Sarveswaran).
- Allow multiple addresses in one abook entry (separate with commas), although we HIGHLY DISCOURAGE grouping in this manner – note amongst other issues that can come up, sizing for large groups will be a problem.
- Ensure that hash directory computation is the same on both 32 and 64 bit architectures.
- Fix for address book nicknames that contain the : character.
- Make address book file permissions 0600 – same as preference files.
- Migrated some fetch handling code from dev branch in plans to update some core functionality to allow reusability of code.
- Created new sqimap_msgs_list_move to move messages.
- Corrected sqimap_msgs_list_copy to actually copy messages, rather than move.
- Updated some core code, and several plugins, to not use code marked as obsolete.
- Altered filters plugin to issue single move/delete statement for multiple messages.
- Removed code from spam filters plugin to stop it falling back to searching all messages when there were no new messages.
- Fixed filters plugin to allow spam filters to scan multiple messages, rather than the first message returned.
- Added informational type option widget.
- Fixed port detection in automatic base URL detection scheme (get_location()).

The most notable changes for this version are several security fixes, including a couple XSS exploits, a session fixation issue, and an obscure but dangerous server-side code execution hole. However, this version also includes three new languages and more than a few enhancements to things such as the filters plugin, the address book system and other things under the hood.

Thanks Michal Hlavinka for notifying this.
SquirrelMail is a program written in PHP to enable web-based e-mail. It is used by various ISPs to provide webmail functionality. The program has support for the imap and smtp protocols and all screens are built in html 4.0, without the need for Javascript. The developers have released version 1.4.19 with the following announcement and list of changes since the previous entry in the Meuktracker:

The security fix to map_yp_alias in 1.4.18 turned out to be incomplete. We also experienced some regressions in the updated filter plugin. Both are addressed in this new release 1.4.19 which contains a few other small fixes as well. If you do not use map_yp_alias or the filters plugin there’s no urgent need to upgrade now if you already installed 1.4.18.

- The shell escaping fix in map_yp_alias (CVE-2009-1579) was incomplete.
- In SMTP, when we EHLO with an IP, wrap it in brackets (#2793154).
- Resend cookie to browser after session ID regeneration so it gets the right cookie parameters.
- Fixed the Filters plugin to allow commas in filter criteria text and not to error out when spam-scanning only unread mail.
- Removed use of session_unregister() for compatibility with PHP 5.3.0 and PHP 6.