Software Update: SquirrelMail 1.4.10a

SquirrelMail is a program written in PHP to enable web-based e-mail. It is used by various internet providers to provide webmail functionalities. The program has support for the IMAP and SMTP protocols and all screens are built in HTML 4.0, without the need for JavaScript. The developers have released version 1.4.10a with the following announcement and list of changes since the previous entry in the junk tracker:

The SquirrelMail Project Team is proud to announce the release of SquirrelMail 1.4.10a. The 1.4.10 release contains multiple fixes for cross site scripting issues triggered by viewing HTML mail. Besides that it contains bug fixes and stability enhancements.

Happy Squirrel Mailing!

NOTE: 1.4.10a was released to fix a regression in the compose form, shortly after the 1.4.10 release.

Version 1.4.10a:

• Fix regression in compose: when no alternative identities have been defined, the From header would be incorrect.

Version 1.4.10:

• Drop obsolete ORDB RBL from filters plugin (#1629398).
• Fix HTML glitches (#1608798, #1628639, #1521389, #1548394, #1704686).
• Reduce (largely theoretical) chance of reusing existing attachment filenames.
• Fix weird bug in forwarding as attachment from some search results.
• Add warning about magic_quotes_* in configtest.
• Unify accepted versions for imap_server_type and set_defaults (#1629722).
• Fix for wrong $_SERVER[‘REQUEST_URI’] value causing wrong links in the [more] and [less] links in read_body.php.
• Update for switch from CVS to Subversion.
• Fix URL to send read receipts from read_body (#1637572).
• Fix for high memory usage when forwarding messages with attachments.
• Fix for filename extraction from attachments.
• Fix reply to all duplicating the address from Reply-To.
• Drop redundant call to session_register, which could trigger a segfault in PHP 4.4.5 (#1664155).
• Make compose use get_identities() rather than fiddling with identities by itself, resolving a problem in the listcommands plugin (#1663762).
• If a date-header cannot be parsed, display the unparsed version as a better-than-nothing alternative.
• Fix “Unknown Sender” on message after reading a digest (#1673047).
• Fix Priority and Receipt compose options being reset after return from HTML addressbook (#1673056).
• Fix sorting of folder list with non-. delimiter (#1593229).
• Only display “+” symbol on multipart/mixed messages, eg those with real attachments.
• Fixes for issues with filters plugin (#1634735).
• Session not correctly handled on webmail.php (#1685031).
• session_id reporting session id when no active session (#1685031).
• sqm_baseuri moved to strings.php (#1685114).
• Added sq_change_text_domain() for plugins to use when switching text domains. If plugins use this function, it fixes #1434043.
• Added new language: Frisian, thanks to Rinse de Vries.
• Security: fixes for the HTML filter to counter further XSS exploits: HTML attachments containing ‘data:’ URLs, Internet Explorer-specifc charset conversion exploits, and request forgery through included images. Thanks to Mikhail Markin, Tomas Kuliavas and Michael Jordon for reporting these issues. [CVE-2007-1262]