From: Jon Angliss <jon@squirrelmail.org> Subject: [SM-ANNOUNCE] RELEASE: SquirrelMail 1.4.12 Hello All, It's my pleasure to announce the release of SquirrelMail 1.4.12. This release is a bug fix release, including a critical bug in the handling of attachments. The latest release can be downloaded from the SquirrelMail website at http://www.squirrelmail.org/download.php Package md5sums =============== ea5e750797628c9f0f247009f8ae0e14 squirrelmail-1.4.12.tar.bz2 d17c1d9f1ee3dde2c1c21a22fc4f9d0e squirrelmail-1.4.12.tar.gz 3f6514939ea1ebf69f6f8c92781886ab squirrelmail-1.4.12.zip -- Happy SquirrelMailing! The SquirrelMail development team
I should have the new version up this weekend
From: jon@squirrelmail.org Subject: [SM-ANNOUNCE] ANNOUNCE: SquirrelMail 1.4.13 Released Date: December 14, 2007 1:59:08 PM EST To: squirrelmail-announce@lists.sourceforge.net Security: Signed -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 All, Due to the package compromise of 1.4.11, and 1.4.12, we are forced to release 1.4.13 to ensure no confusions. While initial review didn't uncover a need for concern, several proof of concepts show that the package alterations introduce a high risk security issue, allowing remote inclusion of files. These changes would allow a remote user the ability to execute exploit code on a victim machine, without any user interaction on the victim's server. This could grant the attacker the ability to deploy further code on the victim's server. We *STRONGLY* advise all users of 1.4.11, and 1.4.12 upgrade immediately. Package MD5s ============ 1a1bdad6245aaabcdd23d9402acb388e squirrelmail-1.4.13.tar.bz2 51ddd67a7ff9272f5a6e1da0b9dfbf18 squirrelmail-1.4.13.tar.gz ed8871a693cc57d5a0d511f7b89f8781 squirrelmail-1.4.13.zip We apologies for the inconvenience this may have caused. - -- Happy SquirrelMailing! The SquirrelMail Development Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) iD8DBQFHYtKBK4PoFPj9H3MRAjiUAKDxM5V8J6vLEUAn7dfiIa1HYwKIWQCfYTbA 3nk8LOfqcBHfZ3IvEOXoOCo= =USb7 -----END PGP SIGNATURE-----
Hi, it was reported on the SM mailing list that the source package of 1.4.11 and 1.4.12 seem to have been modified. See this: Date: Fri, 14 Dec 2007 12:59:08 -0600 From: Jon Angliss <jon@squirrelmail.org> To: SquirrelMail - Announce <squirrelmail-announce@lists.sourceforge.net> Subject: [SM-ANNOUNCE] ANNOUNCE: SquirrelMail 1.4.13 Released -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 All, Due to the package compromise of 1.4.11, and 1.4.12, we are forced to release 1.4.13 to ensure no confusions. While initial review didn't uncover a need for concern, several proof of concepts show that the package alterations introduce a high risk security issue, allowing remote inclusion of files. These changes would allow a remote user the ability to execute exploit code on a victim machine, without any user interaction on the victim's server. This could grant the attacker the ability to deploy further code on the victim's server. We *STRONGLY* advise all users of 1.4.11, and 1.4.12 upgrade immediately. Package MD5s ============ 1a1bdad6245aaabcdd23d9402acb388e squirrelmail-1.4.13.tar.bz2 51ddd67a7ff9272f5a6e1da0b9dfbf18 squirrelmail-1.4.13.tar.gz ed8871a693cc57d5a0d511f7b89f8781 squirrelmail-1.4.13.zip We apologies for the inconvenience this may have caused. - -- Happy SquirrelMailing! The SquirrelMail Development Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) iD8DBQFHYtKBK4PoFPj9H3MRAjiUAKDxM5V8J6vLEUAn7dfiIa1HYwKIWQCfYTbA 3nk8LOfqcBHfZ3IvEOXoOCo= =USb7 -----END PGP SIGNATURE----- Would be better to update right to 1.4.13 as the email says.
As for security being in CC here: This does not affect Gentoo, as the checksum distributed on our rsync mirrors and the file on our distfiles mirrors is original and the mirroring happened before the file compromise: 486fb27a6ab306088603163160dbc8ca squirrelmail-1.4.11.tar.bz2 The only way this could hit Gentoo users is when they cannot contact Gentoo mirrors and get a compromised copy from an outdated Sourceforge mirror. That would not cross the user's checksum verification though.
In portage.