Hello Darrell,

On Tuesday, June 01, 2004, Darrell Burkey wrote...

> The squirrelmail site states:
>
> "We are pleased to announce the release of SquirrelMail 1.4.3. This is a very
> important release as there was a number of XSS issues uncovered, and
> resolved. Many thanks to Eyal Udassin, Roman Medina and others for reporting
> the issues. As the previous release contained issues, it is STRONGLY advised
> that all users should upgrade to the latest release."
>
> But a more recent message from Roman Medina states:
>
> "I discovered a new XSS vuln in SquirrelMail which is quite dangerous
> since it could be exploited simply by sending a specially crafted mail
> to the victim. The victim only has to read the email in order to
> trigger the exploit. This bug is present in latest versions (as well
> as older ones)."
>
> Given the last sentence doesn't mention a version number I'm not sure if I
> should install version 1.43 now or wait for version 1.4.4.

I think if you re-read his advisory, it SHOULD tell you that 1.4.3 is NOT vulnerable... He notified us of the issue, and we resolved it 2 weeks ago... we then coordinated with him on a release, so he could publish his advisory.

--
Jonathan Angliss ([EMAIL PROTECTED])
Posting Hints: http://www.squirrelmail.org/wiki/en_US/MailingListPostingGuidelines
