An updated 3.4.0 tarball, tagged as 3.4.0.20021026, is now on the download
page. For those using Sourceforge's release system, this is still the 3.4
release.
This update fixes a exploitable bug that's been brought to my attention
today; where a local shell user can coax the sqwebmail binary to read an
arbitrary file on the local filesystem. If your web server has login shell
access, you should install this tarball, or apply the patch at
http://www.courier-mta.org/beta/patches/sqwebmail-readfile-fix/.
Bad timing. If I knew this yesterday, this would've gone into the 3.4
build, and eliminate today's tarball juggling act.
--
Sam
