Description of problem:
SquirrelMail 1.4.12 was released some time ago; it is only a bugfix release. When downloading it, please verify that the md5sum matches the official one, because the SquirrelMail project had a compromised package on its servers for some time.

Version-Release number of selected component (if applicable):
squirrelmail-1.4.11-1

Expected results:
Upgrade to 1.4.12 or newer... ;-)
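The check the report asks for, written out as an added example (it is not code from the bug report or from the SquirrelMail project). It assumes the published checksum list is in `md5sum` output format (`<hex>  <filename>`) and that the hash you trust was taken from the project's announcement, not from the same download server that handed you the tarball. The tarballs and the MD5SUMS file in the demonstration are constructed stand-ins with known digests, not real SquirrelMail releases.

```shell
#!/bin/sh
# Added example, not part of the bug report or the SquirrelMail project.
# Verify a downloaded tarball against a published MD5 list before installing it.
# Assumptions: list lines look like "<hex>  <filename>" (md5sum format); md5sum
# or openssl is installed; the list was obtained from a channel other than the
# (possibly compromised) download mirror.
set -u

# md5_of FILE: print the lowercase hex MD5 digest of FILE (md5sum, openssl as fallback)
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# expected_md5 FILENAME LISTFILE: print the hash listed for FILENAME (basename match);
# print nothing and return 1 if the list has no entry for it
expected_md5() {
    awk -v name="$1" '
        { f = $2; sub(/^\*/, "", f); sub(/.*\//, "", f) }   # drop binary marker and any path
        f == name { print tolower($1); found = 1; exit }
        END { exit found ? 0 : 1 }
    ' "$2"
}

# verify_download FILE LISTFILE: 0 = match, 1 = mismatch, 2 = file not in the list
verify_download() {
    file=$1; list=$2
    name=$(basename "$file")
    want=$(expected_md5 "$name" "$list") || { printf 'NOT LISTED: %s\n' "$name" >&2; return 2; }
    have=$(md5_of "$file")
    if [ "$have" = "$want" ]; then
        printf 'OK: %s %s\n' "$name" "$have"
        return 0
    fi
    printf 'MISMATCH: %s\n  published %s\n  computed  %s\n' "$name" "$want" "$have" >&2
    return 1
}

# --- demonstration on constructed input (names are illustrative only) --------
demo=$(mktemp -d)
printf 'hello\n' > "$demo/squirrelmail-good.tar.gz"      # md5 b1946ac92492d2347c6235b4d2611184
: > "$demo/squirrelmail-tampered.tar.gz"                 # empty file, digest differs from the list
cat > "$demo/MD5SUMS" <<'EOF'
b1946ac92492d2347c6235b4d2611184  squirrelmail-good.tar.gz
b1946ac92492d2347c6235b4d2611184  squirrelmail-tampered.tar.gz
EOF
verify_download "$demo/squirrelmail-good.tar.gz" "$demo/MD5SUMS"             # OK
verify_download "$demo/squirrelmail-tampered.tar.gz" "$demo/MD5SUMS" || true  # MISMATCH
verify_download "$demo/squirrelmail-other.tar.gz" "$demo/MD5SUMS" || true     # NOT LISTED
rm -rf "$demo"
```

`md5sum -c MD5SUMS` performs the same comparison for every file in a list; the function above is spelled out so the three outcomes (match, mismatch, not listed) map to distinct exit codes a script can act on. The caveat that matters for this incident: a checksum fetched from the same host that served a tampered package proves nothing, so the value you compare against has to come from the announcement or another independent channel.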
ANNOUNCE: SquirrelMail 1.4.13 Released
Dec 14, 2007 by Jonathan Angliss

Due to the package compromise of 1.4.11 and 1.4.12, we are forced to release 1.4.13 to ensure no confusion. While initial review didn't uncover a need for concern, several proof of concepts show that the package alterations introduce a high risk security issue, allowing remote inclusion of files. These changes would allow a remote user the ability to execute exploit code on a victim machine, without any user interaction on the victim's server. This could grant the attacker the ability to deploy further code on the victim's server. We STRONGLY advise all users of 1.4.11 and 1.4.12 to upgrade immediately.
SquirrelMail packages as shipped with Fedora 7, Fedora 8 and Fedora development are all based on a clean and uncompromised tarball; therefore they are not vulnerable to this issue. An update to 1.4.13 might be issued to avoid confusion and assure users that their installation is not backdoored.

*** This bug has been marked as a duplicate of 425291 ***