Squirrelmail versions 1.4.11 and 1.4.12 have been compromised on the upstream server. These releases contain an inserted backdoor which could allow a remote user to execute arbitrary code on the squirrelmail server. The project has released version 1.4.13 which does not contain the backdoor.
This flaw does not affect any version of Squirrelmail shipped in Red Hat Enterprise Linux.
It also does not affect Fedora or EPEL. I would suggest marking this bug report as a duplicate of bug #424791 (or the other way round, even if mine was before yours).
Squirrelmail packages as shipped with Fedora 7, Fedora 8 and Fedora development are all based on a clean and uncompromised tarball; therefore, they are not vulnerable to this issue. An update to 1.4.13 might be issued to avoid confusion and assure users that their installation is not backdoored.
*** Bug 424791 has been marked as a duplicate of this bug. ***