Squirrelmail versions 1.4.11 and 1.4.12 have been compromised on the upstream
server. These releases contain an inserted backdoor which could allow a remote
user to execute arbitrary code on the squirrelmail server.
The project has released version 1.4.13 which does not contain the backdoor.
This flaw does not affect any version of Squirrelmail shipped in Red Hat
It also does not affect Fedora or EPEL. I would suggest to mark this bug report
as duplicate of bug #424791 (or other way round, even if mine was before yours).
Squirrelmail packages as shipped with Fedora 7, Fedora 8 and Fedora development
are all based on clean and uncompromised tarball, therefore they are not
vulnerable to this issue.
An update to 1.4.13 might be issued to avoid confusion and ensure users that
their installation is not backdoored.
*** Bug 424791 has been marked as a duplicate of this bug. ***