Could you do an updated squirrelmail package? 1.4.5 was released in july. Or is 1.4.6 already around the corner?

Thanks in advance.

Sure, thanks for the heads up. I'll take a look at making an update.

Hi Scott, June 15th the SquirrelMail team announced several cross site scripting vulnerabilities exist in SquirrelMail 1.4.0-1.4.4. There's a patch and info available at http://www.squirrelmail.org/security/issue/2005-06-15 or is that patch already applied in the current version you have in your repository?

Anyway, an update to 1.4.5 would still be very welcome.

Thanks.

Yep its on my list

Is this coming any time soon? It's been nearly 6 months since 1.4.5 was released.

It is actually really simple to update the installation to 1.4.5. This is how I did it. I'm not a sys admin. I just play one on forums, so YMMV.

Backup /etc/squirrelmail/config.php and /etc/squirrelmail/config_local.php - I usually make a directory called "old" and stuff 'em in there.

Go to where squirrelmail is: cd /usr/share
Backup original directory: mv squirrelmail squirrelmail.old

I link a directory for installs because I like directories that show me the version:
tar -zxf squirrelmail-1.4.5.tar.gz
ln -s squirrelmail-1.4.5 squirrelmail

I also like the idea of having all the config files in /etc - much easier to back up that way.
cd /usr/share/squirrelmail/config
mv config.php /etc/squirrelmail/
mv config_local.php /etc/squirrelmail/

There is a "." at the end of the ln statements, so don't omit!!
cd /usr/share/squirrelmail/config/
ln -s /etc/squirrelmail/config.php .
ln -s /etc/squirrelmail/config_local.php .

Run conf.pl and set it up like you would normally. The only real gotchas are to remember to set up the IMAP server to be courier (option D to set) and to note the locations of the following directories(option 4 to set):
data: /var/lib/squirrelmail/prefs/
attachments: /var/spool/squirrelmail/attach/

Sure it's a bit more work than an rpm file, but it gets you updated!

I'm managing multiple servers and like to stick to using rpms. But thanks anyway. I just read squirrelmail 1.4.6 RC1 is out by the way.

Story of my life

What exactly is the story of your life, Scott? Sticking to rpms?

Also I found on the Squirrelmail homepage is this tidbit about PHP 4.4.1 (which is the current ART release) issues:

Squirrelmail 1.4.6 final is released with a bunch of security fixes. Could you please update your packages to this release? The last version you did was 1.4.4.

How is 1.4.6 coming, Scott? I read so much about XSS vulnerabilities and the like in previous versions of SquirrelMail I'm getting a bit nervous about still running 1.4.4.

I havent even been to the website in about a year

What do you mean? To what website? 1.4.6 was released a month ago.

Your 1.4.4 build is from 21 April 2005, so I guess a lot vulnerabilities are still present in your package.

I see Fedora Legacy has a package built in August 2005 (http://download.fedoralegacy.org/fedora/2/updates/i386/), but since your package is 1.4.4-4 and theirs is 1.4.4-2 yum chooses your package. Maybe I should install Fedora Legacy's version as it probably has more patches applied?