Domain: squirrelmail.org
Stories and comments across the archive that link to squirrelmail.org.
Stories · 4
SquirrelMail Repository Poisoned
SkiifGeek writes "Late last week the SquirrelMail team posted information on their site about a compromise to the main download repository for SquirrelMail that resulted in a critical flaw being introduced into two versions of the webmail application (1.4.11 and 1.4.12). After gaining access to the repository through a release maintainer's compromised account (it is believed), the attackers made a slight modification to the release packages, modifying how a PHP global variable was handled. This introduced a remote file inclusion bug — leading to an arbitrary code execution risk on systems running the vulnerable versions of the software. The poisoning was identified by a difference in MD5 signatures for version 1.4.12. Version 1.4.13 is now available."
Apple's First 2005 Mac OS X Security Update Is Out
ollie_ob writes "Security Update 2005-001 has just hit Software Update for Mac OS X users, for those running 10.3.7 and 10.2.8 in both normal and server flavours of the OS. The update includes patches for: at commands, ColorSync, libxml2, Mail, PHP, Safari and SquirrelMail. Details are here. One of these fixes -- a modification to Apple Mail so it stops broadcasting your MAC address in plain text every time you send an email - will come as a welcome relief to those trying to keep their WEP-based wireless networks secure. Other highlights are PHP 4.3.10, and a Safari fix so that pop-up windows can't mislead users as to their apparent origin. The Mac OS X Server version of the patch also includes an update to SquirrelMail that stops browsers from executing scripted content in emails viewed(!). Interesting to note Apple's new naming scheme for the updates (last year, some updates came out dated days into the future - or past.) Also, there's a unified page for all future security updates."
Researching The Open Source Way
A reader writes: "Eugene Eric Kim, who also writes on the webservices channel on DevChannel.org, has posted a research report on open source communities. The two projects/communities studied were Touchgraph and Squirrelmail, examining how they work together." Looking at it, I think the research report was sponsored by The Omidyar Foundation, who are the eBay founders; and the report is also licensed under the Creative Commons license.
Nurturing Ideas Into Open Source Projects?
lkehresman asks: "Over the course of the past few years, I have been involved in numerous open source projects and have been discovering the wonderful oddities with this development model. However, I am perplexed as to how one would go about starting a project with the bazaar model, and if it's even possible. Indeed, ESR states, "One can test, debug and improve in bazaar style, but it would be very hard to originate a project in the bazaar mode." Is this true? Can anyone give any personal testimony to projects that have succeeded being built like this from the ground up?"
"Until recently, I was the leader of the SquirrelMail project. When it started, we released version 0.1 and people started hacking on it. However, when we decided to do a rewrite, we attempted to start over using the bazaar model from the ground up, allowing for group discussions and decisions. We got caught in a year's worth of discussion before any code was actually developed (now, however, its development is well under way and flourishing). I've seen this through personal experience with countless other projects as well.
As I am venturing into this territory once again with a new project, I'm wondering if anyone in the community has had personal experience with this, and can lend advice as to how to avoid endless bickering about trivial issues. Having a code base to release is obviously a key factor, but in this case, that simply isn't possible due to the magnitude of the task at hand. Advice?"