A commonly deployed, ass-ugly webmail software application, SquirrelMail, is in the news this morning. Apparently the version 1.4.12 package was compromised. This came to light when it was noticed that the MD5 checksums were not matching up. According to the notice published on the SquirrelMail site, this was the result of a compromised release maintainer's account.
From SquirrelMail:
Further investigations show that the modifications to the code should have little to no impact at this time. Modifications seemed to be based around a PHP global variable which we cannot track down. The changes made will most likely generate an error, rather than a compromise of a system in the event the code does get executed.
Original packages, stored on secure media, have been restored to the Sourceforge download servers, and additional signatures for the packages are now available on the SquirrelMail download page at http://www.squirrelmail.org/download.php
While we believe the changes made should have little impact, we strongly recommend everybody that has downloaded the 1.4.12 package after the 8th December, to redownload the package.
So. If you are using version 1.4.12 get on yer bike. You have some patching to do.