In association with heise online

14 December 2007, 15:17

Compromised SquirrelMail packages discovered


Packages for the SquirrelMail webmail system were modified after their official release on December 5. According to the developers, the package compromise happened on December 8 and was only recently discovered because of mismatching MD5 checksums. However, only the packages of the current stable version 1.4.12 seem to have been affected.

While the developers trace the modifications back to a potentially compromised maintainer account, they believe that the unauthorised modifications have "little to no impact". According to their analysis, a program error is the worst possible consequence. However, they also state that they cannot follow the modifications completely.

Therefore, for security reasons, the developers recommend that all SquirrelMail admins who downloaded their installation archives from the project page between December 8 and 13 reinstall the original packages now available for download. The MD5 checksums of the unmodified archives are:

ea5e750797628c9f0f247009f8ae0e14  squirrelmail-1.4.12.tar.bz2
d17c1d9f1ee3dde2c1c21a22fc4f9d0e  squirrelmail-1.4.12.tar.gz
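One way for an admin to check archives already on disk against the two checksums listed above (an added example, not code from the SquirrelMail project or the original article). The function names and the directory argument are assumptions made for illustration.

```python
import hashlib
import re
import sys
from pathlib import Path

# MD5 values of the unmodified archives, as listed in the article above.
PUBLISHED = """\
ea5e750797628c9f0f247009f8ae0e14  squirrelmail-1.4.12.tar.bz2
d17c1d9f1ee3dde2c1c21a22fc4f9d0e  squirrelmail-1.4.12.tar.gz
"""

# md5sum-style line: 32 hex digits, whitespace, optional '*', file name.
LINE = re.compile(r"^([0-9a-fA-F]{32})\s+\*?(\S.*)$")

def parse_manifest(text):
    """Parse md5sum-style lines into {filename: lowercase hex digest}."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unparseable checksum line: {raw!r}")
        expected[m.group(2)] = m.group(1).lower()
    return expected

def md5_of(path, chunk=1 << 20):
    """Hash a file in chunks so large archives are not read into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def check_downloads(directory, manifest=PUBLISHED):
    """Return {filename: 'ok' | 'MISMATCH' | 'missing'} per listed archive."""
    results = {}
    for name, digest in parse_manifest(manifest).items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "missing"
        else:
            results[name] = "ok" if md5_of(path) == digest else "MISMATCH"
    return results

if __name__ == "__main__":
    results = check_downloads(sys.argv[1] if len(sys.argv) > 1 else ".")
    for name, status in results.items():
        print(f"{status:8}  {name}")
    sys.exit(1 if "MISMATCH" in results.values() else 0)
```

Run it with the download directory as its argument; a non-zero exit status means at least one archive does not match the listed value and should be replaced.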

