On Fri, May 29, 2020 at 10:08:50AM +0930, Mike O'Connor via luv-main wrote:
> Roundcube, seems to be ok.

Every instance of Squirrelmail I've seen has migrated to Roundcube.

After a quick look through their documentation, the former doesn't appear to
require a relational database, while the latter does. Let that be MySQL,
PostgreSQL, or sqlite.

I wouldn't trust any PHP or SQL stack but I don't have any better suggestions
for webmail.

Attached below, major security update just a month ago. If you install
Roundcube, be careful with the versions.

---

https://roundcube.net/news/2020/04/29/security-updates-1.4.4-1.3.11-and-1.2.10

= Security updates 1.4.4, 1.3.11 and 1.2.10 released

29 April 2020

We just published service and security updates to the stable version 1.4
and the LTS versions 1.3 and 1.2 of Roundcube Webmail. They contain four
fixes for recently reported security vulnerabilities as well as a number of
general improvements from our issue tracker.

== Security fixes

* CSRF attack can cause an authenticated user to be logged out

* Cross-Site Scripting (XSS) via malicious HTML content
  (CVE-2020-12625)+

* Remote code execution via crafted config options (CVE-2020-12641)+

* Path traversal vulnerability allowing local file inclusion via crafted
  ‘plugins’ option (CVE-2020-12640)+

The latter two vulnerabilities are classified minor because they only
affect Roundcube installations with public access to the Roundcube
installer. That’s generally a high-risk situation and is expected to be
rare or practically non-existent in productive Roundcube deployments.
However, the fixes are done in core in order to also prevent from future
and yet unknown attack vectors.

See the full changelogs in the release notes on the Github download
pages for the updated versions 1.4.4, 1.3.11 and 1.2.10.

We strongly recommend to update all productive installations of
Roundcube with these new versions.

+ Credits to the security researchers: Matei “Mal” Badanoiu and
<Other_Guy/Girl>
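One way to act on the "be careful with the versions" advice, as an added example that is not part of the original message or the Roundcube announcement: it classifies already-collected Roundcube version strings against the three fixed releases named above. The function names, host names and sample inventory are constructed for illustration.

```python
import re

# Minimum patched release per branch, taken from the announcement quoted above.
FIXED = {(1, 4): 4, (1, 3): 11, (1, 2): 10}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-?([A-Za-z][\w.]*))?$")


def parse_version(text):
    """Return ((major, minor), patch, is_prerelease) or raise ValueError."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor)), int(patch or 0), suffix is not None


def audit(version):
    """Classify one version as 'patched', 'vulnerable' or 'not-covered'."""
    branch, patch, prerelease = parse_version(version)
    if branch not in FIXED:
        # The announcement names fixes only for the 1.4, 1.3 and 1.2 branches.
        return "not-covered"
    fixed_patch = FIXED[branch]
    # A pre-release tag on the fixed patch level is treated as predating the fix.
    if patch > fixed_patch or (patch == fixed_patch and not prerelease):
        return "patched"
    return "vulnerable"


def audit_inventory(inventory):
    """Map host -> status; unparseable entries are reported, not skipped."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = audit(version)
        except ValueError:
            report[host] = "unparseable"
    return report


# Constructed sample inventory (hosts and versions are made up).
SAMPLE = {"mail-a.example": "1.4.3", "mail-b.example": "1.3.11",
          "mail-c.example": "1.2.9", "mail-d.example": "1.1.12",
          "mail-e.example": "1.4-rc2", "mail-f.example": "unknown"}

if __name__ == "__main__":
    for host, status in sorted(audit_inventory(SAMPLE).items()):
        print(f"{host}: {status}")
```

Hosts reported as not-covered run a branch for which the announcement lists no fixed release, so they need a separate decision rather than a pass.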