NaSMail

This release includes fixes and security updates backported from NaSMail trunk. It fixes header unfolding, attachment encoding, and newer Dovecot CAPABILITY issues, corrects cumulative counts in left folder listing, and improves the speed of mailbox listing. It fixes a possible denial-of-service bug. If NaSMail 1.3-1.7 versions are used in setups with some PHP versions, an attacker can use a PHP mbstring extension quirk to block mailbox listing and exhaust the Web server's CPU resources.

This release adds IMAP literal strings support to basic IMAP commands, fixes some security issues, and adds other small bugfixes and code improvements.

Incompatibilities with older PHP versions were fixed.

This release improves address book layout and navigation. It also tightens security of session and password cookies. HTML filters are modified to remove HTML5 media objects. This release adds security fixes for vulnerabilities reported in the SquirrelMail CVE-2008-3663 report. Fixes are applied only when the Web server supports them. NaSMail 1.5 and later packages are not affected by issues reported in the SquirrelMail CVE-2008-2379 report.

This release includes security updates in HTML email sanitizing. These updates prevent some interface abuse with CSS. This release adds SASL PLAIN support to IMAP and SMTP authentication functions, has optimizations in IMAP EXPUNGE commands and UIDPLUS support, and has many updates in RBL filtering options. It contains other small bugfixes and code cleanup.