Article title is misleading
Makes it sound like there is a remote exploit in sendmail, when the problem is 100% confined to SquirrelMail.
Security researchers have uncovered a critical security hole in SquirrelMail, the open-source webmail project. Filippo Cavallarin and Dawid Golunski independently discovered a remote code execution hole in SquirrelMail version 1.4.22 and likely prior. That's the latest version, by the way, and is dated July 2011. The bug is a …
I agree, it should say something like "Do you use squirrelmail with sendmail..."
On that note, as a squirrelmail user for 17 years now (even though I use roundcube today I still have SM installed for some family members who use it; last used SM in an office environment probably 2002), even back in the days when I did use sendmail I have always had squirrelmail just use SMTP to localhost to send email. Not sure what the advantage ever might have been to using a local binary instead of SMTP. I certainly never got any complaints.
https://sourceforge.net/p/squirrelmail/code/14651/
- Fixed insufficient sendmail command argument escaping (thanks
to Mitchel Sahertian, Maor Shwartz, Dawid Golunski and Filippo
Cavallarin for bringing this to our attention). [CVE-2017-7692]
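The changelog entry above names the bug class (insufficient escaping of arguments handed to a local sendmail binary) without showing what it looks like. The block below is an added illustration written for this page, not SquirrelMail's own code, and it is in Python rather than the project's PHP because the pattern is language-independent. The sendmail path, the use of the -f envelope-sender argument and all sample inputs are assumptions; nothing here claims how the real 1.4.22 code was written.

```python
"""Constructed illustration of user-controlled data reaching the argument list
of a local sendmail binary, beside a hardened form.  Not SquirrelMail code."""
import re
import shlex
import subprocess

SENDMAIL = "/usr/sbin/sendmail"  # typical path; assumed, not taken from the page


# Vulnerable pattern: the envelope sender is interpolated into a command string
# that will be handed to a shell (popen()-style).  Shell metacharacters give
# command injection; even a plain space injects extra sendmail options, because
# the shell re-splits the string into words.
def unsafe_command(envelope_from: str) -> str:
    return f"{SENDMAIL} -i -t -f {envelope_from}"


def argv_seen_by_sendmail(command: str) -> list:
    # What sendmail's argv looks like after POSIX shell word-splitting.
    return shlex.split(command)


# Hardened pattern.  Two independent measures, both worth having:
#  1. validate the value against a strict address grammar and reject anything
#     beginning with '-', which sendmail would otherwise parse as an option
#     (e.g. -O or -X) even when the value is correctly quoted for the shell;
#  2. run the binary with an argv list and no shell, so shell quoting never
#     enters the picture, and attach the address to -f so it cannot become a
#     separate token.
_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def safe_argv(envelope_from: str) -> list:
    if envelope_from.startswith("-") or not _ADDR_RE.fullmatch(envelope_from):
        raise ValueError(f"refusing envelope sender: {envelope_from!r}")
    return [SENDMAIL, "-i", "-t", "-f" + envelope_from]


def send(envelope_from: str, message: bytes) -> subprocess.CompletedProcess:
    # Hand the message to sendmail on stdin; no shell is involved at any point.
    return subprocess.run(safe_argv(envelope_from), input=message, check=True)


if __name__ == "__main__":
    # Constructed inputs: a benign address and one carrying an extra option.
    for value in ("alice@example.com", "alice@example.com -OQueueDirectory=/tmp"):
        print("unsafe argv:", argv_seen_by_sendmail(unsafe_command(value)))
        try:
            print("safe   argv:", safe_argv(value))
        except ValueError as exc:
            print("safe   argv: rejected,", exc)
```

The second constructed input contains no shell metacharacter at all, yet the unsafe path turns it into a sixth argv entry that sendmail will read as an option. That is why quoting for the shell is only half of the fix: the argument itself has to be validated, or passed in a form (attached -f, argv list) where it can never be parsed as anything but an address. Talking SMTP to localhost, as other commenters do, sidesteps the whole class.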
Squirrelmail has been around for years, and trouble free in my case, and this vulnerability doesn't affect me as I use SMTP/IMAP as the front/back ends for it. As with others, I try to keep personal and family communications away from corporate data mining and branding. I've heard of Roundcube, but as I've been successful with Squirrelmail/Postfix/Mailman and others, which have been relatively straightforward to set up, configure and maintain compared to Sendmail, which I used in the past, I've had no reason to try Roundcube as Squirrelmail just works. Can you provide one? It's Dovecot and trying to get proper email clients working sensibly on all sorts of tablet/phone platforms that have me tearing my hair out, so maintaining webmail for this kind of application (other than on proper desktops which have proper email clients) makes more sense as I only need to do it once for many client platforms.