SquirrelMail Compromise
It seems that some of the SquirrelMail 1.4.11 and 1.4.12 releases have been compromised. The problem only exists in the released packages, not in CVS, which is good. This is still a rather scary scenario though.
http://marc.info/?l=squirrelmail-announce&m=119757931707501&w=2
We looked through the version being shipped in Fedora and didn't find the backdoor, but we will still upgrade to version 1.4.13 for peace of mind and to reduce confusion.
Linux Virus Scanner
And what better to end 2007 with than a story about virus scanners on Linux:
http://www.informationweek.com/blog/main/archives/2007/12/would_we_need_a.html
The Top 5 Most Overlooked Open Source Vulnerabilities for 2007
This story is most interesting, but a little confusing if you don't understand what Palamida does.
http://www.palamida.com/node/513
Palamida specializes in inspecting source repositories and finding embedded copies of third-party source. A good example of this is projects that like to include a source copy of zlib, rather than linking against the system version. It's no secret that there are significant benefits to using system libraries rather than including your own. Any project that includes a copy of an upstream library needs to track the security flaws that affect that source. Most do not do this, which ends up leaving their users vulnerable.
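As an added illustration of the kind of check Palamida's scanning automates (example code written for this post, not Palamida's tool or any project's own code): it walks a source tree, finds every embedded zlib.h, reads the ZLIB_VERSION it declares and flags copies older than the version the system package provides. The sample tree, its paths and its version numbers are constructed for the example.

```python
import os
import re
import tempfile
from typing import List, Tuple

# A real zlib.h declares its version as:  #define ZLIB_VERSION "1.2.3"
ZLIB_VERSION_RE = re.compile(r'^\s*#\s*define\s+ZLIB_VERSION\s+"([0-9][^"]*)"', re.M)


def parse_version(ver: str) -> Tuple[int, ...]:
    """Turn '1.2.3.4' into (1, 2, 3, 4) so versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", ver))


def find_bundled_zlib(root: str) -> List[Tuple[str, str]]:
    """Report every embedded zlib.h under root as (relative path, version).

    Files named zlib.h that carry no ZLIB_VERSION define are ignored.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if "zlib.h" not in files:
            continue
        path = os.path.join(dirpath, "zlib.h")
        with open(path, encoding="utf-8", errors="replace") as fh:
            m = ZLIB_VERSION_RE.search(fh.read())
        if m:
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            hits.append((rel, m.group(1)))
    return sorted(hits)


def outdated_copies(root: str, minimum: str) -> List[Tuple[str, str]]:
    """Bundled copies older than `minimum` (e.g. the system package's version)."""
    floor = parse_version(minimum)
    return [(p, v) for p, v in find_bundled_zlib(root) if parse_version(v) < floor]


def build_sample_tree() -> str:
    """Constructed sample: two vendored zlib copies, one stale and one current."""
    root = tempfile.mkdtemp(prefix="vendored-")
    copies = {"third_party/zlib/zlib.h": "1.2.1", "contrib/png/zlib/zlib.h": "1.2.3"}
    for rel, ver in copies.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(f'/* constructed stub header */\n#define ZLIB_VERSION "{ver}"\n')
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for path, ver in outdated_copies(tree, "1.2.3"):
        print(f"{path}: bundled zlib {ver} is older than the system's 1.2.3")
```

The same walk works for any library whose header carries a version macro; only the file name and regex change.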