I’m thinking of asking for the removal of atmailopen from Debian

Since December 2008 I have maintained the atmailopen Debian package. It is a nice webmail client written in PHP and Ajax; it aims to provide an elegant Ajax webmail client for existing IMAP mail servers, with less bloat and a focus on an intuitive, simple user interface.

I was very happy when it was accepted into Debian, but I was wrong:

On 19/04/2009 I noticed a Secunia advisory about @Mail (SA34704), and the same day I mailed upstream to ask whether atmailopen was affected by the same security vulnerability. No answer as of today, 2009-05-22…

While looking into SA34704, I discovered that atmailopen ships the vulnerable version of html2text, which could allow code execution: the same issue as CVE-2008-5619 in RoundCube.
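As an added illustration (not part of the original post, and not code from the atmailopen package or its upstream): a small shell script that scans a PHP tree for preg_replace() calls whose pattern carries the /e modifier, the construct in html2text.php that CVE-2008-5619 concerns. With /e, PHP evaluates the replacement string after substituting back-references, so HTML under an attacker's control can end up being executed as PHP. The function names are mine, and the html2text.php the script writes is a constructed sample that only mimics the shape of the vulnerable code.

```sh
#!/bin/sh
# Added example, not code from atmailopen or upstream: a grep heuristic for
# preg_replace() calls that use the deprecated /e (eval) modifier.

# List file:line:text for suspect preg_replace() calls under the directory $1.
# The regex requires a plain preg_replace( call (so preg_replace_callback is
# skipped) whose pattern literal ends in a modifier run containing 'e' before
# the closing quote. It is a heuristic: review every hit by hand and expect the
# odd false positive on literals such as '/some/path/file'.
find_preg_eval() {
    find "$1" -name '*.php' -exec grep -nHE \
        "preg_replace[[:space:]]*\([^;]*/[a-zA-Z]*e[a-zA-Z]*['\"]" {} +
}

# Number of suspect lines under $1 (0 when nothing is flagged).
count_preg_eval() {
    n=$(find_preg_eval "$1" | wc -l)
    echo "$n" | tr -d ' '
}

# Constructed sample tree (not the real html2text.php): two vulnerable /ie
# calls, one safe preg_replace_callback() equivalent and one harmless
# preg_replace() without /e. Prints the directory it created.
make_sample() {
    d=$(mktemp -d)
    cat > "$d/html2text.php" <<'EOF'
<?php
// vulnerable: /ie evaluates the replacement, and \1 comes straight from the input HTML
$text = preg_replace('/<h[123][^>]*>(.*?)<\/h[123]>/ie', "strtoupper(\"\n\n\\1\n\n\")", $text);
$text = preg_replace('/<b[^>]*>(.*?)<\/b>/ie', 'strtoupper("\\1")', $text);
// fixed: a callback runs real code, the match is only data
$text = preg_replace_callback('/<b[^>]*>(.*?)<\/b>/i', function ($m) { return strtoupper($m[1]); }, $text);
$path = preg_replace('/\/+/', '/', $path); // no /e, not flagged
EOF
    echo "$d"
}

if [ $# -gt 0 ]; then
    # Point the script at a real install: find_preg_eval.sh /usr/share/atmailopen
    find_preg_eval "$1"
else
    # No argument: run against the constructed sample and clean up.
    sample=$(make_sample)
    find_preg_eval "$sample"
    echo "suspect lines: $(count_preg_eval "$sample")"
    rm -r "$sample"
fi
```

Run with no argument to see the two flagged sample lines, or pass the document root of an installed webmail. A hit is not proof of exploitability on its own (the replacement may not use back-references at all), but every flagged call should be converted to preg_replace_callback(), which is what the fixed html2text releases did.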

On 26/04/2009 I mailed upstream to inform them of this issue, but as usual, nothing… no answer as of today, 2009-05-22…

It is clearly evident that upstream doesn’t take care of security in the open source version of atmail, and doesn’t provide security support.

This is not acceptable for software in Debian, so I will request its removal.

P.S. If you aren’t using the Debian package, I really suggest you patch your atmailopen installation or, better, switch to another webmail.

UPDATE: atmailopen was removed from Debian


  • Richard

    Thanks Giuseppe for making atmailopen available in Debian for a while. It gave me a chance to try it out, and dismiss it. :-) I’m using RoundCube now.