chuck | 11 Dec 20:29 2005

Horde H3 (3.0.8) (final)

The Horde Team is pleased to announce the final release of the Horde
Application Framework version 3.0.8.

This is a security release that fixes cross site scripting
vulnerabilities in several of Horde's templates. None of the
vulnerabilities can be exploited by unauthenticated users; however, we
strongly recommend that all users of Horde 3.0.7 upgrade to 3.0.8 as
soon as possible.

Many thanks to Johannes Greil of SEC Consult
(http://www.sec-consult.com/) for reporting these problems and working
with us to test the fixes.

The Horde Application Framework is a modular, general-purpose web application
framework written in PHP.  It provides an extensive array of classes that are
targeted at the common problems and tasks involved in developing modern web
applications.

Major changes compared to the Horde version 3.0.7 are:
    * Fix escaping of data in the preferences templates.
    * Fix escaping of data in the data import templates.
    * Fix output escaping of Horde_Form_Type_cellphone in UI_VarRenderer_html.
    * Close several XSS problems in the share edit window.
    * When deleting an identity, don't show the deleted identity
      in the default identity select dropdown on the next page load.
    * Fix weather.com portal block.


chuck | 11 Dec 20:32 2005

Kronolith H3 (2.0.6) (final)

The Horde Team is pleased to announce the final release of the Kronolith
Calendar Application version H3 (2.0.6).

This is a security release that fixes cross site scripting
vulnerabilities in several of the calendar name and event data
fields. None of the vulnerabilities can be exploited by
unauthenticated users; however, we strongly recommend that all users
of Kronolith 2.0.5 upgrade to 2.0.6 as soon as possible.

Many thanks to Johannes Greil of SEC Consult
(http://www.sec-consult.com/) for reporting these problems and working
with us to test the fixes.

Kronolith is the Horde calendar application.  It provides web-based calendars
backed by a SQL database, the MCAL library, or a Kolab server.  Supported
features include shared calendars, remote calendars, meeting management,
alarms, recurring events, and a sophisticated day/week view which handles
arbitrary numbers of overlapping events.

Major changes compared to the Kronolith version H3 (2.0.5) are:
    * Close several XSS problems with calendar and event fields.

The full list of changes (from version H3 (2.0.5)) can be viewed here:

http://cvs.horde.org/diff.php/kronolith/docs/CHANGES?r1=1.165.2.69.2.1&r2=1.165.2.69.2.5&ty=h

The Kronolith H3 (2.0.6) distribution is available from the following locations:

chuck | 11 Dec 20:36 2005

Turba H3 (2.0.5) (final)

The Horde Team is pleased to announce the final release of the Turba Contact
Manager version H3 (2.0.5).

This is a security release that fixes cross site scripting
vulnerabilities in several of the address book name and contact data
fields. None of the vulnerabilities can be exploited by
unauthenticated users; however, we strongly recommend that all users
of Turba 2.0.4 upgrade to 2.0.5 as soon as possible.

Many thanks to Johannes Greil of SEC Consult
(http://www.sec-consult.com/) for reporting these problems and working
with us to test the fixes.

Turba is the Horde contact management application. It is a production level
address book, and makes heavy use of the Horde framework to provide
integration with IMP and other Horde applications.

Major changes compared to the Turba version H3 (2.0.4) are:
    * Close several XSS vulnerabilities with address book and contact data.

The full list of changes (from version H3 (2.0.4)) can be viewed here:

http://cvs.horde.org/diff.php/turba/docs/CHANGES?r1=1.181.2.50&r2=1.181.2.51.2.2&ty=h

The Turba H3 (2.0.5) distribution is available from the following locations:

    ftp://ftp.horde.org/pub/turba/turba-h3-2.0.5.tar.gz
    http://ftp.horde.org/pub/turba/turba-h3-2.0.5.tar.gz


chuck | 11 Dec 20:40 2005

Nag H3 (2.0.4) (final)

The Horde Team is pleased to announce the final release of the Nag Task List
Manager version H3 (2.0.4).

This is a security release that fixes cross site scripting
vulnerabilities in several of the tasklist name and task data
fields. None of the vulnerabilities can be exploited by
unauthenticated users; however, we strongly recommend that all users
of Nag 2.0.3 upgrade to 2.0.4 as soon as possible.

Many thanks to Johannes Greil of SEC Consult
(http://www.sec-consult.com/) for reporting these problems and working
with us to test the fixes.

Nag is a web-based application built upon the Horde Application Framework which
provides a simple, clean interface for managing online task lists (i.e., TODO
lists).  It also includes strong integration with the other Horde applications
and offers shared task lists.

The major changes compared to the Nag H3 (2.0.3) version are:
    * Close several XSS vulnerabilities with task and tasklist data.

The full list of changes (from version H3 (2.0.3)) can be viewed here:

http://cvs.horde.org/diff.php/nag/docs/CHANGES?r1=1.115.2.20&r2=1.115.2.21.2.2&ty=h

The Nag H3 (2.0.4) distribution is available from the following locations:

chuck | 11 Dec 20:44 2005

Mnemo H3 (2.0.3) (final)

The Horde Team is pleased to announce the final release of the Mnemo Note
Manager version H3 (2.0.3).

This is a security release that fixes cross site scripting
vulnerabilities in several of the notepad name and note data
fields. None of the vulnerabilities can be exploited by
unauthenticated users; however, we strongly recommend that all users
of Mnemo 2.0.2 upgrade to 2.0.3 as soon as possible.

Many thanks to Johannes Greil of SEC Consult
(http://www.sec-consult.com/) for reporting these problems and working
with us to test the fixes.

The Mnemo Note Manager is the Horde notes/memos application.  It provides
web-based notes and freeform text, similar to the PalmOS Note application and
shared notepads.  It requires the Horde Application Framework and an SQL
database for backend storage.

Major changes compared to the Mnemo version H3 (2.0.2) are:
    * Close several XSS vulnerabilities with note and notepad data.

The full list of changes (from version H3 (2.0.2)) can be viewed here:

http://cvs.horde.org/diff.php/mnemo/docs/CHANGES?r1=1.63.2.16&r2=1.63.2.17.2.2&ty=h

The Mnemo H3 (2.0.3) distribution is available from the following locations:

    ftp://ftp.horde.org/pub/mnemo/mnemo-h3-2.0.3.tar.gz

chuck | 11 Dec 20:50 2005

Horde 3.0.8 (final)

The Horde Team is pleased to announce the final release of the Horde
Application Framework version 3.0.8.

This is a security release that fixes cross site scripting
vulnerabilities in several of Horde's templates. None of the
vulnerabilities can be exploited by unauthenticated users; however, we
strongly recommend that all users of Horde 3.0.7 upgrade to 3.0.8 as
soon as possible.

Many thanks to Johannes Greil of SEC Consult
(http://www.sec-consult.com/) for reporting these problems and working
with us to test the fixes.

The Horde Application Framework is a modular, general-purpose web application
framework written in PHP.  It provides an extensive array of classes that are
targeted at the common problems and tasks involved in developing modern web
applications.

Major changes compared to the Horde version 3.0.7 are:
    * Fix escaping of data in the preferences templates.
    * Fix escaping of data in the data import templates.
    * Fix output escaping of Horde_Form_Type_cellphone in UI_VarRenderer_html.
    * Close several XSS problems in the share edit window.
    * When deleting an identity, don't show the deleted identity
      in the default identity select dropdown on the next page load.
    * Fix weather.com portal block.


Chuck Hagenbuch | 11 Dec 21:43 2005

Re: Horde 3.0.8 (final)

Quoting chuck <at> horde.org:

> The Horde Team is pleased to announce the final release of the Horde
> Application Framework version 3.0.8.

My apologies for the multiple Horde announcements. This is the correct one.

-chuck

-- 
"So we're talking near-sonic speeds for a vegetable."
Reasons to go to the Punkin Chunkin World Championships


chuck | 14 Dec 21:31 2005

Horde 3.0.9 (final)

The Horde Team is pleased to announce the final release of the Horde
Application Framework version 3.0.9.

This is a bugfix release that fixes a bug in all Horde_Form generated
select fields that was introduced in the 3.0.8 security release. All
users of Horde 3.0.x are encouraged to upgrade to 3.0.9 immediately
for the security fixes that were in 3.0.7 and 3.0.8.

The Horde Application Framework is a modular, general-purpose web application
framework written in PHP.  It provides an extensive array of classes that are
targeted at the common problems and tasks involved in developing modern web
applications.

Major changes compared to the Horde version 3.0.8 are:
    * Fix showstopper bug in Horde_Form select fields (Bug #3123).

The full list of changes (from version 3.0.8) can be viewed here:

http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.515.2.167.2.14&r2=1.515.2.167.2.16&ty=h

The Horde 3.0.9 distribution is available from the following locations:

    ftp://ftp.horde.org/pub/horde/horde-3.0.9.tar.gz
    http://ftp.horde.org/pub/horde/horde-3.0.9.tar.gz

Patches against version 3.0.8 are available at:
