Jan Schneider | 14 Sep 10:17 2009

[SECURITY] Horde 3.2.5 (final)

The Horde Team is pleased to announce the final release of the Horde
Application Framework version 3.2.5.

This is a major security release that fixes a vulnerability in the form
library that allows overwriting of arbitrary local files with the permissions
of the web server user. It also fixes two XSS vulnerabilities in the
preference system and the MIME viewer library. The local file vulnerability
can only be exploited when running an application that uses image form fields,
like Turba H3 (2.3) or Ansel, and only by users who have write permissions to
those applications. All users are encouraged to upgrade to this release.

Thanks to Stefan Esser from SektionEins for finding the local file issue in a
code audit, and Martin Geisler and David Wharton for finding the XSS issues.

The Horde Application Framework is a modular, general-purpose web application
framework written in PHP.  It provides an extensive array of classes that are
targeted at the common problems and tasks involved in developing modern web
applications.

The major changes compared to the Horde version 3.2.4 are:
     * Fixed vulnerability in image form fields that allows overwriting of
       arbitrary local files.
     * Fixed validation of "number" type preferences.
     * Fixed displaying unknown text MIME parts inline.

The full list of changes (from version 3.2.4) can be viewed here:

http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.515.2.413.2.5&r2=1.515.2.413.2.8&ty=h

The Horde 3.2.5 distribution is available from the following locations:

Jan Schneider | 14 Sep 11:33 2009

Horde Groupware 1.1.6 (final)

The Horde Team is pleased to announce the final release of the Horde Groupware
version 1.1.6.

This is a major security release that fixes a vulnerability in the form
library that allows overwriting of arbitrary local files with the permissions
of the web server user. It also fixes two XSS vulnerabilities in the
preference system and the MIME viewer library. The local file vulnerability
cannot be exploited with any application bundled with Horde Groupware
1.1.x. All users are encouraged to upgrade to this release.

Thanks to Stefan Esser from SektionEins for finding the local file issue in a
code audit, and Martin Geisler and David Wharton for finding the XSS issues.

Horde Groupware is a free, enterprise-ready, browser-based collaboration
suite. Users can manage and share calendars, contacts, tasks and notes with the
standards-compliant components from the Horde Project.

The major changes compared to the Horde Groupware version 1.1.5 are:
     * Fixed unescaped output in the tag cloud block.
     * Fixed unvalidated Horde_Image driver name.

The full list of changes (from version 1.1.5) can be viewed here:

http://cvs.horde.org/diff.php/groupware/docs/groupware/CHANGES?r1=1.28.2.5&r2=1.28.2.7&ty=h

The Horde Groupware 1.1.6 distribution is available from the following locations:

     ftp://ftp.horde.org/pub/horde-groupware/horde-groupware-1.1.6.tar.gz

Jan Schneider | 14 Sep 12:11 2009

Horde Groupware Webmail Edition 1.1.6 (final)

The Horde Team is pleased to announce the final release of the Horde Groupware
Webmail Edition version 1.1.6.

This is a major security release that fixes a vulnerability in the form
library that allows overwriting of arbitrary local files with the permissions
of the web server user. It also fixes two XSS vulnerabilities in the
preference system and the MIME viewer library. The local file vulnerability
cannot be exploited with any application bundled with Horde Groupware Webmail
Edition 1.1.x. All users are encouraged to upgrade to this release.

Thanks to Stefan Esser from SektionEins for finding the local file issue in a
code audit, and Martin Geisler and David Wharton for finding the XSS issues.

Horde Groupware Webmail Edition is a free, enterprise-ready, browser-based
communication suite. Users can read, send and organize email messages with
three different webmail interfaces and manage and share calendars, contacts,
tasks and notes with the standards-compliant components from the Horde
Project.

The major changes compared to the Horde Groupware Webmail Edition version 1.1.5
are:
     * Fixed vulnerability in image form fields that allows overwriting of
       arbitrary local files.
     * Fixed validation of "number" type preferences.
     * Fixed displaying unknown text MIME parts inline.

The full list of changes (from version 1.1.5) can be viewed here:

http://cvs.horde.org/diff.php/groupware/docs/webmail/CHANGES?r1=1.25.2.6&r2=1.25.2.7&ty=h

Jan Schneider | 14 Sep 12:16 2009

[SECURITY] Horde 3.3.5 (final)

The Horde Team is pleased to announce the final release of the Horde
Application Framework version 3.3.5.

This is a major security release that fixes a vulnerability in the form
library that allows overwriting of arbitrary local files with the permissions
of the web server user. It also fixes two XSS vulnerabilities in the
preference system and the MIME viewer library. The local file vulnerability
can only be exploited when running an application that uses image form fields,
like Turba H3 (2.3) or Ansel, and only by users who have write permissions to
those applications. All users are encouraged to upgrade to this release.

Thanks to Stefan Esser from SektionEins for finding the local file issue in a
code audit, and Martin Geisler and David Wharton for finding the XSS issues.

The Horde Application Framework is a modular, general-purpose web application
framework written in PHP.  It provides an extensive array of classes that are
targeted at the common problems and tasks involved in developing modern web
applications.

The major changes compared to Horde version 3.3.4 are:
     * Fixed vulnerability in image form fields that allows overwriting of
       arbitrary local files.
     * Fixed validation of "number" type preferences.
     * Fixed displaying unknown text MIME parts inline.
     * Many synchronization improvements.
     * Improved signup support.
     * Releasing memcache lock no longer takes 1 second.
     * Fixes when resetting passwords.
     * Export current locale to the environment.
     * Multiple other small bug fixes and improvements.

Jan Schneider | 14 Sep 14:32 2009

Kronolith H3 (2.3.2) (final)

The Horde Team is pleased to announce the final release of the Kronolith
Calendar Application version H3 (2.3.2).

Kronolith is the Horde calendar application.  It provides web-based calendars
backed by a SQL database or a Kolab server.  Supported features include shared
calendars, remote calendars, meeting management, alarms, recurring events, and
a sophisticated day/week view which handles arbitrary numbers of overlapping
events.

The major changes compared to the Kronolith version H3 (2.3.1) are:
     * Improved synchronization support.
     * Allow adding address lists as attendees through the address book popup.
     * Fixed several issues with all-day events.
     * Many minor bug fixes.

The full list of changes (from version H3 (2.3.1)) can be viewed here:

http://cvs.horde.org/diff.php/kronolith/docs/CHANGES?r1=1.165.2.258&r2=1.165.2.270&ty=h

The Kronolith H3 (2.3.2) distribution is available from the following locations:

     ftp://ftp.horde.org/pub/kronolith/kronolith-h3-2.3.2.tar.gz
     http://ftp.horde.org/pub/kronolith/kronolith-h3-2.3.2.tar.gz

Patches against version H3 (2.3.1) are available at:

     ftp://ftp.horde.org/pub/kronolith/patches/patch-kronolith-h3-2.3.1-h3-2.3.2.gz


Jan Schneider | 14 Sep 15:03 2009

Nag H3 (2.3.3) (final)

The Horde Team is pleased to announce the final release of the Nag Task List
Manager version H3 (2.3.3).

Nag is a web-based application built upon the Horde Application Framework which
provides a simple, clean interface for managing online task lists (i.e., todo
lists).  It also includes strong integration with the other Horde applications
and offers shared task lists.

The major changes compared to the Nag version H3 (2.3.2) are:
     * Improved synchronization support.
     * Display application name as task list name when listing external tasks.
     * Other minor bugfixes and improvements.

The full list of changes (from version H3 (2.3.2)) can be viewed here:

http://cvs.horde.org/diff.php/nag/docs/CHANGES?r1=1.115.2.113&r2=1.115.2.119&ty=h

The Nag H3 (2.3.3) distribution is available from the following locations:

     ftp://ftp.horde.org/pub/nag/nag-h3-2.3.3.tar.gz
     http://ftp.horde.org/pub/nag/nag-h3-2.3.3.tar.gz

Patches against version H3 (2.3.2) are available at:

     ftp://ftp.horde.org/pub/nag/patches/patch-nag-h3-2.3.2-h3-2.3.3.gz
     http://ftp.horde.org/pub/nag/patches/patch-nag-h3-2.3.2-h3-2.3.3.gz

Or, for quicker access, download from your nearest mirror:


Jan Schneider | 14 Sep 15:16 2009

Mnemo H3 (2.2.2) (final)

The Horde Team is pleased to announce the final release of the Mnemo Note
Manager version H3 (2.2.2).

The Mnemo Note Manager is the Horde notes/memos application.  It provides
web-based notes and freeform text, similar to the PalmOS Note application and
shared notepads.  It requires the Horde Application Framework and an SQL
database or Kolab server for backend storage.

Major changes compared to the Mnemo H3 (2.2.1) version are:
     * Improved synchronization support.
     * Added passphrase confirmation field.
     * Added a PostgreSQL-specific upgrade script.
     * Other bugfixes and improvements.

The full list of changes (from version H3 (2.2.1)) can be viewed here:

http://cvs.horde.org/diff.php/mnemo/docs/CHANGES?r1=1.63.2.68&r2=1.63.2.81&ty=h

The Mnemo H3 (2.2.2) distribution is available from the following locations:

     ftp://ftp.horde.org/pub/mnemo/mnemo-h3-2.2.2.tar.gz
     http://ftp.horde.org/pub/mnemo/mnemo-h3-2.2.2.tar.gz

Patches against version H3 (2.2.1) are available at:

     ftp://ftp.horde.org/pub/mnemo/patches/patch-mnemo-h3-2.2.1-h3-2.2.2.gz
     http://ftp.horde.org/pub/mnemo/patches/patch-mnemo-h3-2.2.1-h3-2.2.2.gz

Or, for quicker access, download from your nearest mirror:


mrubinsk | 14 Sep 17:12 2009

Ingo H3 (1.2.2) (final)

The Horde Team is pleased to announce the final release of the Ingo Email
Filter Rules Manager version H3 (1.2.2).

Ingo is an email-filter management application. It is fully internationalized,
integrated with Horde and the IMP Webmail client, and supports both
server-side (Sieve, procmail) and client-side (IMAP) rule creation.

Major changes compared to the Ingo H3 (1.2.1) version are:
     * Various fixes to the maildrop and procmail drivers.
     * Better default settings for forwards, vacation and spam rules.
     * Several VFS fixes.
     * Fixed determination of the spam folder.
     * Other bug fixes and improvements.

The full list of changes (from version H3 (1.2.1)) can be viewed here:

http://cvs.horde.org/diff.php/ingo/docs/CHANGES?r1=1.55.2.110&r2=1.55.2.125&ty=h

The Ingo H3 (1.2.2) distribution is available from the following locations:

     ftp://ftp.horde.org/pub/ingo/ingo-h3-1.2.2.tar.gz
     http://ftp.horde.org/pub/ingo/ingo-h3-1.2.2.tar.gz

Patches against version H3 (1.2.1) are available at:

     ftp://ftp.horde.org/pub/ingo/patches/patch-ingo-h3-1.2.1-h3-1.2.2.gz
     http://ftp.horde.org/pub/ingo/patches/patch-ingo-h3-1.2.1-h3-1.2.2.gz

NOTE: Patches do not contain differences between files containing binary data.
These files will need to be updated via the distribution files:

mrubinsk | 14 Sep 17:34 2009

IMP H3 (4.3.5) (final)

The Horde Team is pleased to announce the final release of the Internet
Messaging Program (IMP) version H3 (4.3.5).

IMP, the Internet Messaging Program, is one of the most popular webmail
applications available.  It allows universal, web-based access to IMAP and
POP3 mail servers and provides a full range of features normally found only in
desktop email clients.

The major changes compared to IMP version H3 (4.3.4) are:
     * Highlight signed messages depending on the signature verification.
     * Added hook examples for address book preferences.
     * Fixed some JavaScript if using IE 8.
     * Use correct charset when rendering inline PGP data.
     * Fixed renaming shared folders contained in empty namespaces.
     * Fixed spellcheck in text-mode for certain words in non-English locales.
     * Other minor bugfixes and improvements.

The full list of changes (from version H3 (4.3.4)) can be viewed here:

http://cvs.horde.org/diff.php/imp/docs/CHANGES?r1=1.699.2.388&r2=1.699.2.403&ty=h

The IMP H3 (4.3.5) distribution is available from the following locations:

     ftp://ftp.horde.org/pub/imp/imp-h3-4.3.5.tar.gz
     http://ftp.horde.org/pub/imp/imp-h3-4.3.5.tar.gz

Patches against version H3 (4.3.4) are available at:

     ftp://ftp.horde.org/pub/imp/patches/patch-imp-h3-4.3.4-h3-4.3.5.gz
     http://ftp.horde.org/pub/imp/patches/patch-imp-h3-4.3.4-h3-4.3.5.gz

mrubinsk | 14 Sep 17:49 2009

DIMP H3 (1.1.3) (final)

The Horde Team is pleased to announce the final release of the Dynamic
Internet Messaging Program (DIMP) version H3 (1.1.3).

DIMP (Dynamic Internet Messaging Program, or Dynamic IMP) is a PHP-based
webmail system and a component of the Horde project.  DIMP is a version of the
webmail client IMP utilizing AJAX-like technologies to allow a more dynamic
user experience than traditionally offered via IMP.

DIMP requires at least Horde version 3.2 and IMP version H3 (4.2) to run.
Although it is not required to upgrade either Horde or IMP, it is STRONGLY
RECOMMENDED that you do, as any bug fixes to core functionality will occur in
these applications.

DIMP version H3 (1.1.3) is a minor upgrade in the 1.x release series,
including these enhancements:
     * Fix deleting messages after undeleting.
     * Fix renaming folders with non-7bit characters.
     * Other bugfixes and performance/stability improvements.

The full list of changes (from version H3 (1.1.2)) can be viewed here:

http://cvs.horde.org/diff.php/dimp/docs/CHANGES?r1=1.69.2.73&r2=1.69.2.77&ty=h

The DIMP H3 (1.1.3) distribution is available from the following locations:

     ftp://ftp.horde.org/pub/dimp/dimp-h3-1.1.3.tar.gz
     http://ftp.horde.org/pub/dimp/dimp-h3-1.1.3.tar.gz

Patches against version H3 (1.1.2) are available at:
