[announce] Kronolith H3 (2.0.6) (final)

chuck@horde.org chuck at horde.org
Sun Dec 11 11:32:19 PST 2005


The Horde Team is pleased to announce the final release of the Kronolith
Calendar Application version H3 (2.0.6).

This is a security release that fixes cross site scripting
vulnerabilities in several of the calendar name and event data
fields. None of the vulnerabilities can be exploited by
unauthenticated users; however, we strongly recommend that all users
of Kronolith 2.0.5 upgrade to 2.0.6 as soon as possible.

Many thanks to Johannes Greil of SEC Consult
(http://www.sec-consult.com/) for reporting these problems and working
with us to test the fixes.

Kronolith is the Horde calendar application.  It provides web-based calendar=
s
backed by a SQL database, the MCAL library, or a Kolab server.  Supported
features include shared calendars, remote calendars, meeting management,
alarms, recurring events, and a sophisticated day/week view which handles
arbitrary numbers of overlapping events.

Major changes compared to the Kronolith version H3 (2.0.5) are:
    * Close several XSS problems with calendar and event fields.

The full list of changes (from version H3 (2.0.5)) can be viewed here:

http://cvs.horde.org/diff.php/kronolith/docs/CHANGES?r1=3D1.165.2.69.2.1&r2=
=3D1.165.2.69.2.5&ty=3Dh

The Kronolith H3 (2.0.6) distribution is available from the following locati=
ons:

    ftp://ftp.horde.org/pub/kronolith/kronolith-h3-2.0.6.tar.gz
    http://ftp.horde.org/pub/kronolith/kronolith-h3-2.0.6.tar.gz

Patches against version H3 (2.0.5) are available at:

    ftp://ftp.horde.org/pub/kronolith/patches/patch-kronolith-h3-2.0.5-h3-2.=
0.6.gz
    http://ftp.horde.org/pub/kronolith/patches/patch-kronolith-h3-2.0.5-h3-2=
.0.6.gz

Or, for quicker access, download from your nearest mirror:

    http://www.horde.org/mirrors.php

MD5 sums for the packages are as follows:

    c0c6bad037911ef689bc4f4da5be0047  kronolith-h3-2.0.6.tar.gz
    262d3f216ccac6d6ed244ba2958e112d  patch-kronolith-h3-2.0.5-h3-2.0.6.gz

Have fun!

The Horde Team.


More information about the announce mailing list