[announce] Kronolith H3 (2.0.6) (final)

chuck@horde.org chuck at horde.org
Sun Dec 11 11:32:19 PST 2005

The Horde Team is pleased to announce the final release of the Kronolith
Calendar Application version H3 (2.0.6).

This is a security release that fixes cross site scripting
vulnerabilities in several of the calendar name and event data
fields. None of the vulnerabilities can be exploited by
unauthenticated users; however, we strongly recommend that all users
of Kronolith 2.0.5 upgrade to 2.0.6 as soon as possible.

Many thanks to Johannes Greil of SEC Consult
(http://www.sec-consult.com/) for reporting these problems and working
with us to test the fixes.

Kronolith is the Horde calendar application.  It provides web-based calendar=
backed by a SQL database, the MCAL library, or a Kolab server.  Supported
features include shared calendars, remote calendars, meeting management,
alarms, recurring events, and a sophisticated day/week view which handles
arbitrary numbers of overlapping events.

Major changes compared to the Kronolith version H3 (2.0.5) are:
    * Close several XSS problems with calendar and event fields.

The full list of changes (from version H3 (2.0.5)) can be viewed here:


The Kronolith H3 (2.0.6) distribution is available from the following locati=


Patches against version H3 (2.0.5) are available at:


Or, for quicker access, download from your nearest mirror:


MD5 sums for the packages are as follows:

    c0c6bad037911ef689bc4f4da5be0047  kronolith-h3-2.0.6.tar.gz
    262d3f216ccac6d6ed244ba2958e112d  patch-kronolith-h3-2.0.5-h3-2.0.6.gz

Have fun!

The Horde Team.

More information about the announce mailing list