[announce] Nag H3 (2.0.4) (final)
chuck@horde.org
chuck at horde.org
Sun Dec 11 11:40:37 PST 2005
The Horde Team is pleased to announce the final release of the Nag Task List
Manager version H3 (2.0.4).
This is a security release that fixes cross-site scripting
vulnerabilities in several of the tasklist name and task data
fields. None of the vulnerabilities can be exploited by
unauthenticated users; however, we strongly recommend that all users
of Nag 2.0.3 upgrade to 2.0.4 as soon as possible.
Many thanks to Johannes Greil of SEC Consult
(http://www.sec-consult.com/) for reporting these problems and working
with us to test the fixes.
Nag is a web-based application built upon the Horde Application Framework which
provides a simple, clean interface for managing online task lists (i.e., TODO
lists). It also includes strong integration with the other Horde applications
and offers shared task lists.
The major changes compared to the Nag H3 (2.0.3) version are:
* Close several XSS vulnerabilities with task and tasklist data.
The full list of changes (from version H3 (2.0.3)) can be viewed here:
http://cvs.horde.org/diff.php/nag/docs/CHANGES?r1=1.115.2.20&r2=1.115.2.21.2.2&ty=h
The Nag H3 (2.0.4) distribution is available from the following locations:
ftp://ftp.horde.org/pub/nag/nag-h3-2.0.4.tar.gz
http://ftp.horde.org/pub/nag/nag-h3-2.0.4.tar.gz
Patches against version H3 (2.0.3) are available at:
ftp://ftp.horde.org/pub/nag/patches/patch-nag-h3-2.0.3-h3-2.0.4.gz
http://ftp.horde.org/pub/nag/patches/patch-nag-h3-2.0.3-h3-2.0.4.gz
Or, for quicker access, download from your nearest mirror:
http://www.horde.org/mirrors.php
MD5 sums for the packages are as follows:
bc405088672f0118c2e27f35dfff1a67 nag-h3-2.0.4.tar.gz
54f5e6a717031fed6c97f645f68595e3 patch-nag-h3-2.0.3-h3-2.0.4.gz
Have fun!
The Horde Team.