[announce] Horde 3.0.8 (final)

chuck@horde.org chuck at horde.org
Sun Dec 11 11:50:57 PST 2005

The Horde Team is pleased to announce the final release of the Horde
Application Framework version 3.0.8.

This is a security release that fixes cross site scripting
vulnerabilities in several of Horde's templates. None of the
vulnerabilities can be exploited by unauthenticated users; however, we
strongly recommend that all users of Horde 3.0.7 upgrade to 3.0.8 as
soon as possible.

Many thanks to Johannes Greil of SEC Consult
(http://www.sec-consult.com/) for reporting these problems and working
with us to test the fixes.

The Horde Application Framework is a modular, general-purpose web applicatio=
framework written in PHP.  It provides an extensive array of classes that ar=
targeted at the common problems and tasks involved in developing modern web

Major changes compared to the Horde version 3.0.7 are:
    * Fix escaping of data in the preferences templates.
    * Fix escaping of data in the data import templates.
    * Fix output escaping of Horde_Form_Type_cellphone in UI_VarRenderer_htm=
    * Close several XSS problems in the share edit window.
    * When deleting an identity, don't show the deleted identity
      in the default identity select dropdown on the next page load.
    * Fix weather.com portal block.

The full list of changes (from version 3.0.7) can be viewed here:


The Horde 3.0.8 distribution is available from the following locations:


Patches against version 3.0.7 are available at:


Or, for quicker access, download from your nearest mirror:


MD5 sums for the packages are as follows:

    ac681a1fafa0b1f1940da15471c4637a  horde-3.0.8.tar.gz
    23a8abf448063eb428bc91429c457c1a  patch-horde-3.0.7-3.0.8.gz

Have fun!

The Horde Team.

More information about the announce mailing list