[announce] [SECURITY] Horde 3.2.2 (final)

Jan Schneider jan at horde.org
Wed Sep 10 10:40:50 UTC 2008


The Horde Team is pleased to announce the final release of the Horde
Application Framework version 3.2.2.

This is a security release that fixes unescaped output in the MIME library
(CVE-2008-3823), and further improves the XSS filter for HTML messages
(CVE-2008-3824). The unescaped output vulnerability can be triggered by
sending specially crafted e-mail messages to Horde users, if they use a Horde
mail client. All users are encouraged to upgrade to this version.

Many thanks to Alexios Fakos for detecting these vulnerabilities, and oCERT
for notifying us.

The Horde Application Framework is a modular, general-purpose web application
framework written in PHP. It provides an extensive array of classes that are
targeted at the common problems and tasks involved in developing modern web
applications.

The major changes compared to the Horde version H3 (3.2.1) are:
     * Fixed unescaped output in the MIME library.
     * Further improved the XSS filter for HTML.

The full list of changes (from version 3.2.1) can be viewed here:

http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.515.2.413&r2=1.515.2.413.2.1&ty=h

The Horde 3.2.2 distribution is available from the following locations:

     ftp://ftp.horde.org/pub/horde/horde-3.2.2.tar.gz
     http://ftp.horde.org/pub/horde/horde-3.2.2.tar.gz

Patches against version 3.2.1 are available at:

     ftp://ftp.horde.org/pub/horde/patches/patch-horde-3.2.1-3.2.2.gz
     http://ftp.horde.org/pub/horde/patches/patch-horde-3.2.1-3.2.2.gz

NOTE: Patches do not contain differences between files containing binary data.
These files will need to be updated via the distribution files.

Or, for quicker access, download from your nearest mirror:

     http://www.horde.org/mirrors.php

MD5 sums for the packages are as follows:

     69bdd06641371b80762e866dbf3bd22e  horde-3.2.2.tar.gz
     0e89fd6f4319a427397e04a90389b61a  patch-horde-3.2.1-3.2.2.gz
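The announcement publishes MD5 sums so that a downloaded tarball or patch can be checked before it is unpacked and applied. The following POSIX shell helper is an added example, not part of the Horde release or this announcement: it computes the digest of a local file with `md5sum` (or `openssl` where `md5sum` is absent), compares it case-insensitively against the published value, and returns a non-zero status on mismatch or missing file so it can gate an automated upgrade script. The file names and digests in the usage comments are the ones listed above; the function name `verify_md5` is this example's own.

```shell
#!/bin/sh
# verify_md5 FILE EXPECTED_MD5
# Returns 0 when FILE's MD5 digest equals EXPECTED_MD5 (hex, case-insensitive),
# 1 when the digests differ, the file is missing, or no digest tool is available.
verify_md5() {
    file=$1
    # Normalise the published digest to lower-case hex for comparison.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }

    # GNU coreutils prints "<digest>  <file>"; openssl prints "MD5(<file>)= <digest>".
    if command -v md5sum >/dev/null 2>&1; then
        actual=$(md5sum "$file" | awk '{print $1}')
    elif command -v openssl >/dev/null 2>&1; then
        actual=$(openssl dgst -md5 "$file" | awk '{print $NF}')
    else
        echo "no md5sum or openssl found" >&2
        return 1
    fi

    if [ "$actual" = "$expected" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file: expected $expected, got $actual" >&2
    return 1
}

# Usage, after downloading the distribution or patch into the current directory
# (digests copied from the announcement; both calls must succeed before upgrading):
#   verify_md5 horde-3.2.2.tar.gz 69bdd06641371b80762e866dbf3bd22e && \
#   verify_md5 patch-horde-3.2.1-3.2.2.gz 0e89fd6f4319a427397e04a90389b61a
```

Because the function reports failure through its exit status rather than only by printing, it composes with `set -e` or an `&&` chain, so an upgrade script stops before extracting a tarball whose digest does not match the published one.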

Have fun!

The Horde Team.
