[announce] SECURITY: Horde_Auth 1.0.4

Jan Schneider jan at horde.org
Wed Jun 8 14:49:21 UTC 2011


The Horde Team has released version 1.0.4 of the Horde_Auth framework package.

This is an important security release that fixes a serious bug in the  
composite authentication driver that could allow a user to access the  
Horde system even though authentication failed for a sub-driver.

Affected are all versions of the Horde_Auth library from 1.0.0alpha1  
to 1.0.3. Only systems using the composite authentication driver are  
affected. Horde applications that require another login step, e.g.
IMP, are not affected, even if this second authentication is done
transparently.

All affected systems should update the Horde_Auth package IMMEDIATELY.  
This can be done using the PEAR installer:

    pear upgrade horde/horde_auth

The Horde Team.
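
The following triage script is an added example, not part of the announcement and not Horde code. It tests whether an installed Horde_Auth version falls inside the affected range stated above (1.0.0alpha1 to 1.0.3), ordering alpha/beta/RC pre-releases before the stable release. The function names, the sample listing and the assumed column layout of the "pear list -c horde" output are assumptions made for illustration.

```shell
#!/bin/sh
# Added triage example, not part of the Horde announcement.
# Assumption: PEAR-style versions "X.Y.Z" with optional alphaN/betaN/RCN suffix,
# each numeric part below 1000.

# Print a fixed-width numeric sort key for a version; return 1 if unparseable.
version_key() {
    n='(0|[1-9][0-9]*)'
    parsed=$(printf '%s\n' "$1" | sed -n -E \
        "s/^$n\.$n\.$n((alpha|beta|RC)$n)?\$/\1 \2 \3 \5 \6/p")
    [ -n "$parsed" ] || return 1
    set -- $parsed   # $1..$3 = X Y Z, $4 = stage name, $5 = stage number
    case "${4:-stable}" in
        alpha) stage=1 ;;
        beta)  stage=2 ;;
        RC)    stage=3 ;;
        *)     stage=4 ;;   # no suffix: a stable release sorts after its RCs
    esac
    # Leading "1" keeps the key free of leading zeros for integer comparison.
    printf '1%03d%03d%03d%d%03d\n' "$1" "$2" "$3" "$stage" "${5:-0}"
}

# Return 0 if VERSION is in the announced range 1.0.0alpha1 .. 1.0.3,
# 1 if it is outside the range, 2 if it cannot be parsed.
horde_auth_affected() {
    key=$(version_key "$1") || return 2
    low=$(version_key 1.0.0alpha1)
    high=$(version_key 1.0.3)
    [ "$key" -ge "$low" ] && [ "$key" -le "$high" ]
}

# Read a package listing on stdin and print the Horde_Auth version column.
version_from_pear_list() {
    awk '$1 == "Horde_Auth" { print $2; exit }'
}

# Constructed sample listing (layout assumed); on a real host pipe in the
# output of: pear list -c horde
SAMPLE_PEAR_LIST='Package      Version State
Horde_Auth   1.0.3   stable
Horde_Core   1.1.0   stable'

installed=$(printf '%s\n' "$SAMPLE_PEAR_LIST" | version_from_pear_list)
horde_auth_affected "$installed"
case $? in
    0) echo "Horde_Auth $installed is affected: run pear upgrade horde/horde_auth" ;;
    1) echo "Horde_Auth $installed is outside the affected range" ;;
    *) echo "Could not parse Horde_Auth version: '$installed'" ;;
esac
```

The script checks the package version only; whether the composite authentication driver is configured has to be confirmed separately on each system.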


