[announce] IMP 3.2.6 (final)

Jan Schneider jan at horde.org
Mon Sep 20 08:02:31 PDT 2004


The Horde Team is pleased to announce the official release of the IMP Webmail
Client version 3.2.6.

IMP is the Internet Messaging Program. IMP allows universal, Web-based access
to IMAP and POP3 servers and provides full support for sending and receiving
attachments, and many other features normally only found in desktop email
clients.

Changes in this release:
    - SECURITY: Removed tags with -moz-binding: styles in the HTML MIME viewer.
    - SECURITY: Removed scripts from <base> tags in the HTML MIME viewer.
    - SECURITY: Removed scripts from obfuscated "on..." attributes in the HTML
      MIME viewer.
    - Updated translations: Slovak and Slovenian.

The script vulnerabilities can only be exposed with certain browsers and allow
XSS attacks when viewing HTML messages with the HTML MIME viewer.

Thanks to Martijn Brinkers and Jan Moesen for reporting the script
vulnerabilities.

The full list of changes (from version 3.2.5) can be viewed here:

http://cvs.horde.org/diff.php/imp/docs/CHANGES?r1=1.389.2.109&r2=1.389.2.111&ty=h

The IMP 3.2.6 distribution is available from the following locations:

    ftp://ftp.horde.org/pub/imp/imp-3.2.6.tar.gz
    http://ftp.horde.org/pub/imp/imp-3.2.6.tar.gz

Patches against version 3.2.5 are available at:

    ftp://ftp.horde.org/pub/imp/patches/patch-imp-3.2.5-3.2.6.gz
    http://ftp.horde.org/pub/imp/patches/patch-imp-3.2.5-3.2.6.gz

Or, for quicker access, download from your nearest mirror:

    http://www.horde.org/mirrors.php

MD5 sums for the packages are as follows:

    0a12763bef44a1928f59cc72da7d854d  imp-3.2.6.tar.gz
    0b45780a98c5483eb9cba296bdfdc029  patch-imp-3.2.5-3.2.6.gz

Have fun!

The Horde Team.


More information about the announce mailing list