[announce] Horde 3.0.7 (final)

Jan Schneider jan at horde.org
Tue Nov 22 09:09:39 PST 2005


The Horde Team is pleased to announce the final release of the Horde
Application Framework version 3.0.7.

This is a security release that fixes cross site scripting vulnerabilities in
two of Horde's MIME viewers. These holes could for example be exploited by an
attacker sending specially crafted emails to Horde's webmail client IMP. The
attack could be used to steal users' identity information, take over users'
sessions, or change users' settings.

As a hotfix, the css and tgz MIME drivers can be disabled by removing their
entries from the $mime_drivers_map['horde']['registered'] list in
horde/config/mime_drivers.php. Alternatively, these two patches can be
applied to lib/Horde/MIME/Viewer/tgz.php and lib/Horde/MIME/Viewer/css.php:
http://cvs.horde.org/diff.php/framework/MIME/MIME/Viewer/tgz.php?r1=1.37.10.9&r2=1.37.10.9.2.1&ty=u
http://cvs.horde.org/diff.php/framework/MIME/MIME/Viewer/css.php?r1=1.1.10.3&r2=1.1.10.3.2.1&ty=u

Many thanks to Daniel Schreckling who discovered this vulnerability.

The Horde Application Framework is a modular, general-purpose web application
framework written in PHP.  It provides an extensive array of classes that are
targeted at the common problems and tasks involved in developing modern web
applications.

Major changes compared to the Horde version 3.0.6 are:
    * Fixed cross site scripting vulnerabilities in the gzip/tar and css MIME
      viewers.
    * Fixed MySQL session handler.

The full list of changes (from version 3.0.6) can be viewed here:

http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.515.2.167.2.4&r2=1.515.2.167.2.7&ty=h

The Horde 3.0.7 distribution is available from the following locations:

    ftp://ftp.horde.org/pub/horde/horde-3.0.7.tar.gz
    http://ftp.horde.org/pub/horde/horde-3.0.7.tar.gz

Patches against version 3.0.6 are available at:

    ftp://ftp.horde.org/pub/horde/patches/patch-horde-3.0.6-3.0.7.gz
    http://ftp.horde.org/pub/horde/patches/patch-horde-3.0.6-3.0.7.gz

Or, for quicker access, download from your nearest mirror:

    http://www.horde.org/mirrors.php

MD5 sums for the packages are as follows:

    a34304b1f1e704ca745caa728c929938  horde-3.0.7.tar.gz
    d50e3d14ca1b2c3522fc4a7a0ec3c900  patch-horde-3.0.6-3.0.7.gz

Have fun!

The Horde Team.
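
One way to check that the hotfix described above has taken effect, as an added example that is not part of the original announcement and not Horde's own code: this Python script reads a mime_drivers.php and reports whether css or tgz is still in the registered list, ignoring commented-out entries. The sample config, the $example_note variable and the function names are constructed for illustration.

```python
import re
import sys

VULNERABLE = ("css", "tgz")  # viewers named in the announcement's hotfix

# A PHP string literal (group 1, kept) or a PHP comment (dropped).
TOKEN = re.compile(
    r"""('(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")|/\*.*?\*/|//[^\n]*|#[^\n]*""",
    re.S,
)
# $mime_drivers_map['horde']['registered'] = array( ... );
ASSIGN = re.compile(
    r"""\$mime_drivers_map\[\s*['"]horde['"]\s*\]\s*\[\s*['"]registered['"]\s*\]"""
    r"""\s*=\s*array\s*\((.*?)\)\s*;""",
    re.S,
)

# Constructed sample, not the shipped file: one entry is commented out and a
# hypothetical later string contains "/*", which must not start a comment.
SAMPLE_UNPATCHED = r"""<?php
$mime_drivers_map['horde']['registered'] = array(
    'css', 'enriched', 'html', 'images',
    // 'php',
    'tgz', 'vcard');
$example_note = 'a glob such as image/* stays a string';
"""


def registered_drivers(php_source):
    """Driver names in the last uncommented 'registered' assignment."""
    code = TOKEN.sub(lambda m: m.group(1) or "", php_source)
    lists = ASSIGN.findall(code)
    if not lists:
        raise ValueError("no $mime_drivers_map['horde']['registered'] assignment")
    return re.findall(r"""['"]([^'"]+)['"]""", lists[-1])  # last assignment wins


def still_enabled(php_source):
    """Hotfix-relevant viewers that are still registered (empty list = done)."""
    drivers = registered_drivers(php_source)
    return [name for name in VULNERABLE if name in drivers]


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    source = open(path, encoding="latin-1").read() if path else SAMPLE_UNPATCHED
    left = still_enabled(source)
    print("still registered:", ", ".join(left) if left else "none")
    sys.exit(1 if left else 0)
```

Run it with the path to horde/config/mime_drivers.php as the only argument; a non-zero exit status means at least one of the two viewers is still registered.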

