[announce] Horde H3 (3.0.8) (final)

chuck@horde.org chuck at horde.org
Sun Dec 11 11:29:32 PST 2005


The Horde Team is pleased to announce the final release of the Horde
Application Framework version 3.0.8.

This is a security release that fixes cross site scripting
vulnerabilities in several of Horde's templates. None of the
vulnerabilities can be exploited by unauthenticated users; however, we
strongly recommend that all users of Horde 3.0.7 upgrade to 3.0.8 as
soon as possible.

Many thanks to Johannes Greil of SEC Consult
(http://www.sec-consult.com/) for reporting these problems and working
with us to test the fixes.

The Horde Application Framework is a modular, general-purpose web application
framework written in PHP.  It provides an extensive array of classes that are
targeted at the common problems and tasks involved in developing modern web
applications.

Major changes compared to the Horde version 3.0.7 are:
    * Fix escaping of data in the preferences templates.
    * Fix escaping of data in the data import templates.
    * Fix output escaping of Horde_Form_Type_cellphone in UI_VarRenderer_html.
    * Close several XSS problems in the share edit window.
    * When deleting an identity, don't show the deleted identity
      in the default identity select dropdown on the next page load.
    * Fix weather.com portal block.

The full list of changes (from version H3 (3.0.7)) can be viewed here:

http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.515.2.167.2.7&r2=1.515.2.167.2.13&ty=h

The Horde H3 (3.0.8) distribution is available from the following locations:

    ftp://ftp.horde.org/pub/horde/horde-h3-3.0.8.tar.gz
    http://ftp.horde.org/pub/horde/horde-h3-3.0.8.tar.gz

Patches against version H3 (3.0.7) are available at:

    ftp://ftp.horde.org/pub/horde/patches/patch-horde-h3-3.0.7-h3-3.0.8.gz
    http://ftp.horde.org/pub/horde/patches/patch-horde-h3-3.0.7-h3-3.0.8.gz

Or, for quicker access, download from your nearest mirror:

    http://www.horde.org/mirrors.php

MD5 sums for the packages are as follows:

    ed7db625cbe32adaf320ded5917ff491  horde-h3-3.0.8.tar.gz
    e403b1bcb4fd72a5dca0385a17ea43ee  patch-horde-h3-3.0.7-h3-3.0.8.gz

Have fun!

The Horde Team.

