[announce] Nag H3 (2.0.4) (final)
chuck at horde.org
Sun Dec 11 11:40:37 PST 2005
The Horde Team is pleased to announce the final release of the Nag Task List
Manager version H3 (2.0.4).
This is a security release that fixes cross site scripting
vulnerabilities in several of the tasklist name and task data
fields. None of the vulnerabilities can be exploited by
unauthenticated users; however, we strongly recommend that all users
of Nag 2.0.3 upgrade to 2.0.4 as soon as possible.
Many thanks to Johannes Greil of SEC Consult
(http://www.sec-consult.com/) for reporting these problems and working
with us to test the fixes.
Nag is a web-based application built upon the Horde Application Framework wh=
provides a simple, clean interface for managing online task lists (i.e., TOD=
lists). It also includes strong integration with the other Horde applicatio=
and offers shared task lists.
The major changes compared to the Nag H3 (2.0.3) version are:
* Close several XSS vulnerabilities with task and tasklist data.
The full list of changes (from version H3 (2.0.3)) can be viewed here:
The Nag H3 (2.0.4) distribution is available from the following locations:
Patches against version H3 (2.0.3) are available at:
Or, for quicker access, download from your nearest mirror:
MD5 sums for the packages are as follows:
The Horde Team.
More information about the announce