[announce] Nag H3 (2.0.4) (final)

chuck@horde.org chuck at horde.org
Sun Dec 11 11:40:37 PST 2005

The Horde Team is pleased to announce the final release of the Nag Task List
Manager version H3 (2.0.4).

This is a security release that fixes cross site scripting
vulnerabilities in several of the tasklist name and task data
fields. None of the vulnerabilities can be exploited by
unauthenticated users; however, we strongly recommend that all users
of Nag 2.0.3 upgrade to 2.0.4 as soon as possible.

Many thanks to Johannes Greil of SEC Consult
(http://www.sec-consult.com/) for reporting these problems and working
with us to test the fixes.

Nag is a web-based application built upon the Horde Application Framework wh=
provides a simple, clean interface for managing online task lists (i.e., TOD=
lists).  It also includes strong integration with the other Horde applicatio=
and offers shared task lists.

The major changes compared to the Nag H3 (2.0.3) version are:
    * Close several XSS vulnerabilities with task and tasklist data.

The full list of changes (from version H3 (2.0.3)) can be viewed here:


The Nag H3 (2.0.4) distribution is available from the following locations:


Patches against version H3 (2.0.3) are available at:


Or, for quicker access, download from your nearest mirror:


MD5 sums for the packages are as follows:

    bc405088672f0118c2e27f35dfff1a67  nag-h3-2.0.4.tar.gz
    54f5e6a717031fed6c97f645f68595e3  patch-nag-h3-2.0.3-h3-2.0.4.gz

Have fun!

The Horde Team.

More information about the announce mailing list