[announce] Horde 3.0.8 (final)
chuck at horde.org
Sun Dec 11 11:50:57 PST 2005
The Horde Team is pleased to announce the final release of the Horde
Application Framework version 3.0.8.
This is a security release that fixes cross site scripting
vulnerabilities in several of Horde's templates. None of the
vulnerabilities can be exploited by unauthenticated users; however, we
strongly recommend that all users of Horde 3.0.7 upgrade to 3.0.8 as
soon as possible.
Many thanks to Johannes Greil of SEC Consult
(http://www.sec-consult.com/) for reporting these problems and working
with us to test the fixes.
The Horde Application Framework is a modular, general-purpose web application
framework written in PHP. It provides an extensive array of classes that are
targeted at the common problems and tasks involved in developing modern web
Major changes compared to the Horde version 3.0.7 are:
* Fix escaping of data in the preferences templates.
* Fix escaping of data in the data import templates.
* Fix output escaping of Horde_Form_Type_cellphone in UI_VarRenderer_htm=
* Close several XSS problems in the share edit window.
* When deleting an identity, don't show the deleted identity
in the default identity select dropdown on the next page load.
* Fix weather.com portal block.
The full list of changes (from version 3.0.7) can be viewed here:
The Horde 3.0.8 distribution is available from the following locations:
Patches against version 3.0.7 are available at:
Or, for quicker access, download from your nearest mirror:
MD5 sums for the packages are as follows:
The Horde Team.