[announce] Horde Groupware 1.1.3 (final)

Jan Schneider jan at horde.org
Wed Sep 10 12:35:52 UTC 2008

The Horde Team is pleased to announce the final release of the Horde Groupware
version 1.1.3.

This is a security release that fixes unescaped output in the MIME library
(CVE-2008-3823), and further improves the XSS filter for HTML messages
(CVE-2008-3824). The unescaped output vulnerability can be triggered by
sending specially crafted e-mail messages to Horde Groupware users, e.g. if
they use a Horde mail client. Since Horde Groupware doesn't contain a mail
client or any applications that use either of the affected libraries, users
are only vulnerable if additional applications, that use them, have been

Many thanks to Alexios Fakos for detecting these vulnerabilities, and oCERT
for notifying us.

Horde Groupware is a free, enterprise ready, browser based collaboration
suite. Users can manage and share calendars, contacts, tasks and notes  
with the
standards compliant components from the Horde Project.

The major changes compared to the Horde Groupware version 1.1.2 are:
     * Fixed unescaped output in the MIME library.
     * Further improved the XSS filter for HTML.

The full list of changes (from version 1.1.2) can be viewed here:


The Horde Groupware 1.1.3 distribution is available from the following  


Patches against version 1.1.2 are available at:


Or, for quicker access, download from your nearest mirror:


MD5 sums for the packages are as follows:

     22012f913a9d0524bab5c9bd67f5fa94  horde-groupware-1.1.3.tar.gz
     6492fc451a675cd1ca82e9a80c7e2580  patch-horde-groupware-1.1.2-1.1.3.gz

Have fun!

The Horde Team.

More information about the announce mailing list