[announce] [SECURITY] Horde Groupware Webmail Edition 1.1.3 (final)

Jan Schneider jan at horde.org
Wed Sep 10 13:08:36 UTC 2008


The Horde Team is pleased to announce the final release of the Horde Groupware
Webmail Edition version 1.1.3.

This is a security release that fixes unescaped output in the MIME library
(CVE-2008-3823), and further improves the XSS filter for HTML messages
(CVE-2008-3824). The unescaped output vulnerability can be triggered by
sending specially crafted e-mail messages to users of Horde Groupware Webmail
Edition. All users are encouraged to upgrade to this version.

Many thanks to Alexios Fakos for detecting these vulnerabilities, and oCERT
for notifying us.

Horde Groupware Webmail Edition is a free, enterprise-ready, browser-based
communication suite. Users can read, send and organize email messages with
three different webmail interfaces and manage and share calendars, contacts,
tasks and notes with the standards-compliant components from the Horde
Project.

The major changes compared to the Horde Groupware Webmail Edition version
1.1.2 are:
     * Fixed unescaped output in the MIME library.
     * Further improved the XSS filter for HTML.

The full list of changes (from version 1.1.2) can be viewed here:

http://cvs.horde.org/diff.php/groupware/docs/webmail/CHANGES?r1=1.24&r2=1.25&ty=h

The Horde Groupware Webmail Edition 1.1.3 distribution is available from the
following locations:

     ftp://ftp.horde.org/pub/horde-webmail/horde-webmail-1.1.3.tar.gz
     http://ftp.horde.org/pub/horde-webmail/horde-webmail-1.1.3.tar.gz

Patches against version 1.1.2 are available at:

     ftp://ftp.horde.org/pub/horde-webmail/patches/patch-horde-webmail-1.1.2-1.1.3.gz
     http://ftp.horde.org/pub/horde-webmail/patches/patch-horde-webmail-1.1.2-1.1.3.gz

Or, for quicker access, download from your nearest mirror:

     http://www.horde.org/mirrors.php

MD5 sums for the packages are as follows:

     a7c812ae4f5e3ebe7cf86cca30981c71  horde-webmail-1.1.3.tar.gz
     5406aa41feb16b0e759ff1ba658be9b1  patch-horde-webmail-1.1.2-1.1.3.gz

Have fun!

The Horde Team.

