[announce] [SECURITY] Horde 3.2.5 (final)

Jan Schneider jan at horde.org
Mon Sep 14 08:17:10 UTC 2009


The Horde Team is pleased to announce the final release of the Horde
Application Framework version 3.2.5.

This is a major security release that fixes a vulnerability in the form
library that allows overwriting of arbitrary local files with the permissions
of the web server user. It also fixes two XSS vulnerabilities in the
preference system and the MIME viewer library. The local file vulnerability
can only be exploited when running an application that uses image form fields,
like Turba H3 (2.3) or Ansel, and only by users who have write permissions to
those applications. All users are encouraged to upgrade to this release.

Thanks to Stefan Esser from SektionEins for finding the local file issue in a
code audit, and Martin Geisler and David Wharton for finding the XSS issues.

The Horde Application Framework is a modular, general-purpose web application
framework written in PHP.  It provides an extensive array of classes that are
targeted at the common problems and tasks involved in developing modern web
applications.

The major changes compared to the Horde version 3.2.4 are:
     * Fixed vulnerability in image form fields that allows overwriting of
       arbitrary local files.
     * Fixed validation of "number" type preferences.
     * Fixed displaying unknown text MIME parts inline.

The full list of changes (from version 3.2.4) can be viewed here:

http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.515.2.413.2.5&r2=1.515.2.413.2.8&ty=h

The Horde 3.2.5 distribution is available from the following locations:

     ftp://ftp.horde.org/pub/horde/horde-3.2.5.tar.gz
     http://ftp.horde.org/pub/horde/horde-3.2.5.tar.gz

Patches against version 3.2.4 are available at:

     ftp://ftp.horde.org/pub/horde/patches/patch-horde-3.2.4-3.2.5.gz
     http://ftp.horde.org/pub/horde/patches/patch-horde-3.2.4-3.2.5.gz

Or, for quicker access, download from your nearest mirror:

     http://www.horde.org/mirrors.php

MD5 sums for the packages are as follows:

     432c065232075080867ca3bfef9b47ea  horde-3.2.5.tar.gz
     78d2c47dd6222c27a82488f0335584dc  patch-horde-3.2.4-3.2.5.gz

Have fun!

The Horde Team.


More information about the announce mailing list