Draft release announcement for 2.2.4
Brent J. Nordquist
bjn@horde.org
Thu, 1 Feb 2001 09:21:30 -0600 (CST)
[Any other "most notably" changes?]
Subject: IMP 2.2.4 (SECURITY) released
The Horde team announces the availability of IMP 2.2.4 -- this version
improves IMP's filtering of malicious HTML scripting constructs in HTML
attachments, which can be used by an attacker to run scripting code in
the user's browser. Administrators of IMP 2.2.x production systems are
encouraged to upgrade to prevent this kind of attack against your users.
This release also contains a long list of bug fixes and minor improvements,
most notably the fix for attachment downloading for IE 5.5 users. For a
complete list of changes in this release, please consult the docs/CHANGES
files.
Credits:
Thanks to Nick Cleaton <nick@cleaton.net> for reporting the HTML scripting
vulnerability. A specific exploit for this problem is known, but at
his request we are not providing details at this time. Other webmail
products are also vulnerable to a similar attack, and this will give
their developers a little more time to implement a fix.
Please notify <security@horde.org> of security issues related to Horde
and IMP.
Download:
This release can be downloaded from the following locations:
ftp://ftp.horde.org/pub/horde/
ftp://ftp.horde.org/pub/imp/
MD5 checksums:
00000000000000000000000000000000 horde-1.2.4.tar.gz
00000000000000000000000000000000 imp-2.2.4.tar.gz
00000000000000000000000000000000 patch-horde-1.2.3-1.2.4.gz
00000000000000000000000000000000 patch-imp-2.2.3-2.2.4.gz
--
Brent J. Nordquist <bjn@horde.org>
Yahoo!: Brent_Nordquist / AIM: BrentJNordquist / ICQ: 76158942
>From chuck@horde.org Date: Thu, 1 Feb 2001 10:24:04 -0500
Return-Path: <chuck@horde.org>
Mailing-List: contact dev-help@lists.horde.org; run by ezmlm
Delivered-To: mailing list dev@lists.horde.org
Received: (qmail 32293 invoked from network); 1 Feb 2001 15:24:58 -0000
Received: from r94aag005136.sbo-smr.ma.cable.rcn.com (HELO marina.horde.org) (209.6.192.126)
by horde.org with SMTP; 1 Feb 2001 15:24:58 -0000
Received: by marina.horde.org (Postfix, from userid 33)
id 96B1239F5; Thu, 1 Feb 2001 10:24:04 -0500 (EST)
Received: from 206.243.191.252 ( [206.243.191.252])
as user chuck@marina by marina.horde.org with HTTP;
Thu, 1 Feb 2001 10:24:04 -0500
Message-ID: <981041044.3a797f945ece8@marina.horde.org>
Date: Thu, 1 Feb 2001 10:24:04 -0500
From: Chuck Hagenbuch <chuck@horde.org>
To: dev@lists.horde.org
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 8bit
User-Agent: Internet Messaging Program (IMP) 2.3.7-cvs
Subject: Re: [dev] Draft release announcement for 2.2.4
Quoting "Brent J. Nordquist" <bjn@horde.org>:
> The Horde team announces the availability of IMP 2.2.4 -- this version
> improves IMP's filtering of malicious HTML scripting constructs in HTML
> attachments, which can be used by an attacker to run scripting code in
> the user's browser. Administrators of IMP 2.2.x production systems are
> encouraged to upgrade to prevent this kind of attack against your users.
I'd like to see this read "Administrators of IMP 2.2.x productions systems who
have enabled reading HTML email are ...", since we do have it disabled by
default.
-chuck
--
Charles Hagenbuch, <chuck@horde.org>
"My intuitive grasp of math often leads me astray." -Me