[horde] Security patch for 2.2.3 to 2.2.4RC1?

Chuck Hagenbuch chuck at horde.org
Fri Aug 22 10:53:12 PDT 2003


Quoting M Vaidy <madhav_vaidy at yahoo.com>:

> On 2003-08-04 Horde released version 2.2.4 release
> candidate 1, which contained a security fix
> regarding session ids.

Actually, no.

1. The security report which claimed that was rather obnoxious.
2. It ignored the fact that the "vulnerability" only exists if you don't use
cookie-based sessions.
3. They didn't talk to us at all. Where they got the idea that there was a "fix"
in 2.2.4-RC1, we'll never know.

Nevertheless, the issue is fixed for GET-based sessions in HEAD and in RELENG_3,
and will be in the next rc.

> Is there a security patch available for version 2.2.3
> to fix this bug? Or do I need to upgrade to 2.2.4
> release candidate 1?

1. Just use cookie-based sessions.
2. You'll have to upgrade.

-chuck

--
Charles Hagenbuch, <chuck at horde.org>
They're just looking at a wall of meat.


