[horde] Horde Groupware Webmail Edition 1.0.1 (final)

Jan Schneider jan at horde.org
Fri Mar 16 19:56:07 UTC 2007


The Horde Team is pleased to announce the final release of the Horde Groupware
Webmail Edition version 1.0.1.

This is a bugfix release that also fixes an arbitrary file deletion
vulnerability exploitable by local system (not Horde) users on systems using
the example cron cleanup script, and cross site scripting vulnerabilities in
the language selection and the webmail interface.

Many thanks to the iDefense Vulnerability Contributor Program for reporting
the file deletion problem, and to the "Immerda Project Group"
(http://www.immmerda.ch) and Moritz Naumann (http://moritz-naumann.com/) for
reporting the webmail problems, and working with us to test the fixes.

Horde Groupware Webmail Edition is a free, enterprise ready, browser based
communication suite. Users can read, send and organize email messages and
manage and share calendars, contacts, tasks and notes with the standards
compliant components from the Horde Project.

Major changes compared to Horde Groupware Webmail Edition 1.0 are:
    * Correctly quote file names in cleanup script for temporary files.
    * Fixed an XSS vulnerability in the language selection.
    * Fixed XSS vulnerabilities in the webmail search screen and thread view.
    * Detect unencrypted PGP messages.
    * Turned mailto: links in HTML emails into IMP compose links.
    * Rewritten Oracle session handler.
    * Added vTimezone support to iCalendar API and ORG support to vCard API.
    * Improved compatibility with Internet Explorer 7.
    * Improved virtual domain support for Cyrus SQL authentication driver.
    * Improved Samba authentication driver.
    * Improved automatic webroot detection.
    * Improved signature dimming.
    * Improved compatibility of generated ZIP files.
    * Improved calendar support for non-ASCII character sets.
    * Improved vCard support.
    * Fixed blacklists and whitelists when using the IMAP driver.
    * Fixed validation of some email distribution lists.
    * Lots of small fixes and improvements.
    * Updated Brazilian Portuguese, Catalan, Dutch, Finnish, French, German,
      Portuguese and Traditional Chinese translations.

The full list of changes (from version 1.0) can be viewed here:

http://cvs.horde.org/diff.php/groupware/docs/webmail/CHANGES?r1=1.5&r2=1.10&ty=h

The Horde Groupware Webmail Edition 1.0.1 distribution is available from the following locations:

    ftp://ftp.horde.org/pub/horde-webmail/horde-webmail-1.0.1.tar.gz
    http://ftp.horde.org/pub/horde-webmail/horde-webmail-1.0.1.tar.gz

Patches against version 1.0 are available at:

    ftp://ftp.horde.org/pub/horde-webmail/patches/patch-horde-webmail-1.0-1.0.1.gz
    http://ftp.horde.org/pub/horde-webmail/patches/patch-horde-webmail-1.0-1.0.1.gz

Or, for quicker access, download from your nearest mirror:

    http://www.horde.org/mirrors.php

MD5 sums for the packages are as follows:

    7a69079a4b2be7275399cc9a7dd8a906  horde-webmail-1.0.1.tar.gz
    e88578d39139b640bcaab478a0c7460d  patch-horde-webmail-1.0-1.0.1.gz

Have fun!

The Horde Team.

