[horde] Horde Groupware 1.1.6 (final)

Jan Schneider jan at horde.org
Mon Sep 14 09:33:57 UTC 2009

The Horde Team is pleased to announce the final release of the Horde Groupware
version 1.1.6.

This is a major security release that fixes a vulnerability in the form
library that allows overwriting of arbitrary local files with the permissions
of the web server user. It also fixes two XSS vulnerabilities in the
preference system and the MIME viewer library. The local file vulnerability
cannot be exploited with any application bundled with Horde Groupware
1.1.x. All users are encouraged to upgrade to this release.

Thanks to Stefan Esser from SektionEins for finding the local file issue in a
code audit, and Martin Geisler and David Wharton for finding the XSS issues.

Horde Groupware is a free, enterprise ready, browser based collaboration
suite. Users can manage and share calendars, contacts, tasks and notes with the
standards compliant components from the Horde Project.

The major changes compared to the Horde Groupware version 1.1.5 are:
     * Fixed unescaped output in the tag cloud block.
     * Fixed unvalidated Horde_Image driver name.

The full list of changes (from version 1.1.5) can be viewed here:


The Horde Groupware 1.1.6 distribution is available from the following  


Patches against version 1.1.5 are available at:


Or, for quicker access, download from your nearest mirror:


MD5 sums for the packages are as follows:

     1aaa69dd21a1331452b821ac143934f9  horde-groupware-1.1.6.tar.gz
     a5bbb3be10b6a671a82dac6db6965039  patch-horde-groupware-1.1.5-1.1.6.gz

Have fun!

The Horde Team.
