[horde] Horde Groupware Webmail Edition 1.1.6 (final)

Jan Schneider jan at horde.org
Mon Sep 14 10:11:58 UTC 2009


The Horde Team is pleased to announce the final release of the Horde Groupware
Webmail Edition version 1.1.6.

This is a major security release that fixes a vulnerability in the form
library that allows overwriting of arbitrary local files with the permissions
of the web server user. It also fixes two XSS vulnerabilities in the
preference system and the MIME viewer library. The local file vulnerability
cannot be exploited with any application bundled with Horde Groupware Webmail
Edition 1.1.x. All users are encouraged to upgrade to this release.

Thanks to Stefan Esser from SektionEins for finding the local file issue in a
code audit, and Martin Geisler and David Wharton for finding the XSS issues.

Horde Groupware Webmail Edition is a free, enterprise ready, browser based
communication suite. Users can read, send and organize email messages with
three different webmail interfaces and manage and share calendars, contacts,
tasks and notes with the standards compliant components from the Horde
Project.

The major changes compared to the Horde Groupware Webmail Edition version
1.1.5 are:
     * Fixed vulnerability in image form fields that allows overwriting of
       arbitrary local files.
     * Fixed validation of "number" type preferences.
     * Fixed displaying unknown text MIME parts inline.

The full list of changes (from version 1.1.5) can be viewed here:

http://cvs.horde.org/diff.php/groupware/docs/webmail/CHANGES?r1=1.25.2.6&r2=1.25.2.7&ty=h

The Horde Groupware Webmail Edition 1.1.6 distribution is available from the
following locations:

     ftp://ftp.horde.org/pub/horde-webmail/horde-webmail-1.1.6.tar.gz
     http://ftp.horde.org/pub/horde-webmail/horde-webmail-1.1.6.tar.gz

Patches against version 1.1.5 are available at:

     ftp://ftp.horde.org/pub/horde-webmail/patches/patch-horde-webmail-1.1.5-1.1.6.gz
     http://ftp.horde.org/pub/horde-webmail/patches/patch-horde-webmail-1.1.5-1.1.6.gz

Or, for quicker access, download from your nearest mirror:

     http://www.horde.org/mirrors.php

MD5 sums for the packages are as follows:

     827e21f25f5f43af3fd51959c1d02b23  horde-webmail-1.1.6.tar.gz
     faedde6cb6a5835994bfaf4faee95931  patch-horde-webmail-1.1.5-1.1.6.gz

Have fun!

The Horde Team.

