[horde] Horde Groupware Webmail Edition 1.2.4 (final)

Jan Schneider jan at horde.org
Mon Sep 14 20:01:23 UTC 2009


The Horde Team is pleased to announce the final release of the Horde Groupware
Webmail Edition version 1.2.4.

This is a major security release that fixes a vulnerability in the form
library that allows overwriting of arbitrary local files with the permissions
of the web server user. It also fixes two XSS vulnerabilities in the
preference system and the MIME viewer library. The local file vulnerability
can only be exploited by users who have write permissions to the address
book. All users are encouraged to upgrade to this release.

Thanks to Stefan Esser from SektionEins for finding the local file issue in a
code audit, and Martin Geisler and David Wharton for finding the XSS issues.

Horde Groupware Webmail Edition is a free, enterprise ready, browser based
communication suite. Users can read, send and organize email messages with
three different webmail interfaces and manage and share calendars, contacts,
tasks and notes with the standards compliant components from the Horde
Project.

The major changes compared to the Horde Groupware Webmail Edition version
1.2.3 are:
     * Fixed vulnerability in image form fields that allows overwriting of
       arbitrary local files.
     * Fixed validation of "number" type preferences.
     * Fixed displaying unknown text MIME parts inline.
     * Many synchronization improvements.
     * Bundled a complete, working PEAR installation.
     * Improved signup support.
     * Releasing memcache lock no longer takes 1 second.
     * Fixes when resetting passwords.
     * Export current locale to the environment.
     * Highlight signed messages depending on the signature verification.
     * Automatically set address book preferences.
     * Fixed some javascript if using IE 8.
     * Use correct charset when rendering inline PGP data.
     * Fixed renaming shared folders contained in empty namespaces.
     * Fixed spellcheck in text-mode for certain words in non-English locales.
     * Fix deleting messages after undeleting in dynamic view.
     * Fix renaming folders with non-7bit characters in dynamic view.
     * Ignore 'compose_html' preference in IMP in mobile view.
     * Fix showing Cc and Bcc fields in mobile view.
     * Various fixes to the maildrop and procmail drivers.
     * Better default settings for forwards, vacation and spam rules.
     * Several VFS fixes in filters.
     * Fixed determination of the spam folder in filters.
     * Allow to add address lists as event attendees through the address book
       popup.
     * Fixed several issues with all-day events.
     * Display application name as task list name when listing external tasks.
     * Added passphrase confirmation field for encrypted notes.
     * Many further bug fixes and feature enhancements.

The full list of changes (from version 1.2.3) can be viewed here:

http://cvs.horde.org/diff.php/groupware/docs/webmail/CHANGES?r1=1.35.2.3&r2=1.35.2.8&ty=h

The Horde Groupware Webmail Edition 1.2.4 distribution is available from the
following locations:

     ftp://ftp.horde.org/pub/horde-webmail/horde-webmail-1.2.4.tar.gz
     http://ftp.horde.org/pub/horde-webmail/horde-webmail-1.2.4.tar.gz

Patches against version 1.2.3 are available at:

     ftp://ftp.horde.org/pub/horde-webmail/patches/patch-horde-webmail-1.2.3-1.2.4.gz
     http://ftp.horde.org/pub/horde-webmail/patches/patch-horde-webmail-1.2.3-1.2.4.gz

Or, for quicker access, download from your nearest mirror:

     http://www.horde.org/mirrors.php

MD5 sums for the packages are as follows:

     b5f86cf7e688703d1ba99ba5335b7393  horde-webmail-1.2.4.tar.gz
     abab9c21822db5114ba369fd52241ab3  patch-horde-webmail-1.2.3-1.2.4.gz

Have fun!

The Horde Team.

