[horde] SECURITY: Horde_Auth 1.0.4
Jan Schneider
jan at horde.org
Wed Jun 8 14:49:21 UTC 2011
The Horde Team has released version 1.0.4 of the Horde_Auth framework package.
This is an important security release that fixes a serious bug in the
composite authentication driver that could allow a user to access the
Horde system even though authentication failed for a sub-driver.
Affected are all versions of the Horde_Auth library from 1.0.0alpha1
to 1.0.3. Only systems using the composite authentication driver are
affected. Horde applications that require another login step, e.g.
IMP, are not affected, even if this 2nd authentication is done
transparently.
All affected systems should update the Horde_Auth package IMMEDIATELY.
This can be done using the PEAR installer:
pear upgrade horde/horde_auth
The Horde Team.
More information about the horde
mailing list