[horde] [SECURITY] Horde Groupware Webmail Edition 5.2.11 (final)

Michael J Rubinsky mrubinsk at horde.org
Mon Nov 2 15:01:28 UTC 2015


Quoting Philip Frei <pjf at gmx.de>:

> Hi,
>
> On Wed, 21 Oct 2015 23:43:34 -0400,
> Michael J Rubinsky <mrubinsk at horde.org> wrote:
>
>> SECURITY: Protect against CSRF attacks on various admin pages.
>
> Thanks for the updated version and your great work on Horde!
>
> Unfortunately there isn't an obvious commit log related to this point on
> Github which makes it a bit harder to backport such changes for distros
> like Debian.
> Is this[1] the relevant commit?
>
> It would be nice for the future to reference security fixes in the
> commit log.
>
> regards, Philip
>
>
> [1]
> https://github.com/horde/horde/commit/a199d74932c902844514b2a83d21e7e221257dae


Yes, that is the commit.

With "normal" bugs, we reference the public bug tracker ticket number  
in the change log, which normally shows the commits. For security  
issues, we don't make it obvious that it's a security issue being  
fixed when committing since this is publicly viewable before the
release goes out, which leaves existing installations more vulnerable.

If there is an available CVE number, we do post that in the CHANGES  
file though.

-- 
mike
The Horde Project
http://www.horde.org
https://www.facebook.com/hordeproject
https://www.twitter.com/hordeproject