[horde] [SECURITY] Horde Groupware Webmail Edition 5.2.11 (final)
Michael J Rubinsky
mrubinsk at horde.org
Mon Nov 2 15:01:28 UTC 2015
Quoting Philip Frei <pjf at gmx.de>:
> Hi,
>
> On Wed, 21 Oct 2015 23:43:34 -0400,
> Michael J Rubinsky <mrubinsk at horde.org> wrote:
>
>> SECURITY: Protect against CSRF attacks on various admin pages.
>
> Thanks for the updated version and your great work on Horde!
>
> Unfortunately there isn't an obvious commit log related to this point on
> Github which makes it a bit harder to backport such changes for distros
> like Debian.
> Is this[1] the relevant commit?
>
> It would be nice for the future to reference security fixes in the
> commit log.
>
> regards, Philip
>
>
> [1]
> https://github.com/horde/horde/commit/a199d74932c902844514b2a83d21e7e221257dae
Yes, that is the commit.
With "normal" bugs, we reference the public bug tracker ticket number
in the change log, which normally shows the commits. For security
issues, we don't make it obvious that it's a security issue being
fixed when committing since this is publicly viewable before the
release goes out, which leaves existing installations more vulnerable.
If there is an available CVE number, we do post that in the CHANGES
file though.
--
mike
The Horde Project
http://www.horde.org
https://www.facebook.com/hordeproject
https://www.twitter.com/hordeproject