IMP 2.2.4 (SECURITY) released

Brent J. Nordquist bjn@horde.org
Thu, 1 Feb 2001 16:18:47 -0600 (CST)


The Horde team announces the availability of IMP 2.2.4 -- this version
improves IMP's filtering of malicious HTML scripting constructs in HTML
attachments, which can be used by an attacker to run scripting code in
the user's browser.  Administrators of IMP 2.2.x production systems are
encouraged to upgrade to prevent this kind of attack against their users.

This release also contains a long list of bug fixes and minor improvements,
most notably the fix for attachment downloading for IE 5.5 users.  For a
complete list of changes in this release, please consult the docs/CHANGES
files.

Credits:

Thanks to Nick Cleaton <nick@cleaton.net> for reporting the HTML scripting
vulnerability.  A specific exploit for this problem is known, but at
his request we are not providing details at this time.  Other webmail
products are also vulnerable to a similar attack, and this will give
their developers a little more time to implement a fix.

Please notify <security@horde.org> of security issues related to Horde
and IMP.

Download:

This release can be downloaded from the following locations:

	ftp://ftp.horde.org/pub/horde/
	ftp://ftp.horde.org/pub/imp/

MD5 checksums:

34c4dad1b7d4f7043e5cd8fc0e1b8eba  horde-1.2.4.tar.gz
2c13da892a0d9bc16b328b834453908c  imp-2.2.4.tar.gz
739355e33c23cdd8a53ff2347d7c6d99  patch-horde-1.2.3-1.2.4.gz
f657510902217046a892f3e03ae418a6  patch-imp-2.2.3-2.2.4.gz

-- 
Brent J. Nordquist <bjn@horde.org>
Yahoo!: Brent_Nordquist / AIM: BrentJNordquist / ICQ: 76158942