[imp] IMP 2.2.4 (SECURITY) released
Darron Froese
darron@froese.org
Fri, 02 Feb 2001 11:03:52 -0700
> The Horde team announces the availability of IMP 2.2.4 -- this version
> improves IMP's filtering of malicious HTML scripting constructs in HTML
> attachments, which can be used by an attacker to run scripting code in
> the user's browser. Administrators of IMP 2.2.x production systems are
> encouraged to upgrade to prevent this kind of attack against your users.
>
> This release also contains a long list of bug fixes and minor improvements,
> most notably the fix for attachment downloading for IE 5.5 users. For a
> complete list of changes in this release, please consult the docs/CHANGES
> files.
>
> Credits:
>
> Thanks to Nick Cleaton <nick@cleaton.net> for reporting the HTML scripting
> vulnerability. A specific exploit for this problem is known, but at
> his request we are not providing details at this time. Other webmail
> products are also vulnerable to a similar attack, and this will give
> their developers a little more time to implement a fix.
It appears that the file:
imp/templates/menu/main.inc
has mysteriously changed its name from imp 2.2.3 to 2.2.4 to:
imp/templates/menu/menu.inc.

That's causing a little havoc with the imp patch not working too well - at
least on my default 2.2.3 install. ;-)

If you're having problems with the patch, just rename that file and it
should work just fine - it worked for me.
--
darron
darron@froese.org