=====================================================================
                            CERT-Renater

                 Information Note No. 2006/VULN123
_____________________________________________________________________

DATE                  : 31/03/2006

HARDWARE PLATFORM(S)  : /

OPERATING SYSTEM(S)   : Systems running Horde versions 3.0 and above.

======================================================================
http://lists.horde.org/archives/announce/2006/000271.html
http://lists.horde.org/archives/announce/2006/000272.html
*********************************************************************

Horde 3.1.1 (final)

The Horde Team is releasing a critical security fix for the Horde
Application Framework versions 3.0 and above. Version 2.x and earlier
releases are not affected.

The Horde Application Framework is a modular, general-purpose web
application framework written in PHP. It provides an extensive array of
classes that are targeted at the common problems and tasks involved in
developing modern web applications.

Major changes compared to Horde 3.1 are:

    * Security Fixes
      - Fix for remote code execution vulnerability in the help viewer,
        discovered by Jan Schneider from the Horde team.
    * Small bugfixes and improvements
      - Fixed export and synchronization of events across daylight
        saving time changes.
      - Improved mysql session handler.
      - Improved support for Internet Explorer 7 and Opera Mini browsers.
      - Fixed quota support for some VFS drivers.
      - Fixed menu wrapping with Kolab and Purple theme.

The full list of changes (from version 3.1) can be viewed here:

    http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.515.2.222&r2=1.515.2.231&ty=h

The Horde 3.1.1 distribution is available from the following locations:

    ftp://ftp.horde.org/pub/horde/horde-3.1.1.tar.gz
    http://ftp.horde.org/pub/horde/horde-3.1.1.tar.gz

Patches against version 3.1 are available at:

    ftp://ftp.horde.org/pub/horde/patches/patch-horde-3.1-3.1.1.gz
    http://ftp.horde.org/pub/horde/patches/patch-horde-3.1-3.1.1.gz

Or, for quicker access, download from your nearest mirror:

    http://www.horde.org/mirrors.php

MD5 sums for the packages are as follows:

    MD5 (horde-3.1.1.tar.gz) = ef5001144b80422b71454d285056e90a
    MD5 (patch-horde-3.1-3.1.1.gz) = 69d1e51cbe3fa919d102f9a1ba2ebc47

Have fun!

The Horde Team.

--------------------------------------------------------------------------------------

Horde 3.0.10 (final)

The Horde Team is releasing a critical security fix for the Horde
Application Framework versions 3.0 and above. Version 2.x and earlier
releases are not affected.

The Horde Application Framework is a modular, general-purpose web
application framework written in PHP. It provides an extensive array of
classes that are targeted at the common problems and tasks involved in
developing modern web applications.

Changes compared to Horde 3.0.9 are:

    * Fix for remote code execution vulnerability in the help viewer,
      discovered by Jan Schneider from the Horde team.
    * Fixed a few minor bugs.

The full list of changes (from version 3.0.9) can be viewed here:

    http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.515.2.167.2.16&r2=1.515.2.167.2.18&ty=h

The Horde 3.0.10 distribution is available from the following locations:

    ftp://ftp.horde.org/pub/horde/horde-3.0.10.tar.gz
    http://ftp.horde.org/pub/horde/horde-3.0.10.tar.gz

Patches against version 3.0.9 are available at:

    ftp://ftp.horde.org/pub/horde/patches/patch-horde-3.0.9-3.0.10.gz
    http://ftp.horde.org/pub/horde/patches/patch-horde-3.0.9-3.0.10.gz

Or, for quicker access, download from your nearest mirror:

    http://www.horde.org/mirrors.php

MD5 sums for the packages are as follows:

    MD5 (horde-3.0.10.tar.gz) = c6f9fd0e2e4d9898d31d2fcf8a2fe4c8
    MD5 (patch-horde-3.0.9-3.0.10.gz) = 071223bacc083ba62bdd30c32f964c54

Have fun!

The Horde Team.

======================================================================

=========================================================
CERT-Renater reference servers
    http://www.urec.fr/securite
    http://www.cru.fr/securite
    http://www.renater.fr
=========================================================
+ CERT-RENATER         | tel : 01-53-94-20-44           +
+ 151 bd de l'Hopital  | fax : 01-53-94-20-41           +
+ 75013 Paris          | email: certsvp@renater.fr      +
=========================================================