=====================================================================
                                   CERT-Renater

                        Information Note No. 2006/VULN387
_____________________________________________________________________

DATE                      : 07/07/2006

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Horde versions 3.0 and above.

======================================================================

http://lists.horde.org/archives/announce/2006/000287.html
http://lists.horde.org/archives/announce/2006/000288.html
______________________________________________________________________

The Horde Team is pleased to announce the final release of the Horde
Application Framework version 3.0.11.

This is a security release that fixes cross-site scripting vulnerabilities in
three places and removes some unused proxy code.

Many thanks to Moritz Naumann for reporting these problems and working with us
to test the fixes.

The Horde Application Framework is a modular, general-purpose web application
framework written in PHP.  It provides an extensive array of classes that are
targeted at the common problems and tasks involved in developing modern web
applications.

Changes compared to Horde 3.0.10 are:
     * Closed XSS problems in dereferrer (IE only), help viewer and problem
       reporting screen.
     * Removed unused image proxy code from dereferrer.

The full list of changes (from version 3.0.10) can be viewed here:

http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.515.2.167.2.18&r2=1.515.2.167.2.22&ty=h

The Horde 3.0.11 distribution is available from the following locations:

     ftp://ftp.horde.org/pub/horde/horde-3.0.11.tar.gz
     http://ftp.horde.org/pub/horde/horde-3.0.11.tar.gz

Patches against version 3.0.10 are available at:

     ftp://ftp.horde.org/pub/horde/patches/patch-horde-3.0.10-3.0.11.gz
     http://ftp.horde.org/pub/horde/patches/patch-horde-3.0.10-3.0.11.gz

Or, for quicker access, download from your nearest mirror:

     http://www.horde.org/mirrors.php

MD5 sums for the packages are as follows:

     0bcc14dad2457fd1383c54df326a6d69  horde-3.0.11.tar.gz
     1c93d771a3875a55c002ae0811835bd9  patch-horde-3.0.10-3.0.11.gz

Have fun!

The Horde Team.

------------------------------------------------------------------------

The Horde Team is pleased to announce the final release of the Horde
Application Framework version 3.1.2.

This is a bugfix release that also fixes cross-site scripting vulnerabilities
in three places and removes some unused proxy code.

Many thanks to Moritz Naumann for reporting these problems and working with us
to test the fixes.

The Horde Application Framework is a modular, general-purpose web application
framework written in PHP.  It provides an extensive array of classes that are
targeted at the common problems and tasks involved in developing modern web
applications.

Major changes compared to Horde 3.1.1 are:
     * Security Fixes
       - Closed XSS problems in dereferrer (IE only), help viewer and problem
         reporting screen.
       - Removed unused image proxy code from dereferrer.
     * Bugfixes and improvements
       - Added configuration option to disable GET-based sessions.
       - Added Oracle and generic SQL upgrade scripts.
       - Improved default charset support.
       - Improved API and RPC interface.
       - Fixed the preference cache.

The full list of changes (from version 3.1.1) can be viewed here:

http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.515.2.231&r2=1.515.2.252&ty=h

The Horde 3.1.2 distribution is available from the following locations:

     ftp://ftp.horde.org/pub/horde/horde-3.1.2.tar.gz
     http://ftp.horde.org/pub/horde/horde-3.1.2.tar.gz

Patches against version 3.1.1 are available at:

     ftp://ftp.horde.org/pub/horde/patches/patch-horde-3.1.1-3.1.2.gz
     http://ftp.horde.org/pub/horde/patches/patch-horde-3.1.1-3.1.2.gz

Or, for quicker access, download from your nearest mirror:

     http://www.horde.org/mirrors.php

MD5 sums for the packages are as follows:

     2c1f3e5759fa6bca07483d584151771f  horde-3.1.2.tar.gz
     9150eb94c0c059232039083abf36d787  patch-horde-3.1.1-3.1.2.gz

Have fun!

The Horde Team.

======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================


