=====================================================================
                                   CERT-Renater

                        Information Note No. 2009/VULN540
_____________________________________________________________________

DATE                      : 17/12/2009

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Horde Groupware, Horde Groupware Webmail Edition.

======================================================================
http://marc.info/?l=horde-announce&m=126100750018478&w=2
http://marc.info/?l=horde-announce&m=126101076422179&w=2
______________________________________________________________________

The Horde Team is pleased to announce the final release of the Horde Groupware
version 1.2.5.

This is a bugfix release that also fixes an XSS vulnerability in the
administration interface and improves the XSS filter to work around an XSS
vulnerability in Firefox browsers.

Thanks to Juan Galiana Lara and Daniel Fernández Bleda from Internet Security
Auditors for finding the XSS vulnerability in the administration interface.

Horde Groupware is a free, enterprise ready, browser based collaboration
suite. Users can manage and share calendars, contacts, tasks and notes with
the standards compliant components from the Horde Project.

The major changes compared to the Horde Groupware version 1.2.4 are:
     * Fixed XSS vulnerability in administrator scripts.
     * Several synchronization improvements.
     * Improved Oracle and MSSQL compatibility.
     * Fixed access keys on Mac browsers.
     * Fixed "white screen" issue with Internet Explorer.
     * Added preference for the name format to use for sorting contacts.
     * Support X-ANNIVERSARY, X-CHILDREN, and X-SPOUSE vCard fields.
     * Correctly track contact deletions during synchronization.
     * Fixed edge cases of weekly recurring events.
     * Fixed editing URLs of remote calendars.
     * Some speed improvements in the calendar.
     * Fixed importing task due dates.
     * Added Croatian translation.
     * Many further bug fixes and feature enhancements.

The full list of changes (from version 1.2.4) can be viewed here:

http://cvs.horde.org/diff.php/groupware/docs/groupware/CHANGES?r1=1.38.2.7&r2=1.38.2.9&ty=h

The Horde Groupware 1.2.5 distribution is available from the following
locations:

     ftp://ftp.horde.org/pub/horde-groupware/horde-groupware-1.2.5.tar.gz
     http://ftp.horde.org/pub/horde-groupware/horde-groupware-1.2.5.tar.gz

Patches against version 1.2.4 are available at:

     ftp://ftp.horde.org/pub/horde-groupware/patches/patch-horde-groupware-1.2.4-1.2.5.gz
     http://ftp.horde.org/pub/horde-groupware/patches/patch-horde-groupware-1.2.4-1.2.5.gz

Or, for quicker access, download from your nearest mirror:

     http://www.horde.org/mirrors.php

MD5 sums for the packages are as follows:

     f4953165d90a73135904531807895481  horde-groupware-1.2.5.tar.gz
     7c794a211c6261e6705bbad732fab2f7  patch-horde-groupware-1.2.4-1.2.5.gz

Have fun!

The Horde Team.

______________________________________________________________________________

The Horde Team is pleased to announce the final release of the Horde Groupware
Webmail Edition version 1.2.5.

This is a bugfix release that also fixes an XSS vulnerability in the
administration interface and improves the XSS filter to work around an XSS
vulnerability in Firefox browsers.

Thanks to Juan Galiana Lara and Daniel Fernández Bleda from Internet Security
Auditors for finding the XSS vulnerability in the administration interface.

Horde Groupware Webmail Edition is a free, enterprise ready, browser based
communication suite. Users can read, send and organize email messages with
three different webmail interfaces and manage and share calendars, contacts,
tasks and notes with the standards compliant components from the Horde
Project.

The major changes compared to the Horde Groupware Webmail Edition version
1.2.4 are:
     * Fixed XSS vulnerability in administrator scripts.
     * Improved XSS filter for HTML messages.
     * Several synchronization improvements.
     * Improved Oracle and MSSQL compatibility.
     * Fixed access keys on Mac browsers.
     * Fixed "white screen" issue with Internet Explorer.
     * Save References/In-Reply-To headers when saving a draft.
     * Fixed viewing certain S/MIME messages from Outlook (Express).
     * Fixed FCKEditor size in Internet Explorer.
     * Added preference for the name format to use for sorting contacts.
     * Support X-ANNIVERSARY, X-CHILDREN, and X-SPOUSE vCard fields.
     * Correctly track contact deletions during synchronization.
     * Improved/fixed vacation rules in maildrop and procmail drivers.
     * Fixed edge cases of weekly recurring events.
     * Fixed editing URLs of remote calendars.
     * Some speed improvements in the calendar.
     * Fixed importing task due dates.
     * Added Croatian translation.
     * Many further bug fixes and feature enhancements.

The full list of changes (from version 1.2.4) can be viewed here:

http://cvs.horde.org/diff.php/groupware/docs/webmail/CHANGES?r1=1.35.2.8&r2=1.35.2.9&ty=h

The Horde Groupware Webmail Edition 1.2.5 distribution is available
from the following locations:

     ftp://ftp.horde.org/pub/horde-webmail/horde-webmail-1.2.5.tar.gz
     http://ftp.horde.org/pub/horde-webmail/horde-webmail-1.2.5.tar.gz

Patches against version 1.2.4 are available at:

     ftp://ftp.horde.org/pub/horde-webmail/patches/patch-horde-webmail-1.2.4-1.2.5.gz
     http://ftp.horde.org/pub/horde-webmail/patches/patch-horde-webmail-1.2.4-1.2.5.gz

Or, for quicker access, download from your nearest mirror:

     http://www.horde.org/mirrors.php

MD5 sums for the packages are as follows:

     afb0fb1e2bdc685eba0673a9752a9761  horde-webmail-1.2.5.tar.gz
     b9d2865e7fba014796693602c3350bd2  patch-horde-webmail-1.2.4-1.2.5.gz

Have fun!

The Horde Team.

======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================


