=====================================================================
CERT-Renater Note d'Information No. 2011/VULN367
_____________________________________________________________________

DATE                 : 06/05/2011
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Horde version 4 prior to 4.0.2.
======================================================================

http://lists.horde.org/archives/announce/2011/000621.html
http://www.horde.org/apps/horde/docs/CHANGES
______________________________________________________________________

The Horde Team is pleased to announce the final release of the Horde
Application Framework version 4.0.2.

The Horde Application Framework is a flexible, modular, general-purpose
web application framework written in PHP. It provides an extensive array
of components that are targeted at the common problems and tasks involved
in developing modern web applications. It is the basis for a large number
of production-level web applications, notably the Horde Groupware suites.

For more information on Horde or the Horde Groupware suites, visit
http://www.horde.org.

To upgrade from earlier releases, you only have to run:

    pear upgrade -c horde

For detailed installation and configuration instructions, please see
http://www.horde.org/apps/horde/docs/INSTALL

The major changes compared to the Horde version 4.0.1 are:

    * Fixed permission checks of guest users on system shares.
    * Fixed incomplete XSS filtering.
    * Many small bugfixes and improvements.

The full list of changes can be viewed here:
https://github.com/horde/horde/blob/ce81de3e372f726bd2679d17f2e15f88d13203c5/horde/docs/CHANGES

Have fun!

The Horde Team.
_______________________________________________________________________

------
v4.0.2
------

[jan] SECURITY: Fix permission checks of guest users on system shares.
[mms] SECURITY: Fix deletion of unwanted HTML nodes in XSS filter.
[mms] Fix authentication failure when TOS is not accepted.
[jan] Don't show IMP compose link if user doesn't have permissions to IMP (Bug #10016).
[mms] Fix issue causing slow syncs only in SyncML (Bug #10008).
[jan] Fix adding categories.
[jan] Fix listing users in Customsql driver (Bug #9963).
[jan] Fix calculation of last password change in LDAP account portal block (Bug #9770).
[jan] Don't check for outdated DB schemas if database support is disabled (Bug #9986).
[mjr] Fix editing settings of fixed portal blocks (Bug #9910).
======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44 +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41 +
+ 75013 Paris           | email: certsvp@renater.fr +
=========================================================
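A way to confirm, before and after running `pear upgrade -c horde`, whether a host still carries a `horde` package older than the 4.0.2 release that ships the two SECURITY fixes listed above. This is an added example, not part of the CERT-Renater note nor of Horde's or PEAR's own tooling; the `pear list -c horde` output it parses is a constructed sample whose column layout (Package, Version, State) is assumed, and the version comparison handles dotted numeric versions only.

```shell
#!/bin/sh
# Added example: report whether the installed "horde" PEAR package is older
# than the release carrying the v4.0.2 SECURITY fixes. Not Horde/PEAR code.

FIXED_VERSION="4.0.2"

# Constructed sample of "pear list -c horde" output (column layout assumed).
# On a real host, pipe the live output instead:  pear list -c horde | horde_needs_upgrade
SAMPLE_PEAR_LIST='Installed packages, channel pear.horde.org:
=========================================
Package            Version State
Horde_Core         1.0.1   stable
Horde_Text_Filter  1.0.0   stable
horde              4.0.1   stable'

# installed_horde_version: read pear list output on stdin and print the
# version column of the "horde" package; exit 1 if that package is absent.
installed_horde_version() {
    awk '$1 == "horde" { print $2; found = 1 } END { exit !found }'
}

# version_lt A B: succeed when dotted numeric version A is strictly lower
# than B (missing components count as 0, so 4.0 == 4.0.0 and 4.0.10 > 4.0.2).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1
    }'
}

# horde_needs_upgrade: read pear list output on stdin, print a verdict and
# exit 0 when an upgrade to $FIXED_VERSION is still required, 1 when the
# installed version is already at or above it, 2 when horde is not installed.
horde_needs_upgrade() {
    ver=$(installed_horde_version) || { echo "horde package not installed"; return 2; }
    if version_lt "$ver" "$FIXED_VERSION"; then
        echo "horde $ver is affected: run 'pear upgrade -c horde' (need >= $FIXED_VERSION)"
        return 0
    fi
    echo "horde $ver is at or above $FIXED_VERSION"
    return 1
}

# Run against the constructed sample (4.0.1 installed -> upgrade required).
printf '%s\n' "$SAMPLE_PEAR_LIST" | horde_needs_upgrade
```

The check keys on the `horde` package alone because that is the package the advisory's version range refers to; the other Horde_* libraries from the same channel are upgraded by the same `pear upgrade -c horde` command, so a clean run of that command is still the actual remediation.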