Horde Application Framework 3.1.4 fixes XSS issue
Friday, 16 March 2007
The Horde Team is pleased to announce the final release of the Horde
Application Framework version 3.1.4.
This is a bugfix release that also fixes an arbitrary file deletion
vulnerability, exploitable by local system users (not Horde users) on systems
that run the example cron cleanup script.
Many thanks to the iDefense Vulnerability Contributor Program for reporting
these problems and working with us to test the fixes.
The Horde Application Framework is a modular, general-purpose web application
framework written in PHP. It provides an extensive array of libraries that are
targeted at the common problems and tasks involved in developing modern web
Major changes compared to Horde 3.1.4-RC1 are:
* Correctly quote file names in cleanup script for temporary files.
* Detect unencrypted PGP messages.
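The quoting fix above addresses a classic shell bug: when a cleanup job feeds filenames through an unquoted expansion, a local user who can create entries in the temp directory controls the words the shell sees. The script below is an added illustration, not Horde's own temp-cleanup.cron and not the code iDefense reported against; the directory layout, the `horde` temp-dir naming and the `victim` file are constructed for the demo. It builds a throw-away sandbox, plants a subdirectory whose name ends in a space so that `find` prints a path containing the victim's absolute path as a separate word, and then runs a word-splitting cleanup loop beside a version that hands the matches straight to `rm` via `find -exec`.

```shell
#!/bin/sh
# Added example (hypothetical, not Horde's own cleanup script): an unquoted
# expansion in a temp-file cleanup loop versus a version that never lets
# filenames pass through shell word splitting.  Everything runs inside a
# sandbox created with mktemp, so nothing outside it is touched.

# Vulnerable pattern: $(find ...) is word-split on whitespace, and so is $f.
cleanup_unquoted() {
    tmpdir=$1
    for f in $(find "$tmpdir" -type f); do
        rm -f $f
    done
}

# Hardened pattern: find passes each matched path to rm as one argument;
# no shell word splitting or glob expansion takes place in between.
cleanup_quoted() {
    tmpdir=$1
    find "$tmpdir" -type f -exec rm -f -- '{}' +
}

# Build a sandbox: a temp dir the attacker can write to, plus a "victim"
# file elsewhere in the sandbox that the cron job was never meant to touch.
# The attacker creates a directory named "x " (trailing space) and, below
# it, the victim's absolute path, so find prints
#   <tmpdir>/x <sandbox>/victim
# which the unquoted loop splits into "<tmpdir>/x" and "<sandbox>/victim".
make_sandbox() {
    sb=$(mktemp -d)
    mkdir "$sb/tmp"
    echo secret > "$sb/victim"
    mkdir -p "$sb/tmp/x $sb"
    : > "$sb/tmp/x $sb/victim"
    printf '%s\n' "$sb"
}

# Run the given cleanup function on a fresh sandbox; returns 0 if the victim
# file is still there afterwards, 1 if the cleanup deleted it.
victim_survives() {
    fn=$1
    sb=$(make_sandbox)
    "$fn" "$sb/tmp" 2>/dev/null
    if [ -f "$sb/victim" ]; then rc=0; else rc=1; fi
    rm -rf "$sb"
    return $rc
}

if victim_survives cleanup_unquoted; then
    echo "unquoted loop: victim survived"
else
    echo "unquoted loop: victim DELETED (arbitrary file deletion)"
fi
if victim_survives cleanup_quoted; then
    echo "find -exec: victim survived"
else
    echo "find -exec: victim deleted"
fi
```

Run with any POSIX shell. The same trailing-space trick defeats `for f in $(ls ...)` and an unquoted `xargs rm` pipeline; the safe forms are `find ... -exec rm -f -- '{}' +` (shown), `find ... -print0 | xargs -0 rm -f --`, or `find ... -delete` where available. Note that `-f` is what turns the split-off first word (a directory, which `rm` refuses) into a silent no-op, so the loop carries on to the attacker's chosen path.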
Major changes compared to Horde 3.1.3 are:
* Rewritten Oracle session handler.
* Added vTimezone support to iCalendar API and ORG support to vCard API.
* Improved virtual domain support for Cyrus SQL authentication driver.
* Improved Samba authentication driver.
* Improved automatic webroot detection.
* Improved signature dimming.
* Improved compatibility of generated ZIP files.
* Fixed an XSS vulnerability in the language selection.
* Fixed validation of some email distribution lists.
* Several Kolab related fixes.
* Lots of small fixes and improvements.
* Updated Brazilian Portuguese, Catalan, Dutch, French, German, Portuguese
and Traditional Chinese translations.
The full list of changes (from version 3.1.3) can be viewed here:
The Horde 3.1.4 distribution is available from the following locations:
Patches against version 3.1.3 are available at:
Or, for quicker access, download from your nearest mirror:
MD5 sums for the packages are as follows:
The Horde Team.