IMP 3.2.6 released
IMP 3.2.6 has been released containing three security fixes in the HTML MIME viewer, used to view HTML messages, and a few updated translations.
These fixes don't really plug holes in the HTML viewer but are catching edge cases where stuffing javascript code into tag attributes causes this code to be executed in certain browsers. In all cases this is caused by browser behaviour or features not covered by any standard. Thus we will probably see more of such fixes while browsers get new features or new browser misbehaviours are discovered.
Client version 3.2.6.
IMP is the Internet Messaging Program. IMP allows universal, Web-based access
to IMAP and POP3 servers and provides full support for sending and receiving
attachments, and many other features normally only found in desktop email
clients.
Changes in this release:
- SECURITY: Removed tags with -moz-binding: styles in the HTML MIME viewer.
- SECURITY: Removed scripts from <base> tags in the HTML MIME viewer.
- SECURITY: Removed scripts from obfuscated "on..." attributes in the HTML MIME viewer.
- Updated translations: Slovak and Slovenian.
The script vulnerabilities can only be exposed with certain browsers and allow
XSS attacks when viewing HTML messages with the HTML MIME viewer.
Thanks to Martijn Brinkers and Jan Moesen for reporting the script
vulnerabilities.
The full list of changes (from version 3.2.5) can be viewed here:
The IMP 3.2.6 distribution is available from the following locations:
ftp://ftp.horde.org/pub/imp/imp-3.2.6.tar.gz
http://ftp.horde.org/pub/imp/imp-3.2.6.tar.gz
Patches against version 3.2.5 are available at:
ftp://ftp.horde.org/pub/imp/patches/patch-imp-3.2.5-3.2.6.gz
http://ftp.horde.org/pub/imp/patches/patch-imp-3.2.5-3.2.6.gz
Or, for quicker access, download from your nearest mirror:
http://www.horde.org/mirrors.php
MD5 sums for the packages are as follows:
0a12763bef44a1928f59cc72da7d854d imp-3.2.6.tar.gz
0b45780a98c5483eb9cba296bdfdc029 patch-imp-3.2.5-3.2.6.gz
Have fun!
The Horde Team.
