Security releases for Horde 3.0.x and Horde 3.1
During a security audit I discovered a flaw in Horde's help viewer that allows remote command execution on the web server. All versions since Horde 3.0 are affected, and all Horde users are strongly encouraged to upgrade their Horde installations to Horde 3.0.10 or Horde 3.1.1. You should be able to apply the patch from 3.0.9 to 3.0.10 on most 3.0.x versions older than 3.0.9. We decided to delay public disclosure and the new releases until this Tuesday noon (European time), so as not to collide with the weekend and to give European administrators the chance to update in the afternoon and American admins the chance to update in the morning.
Official release announcements:
The Horde Team is releasing a critical security fix for the Horde Application Framework versions 3.0 and above. Version 2.x and earlier releases are not affected.
The Horde Application Framework is a modular, general-purpose web application framework written in PHP. It provides an extensive array of classes that are targeted at the common problems and tasks involved in developing modern web applications.
Major changes compared to Horde 3.1 are:
- Security Fixes
  - Fix for remote code execution vulnerability in the help viewer, discovered by Jan Schneider from the Horde team.
- Small bugfixes and improvements
  - Fixed export and synchronization of events across daylight saving time changes.
  - Improved MySQL session handler.
  - Improved support for Internet Explorer 7 and Opera Mini browsers.
  - Fixed quota support for some VFS drivers.
  - Fixed menu wrapping with Kolab and Purple theme.
Changes compared to Horde 3.0.9 are:
- Fix for remote code execution vulnerability in the help viewer, discovered by Jan Schneider from the Horde team.
- Fixed a few minor bugs.