New security releases for the old version branches
Horde 2.2.8, IMP 3.2.8, Turba 1.2.5, Kronolith 1.1.4, Nag 1.1.3, Mnemo 1.1.4, Chora 1.2.3, Accounts 2.1.2, Forwards 2.2.2, Passwd 2.2.2, and Vacation 2.2.2 have been released to close a minor XSS vulnerability in all Horde applications.
This XSS bug was already fixed earlier in the H3 versions. It can be used to execute JavaScript in the context of the user's session. To trigger an exploit, the user must click on a prepared link while logged in to Horde. Such a link would only work outside of Horde, e.g. on an external site, because JavaScript is filtered out of links displayed inside Horde, e.g. in HTML mails viewed with IMP. We therefore consider the threat low.
These are the other changes released with these versions:
IMP:
- Fixed display of small MIME parts with some translations.
- Fixed "Save as" link to save message sources.
- Updated Arabic (Syria) translation.
Turba:
- Fixed a warning with the LDAP driver.
- Updated Galician translation.
Chora:
- Fixed diffs on Windows systems.
- Updated German translation.
Accounts:
- Added Polish translation.
- Updated German translation.
Forwards:
- Added Polish translation.
- Updated German translation.
Passwd:
- Added configuration option to change user name.
- Allow setting the LDAP protocol version.
- Added Estonian translation.
- Updated German and Traditional Chinese translations.
Vacation:
- Fixed VFS support in qmail driver.
- Added Polish translation.
- Updated German translation.