EGroupware SECURITY and bugfix release 1.8.004

classic Classic list List threaded Threaded
1 message Options
Ralf Becker Stylite AG Ralf Becker Stylite AG
Reply | Threaded
Open this post in threaded view

EGroupware SECURITY and bugfix release 1.8.004

This release contains a fix for a XSS (cross-site-scripting)
vulnerability, it is recommended to update ASAP!

Thanks to Marcos M Garcia <> for discovering and
reporting the problem to us.

The release contains a couple of database schema updates, unlike regular
minor version updates. Unfortunately this cant be helped for the

The new version contains 4 major parts:

a) already mentioned fix for a XSS (cross-site-scripting) vulnerability

b) backported security features from Trunk:
- more secure password hashing types: sha512_crypt, sha256_crypt
- enable automatic migration to sha512_crypt, if accounts in SQL or LDAP
(but only on Linux, as OpenLDAP has not native support for it)
- session listing without the need of a listable (less secure) session

c) numerous CalDAV and CardDAV fixes (EGroupware 1.8.004 is now far more
standard compliant then 1.8.002!)
- show calendars and addressbooks selected to sync under user calendar-
or addressbook-home-set allowing clients to automatic detect them
- CalDAV scheduling support allows clients eg. to show free busy status
of invited participants
- client can choose the url for new events or contacts (standard
- allow clients to store attributes (eg. calendar colors) via PROPPATCH
- store unknown attributes (eg. location based alarms) in custom fields
in InfoLog
- CardDAV works now with LDAP backend
- ability to log and display CalDAV/CardDAV traffic without access to
commandline of server

--> CalDAV/CardDAV is now recommended over SyncML, which will be no
longer supported in the next major release!

d) many bugfixes in all modules since 1.8.002 see

Thanks to everyone who helped testing this release.

Ralf Becker
Director Software Development

Stylite AG

Morschheimer Strasse 15 | Tel. +49 6352 70629 0
D-67292 Kirchheimbolanden | Fax. +49 6352 70629 30

Email: [hidden email] |

Managing Directors: Andre Keller | Ralf Becker | Gudrun Mueller
Chairman of the supervisory board: Prof. Dr. Birger Leon Kropshofer

VAT DE214280951 | Registered HRB 31158 Kaiserslautern Germany

Better than sec? Nothing is better than sec when it comes to
monitoring Big Data applications. Try Boundary one-second
resolution app monitoring today. Free.
eGroupWare-announcement mailing list
[hidden email]