EGroupware SECURITY and bugfix release 1.8.005

Ralf Becker, Stylite AG


This release contains a fix for a remote code execution vulnerability.
It is recommended to update ASAP!

Thanks to Marcel Mangold <[hidden email]>, Pascal Uter
<[hidden email]> from SySS GmbH for discovering and reporting the
problem to us.

The new version contains 3 major parts:

a) the already mentioned fix for the remote code execution vulnerability

b) further security hardening of EGroupware as recommended by SySS GmbH:
- now using httponly and secure cookies (secure only if https is used to
login)
- header.inc.php now uses, for new installations or on update, secure
password hashes like those already used for accounts for some time
- setup now uses a session instead of storing credentials in a cookie
- HTML downloads from Filemanager now either force a download or - if the
browser supports it - use a content-security-policy header to mitigate the
risk of session hijacking
- blowfish_crypt is now marked as the most secure hashing algorithm for
passwords and is used by default on new installations

c) regular bugfixes in all modules since 1.8.004, see

        http://www.egroupware.org/changelog

Thanks to everyone who helped with this release.

We are currently working on a new shared community and EPL release
expected later this year. It will contain exciting new features, a
completely new look, and some previously EPL-only features will become
available to the whole EGroupware community.

Ralf
--
Ralf Becker
Director Software Development

Stylite AG

Morschheimer Strasse 15 | Tel. +49 6352 70629 0
D-67292 Kirchheimbolanden | Fax. +49 6352 70629 30

Email: [hidden email]

www.stylite.de | www.egroupware.org

Managing Directors: Andre Keller | Ralf Becker | Gudrun Mueller
Chairman of the supervisory board: Prof. Dr. Birger Leon Kropshofer

VAT DE214280951 | Registered HRB 31158 Kaiserslautern Germany
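As an added illustration of the three hardening measures the announcement lists (HttpOnly/Secure session cookies with Secure only over HTTPS, blowfish password hashes, and HTML downloads that are either forced to download or served under a Content-Security-Policy), here is standalone PHP. It is example code written for this page, not EGroupware's own implementation; the function names, the CSP policy string and the use of PHP's password_hash()/password_verify() for the blowfish hash are this example's own choices.

```php
<?php
// Added example (not EGroupware code): the hardening steps from the 1.8.005
// announcement as small standalone functions. Function names and the exact
// CSP policy are assumptions made for this example.

/**
 * Configure the session cookie before session_start().
 * HttpOnly is always set so page scripts cannot read the session id;
 * Secure is set only when the login really happens over HTTPS, because a
 * Secure cookie issued on a plain-HTTP login would never be sent back.
 */
function configure_session_cookie(array $server): bool
{
    $https = !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
    session_set_cookie_params([
        'lifetime' => 0,          // session cookie, discarded on browser close
        'path'     => '/',
        'secure'   => $https,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    return $https;
}

/**
 * Blowfish ($2y$) password hash, the "blowfish_crypt" scheme the post makes
 * the default. password_hash() with PASSWORD_BCRYPT produces exactly that.
 */
function hash_password(string $plain): string
{
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => 10]);
}

function verify_password(string $plain, string $stored): bool
{
    // Constant-time comparison; also accepts older crypt() formats.
    return password_verify($plain, $stored);
}

/**
 * Serve user-uploaded HTML from the file manager. With CSP support the file
 * may be shown inline under a policy that forbids scripts and any other
 * resource loads; otherwise it is forced to download so it never executes
 * in the application's origin.
 */
function send_html_download(string $filename, string $html, bool $browser_supports_csp): void
{
    // Strip characters that could break or smuggle a second header value.
    $safe = str_replace(['"', "\r", "\n"], '', basename($filename));

    header('X-Content-Type-Options: nosniff');
    if ($browser_supports_csp) {
        header('Content-Type: text/html; charset=utf-8');
        header("Content-Security-Policy: default-src 'none'; sandbox");
        header('Content-Disposition: inline; filename="' . $safe . '"');
    } else {
        header('Content-Type: application/octet-stream');
        header('Content-Disposition: attachment; filename="' . $safe . '"');
    }
    header('Content-Length: ' . strlen($html));
    echo $html;
}

// Minimal self-check with constructed input when run from the command line.
if (PHP_SAPI === 'cli') {
    $hash = hash_password('correct horse battery staple');
    var_dump(strncmp($hash, '$2y$', 4) === 0);                       // true
    var_dump(verify_password('correct horse battery staple', $hash)); // true
    var_dump(verify_password('wrong', $hash));                        // false
    var_dump(configure_session_cookie(['HTTPS' => 'on']));            // true
    var_dump(configure_session_cookie([]));                           // false
}
```

configure_session_cookie() returns whether the Secure flag was set so a login page can warn an administrator when the application is reachable over plain HTTP; the two download branches both add `X-Content-Type-Options: nosniff` so the browser does not second-guess the declared content type.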

_______________________________________________
eGroupWare-announcement mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/egroupware-announcement