new EGroupware SECURITY & maintenance release

Ralf Becker, Stylite AG


Stylite EGroupware software news - information for administrators

Security and bugfix update for the following EGroupware versions:

1. EGroupware Enterprise Line (EPL) 11.1 and 10.1
2. EGroupware Community Edition 1.8


Stylite recommends updating your EGroupware system urgently due to the
included security fixes.


Besides plenty of bug fixes, the update packages contain in particular:

1. Fixes regarding security issues like 'local file inclusion', 'sql
injection', 'reflected xss' and 'open redirect'.

2. CalDAV/CardDAV redirect for iOS 4.3.1+ regarding automatic account
registration (manual modification of groupdav.htaccess and apache.conf
may occur, in case of previous adjustments differing from standard
installation routines).

Further information about the package content:

EGroupware EPL versions:
Community Edition:

EPL customers using Stylite Managed EGroupware Hosting are unaffected.
All Stylite computing center systems are operated on actual EGroupware
software release level.

Kind Regards


   * Security issues fixed: local file inclusion, sql injection,
reflected xss and open redirect
   --> we recommend updating ASAP
   * PostgreSQL/EMailAdmin: fixed not storable EMailAdmin profiles
   * Addressbook/LDAP: fixed lettersearch by backporting LDAP class from
   * Setup: making SSHA (salted sha1) hashes the default password hash
for SQL and LDAP
   * setup/login: fixed not working password (hash) migration
   * InfoLog: fixed not working link-search (Parameter 2 to
infolog_bo::link_query() expected to be a reference)
   * Calendar/CalDAV: fixed SQL error on ctag generation, if no ACL
rights for requested group calendar exists
   * Calendar/CalDAV: fixed wrong line-defolding, if folding occurred in
   * Calendar/CalDAV: use X-EGROUPWARE-UID only, if it resolves to same
email (otherwise we are in trouble if different EGw installs talk to
each other)
   * Calendar: fixed not included organizer in meeting request
   * Calendar: fixed not working freetime search caused by the xajax
library not supporting mbstring.func_overload
   * Manual: use https for accessing to not get
"page contains unsafe content" warnings
   * IE9: enable IE dropdown menu hack only for IE<9, as it stalls IE9 bug #1722
   * workaround for Fennec bug 
window.(outerHeight|outerWidth|screenX|screenY) throw exception
   * eMail: fixed bug for not getting multiple unnamed attachments,
while saving a mail to infolog or tracker
   * eMail: improving of the fetching of cids; match cid to filename if
the attempt to match the cid failed
   * eMail: match cid to filename if the attempt to match the cid failed
-> extending the fetch attempt even for non cid attachments, when
nothing is found within the previous loops
   * Admin/VFS/LDAP: on saving a group, check if group directory exists
and create it if not
   * CalDAV/GroupDAV/KDE Akonadi seems to require redundant namespaces,
see KDE bug #265096
   * eMail: regard addressbook preference to hide accounts or not in
ajax search for email addresses while composing messages
   * eMail: fix for displayed message body is null: if the reported
charset is not correct, converting to utf-8 may not succeed as
expected, leaving some non utf-8 chars which may lead to problems with
   * Fix RRULE parser (UTC fix) - Bug#[hidden email]
   * Calendar: fixed not working accept/reject of invitations, if
participant is in a group with only a freebusy grant
   * Generate well-formed XML for Funambol and SyncEvolution clients
(community bug#2975)
   * Improved support for new SyncML clients/client versions
   * Calendar: fixed in readonly events custom fields were still editable
   * notification/email: support filter since (only check unseen mails
for the last 14 days) when notify for unseen mails
   * CalDAV: user agent detection of OS X 10.7 Lion iCal app (CoreDav
instead of DavKit)
   * CalDAV/CardDAV redirect for iOS 4.3.1+ to autodetect accounts
   * Calendar: show status set for the whole series at recurrences too,
unless they have an individual status
   * Calendar: fixed typo in merge, denying implicit participants rights
eg. required to accept a meeting
   * NTLM authentication: limit redirect, if NTLM auth could not be
performed, to same domain, EGroupware domain, or explicitly whitelisted
   * Filemanager popup: fixed sometimes missing first directory, eg. in
   * API fix PHP fatal error wakeup2 is no method ..., when coming from
   * API fix webserver_url of just a domain eg. gives
PHP Warning empty delimiter ...
   * PEAR: automatic upgrade or install of required PEAR packages via
package post_instal.php (only package installs!)

Ralf Becker
Director Software Development

Stylite AG

Morschheimer Strasse 15 | Tel. +49 6352 70629 0
D-67292 Kirchheimbolanden | Fax. +49 6352 70629 30

Email: [hidden email] |

Managing Directors: Andre Keller | Ralf Becker | Gudrun Mueller
Chairman of the supervisory board: Prof. Dr. Birger Leon Kropshofer

Commerzbank BLZ 55040022 | Account 218111300
IBAN DE33 5504 0022 0218 1113 00 | BIC COBADEFFXXX
VAT DE214280951 | Registered HRB 31158 Kaiserslautern Germany
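Two items in the changelog above concern password hashing: SSHA (salted SHA-1) becoming the default hash for SQL and LDAP, and the repaired password (hash) migration at login. The following is an added illustration, not code from EGroupware: it builds and verifies the RFC 2307-style {SSHA} value (base64 of sha1(password || salt) followed by the salt) and shows a login-time migration from a legacy unsalted {SHA} hash; the 8-byte salt length and all function names are assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SSHA_PREFIX = "{SSHA}"  # salted SHA-1, LDAP userPassword style (RFC 2307)
SHA_PREFIX = "{SHA}"    # legacy unsalted SHA-1

def _b64decode(data: str) -> Optional[bytes]:
    """Strict base64 decode; returns None on malformed input instead of raising."""
    try:
        return base64.b64decode(data, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return base64(sha1(password || salt) || salt) with the {SSHA} prefix."""
    if salt is None:
        salt = os.urandom(8)  # assumption: 8 random salt bytes; the format fixes no length
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password: str, stored: str) -> bool:
    """Recompute the hash using the salt stored after the 20-byte SHA-1 digest."""
    if not stored.startswith(SSHA_PREFIX):
        return False
    raw = _b64decode(stored[len(SSHA_PREFIX):])
    if raw is None or len(raw) <= 20:  # must contain digest plus at least one salt byte
        return False
    digest, salt = raw[:20], raw[20:]
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)  # constant-time comparison

def sha_hash_legacy(password: str) -> str:
    """Legacy unsalted {SHA}: equal passwords give equal hashes, which {SSHA} avoids."""
    return SHA_PREFIX + base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")

def sha_verify_legacy(password: str, stored: str) -> bool:
    if not stored.startswith(SHA_PREFIX):
        return False
    raw = _b64decode(stored[len(SHA_PREFIX):])
    expected = hashlib.sha1(password.encode("utf-8")).digest()
    return raw is not None and hmac.compare_digest(raw, expected)

def migrate_on_login(password: str, stored: str) -> Optional[str]:
    """A legacy {SHA} hash that verifies is re-hashed as {SSHA}; None if the password is wrong or nothing to migrate."""
    if sha_verify_legacy(password, stored):
        return ssha_hash(password)
    return None
```

Because the salt is random, two users with the same password get different {SSHA} values, whereas their legacy {SHA} values would be identical.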

eGroupWare-announcement mailing list