This release contains a fix for a remote code execution vulnerability.
It is recommended to update ASAP!
Thanks to Marcel Mangold <marcel.mangold@...>, Pascal Uter
<pascal.uter@...> from SySS GmbH for discovering and reporting the
problem to us.
The new version contains 3 major parts:
a) the already mentioned fix for the remote code execution vulnerability
b) further security hardening of EGroupware as recommended by SySS GmbH:
- now using httponly and secure cookies (secure only if https is used to
- header.inc.php now uses secure password hashes for new installations or
on update, as they have already been used for accounts for some time now
- setup now uses a session instead of storing credentials in a cookie
- html downloads from Filemanager now either force a download or - if the
browser supports it - use a content-security-policy header to mitigate the
risk of session hijacking
- blowfish_crypt is now marked as the most secure hashing algorithm for
passwords and is used by default on new installations
c) regular bugfixes in all modules since 1.8.004, see
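What the hardening items listed under b) look like in code, as an added illustration: this is not EGroupware's own code and does not claim to match how EGroupware implements them. The function names, the session key `setup_admin`, the bcrypt cost and the exact CSP policy are assumptions; the array form of `session_set_cookie_params()` needs PHP 7.3 or newer.

```php
<?php
// Added illustration (not EGroupware code) of the hardening steps in b):
// httponly/secure session cookies, credentials kept in the session rather
// than a cookie, bcrypt (crypt(3) Blowfish) password hashes, and HTML
// downloads that are either forced to disk or rendered under a sandboxing CSP.

/**
 * Send the session cookie with HttpOnly and, only when the request came in
 * over HTTPS, the Secure flag, then start the session. Call before any output.
 */
function startHardenedSession(): void
{
    // The Secure flag only makes sense behind TLS: on a plain http:// install
    // the browser would never send a Secure cookie and logins would break.
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

    session_set_cookie_params([
        'lifetime' => 0,      // session cookie, dropped when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => $https,
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

/**
 * Setup login: keep the credentials server-side. Only the fact that the
 * admin authenticated is stored in the session, and the session id is rotated
 * so a pre-login id cannot be reused. No password ever lands in a cookie.
 */
function setupLoginSucceeded(string $adminUser): void
{
    session_regenerate_id(true);
    $_SESSION['setup_admin'] = $adminUser;   // assumed key name
}

/**
 * Hash a password with bcrypt, i.e. the crypt(3) Blowfish scheme ("$2y$"),
 * which is what the announcement calls blowfish_crypt. Cost 12 is an
 * assumed value; tune it to the server's CPU.
 */
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function verifyPassword(string $password, string $hash): bool
{
    return password_verify($password, $hash);
}

/**
 * Response headers for an HTML file fetched from the file manager. Default is
 * a forced download; only when the caller explicitly asks for inline display
 * is the file rendered, and then under a CSP that forbids all scripts and
 * sandboxes the document into its own origin, so it cannot read the session
 * cookie or make requests as the logged-in user.
 */
function htmlDownloadHeaders(string $filename, bool $inline = false): array
{
    // Strip any path and header-breaking characters from the user-chosen name.
    $safeName = addslashes(str_replace(["\r", "\n"], '', basename($filename)));
    $headers  = ['X-Content-Type-Options: nosniff'];

    if ($inline) {
        $headers[] = 'Content-Type: text/html; charset=utf-8';
        $headers[] = "Content-Security-Policy: default-src 'none'; sandbox";
        $headers[] = 'Content-Disposition: inline; filename="' . $safeName . '"';
    } else {
        $headers[] = 'Content-Type: application/octet-stream';
        $headers[] = 'Content-Disposition: attachment; filename="' . $safeName . '"';
    }
    return $headers;
}

function sendHeaders(array $headers): void
{
    foreach ($headers as $h) {
        header($h);
    }
}

// Usage sketch:
//   startHardenedSession();
//   $hash = hashPassword($plain); verifyPassword($plain, $hash) === true;
//   sendHeaders(htmlDownloadHeaders($name));            // forced download
//   sendHeaders(htmlDownloadHeaders($name, true));      // inline under CSP
```

The two download branches show the trade-off the announcement describes: forcing a download needs no browser cooperation at all, while inline rendering relies on the browser honouring the Content-Security-Policy header, which is why the forced download is the safe default and inline display is opt-in.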
Thanks to everyone who helped with this release.
We are currently working on a new shared community and EPL release
expected later this year. It will contain exciting new features, a
completely new look, and some previously EPL-only features will become
available to the whole EGroupware community.
Director Software Development
Morschheimer Strasse 15 | Tel. +49 6352 70629 0
D-67292 Kirchheimbolanden | Fax. +49 6352 70629 30
http://www.stylite.de | http://www.egroupware.org
Managing Directors: Andre Keller | Ralf Becker | Gudrun Mueller
Chairman of the supervisory board: Prof. Dr. Birger Leon Kropshofer
VAT DE214280951 | Registered HRB 31158 Kaiserslautern Germany