From: Ralf B. <rb...@st...> - 2013-10-01 16:39:01
This release contains a fix for a remote code execution vulnerability. It is recommended to update ASAP!

Thanks to Marcel Mangold <mar...@sy...>, Pascal Uter <pas...@sy...> from SySS GmbH for discovering and reporting the problem to us.

The new version contains 3 major parts:

a) the already mentioned fix for the remote code execution vulnerability

b) further security hardening of EGroupware as recommended by SySS GmbH:
- now using httponly and secure cookies (secure only if https is used to login)
- header.inc.php now uses, for new installations or on update, secure password hashes like the ones used for accounts for some time now
- setup now uses a session instead of storing credentials in a cookie
- html downloads from Filemanager now either force a download or - if the browser supports it - use a content-security-policy header to mitigate the risk of session hijacking
- blowfish_crypt is now marked as the most secure hashing algorithm for passwords and used by default on new installations

c) regular bugfixes in all modules since 1.8.004, see http://www.egroupware.org/changelog

Thanks to everyone who helped with this release.

We are currently working on a new shared community and EPL release expected later this year. It will contain exciting new features, a complete new look, and some previous EPL-only features will become available to the whole EGroupware community.

Ralf

--
Ralf Becker
Director Software Development
Stylite AG
Morschheimer Strasse 15 | Tel. +49 6352 70629 0
D-67292 Kirchheimbolanden | Fax. +49 6352 70629 30
Email: rb...@st... www.stylite.de | www.egroupware.org
Managing Directors: Andre Keller | Ralf Becker | Gudrun Mueller
Chairman of the supervisory board: Prof. Dr. Birger Leon Kropshofer
VAT DE214280951 | Registered HRB 31158 Kaiserslautern Germany
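The three hardening measures listed under b) (HttpOnly/Secure session cookies, bcrypt password hashes, and a download-or-CSP policy for user-supplied HTML) are generic PHP techniques, so here they are together as a small added illustration. This is not EGroupware's code and not from the announcement; the function names, the `$_SERVER['HTTPS']` check as the TLS signal, the cost factor, the CSP policy string and the sample password/hash values are all my own assumptions and constructed samples.

```php
<?php
// Added illustration, not EGroupware code: the hardening steps from the
// release note written as plain PHP helpers. Names and values are assumed.
declare(strict_types=1);

// 1) Session cookie flags: HttpOnly always (scripts cannot read it), Secure only
//    when the login itself happens over HTTPS, because a Secure cookie is never
//    sent over plain HTTP and would make an HTTP-only installation unusable.
function configure_session_cookie(bool $https): void
{
    // positional form: lifetime, path, domain, secure, httponly
    session_set_cookie_params(0, '/', '', $https, true);
}

// 2) Passwords: bcrypt (PHP's "blowfish" crypt, $2y$ prefix) via the
//    password_* API. Cost 12 is an assumed value; tune it to the server.
const BCRYPT_COST = 12;

function hash_password(string $plain): string
{
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

function verify_password(string $plain, string $stored): bool
{
    return password_verify($plain, $stored);
}

// True for anything that is not a bcrypt hash at the current cost, e.g. an
// old unsalted MD5 record, so it can be rehashed on the next successful login.
function needs_upgrade(string $stored): bool
{
    return password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// 3) Serving user-uploaded HTML: either force a download (the browser never
//    renders it in the site's origin) or, when rendering inline, send a CSP
//    that forbids script execution so the document cannot act as the user.
//    Returns the header lines so they can be inspected before header() is called.
function html_download_headers(string $filename, bool $forceDownload): array
{
    $headers = ['Content-Type: text/html; charset=utf-8', 'X-Content-Type-Options: nosniff'];
    if ($forceDownload) {
        // strip characters that would break or smuggle a second header
        $safe = str_replace(['"', "\r", "\n"], '', basename($filename));
        $headers[] = 'Content-Disposition: attachment; filename="' . $safe . '"';
    } else {
        // assumed policy: no scripts, no frames, no outbound requests except images
        $headers[] = "Content-Security-Policy: default-src 'none'; img-src 'self' data:; style-src 'unsafe-inline'";
    }
    return $headers;
}

// Demo when run from the CLI: php hardening.php
if (PHP_SAPI === 'cli') {
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    configure_session_cookie($https);

    $stored = hash_password('correct horse battery staple');   // constructed sample
    var_dump(verify_password('correct horse battery staple', $stored));
    var_dump(verify_password('not the password', $stored));

    // constructed legacy record: unsalted MD5, flagged for rehash
    var_dump(needs_upgrade('5f4dcc3b5aa765d61d8327deb882cf99'));

    foreach (html_download_headers('report.html', false) as $h) {
        echo $h, "\n";
    }
    foreach (html_download_headers("evil\"\r\nX-Injected: 1.html", true) as $h) {
        echo $h, "\n";
    }
}
```

In a real login handler the order matters: call `configure_session_cookie()` before `session_start()`, and when `verify_password()` succeeds but `needs_upgrade()` is true, store `hash_password($plain)` back to the account record so legacy hashes disappear over time without a forced reset.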