This release contains a fix for an XSS (cross-site-scripting)
vulnerability; it is recommended to update ASAP!
Thanks to Marcos M Garcia <marcositu-at-gmail.com> for discovering and
reporting the problem to us.
The release contains a couple of database schema updates, unlike regular
minor version updates. Unfortunately this can't be helped for the
intended fixes to work. SO YOU HAVE TO VISIT SETUP AND RUN THE OFFERED
UPDATES!
The new version contains 4 major parts:
a) already mentioned fix for an XSS (cross-site-scripting) vulnerability
b) backported security features from Trunk:
- more secure password hashing types: sha512_crypt, sha256_crypt
- enable automatic migration to sha512_crypt, if accounts in SQL or LDAP
(but only on Linux, as OpenLDAP has no native support for it)
- session listing without the need of a listable (less secure) session
directory
c) numerous CalDAV and CardDAV fixes (EGroupware 1.8.004 is now far more
standard compliant than 1.8.002!)
- show calendars and addressbooks selected to sync under user calendar-
or addressbook-home-set allowing clients to automatically detect them
- CalDAV scheduling support allows clients eg. to show free busy status
of invited participants
- client can choose the url for new events or contacts (standard
requirement!)
- allow clients to store attributes (eg. calendar colors) via PROPPATCH
- store unknown attributes (eg. location based alarms) in custom fields
in InfoLog
- CardDAV works now with LDAP backend
- ability to log and display CalDAV/CardDAV traffic without access to
commandline of server
--> CalDAV/CardDAV is now recommended over SyncML, which will be no
longer supported in the next major release!
d) many bugfixes in all modules since 1.8.002, see
http://www.egroupware.org/changelog
Thanks to everyone who helped testing this release.
Ralf
Ralf Becker
Director Software Development
Stylite AG
Morschheimer Strasse 15 | Tel. +49 6352 70629 0
D-67292 Kirchheimbolanden | Fax. +49 6352 70629 30
Email: rb@stylite.de
www.stylite.de | www.egroupware.org
Managing Directors: Andre Keller | Ralf Becker | Gudrun Mueller
Chairman of the supervisory board: Prof. Dr. Birger Leon Kropshofer
VAT DE214280951 | Registered HRB 31158 Kaiserslautern Germany