This release contains a fix for a remote code execution vulnerability.
It is recommended to update ASAP!
Thanks to Marcel Mangold marcel.mangold@syss.de, Pascal Uter
pascal.uter@syss.de from SySS GmbH for discovering and reporting the
problem to us.
The new version contains 3 major parts:
a) already mentioned fix for remote code execution vulnerability
b) further security hardening of EGroupware as recommended by SySS GmbH:
- using now httponly and secure cookies (secure only if https is used to
login)
- header.inc.php uses for new installations or on update now secure
password hashes like they were used for accounts since some time now
- setup uses now a session instead of storing credentials in a cookie
- html downloads from Filemanager now either force a download or - if
browser supports - use a content-security-policy header to mitigate risk
of session hijacking
- blowfish_crypt is now marked as most secure hashing algorithm for
passwords and used by default on new installations
c) regular bugfixes in all modules since 1.8.004 see
http://www.egroupware.org/changelog
Thanks to everyone who helped with this release.
We are currently working on a new shared community and EPL release
expected later this year. It will contain exciting new features, a
complete new look and some previous EPL-only features will become
available to the whole EGroupware community.
Ralf
Ralf Becker
Director Software Development
Stylite AG
Morschheimer Strasse 15 | Tel. +49 6352 70629 0
D-67292 Kirchheimbolanden | Fax. +49 6352 70629 30
Email: rb@stylite.de
www.stylite.de | www.egroupware.org
Managing Directors: Andre Keller | Ralf Becker | Gudrun Mueller
Chairman of the supervisory board: Prof. Dr. Birger Leon Kropshofer
VAT DE214280951 | Registered HRB 31158 Kaiserslautern Germany
eGroupWare-developers mailing list
eGroupWare-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-developers
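
The cookie and Filemanager download hardening listed under b), sketched as an added example that is not part of the original announcement and is not EGroupware's code. The function names, the list of "active" MIME types, the policy string and the `$cspSupported` flag are assumptions made for illustration.

```php
<?php
// Added illustration, not EGroupware code. All names and the policy value are assumptions.

/** Session cookie flags: HttpOnly always, Secure only when the login runs over HTTPS. */
function session_cookie_flags(array $server): array
{
    $https = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    // The returned array can be passed to session_set_cookie_params() on PHP 7.3+.
    return ['httponly' => true, 'secure' => $https, 'path' => '/'];
}

/**
 * Response headers for returning a stored file to the browser.
 * Types that can carry script are either rendered under a CSP that disables
 * script, or forced to download, so markup in the file cannot act in the
 * viewer's session. $mime is assumed to be set by the server, not the uploader.
 */
function download_headers(string $mime, string $filename, bool $cspSupported): array
{
    // Conservative filename character set keeps quotes and CR/LF out of the header.
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($filename));
    // Compare on the bare type so "text/html; charset=utf-8" is still recognised.
    $type = strtolower(trim(explode(';', $mime)[0]));
    $active = in_array($type, ['text/html', 'application/xhtml+xml', 'image/svg+xml'], true);

    $headers = ['Content-Type: ' . $mime, 'X-Content-Type-Options: nosniff'];
    if ($active && $cspSupported) {
        // No script, no network loads, sandboxed origin: cookies are out of reach.
        $headers[] = "Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox";
    }
    // Without CSP support an active type is never rendered inline.
    $disposition = ($active && !$cspSupported) ? 'attachment' : 'inline';
    $headers[] = 'Content-Disposition: ' . $disposition . '; filename="' . $safeName . '"';
    return $headers;
}

// Constructed sample input: HTTPS and plain HTTP logins, one uploaded HTML file.
print_r(session_cookie_flags(['HTTPS' => 'on']));
print_r(session_cookie_flags([]));
print_r(download_headers('text/html; charset=utf-8', 'report.html', true));
print_r(download_headers('text/html', "re\"port\r\n.html", false));
```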