This release contains security fixes for:
a) remote command execution (with the rights of the webserver user) for
logged-in users with administrative privileges
b) cross-site request forgery allowing the creation of new admin users or
running the above commands
It is recommended to update ASAP!
Thanks to High-Tech Bridge Security Research Lab for discovering and
reporting the above problems to us. See their advisory:
https://www.htbridge.com/advisory/HTB23212
Please see the change-log for other fixes contained in this release:
http://www.egroupware.org/changelog
Thanks to everyone who helped with this release.
Problems are also fixed for EPL-11.1 (from 11.1.20140505 on) and current
14.1 beta (though parts were already fixed with the admin rewrite).
Please participate in the 14.1 beta to ensure your instance will update
painlessly when 14.1 is finally released.
Ralf
Ralf Becker
Director Software Development
Stylite AG