On Mon, Dec 03, 2001 at 11:08:09AM -0000, Brandon Friedman <[EMAIL PROTECTED]> wrote:
> I noticed that there is ANOTHER upgrade of IMP and Horde in the SME3 update.
>
> There seems to be a security problem with IMP every few weeks???? (hmmmm
> sound similar to this OTHER software company I know..?)
>
> Are Mitel looking at a possible replacement?

I've been part of the core team of Horde, who produce IMP, for about a year and a half, and that's certainly news to me. There's only been one security update to IMP since SME Server 5.0 was released, against cross-site scripting vulnerabilities discovered during a code audit. That was 2.2.7, which appeared in Update3. Prior to that, there was IMP 2.2.6 released in July (19 weeks ago), which fixed a problem in a third-party library that IMP uses by including a modified version of that library; 2.2.5 in May (5 weeks prior) which fixed a local vulnerability (i.e., where users must have an account on the system, and access to the shell, to exploit the vulnerability), and 2.2.4 in February (17 weeks prior) which protected users from execution of javascript when they clicked on an HTML attachment that contained some.

While it might seem suspect that all of the releases of IMP have been security-related, keep in mind that feature development on IMP has been targeted at IMP 3 for nearly two years; Horde essentially lets security-related updates dictate 2.2's release schedule, as there are few functionality-related updates that warrant pushing a release.

Exposure is a bit of an issue as well -- since IMP is one of the more widely-deployed webmail systems out there, there are a lot more people eyeballing the code and finding these problems. (This is an advantage.)

Speaking of which, I'm very excited about IMP 3.0, which is currently in the release-candidate stage. It won't be available in time for 5.1, alas. (There's a demo at <http://www.horde.org/demo/> if you'd like to poke around.)

-Rich

--
Rich Lafferty
Technical Support Engineer, Network Server Solutions Group
Mitel Networks, Ottawa, ON
(613) 751-4404
[EMAIL PROTECTED]
