EGroupware

Full timezone support including recurring events, visualisation of participant status of events, an email three pane view with a folder tree in the side box, the ability to import from iCal and vCard, a print view and copying of InfoLogs, address book merge-print support for Microsoft and OpenOffice XML formats, and support for Joomla! 1.5 templates in SiteMgr, and a new default Web site, including a SiteMgr tutorial. There were many useful extensions and adaptations as well as bugfixes in all modules. A postinstall script from EPL was included.

The new release fixes two serious security problems and many bugs and implements SyncML 1.2. One security problem is a serious remote command execution hole that allows arbitrary commands to be run on the Web server by simply issuing a HTTP request. The other is a reflected cross-site scripting (XSS) flaw. Both do not require a valid EGroupware account and work without being logged in. The older branches have also been fixed in SVN. It is recommended that all users update as soon as possible.

This release fixes 3 security problems in FCKeditor (remote file upload), Tracker (an XSS problem), and Knowledgebase (an SQL injection). Everyone should update as soon as possible. HTML Purifier has been added as a preventive measure for FCKeditor content. There are many bugfixes since 1.6.001. There is CalDAV support for iPhone OS 3; see the test report.

A complete rewrite of file manager DMS by means of streamwrapper and WebDAV. ACL control on directories and files, which allows uploads of big files. Multiple mail accounts and many bugfixes. Tracker has an escalation matrix for tickets and automatic mail conversion. Calendar has improved functions for recurring events. Addressbook has appointment-view, custom fields, and distribution lists shown in contact view and list. The project manager has improved template functionality. A new default theme for 1.6. Massive bugfixes for SyncML. Many useful extensions and bugfixes in all modules.

Everyone should update as soon as possible. The update includes all previous 1.4 updates, and requires no schema update (if you upgrade within the 1.4 release). The fixed security problems are grave if you have directories writable by the Web server in your document root (in most Windows servers, the complete docroot is writable by default, but many Linux servers are also set up that way). Please note: as FCK contains many static Javascript and CSS files, you and your users might have to delete the browser cache after the update.