<?php
/**
 * Release focus. Possible values:
 * 0 - N/A
 * 1 - Initial freshmeat announcement
 * 2 - Documentation
 * 3 - Code cleanup
 * 4 - Minor feature enhancements
 * 5 - Major feature enhancements
 * 6 - Minor bugfixes
 * 7 - Major bugfixes
 * 8 - Minor security fixes
 * 9 - Major security fixes
 */
$this->notes['fm']['focus'] = 9;

/* Mailing list release notes. */
$this->notes['ml']['changes'] = <<<ML
The Horde Team is pleased to announce the final release of the Horde
Application Framework version 3.0.7.

This is a security release that fixes cross site scripting vulnerabilities in
two of Horde's MIME viewers. These holes could for example be exploited by an
attacker sending specially crafted emails to Horde's webmail client IMP. The
attack could be used to steal users' identity information, take over users'
sessions, or change users' settings.

As a hotfix, the css and tgz MIME drivers can be disabled by removing their
entries from the \$mime_drivers_map['horde']['registered'] list in
horde/config/mime_drivers.php. Alternatively, these two patches could be
applied to lib/Horde/MIME/Viewer/tgz.php and lib/Horde/MIME/Viewer/css.php:
http://cvs.horde.org/diff.php/framework/MIME/MIME/Viewer/tgz.php?r1=1.37.10.9&r2=1.37.10.9.2.1&ty=u
http://cvs.horde.org/diff.php/framework/MIME/MIME/Viewer/css.php?r1=1.1.10.3&r2=1.1.10.3.2.1&ty=u

Many thanks to Daniel Schreckling who discovered this vulnerability.

The Horde Application Framework is a modular, general-purpose web application
framework written in PHP.  It provides an extensive array of classes that are
targeted at the common problems and tasks involved in developing modern web
applications.

Major changes compared to the Horde version 3.0.6 are:
    * Fixed cross site scripting vulnerabilities in the gzip/tar and css MIME
      viewers.
    * Fixed MySQL session handler.
ML;

/* Freshmeat release notes, not more than 600 characters. */
$this->notes['fm']['changes'] = <<<FM
Cross site scripting vulnerabilities in the gzip/tar and css MIME viewers have
been fixed.
The MySQL session handler has been fixed.
FM;

$this->notes['name'] = 'Horde';
$this->notes['fm']['project'] = 'horde';
$this->notes['fm']['branch'] = 'Horde 3';
