Mailing List Archive

Release of DAViCal 1.1.9
Just now, I pushed some fixes and tagged DAViCal version 1.1.9.

This fixes several security-related issues in DAViCal. We strongly
recommend that all DAViCal installations upgrade to the new version
ASAP. A few smaller fixes contributed over the past year are included as
well.

Release notes can be found on the wiki at
https://wiki.davical.org/index.php/Release_Notes/1.1.9 . There is no
change to AWL associated with this release (still 0.60).

The DAViCal Project greatly appreciates the efforts of HackDefense,
specifically Rick Verdoes for finding the vulnerabilities and verifying
the fix, Niels van Gijzen for developing the fix, and Danny de Weille
for verifying and helping with the fix and correcting the vulnerabilities.

HackDefense Advisories for the vulnerabilities will soon be available at:

https://hackdefense.com/publications/cve-2019-18345-davical-caldav-server-vulnerability
https://hackdefense.com/publications/cve-2019-18346-davical-caldav-server-vulnerability
https://hackdefense.com/publications/cve-2019-18347-davical-caldav-server-vulnerability

We don't have tarballs with the new version available on the davical.org
website quite yet, so in the meanwhile I suggest getting the code
directly from GitLab:
https://gitlab.com/davical-project/davical/-/archive/r1.1.9/davical-r1.1.9.tar.gz

We hope to have updated Debian packages for this release in the near future.

The commit associated with the release is
https://gitlab.com/davical-project/davical/commit/e2070c9b7a65f5d53fa27959a43a287c43463c35

-Jim