Home Download News FAQ / Knowledge Base Screenshots Documentation Support
philosophical imaginary
Table of Contents

Current Citadel news

Citadel is moving to a "rolling release" model

We don't announce every release, which is why the “news” section of this web site can occasionally appear outdated. Check the “Download” section for the latest releases.

Citadel will shortly be moving to a “rolling release” model. Because of this, the version numbers will no longer have decimal points in them. For example, the next version after 9.01 will be 902, followed by 903, 904, etc. There will no longer be any such thing as a “major release” or a “minor release” – instead, all bug fixes, security patches, and new functionality will simply appear in new releases as they are published.

Packagers for various operating systems may choose to cherry-pick updates for “stable versions” as per each publisher's individual policy. However, the upstream Citadel releases will proceed incrementally, and all releases will be considered suitable for general availability.

FLOSS Weekly talks Citadel

This week on FLOSS Weekly, Randall Schwartz and Simon Phipps chat with Art Cancro, lead developer of the Citadel system, and chat about Citadel's history as a BBS platform and the modern groupware platform it offers today. Check it out!

· %2012/%05/%04 %12:%May · Art Cancro

Data management changes in Citadel 7

There are two important data management changes starting with Citadel 7.60.

The first one is a big change to how Citadel uses LDAP. You might know that prior to Citadel 7.50, we had the ability to populate an external LDAP address book with the contents of Citadel's global address book. As it turned out, this was not very useful. It was deprecated in 7.50 and has been removed in 7.60. We were fairly certain that nobody was using this feature, and the fact that no one has complained about its deprecation seems to confirm this.

Instead, Citadel 7.60 has the ability to authenticate against an external LDAP directory, which seems to be what most people wanted in the first place. We've supported authentication via the host system for a long time, and in practice most sites seem to combine this with pam_ldap and nss_ldap to allow Citadel to participate in “single sign on” at organizations which use LDAP. So why not make it easy? Citadel 7.60 speaks directly to your LDAP server, and the configuration consists of entering a few simple configuration items instead of all that tedious mucking about in the /etc directory. We support both the industry-standard LDAP schema (RFC 2307) and the most commonly deployed nonstandard schema (Microsoft Active Directory).

The other big change is a complete rewrite of the import/export module. The old way was usable but fairly clumsy. In Citadel 7.60, the database dump format is XML based, and the import/export operations run much faster. And beginning now, we are making the dump format upward compatible, so the target system can be running a newer version of Citadel than the source system. You will not have to upgrade the source system in order to migrate it.

To make this even more useful, we've written an “over the wire” migration utility. When you want to migrate Citadel to a new host system, even one with a different CPU architecture, you just run the migrate utility on the target host, and point it at the source host. The migrate utility will do all of the work for you automatically, producing a perfect clone of your Citadel installation. OpenSSH and rsync are used to copy the parts of your Citadel data that are not stored in the database, such as user profiles (bios), photos and other images, etc. This utility will do for migrations what Easy Install did for installations.

These changes were frequently requested, and we are happy to announce that they are now available.

· %2009/%05/%03 %00:%May · Art Cancro

Citadel.org security advisory - 2009-march-23


WebCit is a middleware application which provides a web based user interface for the Citadel groupware system. More information may be found at the project's site at the following URL:



WebCit uses a weak encoding for remote provided data to build up a local string. Exploitation of a format string vulnerability could allow a remote attacker to perform an unauthorized privilege escalation.


Citadel.org has confirmed the existence of this vulnerability in version 7.22 of WebCit. Other components of the Citadel system are not affected.


If you are unable to upgrade your system to a non-vulnerable version of WebCit at this time, you may also choose to block access to the following URL's using your site's existing edge security tools:



This will prohibit remote exploit of this vulnerability, at the expense of reduced functionality of the program.


Citadel.org has confirmed that this vulnerability has been fixed.

If you are using source code downloads, please upgrade to version 7.39 (or later).

If you are using the Easy Install system or the VMware appliance, please run a normal update in order to receive the patch.

If you are using Debian or Ubuntu packages, please upgrade to version 7.38-37 (or later).

Please be advised that you may also be required to upgrade the Citadel server in order to maintain compatibility with a new version of WebCit.


2009-02-13 - discovery of vulnerability

2009-02-13 - fix implemented

2009-03-23 - coordinated public disclosure


This vulnerability was discovered internally by Wilfried Goesgens dothebart@uncensored.citadel.org and patched prior to disclosure.


Copyright © Citadel.org

Permission is granted for unlimited redistribution of this alert. The information in this advisory is believed to be accurate at the time of publishing based on currently available information, and is provided “as is” with no warranties as to its accuracy or applicability. The publisher does not accept liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

OpenSSL vulnerability in Debian Etch and Ubuntu

A vulnerability involving predictable random numbers has been discovered in the OpenSSL packages included with Debian Etch and Ubuntu systems. This vulnerability affects all software which makes use of SSL/TLS encrypted connections, including Citadel.

Please see http://lists.debian.org/debian-security-announce/2008/msg00152.html for more detailed information.

In order to patch the OpenSSL vulnerability, issue this command:

apt-get update; apt-get upgrade

Afterwards, you should regenerate your private keys in SSL/TLS enabled applications, such as Citadel. The procedure for doing so on a Citadel installation using the Debian package is:

rm -f /etc/ssl/citadel/*

For an Easy Install system, it is:

rm -f /usr/local/citadel/keys/*

Then restart Citadel to make it generate new keys. If you are making use of certificates signed by a certificate authority, you will need to submit a new CSR to them for re-signing.

Naturally, if you are also running OpenSSH on your server, you will need to regenerate keys for that as well.

Citadel reviewed by Enterprise Networking Planet

Carla Schroder of Enterprise Networking Planet has written a nice two-part review of the Citadel system. In this review she praises Citadel's intuitive user-focused user interface and its easy system administration, going as far as to declare it her favorite groupware and messaging server.

Read both parts of the article here:

Part 1 - "Citadel: A Bastion of Groupware Functionality"

Part 2 - "Set Up Basic Groupware With Citadel"

Thanks for the kind words, Carla!

Microsoft Outlook is now supported!

We are pleased to announce that Outlook Connector product is now available that allows Microsoft Outlook to seamlessly and effortlessly access many of Citadel's groupware and collaboration functions, including not only email but also server-side calendars and address books, tasks, notes, and more.

This product has been built by Bynari, Inc. with a large amount of collaboration and input from the Citadel project and other groupware projects. All data is stored on the server in open standard formats.

We hope that this new development eliminates the perceived need for Microsoft Exchange in many organizations and will allow them to migrate to Citadel.

· %2008/%03/%16 %23:%Mar · Art Cancro

Citadel adopted by packet radio network

Just after 9/11/01, some of the 11,000 FCC licensed volunteer Amateur Radio operators in Minnesota decided they could build a radio based data network covering the region. This network would provide a reliable “last ditch” email and data capability in the event of an emergency that disabled or overloaded normal communications channels. They passed the hat and collected enough funds and donated equipment to complete the first phase of the network using AX.25 packet radio technology, which has been running to commercial reliability standards since 2002.

Citadel was chosen as the email and conferencing system for this network, due to its compact size and versatile client options – including its text-mode client, which turned out to be perfect for 100 Kbps packet radio connections.

Read more about it at the group's own web site.

Citadel adopts GPLv3

The developers of the Citadel messaging and collaboration system are pleased to announce that we are now releasing all of our software under version 3 of the GNU General Public License.

There has been an intentional effort by a particular producer of non-free software to subvert, erode, circumvent, and otherwise undermine the spirit of free software. In the light of recent events, it has become clear to us that GPLv3 will provide stronger protection from patent problems and license circumvention.

Citadel remains the only messaging and collaboration system offering end-to-end GPL across the entire code base, and we continue to lead in this area by being the first to adopt GPLv3. Furthermore, when compared with other systems in its category, Citadel remains the only one that is comprised of end-to-end free software at all. Others offer a feature-limited free version but require a paid license in order to use the “enterprise” or “network” edition. Citadel has no such limitation; we make our very best work available to everyone on the same terms.

· %2007/%07/%30 %17:%Jul · Art Cancro

GroupDAV: Standardizing Groupware

Read the Slashdot article that caused a stir in the OSS Groupware community.

· %2007/%07/%02 %17:%Jul

Older entries >>

Older news...

Citadel is moving to a "rolling release" model%2014/%12/%15 %16:%DecArt Cancro
FLOSS Weekly talks Citadel%2012/%05/%04 %12:%MayArt Cancro
Data management changes in Citadel 7%2009/%05/%03 %00:%MayArt Cancro
Citadel.org security advisory - 2009-march-23%2009/%03/%23 %12:%MarArt Cancro
OpenSSL vulnerability in Debian Etch and Ubuntu%2008/%05/%13 %10:%MayArt Cancro
Citadel reviewed by Enterprise Networking Planet%2008/%04/%21 %16:%AprArt Cancro
Microsoft Outlook is now supported!%2008/%03/%16 %23:%MarArt Cancro
Citadel adopted by packet radio network%2007/%11/%28 %16:%NovArt Cancro
Citadel adopts GPLv3%2007/%07/%30 %17:%JulArt Cancro
GroupDAV: Standardizing Groupware%2007/%07/%02 %17:%Jul 
Access your Citadel calendar and contacts from Thunderbird%2007/%07/%02 %16:%Jul 
Calendar library update for 2007 DST changes%2007/%02/%27 %18:%FebArt Cancro
Citadel featured in Linux Journal%2007/%02/%08 %09:%FebArt Cancro
Copyright © 1987-2018 Uncensored Communications Group. All rights reserved.     Login (site admin)