Your message dated Thu, 21 Apr 2005 12:02:35 -0400 with message-id <[EMAIL PROTECTED]> and subject line Bug#305576: fixed in egroupware 1.0.0.007-2.dfsg-1 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 20 Apr 2005 21:24:59 +0000
>From [EMAIL PROTECTED] Wed Apr 20 14:24:59 2005
Return-path: <[EMAIL PROTECTED]>
Received: from inutil.org (vserver151.vserver151.serverflex.de) [193.22.164.111]
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DOMgt-00023g-00; Wed, 20 Apr 2005 14:24:59 -0700
Received: from p548972e8.dip.t-dialin.net ([84.137.114.232] helo=localhost.localdomain)
	by vserver151.vserver151.serverflex.de with esmtpsa (TLS-1.0:RSA_AES_256_CBC_SHA:32)
	(Exim 4.50) id 1DOMgr-0000uo-PX
	for [EMAIL PROTECTED]; Wed, 20 Apr 2005 23:24:58 +0200
Received: from jmm by localhost.localdomain with local (Exim 4.50)
	id 1DOMgm-0001zS-Qe; Wed, 20 Apr 2005 23:24:52 +0200
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Moritz Muehlenhoff <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: Multiple security issues in egroupware
X-Mailer: reportbug 3.9
Date: Wed, 20 Apr 2005 23:24:52 +0200
Message-Id: <[EMAIL PROTECTED]>
X-SA-Exim-Connect-IP: 84.137.114.232
X-SA-Exim-Mail-From: [EMAIL PROTECTED]
X-SA-Exim-Scanned: No (on vserver151.vserver151.serverflex.de); SAEximRunCond expanded to false
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-5.5 required=4.0 tests=BAYES_30,HAS_PACKAGE autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Package: egroupware
Severity: grave
Tags: security
Justification: user security hole

Multiple security issues have been reported for egroupware that have been
addressed in the new 1.0.0.007 release. See this advisory for full details:

Cheers,
        Moritz

From: GulfTech Security Research <[EMAIL PROTECTED]>
Subject: Multiple eGroupware Vulnerabilities
Date: Tue, 19 Apr 2005 21:55:05 -0500

##########################################################
# GulfTech Security Research          April 20th, 2005
##########################################################
# Vendor  : eGroupware
# URL     : http://www.egroupware.org/
# Version : Versions Prior To 1.0.0.007
# Risk    : Multiple Vulnerabilities
##########################################################

Description:
eGroupware is a very popular open source web based collaboration software
that can be used within an intranet, or externally via the internet to
build a community and/or help coordinate large projects. eGroupware also
comes pre-packaged in some linux distributions. GulfTech Security Research
has found a few high risk SQL Injection vulnerabilities as well as Cross
Site Scripting vulnerabilities. A new version of eGroupware is now
available and all eGroupware users should upgrade immediately. Not only
does the new eGroupware release address these security issues, but it also
includes a number of important bugfixes!

Cross Site Scripting:
Cross site scripting exists in eGroupware. This vulnerability exists due to
user supplied input not being checked properly. Below are examples that can
be used for reference.
http://egroupware/index.php?menuaction=addressbook.uiaddressbook.edit&ab_id=11[XSS]
http://egroupware/index.php?menuaction=manual.uimanual.view&page=ManualAddressbook[XSS]
http://egroupware/index.php?menuaction=forum.uiforum.post&type=new[XSS]
http://egroupware/wiki/index.php?page=RecentChanges[XSS]
http://egroupware/wiki/index.php?action=history&page=WikkiTikkiTavi&lang=en[XSS]
http://egroupware/index.php?menuaction=wiki.uiwiki.edit&page=setup[XSS]
http://egroupware/sitemgr/sitemgr-site/?category_id=4[XSS]

This vulnerability could be used to steal cookie based authentication
credentials within the scope of the current domain, or render hostile code
in a victim's browser.

SQL Injection:
There are a number of SQL Injection vulnerabilities in eGroupware. These
issues can be used by an attacker to retrieve sensitive information from
the underlying database and aid in further attacks. Examples below:

http://egroupware/tts/index.php?filter=u99[SQL]
http://egroupware/tts/index.php?filter=c99[SQL]
http://egroupware/index.php?menuaction=preferences.uicategories.index&cats_app=foobar[SQL]

We will not be releasing any exploited code as requested by the developers,
but these issues are not hard to exploit and all users should upgrade
immediately.

Solution:
eGroupware 1.0.0.007 has been released to address these issues, and users
can find the updated packages at the following location.

http://sourceforge.net/project/showfiles.php?group_id=78745

Special thanks to Mr Ralf Becker and the rest of the eGroupware team for
addressing these issues fairly quickly despite the recent constitution and
admin elections etc.
Related Info:
The original advisory can be found at the following location
http://www.gulftech.org/?node=research&article_id=00069-04202005

Credits:
James Bercegay of the GulfTech Security Research Team

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)

---------------------------------------
Received: (at 305576-close) by bugs.debian.org; 21 Apr 2005 16:11:26 +0000
>From [EMAIL PROTECTED] Thu Apr 21 09:11:26 2005
Return-path: <[EMAIL PROTECTED]>
Received: from newraff.debian.org [208.185.25.31] (mail)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DOeH0-0008J6-00; Thu, 21 Apr 2005 09:11:26 -0700
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
	id 1DOe8R-00046a-00; Thu, 21 Apr 2005 12:02:35 -0400
From: Peter Eisentraut <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.55 $
Subject: Bug#305576: fixed in egroupware 1.0.0.007-2.dfsg-1
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Thu, 21 Apr 2005 12:02:35 -0400
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Source: egroupware
Source-Version: 1.0.0.007-2.dfsg-1

We believe that the bug you reported is fixed in the latest version of
egroupware, which is due to be installed in the Debian FTP archive:

egroupware-addressbook_1.0.0.007-2.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-addressbook_1.0.0.007-2.dfsg-1_all.deb
egroupware-bookmarks_1.0.0.007-2.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-bookmarks_1.0.0.007-2.dfsg-1_all.deb
egroupware-calendar_1.0.0.007-2.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-calendar_1.0.0.007-2.dfsg-1_all.deb
egroupware-comic_1.0.0.007-2.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-comic_1.0.0.007-2.dfsg-1_all.deb
egroupware-core_1.0.0.007-2.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-core_1.0.0.007-2.dfsg-1_all.deb
egroupware-developer-tools_1.0.0.007-2.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-developer-tools_1.0.0.007-2.dfsg-1_all.deb
egroupware-email_1.0.0.007-2.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-email_1.0.0.007-2.dfsg-1_all.deb
egroupware-emailadmin_1.0.0.007-2.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-emailadmin_1.0.0.007-2.dfsg-1_all.deb
egroupware-etemplate_1.0.0.007-2.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-etemplate_1.0.0.007-2.dfsg-1_all.deb
egroupware-felamimail_1.0.0.007-2.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-felamimail_1.0.0.007-2.dfsg-1_all.deb
egroupware-filemanager_1.0.0.007-2.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-filemanager_1.0.0.007-2.dfsg-1_all.deb
egroupware-forum_1.0.0.007-2.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-forum_1.0.0.007-2.dfsg-1_all.deb
egroupware-ftp_1.0.0.007-2.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-ftp_1.0.0.007-2.dfsg-1_all.deb
egroupware-fudforum_1.0.0.007-2.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-fudforum_1.0.0.007-2.dfsg-1_all.deb
egroupware-headlines_1.0.0.007-2.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-headlines_1.0.0.007-2.dfsg-1_all.deb
egroupware-infolog_1.0.0.007-2.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-infolog_1.0.0.007-2.dfsg-1_all.deb
egroupware-jinn_1.0.0.007-2.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-jinn_1.0.0.007-2.dfsg-1_all.deb
egroupware-ldap_1.0.0.007-2.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-ldap_1.0.0.007-2.dfsg-1_all.deb
egroupware-manual_1.0.0.007-2.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-manual_1.0.0.007-2.dfsg-1_all.deb
egroupware-messenger_1.0.0.007-2.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-messenger_1.0.0.007-2.dfsg-1_all.deb
egroupware-news-admin_1.0.0.007-2.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-news-admin_1.0.0.007-2.dfsg-1_all.deb
egroupware-phpbrain_1.0.0.007-2.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-phpbrain_1.0.0.007-2.dfsg-1_all.deb
egroupware-phpldapadmin_1.0.0.007-2.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-phpldapadmin_1.0.0.007-2.dfsg-1_all.deb
egroupware-phpsysinfo_1.0.0.007-2.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-phpsysinfo_1.0.0.007-2.dfsg-1_all.deb
egroupware-polls_1.0.0.007-2.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-polls_1.0.0.007-2.dfsg-1_all.deb
egroupware-projects_1.0.0.007-2.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-projects_1.0.0.007-2.dfsg-1_all.deb
egroupware-registration_1.0.0.007-2.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-registration_1.0.0.007-2.dfsg-1_all.deb
egroupware-sitemgr_1.0.0.007-2.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-sitemgr_1.0.0.007-2.dfsg-1_all.deb
egroupware-stocks_1.0.0.007-2.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-stocks_1.0.0.007-2.dfsg-1_all.deb
egroupware-tts_1.0.0.007-2.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-tts_1.0.0.007-2.dfsg-1_all.deb
egroupware-wiki_1.0.0.007-2.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-wiki_1.0.0.007-2.dfsg-1_all.deb
egroupware_1.0.0.007-2.dfsg-1.diff.gz
  to pool/main/e/egroupware/egroupware_1.0.0.007-2.dfsg-1.diff.gz
egroupware_1.0.0.007-2.dfsg-1.dsc
  to pool/main/e/egroupware/egroupware_1.0.0.007-2.dfsg-1.dsc
egroupware_1.0.0.007-2.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware_1.0.0.007-2.dfsg-1_all.deb
egroupware_1.0.0.007-2.dfsg.orig.tar.gz
  to pool/main/e/egroupware/egroupware_1.0.0.007-2.dfsg.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.
If you have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Peter Eisentraut <[EMAIL PROTECTED]> (supplier of updated egroupware package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 21 Apr 2005 11:11:11 +0200
Source: egroupware
Binary: egroupware-news-admin egroupware-felamimail egroupware-projects egroupware-polls egroupware-jinn egroupware-calendar egroupware-messenger egroupware egroupware-bookmarks egroupware-wiki egroupware-filemanager egroupware-ldap egroupware-addressbook egroupware-headlines egroupware-tts egroupware-etemplate egroupware-registration egroupware-comic egroupware-emailadmin egroupware-ftp egroupware-developer-tools egroupware-phpldapadmin egroupware-phpsysinfo egroupware-stocks egroupware-manual egroupware-infolog egroupware-core egroupware-email egroupware-fudforum egroupware-sitemgr egroupware-phpbrain egroupware-forum
Architecture: source all
Version: 1.0.0.007-2.dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Peter Eisentraut <[EMAIL PROTECTED]>
Changed-By: Peter Eisentraut <[EMAIL PROTECTED]>
Description: 
 egroupware - web-based groupware suite
 egroupware-addressbook - eGroupWare addressbook management application
 egroupware-bookmarks - eGroupWare bookmark management application
 egroupware-calendar - eGroupWare calendar management application
 egroupware-comic - eGroupWare comic strip application
 egroupware-core - eGroupWare core modules
 egroupware-developer-tools - eGroupWare developer tools
 egroupware-email - eGroupWare E-mail client application
 egroupware-emailadmin - eGroupWare E-mail user administration application
 egroupware-etemplate - widget-based template system for eGroupWare
 egroupware-felamimail - eGroupWare FeLaMiMail application
 egroupware-filemanager - eGroupWare file manager application
 egroupware-forum - eGroupWare forum application
 egroupware-ftp - eGroupWare FTP application
 egroupware-fudforum - eGroupWare FUDforum application
 egroupware-headlines - eGroupWare headlines catcher application
 egroupware-infolog - eGroupWare infolog application
 egroupware-jinn - content management system for eGroupWare
 egroupware-ldap - eGroupware LDAP support files
 egroupware-manual - eGroupWare manual
 egroupware-messenger - eGroupWare messenger application
 egroupware-news-admin - eGroupWare news administration interface
 egroupware-phpbrain - eGroupWare phpbrain application
 egroupware-phpldapadmin - eGroupWare phpLDAPadmin application
 egroupware-phpsysinfo - eGroupWare phpSysInfo application
 egroupware-polls - eGroupWare polling application
 egroupware-projects - eGroupWare projects management application
 egroupware-registration - eGroupWare registration application
 egroupware-sitemgr - eGroupWare site manager application
 egroupware-stocks - eGroupWare stock management application
 egroupware-tts - eGroupWare trouble ticket system application
 egroupware-wiki - eGroupWare wiki application
Closes: 302341 304496 305576
Changes: 
 egroupware (1.0.0.007-2.dfsg-1) unstable; urgency=high
 .
   * New upstream version
     - fixes several security problems (closes: #304496, #305576)
     - fixes SQL error in calendar matrix view (closes: #302341)
     - skel application removed
   * Added php4-cli to dependencies of -fudforum
   * Made Apache 2 the preferred web server alternative in dependencies and
     debconf question, adjusted debconf translations manually
   * Added setup instructions for MySQL (thanks to Christian Motschke)
Files: 
 8c825a91c5ef1fd1bc23ac0863d8d034 1273 web optional egroupware_1.0.0.007-2.dfsg-1.dsc
 462f5ea377c4d0c04f16ffe8037b9d6a 12699187 web optional egroupware_1.0.0.007-2.dfsg.orig.tar.gz
 9f832ecd5b08e2987420054cbc03b481 31063 web optional egroupware_1.0.0.007-2.dfsg-1.diff.gz
 ae8a05a6c9262345e8c1d325ce520437 4116 web optional egroupware_1.0.0.007-2.dfsg-1_all.deb
 746a0ee3a9f124a0e95346119f50f89a 3771618 web optional egroupware-core_1.0.0.007-2.dfsg-1_all.deb
 2751de6dc1c0fe02c0f7372c47d63e7b 6826 web optional egroupware-ldap_1.0.0.007-2.dfsg-1_all.deb
 2b5d387ee7b14e02f091277e17184066 148698 web optional egroupware-addressbook_1.0.0.007-2.dfsg-1_all.deb
 0daf08ec8c1f9f7b427776248b002816 124830 web optional egroupware-bookmarks_1.0.0.007-2.dfsg-1_all.deb
 b3eafc7170a3e6e27d5428beb5889b0a 381984 web optional egroupware-calendar_1.0.0.007-2.dfsg-1_all.deb
 e90c80c3c6d41c7e57fff37879778c61 255770 web optional egroupware-comic_1.0.0.007-2.dfsg-1_all.deb
 49c2666ad25ae2c604630c274d109023 53136 web optional egroupware-developer-tools_1.0.0.007-2.dfsg-1_all.deb
 3a4f7f098fe23d7d1fa952fa790dedfb 1243538 web optional egroupware-email_1.0.0.007-2.dfsg-1_all.deb
 93606a0536000055fd93b785ec51e3c1 37816 web optional egroupware-emailadmin_1.0.0.007-2.dfsg-1_all.deb
 d4ee0943d3a90ce8ebd1c87fd45f6bf2 1362938 web optional egroupware-etemplate_1.0.0.007-2.dfsg-1_all.deb
 a55afb0b15510075633a1b9e552c2b48 275094 web optional egroupware-felamimail_1.0.0.007-2.dfsg-1_all.deb
 bc48b76d5229a13f50a1ecf2bf3a4b31 172558 web optional egroupware-filemanager_1.0.0.007-2.dfsg-1_all.deb
 25f4339585d46cf71cf2c3acc7fa43a8 51022 web optional egroupware-forum_1.0.0.007-2.dfsg-1_all.deb
 71f162e3cdc228deafb5e49fb759d44e 37750 web optional egroupware-ftp_1.0.0.007-2.dfsg-1_all.deb
 6609d0506b77dfa05aa0f33fd416905e 1486228 web optional egroupware-fudforum_1.0.0.007-2.dfsg-1_all.deb
 eb3127f25abb9a747380ab182ae5af3d 74630 web optional egroupware-headlines_1.0.0.007-2.dfsg-1_all.deb
 f93cc771c905727389d487c99a78afa3 201970 web optional egroupware-infolog_1.0.0.007-2.dfsg-1_all.deb
 0145b58b2bf906521b3eaf5e887200f7 204730 web optional egroupware-jinn_1.0.0.007-2.dfsg-1_all.deb
 a2311e4a3d00cae591a2ba5ca89aee0d 16990 web optional egroupware-manual_1.0.0.007-2.dfsg-1_all.deb
 0eaf458f60817a78a4566cf7fe074a6c 31864 web optional egroupware-messenger_1.0.0.007-2.dfsg-1_all.deb
 587763bbd1436475e130ae87a473dfb7 50426 web optional egroupware-news-admin_1.0.0.007-2.dfsg-1_all.deb
 dba4b8e8d2659c33bd6fdd47aeff019e 118968 web optional egroupware-phpbrain_1.0.0.007-2.dfsg-1_all.deb
 d0482796063cb9441ed2cc536fd7e1da 139270 web optional egroupware-phpldapadmin_1.0.0.007-2.dfsg-1_all.deb
 1e577fa7147e096429d5c2b7bb46f74b 115664 web optional egroupware-phpsysinfo_1.0.0.007-2.dfsg-1_all.deb
 22c550aa5ad9145bebef946232076ee0 35784 web optional egroupware-polls_1.0.0.007-2.dfsg-1_all.deb
 89b0b21fe62a8bdc88e3112a1f1a3455 301934 web optional egroupware-projects_1.0.0.007-2.dfsg-1_all.deb
 8e2c4877416ec1808df5a6a9307a8c56 99522 web optional egroupware-registration_1.0.0.007-2.dfsg-1_all.deb
 b00b5e935383cd7f4803bd75602ba5da 486236 web optional egroupware-sitemgr_1.0.0.007-2.dfsg-1_all.deb
 b1fcabbe136706c22a02ea368e2dcaf6 26236 web optional egroupware-stocks_1.0.0.007-2.dfsg-1_all.deb
 385f1304543d92cbac38c9695c1fec09 92354 web optional egroupware-tts_1.0.0.007-2.dfsg-1_all.deb
 ac389e8599dc79db6a6080dad5cbb5a7 92304 web optional egroupware-wiki_1.0.0.007-2.dfsg-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFCZ7XaTTx8oVVPtMYRAq7kAJ0Uqlg1h+F4s8mVRkvVfXGCdOQsPACeM3Hw
BzcOqq4rE6mP4h9D1ANsQeg=
=3pJD
-----END PGP SIGNATURE-----

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
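Added example, not part of the bug report, the GulfTech advisory or the eGroupware/Debian packages: a log-review script for an administrator who wants to know whether the endpoints named in the advisory above were probed before the 1.0.0.007 upgrade landed. It parses combined-format access-log lines and flags any request whose ab_id, category_id, page, type, filter or cats_app parameter (the parameters the advisory lists) carries characters that parameter should never hold. The log lines are constructed for the example, and the per-parameter value shapes are the example's own assumptions about what each parameter normally looks like, not eGroupware's validation rules.

```python
"""Flag requests to the eGroupware endpoints named in the GulfTech advisory
whose query parameters carry characters the parameter should never contain.

Constructed example for post-upgrade log review. The log lines below are
made up, and the per-parameter allow-lists are this example's own
assumptions about expected value shapes, not eGroupware's own checks.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Parameters called out in the advisory, each with the value shape a defender
# would expect (assumed here; the advisory only names the parameters).
EXPECTED = {
    "ab_id": re.compile(r"^\d+$"),              # addressbook record id
    "category_id": re.compile(r"^\d+$"),        # sitemgr category id
    "page": re.compile(r"^[A-Za-z0-9_.-]+$"),   # wiki / manual page name
    "type": re.compile(r"^[a-z]+$"),            # forum post type, e.g. "new"
    "filter": re.compile(r"^[uc]\d+$"),         # tts filter: u<id> or c<id>
    "cats_app": re.compile(r"^[a-z0-9_]+$"),    # preferences application name
}

# Apache/nginx "combined" log format; only the request line is needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, method, path, {param: [values]}) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qs percent-decodes once, so an encoded quote or angle bracket is
    # checked in its decoded form.
    query = parse_qs(parts.query, keep_blank_values=True)
    return m.group("ip"), m.group("method"), parts.path, query


def suspicious_params(query):
    """Names of advisory parameters whose value does not match the expected shape."""
    hits = []
    for name, pattern in EXPECTED.items():
        for value in query.get(name, []):
            if not pattern.fullmatch(value):
                hits.append(name)
                break
    return hits


def scan(lines):
    """Return [(ip, path, [bad params])] for every request that trips a check."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # not in combined format; skip rather than guess
        ip, _method, path, query = parsed
        bad = suspicious_params(query)
        if bad:
            findings.append((ip, path, bad))
    return findings


# Constructed sample: two ordinary requests, then two that carry a stray quote
# and markup in parameters the advisory names (addresses are documentation ranges).
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Apr/2005:23:10:01 +0200] "GET /index.php?menuaction=addressbook.uiaddressbook.edit&ab_id=11 HTTP/1.1" 200 4821',
    '10.0.0.5 - - [20/Apr/2005:23:10:07 +0200] "GET /tts/index.php?filter=u99 HTTP/1.1" 200 1902',
    '198.51.100.7 - - [20/Apr/2005:23:11:30 +0200] "GET /tts/index.php?filter=u99%27 HTTP/1.1" 200 1902',
    '198.51.100.7 - - [20/Apr/2005:23:11:42 +0200] "GET /wiki/index.php?page=RecentChanges%3Cscript%3E HTTP/1.1" 200 3300',
]

if __name__ == "__main__":
    for ip, path, bad in scan(SAMPLE_LOG):
        print(f"{ip} {path} unexpected value in: {', '.join(bad)}")
```

Because the check is an allow-list on value shape rather than a list of attack signatures, it also flags typos and unusual but legitimate values; tune the patterns to what the deployment actually serves, and treat a hit as a prompt to pull the full request and response, not as proof of compromise.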