[SECURITY] [DSA 419-1] New phpgroupware packages fix unintended PHP execution and SQL injection



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 419-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
January 9th, 2003                       http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : phpgroupware
Vulnerability  : missing filename sanitising, SQL injection
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2004-0016 CAN-2004-0017

The authors of phpgroupware, a web based groupware system written in
PHP, discovered several vulnerabilities.  The Common Vulnerabilities
and Exposures project identifies the following problems:

CAN-2004-0016

  In the "calendar" module, the "save extension" was not enforced for
  holiday files.  As a result, server-side PHP scripts could be placed
  in directories that were then reachable remotely, and requesting
  them would cause the webserver to execute them.  This was resolved
  by enforcing the extension ".txt" for holiday files.
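Added example, not code from the advisory or from phpgroupware, of what "enforcing the extension" means in practice: the caller may choose only a short stem, the ".txt" extension is appended rather than trusted from the request, and the reading side ignores anything else that ends up in the directory. The directory path, the stem rule and the function names are assumptions made for the illustration; phpgroupware's own code is PHP and is laid out differently.

```python
import os
import re

# Assumed layout for the example (not phpgroupware's real tree): the
# calendar module keeps one holiday file per locale in one directory
# that the webserver can also reach.
HOLIDAY_DIR = "/var/lib/example-groupware/holidays"   # placeholder path

# The only extension a holiday file is ever allowed to carry.
HOLIDAY_EXT = ".txt"

# What a caller may choose: a short stem with no dot and no path
# separator, so neither a second extension nor a traversal survives.
STEM_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def is_valid_stem(stem):
    """True when `stem` is a bare name with no extension or path part."""
    return isinstance(stem, str) and STEM_RE.fullmatch(stem) is not None


def holiday_path_unsafe(base_dir, requested):
    """The pattern the advisory describes, kept only for contrast: the
    requested name is used as-is, so a name ending in '.php' lands in
    the directory as a script the webserver would execute."""
    return os.path.join(base_dir, requested)


def holiday_path(base_dir, stem):
    """Hardened form: validate the stem, then enforce the extension by
    appending it. Raises ValueError for anything that is not a stem."""
    if not is_valid_stem(stem):
        raise ValueError("invalid holiday file name: %r" % (stem,))
    path = os.path.join(base_dir, stem + HOLIDAY_EXT)
    # Defence in depth: the final path must still lie inside base_dir.
    base_real = os.path.realpath(base_dir)
    if os.path.commonpath([base_real, os.path.realpath(path)]) != base_real:
        raise ValueError("holiday file escaped its directory")
    return path


def is_holiday_file(path):
    """Reader-side check: only parse or serve files that carry the
    enforced extension on a valid stem, so a stray script is ignored."""
    root, ext = os.path.splitext(os.path.basename(path))
    return ext == HOLIDAY_EXT and is_valid_stem(root)


def save_holiday_file(base_dir, stem, lines):
    """Write the holiday entries (one per line) and return the path used."""
    path = holiday_path(base_dir, stem)
    os.makedirs(base_dir, exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")
    return path


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        print("saved:", save_holiday_file(tmp, "us", ["New Year's Day"]))
        for bad in ("evil.php", "../evil", "us.txt"):
            try:
                holiday_path(tmp, bad)
            except ValueError as exc:
                print("rejected:", exc)
```

Appending the extension to a validated stem is stronger than checking the extension the caller sent, because the caller never controls the suffix at all; the directory should additionally live outside the document root or be configured so the webserver never executes anything in it.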

CAN-2004-0017

  Some SQL injection problems (values used in SQL strings were not
  escaped) in the "calendar" and "infolog" modules.
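Added example, not code from the advisory or from phpgroupware, of the defect class named here and its two remedies: a search over a constructed "infolog"-style table once with the value pasted into the SQL string, once with the value bound as a parameter, and once with the quote-doubling escape that the advisory's wording ("non-escaping") implies the fix used. The table, rows and function names are constructed for the illustration; SQLite stands in for the database phpgroupware actually talks to.

```python
import sqlite3

# Constructed schema and rows for this example; not phpgroupware's tables.
SCHEMA = """
CREATE TABLE infolog_entries (
    info_id INTEGER PRIMARY KEY,
    owner   INTEGER NOT NULL,
    subject TEXT    NOT NULL
);
"""
SAMPLE_ROWS = [
    (1, 100, "Budget meeting"),
    (2, 100, "O'Brien contract"),
    (3, 200, "Another user's private note"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO infolog_entries VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def search_unescaped(conn, owner, term):
    """The defect the advisory describes: the caller's value is pasted
    into the SQL text, so a quote inside it reaches the SQL parser and
    can change what the owner restriction means."""
    sql = ("SELECT info_id, owner, subject FROM infolog_entries "
           "WHERE owner = %d AND subject LIKE '%%%s%%'" % (int(owner), term))
    return conn.execute(sql).fetchall()


def search_parameterized(conn, owner, term):
    """Preferred form: values are bound parameters, never SQL text, so a
    quote in the value is just a character."""
    sql = ("SELECT info_id, owner, subject FROM infolog_entries "
           "WHERE owner = ? AND subject LIKE ?")
    return conn.execute(sql, (int(owner), "%" + term + "%")).fetchall()


def quote_literal(value):
    """Escaping for code that must still assemble the string: doubling
    every quote keeps the value inside its literal. This covers only the
    quoted-string position; numbers need a cast, identifiers an allow-list."""
    return "'" + str(value).replace("'", "''") + "'"


def search_escaped(conn, owner, term):
    sql = ("SELECT info_id, owner, subject FROM infolog_entries "
           "WHERE owner = %d AND subject LIKE %s"
           % (int(owner), quote_literal("%" + term + "%")))
    return conn.execute(sql).fetchall()


def unescaped_query_breaks(conn, owner, term):
    """True when the unescaped query is not even valid SQL for this
    input: the first observable sign that data is reaching the grammar."""
    try:
        search_unescaped(conn, owner, term)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("legitimate apostrophe, unescaped query fails:",
          unescaped_query_breaks(db, 100, "O'Brien"))
    print("parameterized:", search_parameterized(db, 100, "O'Brien"))
    print("escaped:      ", search_escaped(db, 100, "O'Brien"))
```

A value as ordinary as "O'Brien" already makes the unescaped query fail, which is the cheapest detection signal a reviewer has: any user-controlled value that can break a query can also rewrite it. Parameter binding removes the problem for every value; escaping works only if applied consistently and in the right context, which is why it is the weaker of the two.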

Additionally, the Debian maintainer adjusted the permissions on world
writable directories that had been accidentally created by a former
postinst script during the installation.

For the stable distribution (woody) this problem has been fixed in
version 0.9.14-0.RC3.2.woody3.

For the unstable distribution (sid) this problem has been fixed in
version 0.9.14.007-4.

We recommend that you upgrade your phpgroupware, phpgroupware-calendar
and phpgroupware-infolog packages.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.14-0.RC3.2.woody3.dsc
      Size/MD5 checksum:     1648 fe062b1bf8877932bb2470e38d911514
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.14-0.RC3.2.woody3.diff.gz
      Size/MD5 checksum:   450361 75e7f22c764901a55fdd512c00ad9403
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.14.orig.tar.gz
      Size/MD5 checksum:  8356188 22e715d0884d09aa848d694701a85b6b

  Architecture independent components:

    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-addressbook_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:    81236 56a2974de3da55bd5790071ce3e2d878
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-admin_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:   143570 9362f1a084d918afd8411ad478463a9c
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-api-doc_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:   283302 e6d43729c8ca9b200718b90ebfe80b5c
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-api_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:  2118350 59d03db385d1bbb59ad3dfb7e57bb8e2
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-bookkeeping_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:    41680 58b563e77f3d22c966fc41f1fc8c87a0
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-bookmarks_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:   118658 427879de1ab1ce71efc4661d0a5d1ee9
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-brewer_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:    62866 8cde7024b9ad933a5b8516e663c3c2a6
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-calendar_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:   227778 dafa81279a94e830061a45dc27aa1561
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-chat_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:    19354 5db6b3131d3d8a38612a56e00dd5693f
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-chora_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:    60394 2f53b3a6515668bc50f6c44b37d84a75
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-comic_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:   327606 5e0ed4e69ddab084c54c61a1f1ec1185
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-core-doc_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:    90754 526677d3294e950846f73f5224872379
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-core_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:    19104 b57bb2ffd6924b326d535fe040b93b95
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-developer-tools_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:    41528 953bfd91bea52f00705b3fd4f0415ec1
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-dj_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:    46096 e1b5108e23bee2e2305cdb031fea4c58
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-eldaptir_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:    50910 f742bfd791e4351004cfb8315c4b392a
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-email_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:   320926 02533f8e4d00569faae3d12104342e9d
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-filemanager_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:    37878 446001e9d4dad5ed52c0431e6b2f7184
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-forum_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:    48984 d9e0460cab85338cec380a03d1d55c48
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-ftp_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:    40024 5a4e2d552559efc9c82c3ac19399f8fc
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-headlines_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:    59460 97ca00d28d3d08c1963293bc188bf73a
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-hr_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:    23696 b003552af5ac215ea5698b18975325eb
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-img_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:    38914 81f8c2b52ba8d700bb061544432f7b01
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-infolog_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:    94250 d5c04f7fd9ef850dcb01760e548dffd7
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-inv_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:    93962 4e8ce2091f40a0e7ed4a7e42c5f13556
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-manual_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:    87432 0f64fe97a9d86389219079d3daf0183a
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-messenger_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:    29808 b4e8141b97df11359349a825a45f5461
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-napster_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:    25512 c27b435b115eb5b45574766dabcafb11
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-news-admin_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:    31410 b3706db963a475e39d3b1fc736102a22
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-nntp_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:    42500 344a15932f0d627ba21c285df1a6279d
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-notes_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:    27426 15eb78a12b9a1c8a8fbfc7c78f1064ac
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-phonelog_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:    21638 999028c0af8d28fb9ea05567afaeacd8
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-phpsysinfo_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:    35616 f45af6b8ce3131c26000918b890e0cbf
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-phpwebhosting_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:    62188 e9a60c036da4b519b579e7f29b1f2f92
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-polls_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:    29494 e3fc876b3b0cea434e586665f8be3ace
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-preferences_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:    46086 84928cb89947883658d0c2251b95a2c5
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-projects_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:    91414 b6a52fa388dbc09c0d7ff554cfbf5c56
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-registration_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:    35600 bd6f66dd3ce33125f6f0282f6ad7fbef
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-setup_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:   278684 ab4dc26916fc11187c0c70da92b48700
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-skel_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:    30940 766d5112eefd0ff8c5fdb4ca21435e69
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-soap_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:    22656 3a0f2075d13f923b12c28ea864a627ad
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-stocks_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:    26770 5a756d5dcb59404af3f3beb16dbcb994
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-todo_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:    43872 44f36dc391a31256697788dc64b51316
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-tts_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:    46916 879ff4be6ee9b095d75132f92cae68da
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-wap_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:    27532 c7ce0209ee04edbccf1adbf4f9afe807
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-weather_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:   490010 6a6a85ca7dfa510c4a676f478c84ee67
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-xmlrpc_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:    74822 249a47e63d59c1026fd3f02b854b8d32
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:    25608 7ca156a941abae77bc8699b860d4f818


  These files will probably be moved into the stable distribution on
  its next revision.
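Added example, not part of the advisory, of the check the "Size/MD5 checksum" lines are there for: parse the file list in the format above, then compare a downloaded package's size and MD5 against it before running dpkg -i. The two listed entries are copied from the advisory; the third entry, with a placeholder URL, is constructed (size and MD5 of the three bytes "abc") so that the verification path can be exercised offline. Function names are assumptions made for the illustration.

```python
import hashlib
import os
import re
import tempfile

# Two entries copied from the advisory's file list, plus one constructed
# entry (placeholder URL; size and MD5 of the bytes b"abc").
ADVISORY_FILES = """\
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-calendar_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:   227778 dafa81279a94e830061a45dc27aa1561
    http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.14-0.RC3.2.woody3_all.deb
      Size/MD5 checksum:    25608 7ca156a941abae77bc8699b860d4f818
    http://example.invalid/pool/constructed_0.1_all.deb
      Size/MD5 checksum:        3 900150983cd24fb0d6963f7d28e17f72
"""

URL_RE = re.compile(r"^\s*(\S+://\S+)\s*$")
SUM_RE = re.compile(r"^\s*Size/MD5 checksum:\s+(\d+)\s+([0-9a-f]{32})\s*$")


def parse_file_list(text):
    """Return {basename: (url, size, md5)} from the advisory's file list,
    where every URL line is followed by a 'Size/MD5 checksum:' line."""
    entries = {}
    pending_url = None
    for line in text.splitlines():
        m = URL_RE.match(line)
        if m:
            pending_url = m.group(1)
            continue
        m = SUM_RE.match(line)
        if m and pending_url:
            name = pending_url.rsplit("/", 1)[-1]
            entries[name] = (pending_url, int(m.group(1)), m.group(2))
            pending_url = None
    return entries


def md5_of_file(path):
    """Stream the file so large packages do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, entries):
    """Check a downloaded file against the advisory's list before
    installing it. Returns (ok, reason). The size is compared first
    because it is cheap and catches truncated transfers; the MD5 then
    has to match exactly."""
    name = os.path.basename(path)
    if name not in entries:
        return False, "%s is not listed in the advisory" % name
    _url, size, md5 = entries[name]
    actual_size = os.path.getsize(path)
    if actual_size != size:
        return False, "size mismatch: expected %d, got %d" % (size, actual_size)
    actual_md5 = md5_of_file(path)
    if actual_md5 != md5:
        return False, "MD5 mismatch: expected %s, got %s" % (md5, actual_md5)
    return True, "size and MD5 match the advisory"


def demo_verify(contents, name="constructed_0.1_all.deb"):
    """Write `contents` to a temporary file called `name` and verify it
    against the embedded list; returns (ok, reason)."""
    entries = parse_file_list(ADVISORY_FILES)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, name)
        with open(path, "wb") as fh:
            fh.write(contents)
        return verify_download(path, entries)


if __name__ == "__main__":
    for name, (url, size, md5) in parse_file_list(ADVISORY_FILES).items():
        print("%-55s %8d %s" % (name, size, md5))
    print(demo_verify(b"abc"))    # intact constructed package
    print(demo_verify(b"abcd"))   # wrong size
    print(demo_verify(b"abd"))    # right size, wrong content
```

The MD5 here is what the advisory publishes, and it guards against a corrupted or truncated download; what ties those sums to Debian is the PGP signature over the advisory text itself, so the signature should be checked before the sums are trusted.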

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE//mjTW5ql+IAeqTIRArcGAKCoiOTnYdxogjr2t2NDf+lAjzFn8QCgjRdr
lzJyiVYY+5hpSntKb6diMpI=
=vfhg
-----END PGP SIGNATURE-----
