
Re: [SECURITY] [DSA 798-1] New phpgroupware packages fix several vulnerabilities



Do you remember if you have any scattered around the world?

On Fri, 02 Sep 2005 at 13:05 +0200, Martin Schulze wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> - --------------------------------------------------------------------------
> Debian Security Advisory DSA 798-1                     security@debian.org
> http://www.debian.org/security/                             Martin Schulze
> September 2nd, 2005                     http://www.debian.org/security/faq
> - --------------------------------------------------------------------------
> 
> Package        : phpgroupware
> Vulnerability  : several
> Problem-Type   : remote
> Debian-specific: no
> CVE ID         : CAN-2005-2498 CAN-2005-2600 CAN-2005-2761
> 
> Several vulnerabilities have been discovered in phpgroupware, a web
> based groupware system written in PHP.  The Common Vulnerabilities and
> Exposures project identifies the following problems:
> 
> CAN-2005-2498
> 
>     Stefan Esser discovered another vulnerability in the XML-RPC
>     libraries that allows injection of arbitrary PHP code into eval()
>     statements.  The XMLRPC component has been disabled.
> 
> CAN-2005-2600
> 
>     Alexander Heidenreich discovered a cross-site scripting problem
>     in the tree view of FUD Forum Bulletin Board Software, which is
>     also present in phpgroupware.
> 
> CAN-2005-2761
> 
>     A global cross-site scripting fix has also been included that
>     protects against potential malicious scripts embedded in CSS and
>     xmlns in various parts of the application and modules.
> 
> This update also contains a postinst bugfix that has been approved for
> the next update to the stable release.
> 
> For the old stable distribution (woody) these problems don't apply.
> 
> For the stable distribution (sarge) these problems have been fixed in
> version 0.9.16.005-3.sarge2.
> 
> For the unstable distribution (sid) these problems have been fixed in
> version 0.9.16.008.
> 
> We recommend that you upgrade your phpgroupware packages.
> 
> 
> Upgrade Instructions
> - --------------------
> 
> wget url
>         will fetch the file for you
> dpkg -i file.deb
>         will install the referenced file.
> 
> If you are using the apt-get package manager, use the line for
> sources.list as given below:
> 
> apt-get update
>         will update the internal database
> apt-get upgrade
>         will install corrected packages
> 
> You may use an automated update by adding the resources from the
> footer to the proper configuration.
> 
> 
> Debian GNU/Linux 3.1 alias sarge
> - --------------------------------
> 
>   Source archives:
> 
>     http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.16.005-3.sarge2.dsc
>       Size/MD5 checksum:     1665 e10b74698fb0ccd70d9960c4e9745224
>     http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.16.005-3.sarge2.diff.gz
>       Size/MD5 checksum:    36212 ce2653530ea7790676d68687ac9ab89a
>     http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.16.005.orig.tar.gz
>       Size/MD5 checksum: 19442629 5edd5518e8f77174c12844f9cfad6ac4
> 
>   Architecture independent components:
> 
> 
> 
>   These files will probably be moved into the stable distribution on
>   its next update.
> 
> - ---------------------------------------------------------------------------------
> For apt-get: deb http://security.debian.org/ stable/updates main
> For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
> Mailing list: debian-security-announce@lists.debian.org
> Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.1 (GNU/Linux)
> 
> iD8DBQFDGDHkW5ql+IAeqTIRAgjKAJ0ZQXrESKCx66FOz2YV+Rkz0503aQCeLPqe
> Jol2uYCvFJbwPaWvi2tinCg=
> =lz87
> -----END PGP SIGNATURE-----
> 
> 
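
The quoted upgrade instructions fetch a package with wget and install it with dpkg -i, and each URL in the advisory is followed by a "Size/MD5 checksum" line that lets the download be checked before installation. The Python below is an added example, not part of the advisory or of this message: it parses entries in that layout (mail-quoted or not) and compares a local file's size and MD5 against them. The file name, URL and file contents used in demo() are constructed.

```python
import hashlib
import os
import re
import tempfile

# "Size/MD5 checksum: <bytes> <32 hex digits>", as printed under each URL.
CHECKSUM_RE = re.compile(r"Size/MD5 checksum:\s+(\d+)\s+([0-9a-f]{32})\s*$")

def parse_manifest(text):
    """Map file name -> (size, md5) from advisory text, mail-quoted or not."""
    manifest, pending = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("> \t").strip()          # drop "> " reply quoting
        m = CHECKSUM_RE.search(line)
        if m and pending:                          # checksum line right after a URL
            manifest[pending] = (int(m.group(1)), m.group(2))
        is_url = line.startswith(("http://", "https://", "ftp://"))
        pending = line.rsplit("/", 1)[-1] if is_url else None
    return manifest

def verify(path, manifest):
    """Return 'ok', 'size-mismatch', 'md5-mismatch' or 'unlisted' for one file."""
    entry = manifest.get(os.path.basename(path))
    if entry is None:
        return "unlisted"
    size, md5 = entry
    if os.path.getsize(path) != size:
        return "size-mismatch"
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return "ok" if digest.hexdigest() == md5 else "md5-mismatch"

def demo():
    """Run the check on a constructed file and a constructed advisory entry."""
    body = b"constructed package bytes\n"
    advisory = ("> http://mirror.example/pool/example-pkg_1.0_all.deb\n"
                f">   Size/MD5 checksum: {len(body):8d} {hashlib.md5(body).hexdigest()}\n")
    manifest, results = parse_manifest(advisory), {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "example-pkg_1.0_all.deb")
        for label, data in (("intact", body), ("modified", body[:-1] + b"X"),
                            ("resized", body + b"pad")):
            with open(path, "wb") as fh:
                fh.write(data)
            results[label] = verify(path, manifest)
        results["unlisted"] = verify(os.path.join(tmp, "other.deb"), manifest)
    return results
```

The listed values are only as trustworthy as the advisory text itself, so this check belongs after the advisory's PGP signature has been verified; MD5 on its own detects corruption or a wrong file, not a deliberately crafted collision.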


