
[Correction] [SECURITY] [DSA 746-1] New packages fix remote command execution in phpgroupware



On Thu, Jul 14, 2005 at 03:17:31AM +0200, Michael Stone wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> - ------------------------------------------------------------------------
> Debian Security Advisory DSA 746-1                   security@debian.org
> http://www.debian.org/security/                            Michael Stone
> July 13, 2005                         http://www.debian.org/security/faq
> - ------------------------------------------------------------------------
> 
> Package        : phpgroupware
> Vulnerability  : remote command execution
> Problem type   : input validation error
> Debian-specific: no
> CVE Id(s)      : CAN-2005-1921
> 
> A vulnerability had been identified in the xmlrpc library included with
> phpgroupware, a web-based application including email, calendar and
> other groupware functionality. This vulnerability could lead to the
> execution of arbitrary commands on the server running phpgroupware.
> 
> The security team is continuing to investigate the version of
> phpgroupware included with the old stable distribution (sarge). At this
                                                          ^^^^^ woody? 
> time we recommend disabling phpgroupware or upgrading to the current
> stable distribution (sarge).
> 
> For the current stable distribution (sarge) this problem has been fixed
> in version 0.9.16.005-3.sarge0.
> 
> For the unstable distribution (sid) this problem has been fixed in
> version 0.9.16.006-1.
> 
> We recommend that you upgrade your phpgroupware package.
> 
> Upgrade instructions
> - --------------------
> 
> wget url
>         will fetch the file for you
> dpkg -i file.deb
>         will install the referenced file.
> 
> If you are using the apt-get package manager, use the line for
> sources.list as given below:
> 
> apt-get update
>         will update the internal database
> apt-get upgrade
>         will install corrected packages
> 
> You may use an automated update by adding the resources from the
> footer to the proper configuration.
> 
> 
> Debian 3.1 (sarge)
> - ------------------
> 
>   sarge was released for alpha, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc.
> 
>   Source archives:
> 
> 
>   Architecture independent packages:
> 
> 
> - -------------------------------------------------------------------------------
> For apt-get: deb http://security.debian.org/ stable/updates main
> For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
> Mailing list: debian-security-announce@lists.debian.org
> Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.1 (GNU/Linux)
> 
> -----END PGP SIGNATURE-----
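
Added example, not part of the advisory or of this reply: a check of whether an installed phpgroupware version string is at or above the fixed versions the advisory names, using Debian's version ordering (epoch, upstream version, revision, with `~` sorting before everything). The sample version strings in the demo loop are constructed, and the function names are this example's own.

```python
import re
from itertools import zip_longest

FIXED_SARGE = "0.9.16.005-3.sarge0"  # fixed version stated in DSA 746-1
FIXED_SID = "0.9.16.006-1"           # fixed version stated in DSA 746-1

def _order(ch):
    """dpkg character weight: '~' sorts first, letters before other symbols."""
    if ch == "~":
        return -1
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _chunks(part):
    """Split into (non-digit run, number) pairs; the trailing 0 marks end of run."""
    return [([_order(c) for c in text] + [0], int(num or 0))
            for text, num in re.findall(r"(\D*)(\d*)", part)]

def _cmp_part(a, b):
    # Pad the shorter side so that a missing chunk compares like an empty one.
    for x, y in zip_longest(_chunks(a), _chunks(b), fillvalue=([0], 0)):
        if x != y:
            return -1 if x < y else 1
    return 0

def _split(version):
    """Return (epoch, upstream, revision); missing epoch is 0, missing revision is empty."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, sep, revision = rest.rpartition("-")
    return (int(epoch), upstream, revision) if sep else (int(epoch), rest, "")

def compare(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to or newer than b."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def has_fix(installed, fixed=FIXED_SARGE):
    """True when the installed version is the fixed version or newer."""
    return compare(installed, fixed) >= 0

if __name__ == "__main__":
    # Constructed sample version strings, not taken from any real host.
    for v in ["0.9.16.005-3", "0.9.16.005-3.sarge0~test1",
              FIXED_SARGE, FIXED_SID, "0.9.14-1"]:
        print(f"{v:28} {'fixed' if has_fix(v) else 'predates the sarge fix'}")
```

On a Debian host the installed version string can be read with `dpkg-query -W -f='${Version}' phpgroupware` and passed to `has_fix`.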


