Re: [SECURITY] [DSA 798-1] New phpgroupware packages fix several vulnerabilities
Do you remember whether you have any of these scattered around the world?
On Fri, 02 Sep 2005 at 13:05 +0200, Martin Schulze wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - --------------------------------------------------------------------------
> Debian Security Advisory DSA 798-1                     security@debian.org
> http://www.debian.org/security/                             Martin Schulze
> September 2nd, 2005                     http://www.debian.org/security/faq
> - --------------------------------------------------------------------------
>
> Package : phpgroupware
> Vulnerability : several
> Problem-Type : remote
> Debian-specific: no
> CVE ID : CAN-2005-2498 CAN-2005-2600 CAN-2005-2761
>
> Several vulnerabilities have been discovered in phpgroupware, a web
> based groupware system written in PHP. The Common Vulnerabilities and
> Exposures project identifies the following problems:
>
> CAN-2005-2498
>
> Stefan Esser discovered another vulnerability in the XML-RPC
> libraries that allows injection of arbitrary PHP code into eval()
> statements. The XMLRPC component has been disabled.
>
> CAN-2005-2600
>
> Alexander Heidenreich discovered a cross-site scripting problem
> in the tree view of FUD Forum Bulletin Board Software, which is
> also present in phpgroupware.
>
> CAN-2005-2761
>
> A global cross-site scripting fix has also been included that
> protects against potential malicious scripts embedded in CSS and
> xmlns in various parts of the application and modules.
>
> This update also contains a postinst bugfix that has been approved for
> the next update to the stable release.
>
> For the old stable distribution (woody) these problems don't apply.
>
> For the stable distribution (sarge) these problems have been fixed in
> version 0.9.16.005-3.sarge2.
>
> For the unstable distribution (sid) these problems have been fixed in
> version 0.9.16.008.
>
> We recommend that you upgrade your phpgroupware packages.
>
>
> Upgrade Instructions
> - --------------------
>
> wget url
>         will fetch the file for you
> dpkg -i file.deb
>         will install the referenced file.
>
> If you are using the apt-get package manager, use the line for
> sources.list as given below:
>
> apt-get update
>         will update the internal database
> apt-get upgrade
>         will install corrected packages
>
> You may use an automated update by adding the resources from the
> footer to the proper configuration.
>
>
> Debian GNU/Linux 3.1 alias sarge
> - --------------------------------
>
>
>
> These files will probably be moved into the stable distribution on
> its next update.
>
> - ---------------------------------------------------------------------------------
> For apt-get: deb http://security.debian.org/ stable/updates main
> For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
> Mailing list: debian-security-announce@lists.debian.org
> Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.1 (GNU/Linux)
>
> iD8DBQFDGDHkW5ql+IAeqTIRAgjKAJ0ZQXrESKCx66FOz2YV+Rkz0503aQCeLPqe
> Jol2uYCvFJbwPaWvi2tinCg=
> =lz87
> -----END PGP SIGNATURE-----
>
>