--- Begin Message ---
- From: Matt Zimmerman <mdz@debian.org>
- Subject: [SECURITY] [DSA-365-1] New phpgroupware package fix several vulnerabilities
- Date: Tue, 5 Aug 2003 22:56:22 -0400
- Content-disposition: inline
- List-archive: <http://lists.debian.org/debian-security-announce/>
- List-help: <mailto:debian-security-announce-request@lists.debian.org?subject=help>
- List-id: <debian-security-announce.lists.debian.org>
- List-post: <mailto:debian-security-announce@lists.debian.org>
- List-subscribe: <mailto:debian-security-announce-request@lists.debian.org?subject=subscribe>
- List-unsubscribe: <mailto:debian-security-announce-request@lists.debian.org?subject=unsubscribe>
- Old-return-path: <mdz@xxxxxxxxxxx>
- Priority: urgent
- Resent-date: Tue, 5 Aug 2003 21:56:30 -0500 (CDT)
- Resent-from: debian-security-announce@lists.debian.org
- Resent-message-id: <5dk0SC.A.RTH.d5GM_@murphy>
- Resent-sender: debian-security-announce-request@lists.debian.org
- X-bogosity: No, tests=bogofilter, spamicity=0.000000, version=0.14.2
- X-debian: PGP check passed for security officers
- X-loop: debian-security-announce@lists.debian.org
- X-mailing-list: <debian-security-announce@lists.debian.org>
- X-original-to: kmuto@xxxxxxxxxxxxxxx
- X-spam-checker-version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
- X-spam-level:
- X-spam-status: No, hits=-110.5 required=10.0 tests=BAYES_01,PGP_SIGNATURE,USER_AGENT_MUTT,USER_IN_WHITELIST, X_LOOP,X_MAILING_LIST autolearn=ham version=2.55
- X-virus-scanned: by amavisd-new-20030616-p3 (Debian) at topstudio.co.jp
- Message-id: <20030806025622.GB25407@xxxxxxxxx>
- User-agent: Mutt/1.5.4i
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Debian Security Advisory DSA 365-1 security@debian.org
http://www.debian.org/security/ Matt Zimmerman
August 5th, 2003 http://www.debian.org/security/faq
- --------------------------------------------------------------------------
Package : phpgroupware
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE Ids : CAN-2003-0504, CAN-2003-0599, CAN-2003-0657
Several vulnerabilities have been discovered in phpgroupware:
- - CAN-2003-0504: Multiple cross-site scripting (XSS) vulnerabilities
in Phpgroupware 0.9.14.003 (aka webdistro) allow remote attackers to
insert arbitrary HTML or web script, as demonstrated with a request
to index.php in the addressbook module.
- - CAN-2003-0599: Unknown vulnerability in the Virtual File System
(VFS) capability for phpGroupWare 0.9.16preRC and versions before
0.9.14.004 with unknown implications, related to the VFS path being
under the web document root.
- - CAN-2003-0657: Multiple SQL injection vulnerabilities in the infolog
module of phpgroupware could allow remote attackers to execute
arbitrary SQL statements.
For the stable distribution (woody), these problems have been fixed in
version 0.9.14-0.RC3.2.woody2.
For the unstable distribution (sid), these problems will be fixed
soon. Refer to Debian bug #201980.
We recommend that you update your phpgroupware package.
Upgrade Instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
- --------------------------------
Source archives:
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.14-0.RC3.2.woody2.dsc
Size/MD5 checksum: 1648 93a22cf33766d0da16e471ce32c7f213
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.14-0.RC3.2.woody2.diff.gz
Size/MD5 checksum: 450742 fb1dc330a0811f186c1e03bc91c20ce7
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.14.orig.tar.gz
Size/MD5 checksum: 8356188 22e715d0884d09aa848d694701a85b6b
Architecture independent components:
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-addressbook_0.9.14-0.RC3.2.woody2_all.deb
Size/MD5 checksum: 78752 d825eaa68b15d1c7d7f67c9365ac7c48
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-admin_0.9.14-0.RC3.2.woody2_all.deb
Size/MD5 checksum: 142068 c7a17b0e79a8b4d5a4792df7f5f11241
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-api-doc_0.9.14-0.RC3.2.woody2_all.deb
Size/MD5 checksum: 283128 3b037f7a52c34a89ff70734746983fee
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-api_0.9.14-0.RC3.2.woody2_all.deb
Size/MD5 checksum: 2112084 ac91891afd802b09fdc00be19cbd6088
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-bookkeeping_0.9.14-0.RC3.2.woody2_all.deb
Size/MD5 checksum: 40128 e118ec41df6369ce6315584d11c2d37b
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-bookmarks_0.9.14-0.RC3.2.woody2_all.deb
Size/MD5 checksum: 121132 ef1b1ab9cb60201e8c3735a913967242
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-brewer_0.9.14-0.RC3.2.woody2_all.deb
Size/MD5 checksum: 63446 c17d2fe4803b325f83c4ffbcdf2d291d
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-calendar_0.9.14-0.RC3.2.woody2_all.deb
Size/MD5 checksum: 223392 f20a9d4ea0f0b25312139a981d745d75
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-chat_0.9.14-0.RC3.2.woody2_all.deb
Size/MD5 checksum: 18964 1c2a1ee3ff2a21148e791b0cd19ca8a3
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-chora_0.9.14-0.RC3.2.woody2_all.deb
Size/MD5 checksum: 59788 ab5a2baa28d1ab14f7129ce656649b44
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-comic_0.9.14-0.RC3.2.woody2_all.deb
Size/MD5 checksum: 326248 7c4e63e419dd152886a92c5c09d5b3ab
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-core-doc_0.9.14-0.RC3.2.woody2_all.deb
Size/MD5 checksum: 89112 a0e6a3c0c7ecf74cc244924d2ecf4f55
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-core_0.9.14-0.RC3.2.woody2_all.deb
Size/MD5 checksum: 18902 35099021465ab7ebb2b7ee760e6b70f4
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-developer-tools_0.9.14-0.RC3.2.woody2_all.deb
Size/MD5 checksum: 40780 151e36e027b09e2ae2978a8fc8ebb628
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-dj_0.9.14-0.RC3.2.woody2_all.deb
Size/MD5 checksum: 45410 48471bd170e7b5ee355925264b77eb4f
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-eldaptir_0.9.14-0.RC3.2.woody2_all.deb
Size/MD5 checksum: 47028 a27eb8411e2d41e8f18d6a9af0a864de
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-email_0.9.14-0.RC3.2.woody2_all.deb
Size/MD5 checksum: 313264 626a400affcfcd69e4ee9450d09f2a0c
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-filemanager_0.9.14-0.RC3.2.woody2_all.deb
Size/MD5 checksum: 37432 fef58c4c16d52f85c9992d1c97d2df7d
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-forum_0.9.14-0.RC3.2.woody2_all.deb
Size/MD5 checksum: 47750 0b387b72c9e3d8515ca1dd628e9deff3
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-ftp_0.9.14-0.RC3.2.woody2_all.deb
Size/MD5 checksum: 39450 eb0b97624c8cd153273f4b49560eb17b
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-headlines_0.9.14-0.RC3.2.woody2_all.deb
Size/MD5 checksum: 59416 9d524b292991a8f7340300572f1a5efc
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-hr_0.9.14-0.RC3.2.woody2_all.deb
Size/MD5 checksum: 23774 9bf313b7b7e411ccbfecbcb5a6befed7
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-img_0.9.14-0.RC3.2.woody2_all.deb
Size/MD5 checksum: 38654 af5425ba4df22d7bd089bc5e19721a7b
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-infolog_0.9.14-0.RC3.2.woody2_all.deb
Size/MD5 checksum: 92774 dec62996133857d906fe5c7b7f7bb026
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-inv_0.9.14-0.RC3.2.woody2_all.deb
Size/MD5 checksum: 89368 d680c096b16299f7f37b9b87adb21bb8
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-manual_0.9.14-0.RC3.2.woody2_all.deb
Size/MD5 checksum: 92564 5ea8b1fd199767f7c37f1dc28c13962f
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-messenger_0.9.14-0.RC3.2.woody2_all.deb
Size/MD5 checksum: 29702 e30218b43262f531bbdd76123af55e24
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-napster_0.9.14-0.RC3.2.woody2_all.deb
Size/MD5 checksum: 26126 b3777f397897fc821dc4031075afc5ff
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-news-admin_0.9.14-0.RC3.2.woody2_all.deb
Size/MD5 checksum: 31534 2cbeb9e702f9082beae4e70069cfd541
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-nntp_0.9.14-0.RC3.2.woody2_all.deb
Size/MD5 checksum: 44502 5ee3c873c1497dbf6443611b8d7c195a
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-notes_0.9.14-0.RC3.2.woody2_all.deb
Size/MD5 checksum: 27194 38155a1f43abdaee60edb232c938e781
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-phonelog_0.9.14-0.RC3.2.woody2_all.deb
Size/MD5 checksum: 21706 aaabc4a558f38ef95219ba2cbdca72b9
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-phpsysinfo_0.9.14-0.RC3.2.woody2_all.deb
Size/MD5 checksum: 34984 a6a24cf61f28f903b26f21d5579e62b5
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-phpwebhosting_0.9.14-0.RC3.2.woody2_all.deb
Size/MD5 checksum: 61690 2789e986ec5553158bcfa061f439a016
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-polls_0.9.14-0.RC3.2.woody2_all.deb
Size/MD5 checksum: 29644 8915e9e52820c03d53c3abcd90fdd8e1
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-preferences_0.9.14-0.RC3.2.woody2_all.deb
Size/MD5 checksum: 45586 170eaa764caed9fd4df57fbef1f08a8c
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-projects_0.9.14-0.RC3.2.woody2_all.deb
Size/MD5 checksum: 86298 000b2cb49d1befdd8c5d224a2e6a80d0
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-registration_0.9.14-0.RC3.2.woody2_all.deb
Size/MD5 checksum: 35896 b2f0aad62202ed20be87f58e2f308483
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-setup_0.9.14-0.RC3.2.woody2_all.deb
Size/MD5 checksum: 272394 9b4cbea2aa72d25aa39f66283d9cca9a
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-skel_0.9.14-0.RC3.2.woody2_all.deb
Size/MD5 checksum: 30894 2ed102a96f56e4ad712c457eba20cc3f
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-soap_0.9.14-0.RC3.2.woody2_all.deb
Size/MD5 checksum: 22530 18261fb8b7e3edb8954db7fe2f9188a5
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-stocks_0.9.14-0.RC3.2.woody2_all.deb
Size/MD5 checksum: 26644 c253f429544d85128f18c5b5f78683d7
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-todo_0.9.14-0.RC3.2.woody2_all.deb
Size/MD5 checksum: 43124 1d526e61157760f0363f230fede803ee
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-tts_0.9.14-0.RC3.2.woody2_all.deb
Size/MD5 checksum: 46140 9f7147cb2da079c4e15343ae7044c9f2
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-wap_0.9.14-0.RC3.2.woody2_all.deb
Size/MD5 checksum: 27570 3f10b7ce2ea59162bbe48de3a6ba5a14
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-weather_0.9.14-0.RC3.2.woody2_all.deb
Size/MD5 checksum: 498274 9cdf6321099ce4870fe2f70ae722986a
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-xmlrpc_0.9.14-0.RC3.2.woody2_all.deb
Size/MD5 checksum: 74426 50076afe3bd152ae3c8282f2f795b6ae
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.14-0.RC3.2.woody2_all.deb
Size/MD5 checksum: 25652 5dc38752cd0a47e16a213de78524e1de
These files will probably be moved into the stable distribution on
its next revision.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
iD8DBQE/MG4oArxCt0PiXR4RAkwAAJ9ZSa4f39+K1ArRIUO5q/xcjHZe2wCfUrOu
Q8CSYCWQ0O6ysQ6ODMd5oek=
=XAuw
-----END PGP SIGNATURE-----
--
To UNSUBSCRIBE, email to debian-security-announce-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
--- End Message ---