97651 2005-07-01 13:26 0000 www-apps/egroupware is affected by XML_RPC PHP flaw (CAN-2005-1921) 2005-07-10 12:35:32 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED B1 [glsa] P2 major --- 1 koon@gentoo.org security@gentoo.org web-apps@gentoo.org koon@gentoo.org 2005-07-01 13:26:58 0000 According to GulfTech advisory egroupware is also affected. koon@gentoo.org 2005-07-04 13:21:31 0000 egroupware uses a really old version of what has finally become phpxmlrpc (in phpgwapi/inc/xml_functions.inc.php). Needs a careful backport too :/ koon@gentoo.org 2005-07-04 13:37:14 0000 Created an attachment (id=62618) egroupware.patch Backported patch from PEAR fix koon@gentoo.org 2005-07-04 13:49:22 0000 web-apps: please bump with patch... and test a little (I didn't) stuart@gentoo.org 2005-07-05 17:08:26 0000 Patched and rev-bumped. Best regards, Stu koon@gentoo.org 2005-07-06 01:17:07 0000 alpha amd64 ppc x86 : please mark stable, this is a really minor (but needed) bump that shouldn't break anything. hansmi@gentoo.org 2005-07-06 12:57:31 0000 Stable on ppc. koon@gentoo.org 2005-07-07 09:48:17 0000 Arches: please mark stable so that the GLSA on this exploited vuln can go out. vorlon@gentoo.org 2005-07-08 04:27:16 0000 stable on alpha, thanks kloeri amd64/x86/web-apps, pls test and mark stable rl03@gentoo.org 2005-07-09 07:26:53 0000 Stuart - why is the epatch line in the ebuild commented out? # epatch ${FILESDIR}/${PN}-1.0.0.007-xmlrpc.patch vorlon@gentoo.org 2005-07-09 07:37:36 0000 back to ebuild status, until the issue in comment #9 is fixed rl03@gentoo.org 2005-07-09 19:02:06 0000 Upstream released a new version. 1.0.0.008 in Portage, marked stable on x86. dercorny@gentoo.org 2005-07-09 19:10:28 0000 Recalling alpha and ppc. Arches, please test 1.0.0.008 and mark stable. Note that this one is late and it's already being exploited + blocks another GLSA, so don't wait too long. Thanks everbody! dercorny@gentoo.org 2005-07-09 21:37:32 0000 alpha, ppc, x86: i just noticed that you are already marked stable, sorry to annoy you :( only amd64 left to go. kugelfang@gentoo.org 2005-07-10 12:02:39 0000 Sorry for the delay Stefan. amd64 is stable now. kugelfang@gentoo.org 2005-07-10 12:03:10 0000 Should remove us from CC as well :-) dercorny@gentoo.org 2005-07-10 12:05:48 0000 Ready for GLSA vorlon@gentoo.org 2005-07-10 12:35:32 0000 GLSA 200507-08 thanks everyone 62618 2005-07-04 13:37 0000 egroupware.patch egroupware.patch text/plain LS0tIGVncm91cHdhcmUvcGhwZ3dhcGkvaW5jL3htbF9mdW5jdGlvbnMuaW5jLnBocC5vbGQJMjAw NS0wNy0wNCAyMjozNTozOS4wMDAwMDAwMDAgKzAyMDAKKysrIGVncm91cHdhcmUvcGhwZ3dhcGkv aW5jL3htbF9mdW5jdGlvbnMuaW5jLnBocAkyMDA0LTAzLTA3IDEwOjU1OjQzLjAwMDAwMDAwMCAr MDEwMApAQCAtMTg5LDcgKzE4OSw3IEBACiAJCQkJJEdMT0JBTFNbJ194aCddWyRwYXJzZXJdWydx dCddPTA7CiAJCQkJYnJlYWs7CiAJCQljYXNlICdOQU1FJzoKLQkJCQkkR0xPQkFMU1snX3hoJ11b JHBhcnNlcl1bJ3N0J10gLj0gJyInOworCQkJCSRHTE9CQUxTWydfeGgnXVskcGFyc2VyXVsnc3Qn XSAuPSAiJyI7CiAJCQkJJEdMT0JBTFNbJ194aCddWyRwYXJzZXJdWydhYyddID0gJyc7CiAJCQkJ YnJlYWs7CiAJCQljYXNlICdGQVVMVCc6CkBAIC0yNjUsNyArMjY1LDcgQEAKIAkJCQkkR0xPQkFM U1snX3hoJ11bJHBhcnNlcl1bJ2NtJ10tLTsKIAkJCQlicmVhazsKIAkJCWNhc2UgJ05BTUUnOgot CQkJCSRHTE9CQUxTWydfeGgnXVskcGFyc2VyXVsnc3QnXS49ICRHTE9CQUxTWydfeGgnXVskcGFy c2VyXVsnYWMnXSAuICciID0+ICc7CisJCQkJJEdMT0JBTFNbJ194aCddWyRwYXJzZXJdWydzdCdd Lj0gJEdMT0JBTFNbJ194aCddWyRwYXJzZXJdWydhYyddIC4gIicgPT4gIjsKIAkJCQlicmVhazsK IAkJCWNhc2UgJ0JPT0xFQU4nOgogCQkJCS8vIHNwZWNpYWwgY2FzZSBoZXJlOiB3ZSB0cmFuc2xh dGUgYm9vbGVhbiAxIG9yIDAgaW50byBQSFAKQEAgLTI5Myw3ICsyOTMsNyBAQAogCQkJCX0KIAkJ CQllbHNlaWYgKCRHTE9CQUxTWydfeGgnXVskcGFyc2VyXVsncXQnXT09MikKIAkJCQl7Ci0JCQkJ CSRHTE9CQUxTWydfeGgnXVskcGFyc2VyXVsnc3QnXS49J2Jhc2U2NF9kZWNvZGUoIicuICRHTE9C QUxTWydfeGgnXVskcGFyc2VyXVsnYWMnXSAuICciKSc7CisJCQkJCSRHTE9CQUxTWydfeGgnXVsk cGFyc2VyXVsnc3QnXS49ImJhc2U2NF9kZWNvZGUoJyIuICRHTE9CQUxTWydfeGgnXVskcGFyc2Vy XVsnYWMnXSAuICInKSI7IAogCQkJCX0KIAkJCQllbHNlaWYgKCRuYW1lPT0nQk9PTEVBTicpCiAJ CQkJewo=