Bug 97651 - www-apps/egroupware is affected by XML_RPC PHP flaw (CAN-2005-1921)
Bug#: 97651 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: major Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: koon@gentoo.org
Component: Vulnerabilities
URL: 
Summary: www-apps/egroupware is affected by XML_RPC PHP flaw (CAN-2005-1921)
Keywords:  
Status Whiteboard: B1 [glsa]
Opened: 2005-07-01 13:26 0000
Description:   Opened: 2005-07-01 13:26 0000 
According to GulfTech advisory egroupware is also affected.

------- Comment #1 From Thierry Carrez (RETIRED) 2005-07-04 13:21:31 0000 ------- 
egroupware uses a really old version of what has finally become phpxmlrpc (in
phpgwapi/inc/xml_functions.inc.php). Needs a careful backport too :/

------- Comment #2 From Thierry Carrez (RETIRED) 2005-07-04 13:37:14 0000 ------- 
Created an attachment (id=62618) [details]
egroupware.patch

Backported patch from PEAR fix

------- Comment #3 From Thierry Carrez (RETIRED) 2005-07-04 13:49:22 0000 ------- 
web-apps: please bump with patch... and test a little (I didn't)

------- Comment #4 From Stuart Herbert (RETIRED) 2005-07-05 17:08:26 0000 ------- 
Patched and rev-bumped.

Best regards,
Stu

------- Comment #5 From Thierry Carrez (RETIRED) 2005-07-06 01:17:07 0000 ------- 
alpha amd64 ppc x86 : please mark stable, this is a really minor (but needed)
bump that shouldn't break anything.

------- Comment #6 From Michael Hanselmann (hansmi) (RETIRED) 2005-07-06 12:57:31 0000 ------- 
Stable on ppc.

------- Comment #7 From Thierry Carrez (RETIRED) 2005-07-07 09:48:17 0000 ------- 
Arches: please mark stable so that the GLSA on this exploited vuln can go out.

------- Comment #8 From Matthias Geerdsen 2005-07-08 04:27:16 0000 ------- 
stable on alpha, thanks kloeri

amd64/x86/web-apps, pls test and mark stable

------- Comment #9 From Renat Lumpau 2005-07-09 07:26:53 0000 ------- 
Stuart - why is the epatch line in the ebuild commented out?

#   epatch ${FILESDIR}/${PN}-1.0.0.007-xmlrpc.patch

------- Comment #10 From Matthias Geerdsen 2005-07-09 07:37:36 0000 ------- 
back to ebuild status, until the issue in comment #9 is fixed

------- Comment #11 From Renat Lumpau 2005-07-09 19:02:06 0000 ------- 
Upstream released a new version. 1.0.0.008 in Portage, marked stable on x86.

------- Comment #12 From Stefan Cornelius (RETIRED) 2005-07-09 19:10:28 0000 ------- 
Recalling alpha and ppc. Arches, please test 1.0.0.008 and mark stable. Note
that this one is late and it's already being exploited + blocks another GLSA, so
don't wait too long. Thanks everbody!

------- Comment #13 From Stefan Cornelius (RETIRED) 2005-07-09 21:37:32 0000 ------- 
alpha, ppc, x86: i just noticed that you are already marked stable, sorry to
annoy you :( only amd64 left to go.

------- Comment #14 From Danny van Dyk (RETIRED) 2005-07-10 12:02:39 0000 ------- 
Sorry for the delay Stefan. amd64 is stable now.

------- Comment #15 From Danny van Dyk (RETIRED) 2005-07-10 12:03:10 0000 ------- 
Should remove us from CC as well :-)

------- Comment #16 From Stefan Cornelius (RETIRED) 2005-07-10 12:05:48 0000 ------- 
Ready for GLSA

------- Comment #17 From Matthias Geerdsen 2005-07-10 12:35:32 0000 ------- 
GLSA 200507-08

thanks everyone