see bug #102324
Now see bug #102576 instead.
Nothing from upstream yet. Patch may need to be adapted.
Hi, phpgroupware uses PHP's built-in XMLRPC support. It doesn't appear to be vulnerable to the exploit - unless you have more information? Best regards, Stu
No we don't. Bug was opened because it was vulnerable to the previous XML-RPC thing. Closing, reopen if you think it is indeed affected.
phpGroupWare 0.9.16.007 Security Fix Release
=======================================================================
This new release fixes several security issues within phpGroupWare. The fixes include:
* Global anti-XSS changes, related to savannah bug #13863
* FUDForum Information Disclosure - CAN-2005-2600
* Disabled XMLRPC until more resources are available - CAN-2005-2498

Disabling of XMLRPC is regrettable but unavoidable. phpGroupWare's XMLRPC code is a bastardized version of phpxmlrpc. Our XMLRPC code is currently unmaintained and we did not have the resources available to merge and test the changes required. Instead of delaying the release any more we chose to disable functionality. If you wish to contribute to fixing our XMLRPC support please contact me directly.

As always grab it from our download section - http://download.phpgroupware.org/now
=======================================================================

web-apps: please bump
bumped
Stuart please confirm that our phpgroupware does not use the bundled phpxml-rpc script so we do not include the information in a GLSA.
From upstream maintainer: There is a problem with the anti-XSS code in 007. This has now been fixed in CVS. I will be preparing a new release in the next 24 hours. Back to upstream status.
From upstream: phpGW 0.9.16.008 is out; it fixes a problem with array handling in the anti-XSS code added in 0.9.16.007. Please grab an update from CVS or http://download.phpgroupware.org/now
ppc, amd64: please test 008 and mark stable
Marked Stable on AMD64.
Stable on ppc.
stable, ready for glsa
Hi, I was wrong in my initial assessment. The phpgwapi component uses the vulnerable XML-RPC library. Best regards, Stu
Maybe I'm missing something here, but why haven't we included the rest of the arches to mark the ebuild stable? Actually, ppc and amd64 are in stable, and alpha, hppa, sparc and x86 are in testing.
Argggh ... Holidays have kicked my head in a very bad way. The rest of the arches are free since they don't have a stable version. Sorry about the noise.
GLSA 200508-20