Bug#: 102379
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>
Description:   Opened: 2005-08-13 07:37 0000
see bug #102324

------- Comment #1 From Sune Kloppenborg Jeppesen 2005-08-14 22:11:16 0000 -------
Now see bug #102576 instead. 

------- Comment #2 From Thierry Carrez (RETIRED) 2005-08-21 08:48:59 0000 -------
Nothing from upstream yet. Patch may need to be adapted.

------- Comment #3 From Stuart Herbert (RETIRED) 2005-08-24 00:47:08 0000 -------
Hi,

phpgroupware uses PHP's built-in XMLRPC support.  It doesn't appear to be
vulnerable to the exploit - unless you have more information?

Best regards,
Stu

------- Comment #4 From Thierry Carrez (RETIRED) 2005-08-24 07:15:01 0000 -------
No we don't. Bug was opened because it was vulnerable to the previous XML-RPC
thing. Closing, reopen if you think it is indeed affected.

------- Comment #5 From Thierry Carrez (RETIRED) 2005-08-24 10:28:33 0000 -------
phpGroupWare 0.9.16.007 Security Fix Release
=======================================================================
This new release fixes several security issues within phpGroupWare. The
fixes include:

      * Global anti-XSS changes, related to savannah bug #13863
      * FUDForum Information Disclosure - CAN-2005-2600
      * Disabled XMLRPC until more resources are available -
        CAN-2005-2498

Disabling of XMLRPC is regrettable but unavoidable. phpGroupWare's
XMLRPC code is a bastardized version of phpxmlrpc. Our XMLRPC code is
currently unmaintained and we did not have the resources available to
merge and test the changes required. Instead of delaying the release any
more we chose to disable functionality. If you wish to contribute to
fixing our XMLRPC support please contact me directly.

As always grab it from our download section -
http://download.phpgroupware.org/now
=======================================================================

web-apps: please bump

------- Comment #6 From Renat Lumpau 2005-08-24 13:32:45 0000 -------
bumped

------- Comment #7 From Sune Kloppenborg Jeppesen 2005-08-24 21:42:11 0000 -------
Stuart please confirm that our phpgroupware does not use the bundled 
phpxml-rpc script so we do not include the information in a GLSA. 

------- Comment #8 From Thierry Carrez (RETIRED) 2005-08-26 00:28:33 0000 -------
From upstream maintainer:
There is a problem with the anti XSS code in 007.  This has now been
fixed in CVS.  I will be preparing a new release in the next 24 hours.

Back to upstream status.

------- Comment #9 From Thierry Carrez (RETIRED) 2005-08-27 01:27:13 0000 -------
From upstream:

phpGW 0.9.16.008 is out, it fixes a problem with array handling in the anti XSS
code added in 0.9.16.007.
Please grab an update from CVS or http://download.phpgroupware.org/now

------- Comment #10 From Renat Lumpau 2005-08-27 06:22:14 0000 -------
bumped

------- Comment #11 From Thierry Carrez (RETIRED) 2005-08-27 10:20:02 0000 -------
ppc, amd64: please test 008 and mark stable

------- Comment #12 From Luis Medinas (RETIRED) 2005-08-27 20:51:19 0000 -------
Marked Stable on AMD64.

------- Comment #13 From Michael Hanselmann (hansmi) (RETIRED) 2005-08-28 11:45:15 0000 -------
Stable on ppc.

------- Comment #14 From Stefan Cornelius (RETIRED) 2005-08-28 11:51:06 0000 -------
stable, ready for glsa

------- Comment #15 From Stuart Herbert (RETIRED) 2005-08-29 07:12:57 0000 -------
Hi,

I was wrong in my initial assessment.  The phpgwapi component uses the 
vulnerable XML-RPC library.

Best regards,
Stu

------- Comment #16 From Jose Luis Rivero (yoswink) 2005-08-30 05:15:33 0000 -------
Maybe I'm missing something here, but why haven't we included the rest of the
arches to mark the ebuild stable?

Actually, ppc and amd64 are in stable and alpha, hppa, sparc and x86 in
testing.

------- Comment #17 From Jose Luis Rivero (yoswink) 2005-08-30 05:45:23 0000 -------
Argggh ...

Holidays have kicked my head in a very bad way.
The rest of the arches are free since they don't have a stable version.

Sorry about the noise.

------- Comment #18 From Thierry Carrez (RETIRED) 2005-08-30 08:16:56 0000 -------
GLSA 200508-20
