From http://egroupware.org :

News 12. Sep. + 16. Aug. 2005: Again new xmlrpc security fixes in release 1.0.0.009-2

The new 1.0.0.009-2 release contains the security fixes related to xmlrpc from the 16. August 2005. Plus a new preventive fix, which allows to enable or disable (default) the xmlrpc and soap subsystem. With the 1.0.0.009-2 release all package formats (incl. rpm's and signed packages) are available again. We recommend everyone to update to this release asap. Download them here.
egroupware-1.0.0.009_p2 in CVS.
Arches please test and mark stable. Not sure what they fixed this time though.
"The new 1.0.0.009-2 release contains the security fixes related to xmlrpc from the 16. August 2005. Plus a new preventive fix, which allows to enable or disable (default) the xmlrpc and soap subsystem."

So it contains the original fixes we already provided in 200508-14 + it disables by default the xmlrpc and soap subsystems. This is not a new vulnerability. Moving to default config... but we could invalidate the bug as well.
Stable on ppc.
Stable on x86
amd64 done
Stable on alpha.
Emm, a little note about all this process: I was testing egroupware for alpha and saw some problems when I tried to compile it:

    Calculating dependencies ...done!
    >>> emerge (1 of 1) www-apps/egroupware-1.0.0.009_p2 to /
    >>> md5 src_uri ;-) eGroupWare-1.0.0.009-2.tar.bz2
    !!! ERROR: www-apps/egroupware-1.0.0.009_p2 failed.
    !!! Function has_php, Line 213, Exitcode 1
    !!! Unable to find an installed dev-lang/php package
    !!! If you need support, post the topmost build error, NOT this status message.

In this version the egroupware ebuild has changed the inherit section from eutils to depend.php. depend.php's function "require_php_with_use" uses "has_php", and "has_php" uses dev-lang/php-* testing. dev-lang/php (currently) hasn't got any stable version in any arch so ...
Hrm. I had checked with the php folks and was told that require_php_with_use is the way to go. I guess for the time being we can comment out the require_... stuff and drop the depend.php part. My dev machine is down atm, could someone else fix this?
Removed alpha keyword again until the dev-lang/php issue is fixed.
I've removed the depend.php inherit until dev-lang/php goes stable in early October.
Don't you think we need to CC arches again? They have marked an ebuild stable and now it has suffered some "heavy changes". I suppose they marked it stable because *it works*, so, at least for me (as arch tester), I wouldn't like to see an ebuild with my stable keyword after the maintainer has made important changes. Also, by reporting to them, we could see what kind of tests they do and may help people to fix their systems (if needed), since the inherit depend.php was broken and magically worked. This is what happened to kloeri, who likes to install/uninstall/downgrade/upgrade apache and php stuff due to his work as apache lead ;)
Arches - please take a look at the ebuild one more time. The "heavy changes" amount to commenting out depend.php and replacing require_php_with_use with einfo warnings.
Alpha stable again.
ppc's fine
still seems to work fine
Thx everyone.