Bug 23962 - phpGroupWare several vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: High critical
Assignee: Gentoo Security
URL: http://www.security-corporation.com/a...
Reported: 2003-07-05 04:42 UTC by Martin Holzer (RETIRED)
Modified: 2003-08-08 01:43 UTC
Description Martin Holzer (RETIRED) gentoo-dev 2003-07-05 04:42:56 UTC
phpGroupWare 0.9.14.004 - Security and Bug Fix Release
All users should install this version.  There have been several vulnerabilities 
discovered in previous versions of phpGroupWare.  One is a Cross Site Scripting 
exploit - see http://www.security-corporation.com/articles-20030702-005.html.  
The other unreported issue relates to the Virtual File System being in the 
document root - as of this release the vfs root must be out of the webroot.

Due to these security issues no previous versions of phpGroupWare will be 
officially supported by the phpGroupWare crew.

There are some general bug fixes also included in this release.

Cheers

phpGroupWare Development Crew.
Comment 1 Martin Holzer (RETIRED) gentoo-dev 2003-07-05 05:06:27 UTC
0.9.14.004 is in cvs
Comment 2 Martin Holzer (RETIRED) gentoo-dev 2003-07-09 00:14:38 UTC
0.9.14.005 is in cvs, has some php3 fixes

please send out glsa
Comment 3 Martin Holzer (RETIRED) gentoo-dev 2003-07-21 12:01:23 UTC
todo:
Mark stable
send out GLSA
Comment 4 Martin Holzer (RETIRED) gentoo-dev 2003-08-08 01:43:12 UTC
old