Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 284536 - <www-apps/egroupware-1.8.004.20120613 multiple vulnerabilities
Summary: <www-apps/egroupware-1.8.004.20120613 multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major
Assignee: Gentoo Security
URL: http://www.egroupware.org/
Whiteboard: B1 [glsa]
Keywords:
Depends on: 258604 270109 CVE-2012-3313
Blocks: 342003
  Show dependency tree
 
Reported: 2009-09-10 22:16 UTC by Arno Ekkes
Modified: 2014-12-12 00:39 UTC (History)
6 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
1.6.002 ebuild with a few improvements (egroupware-1.6.002.ebuild,1.99 KB, text/plain)
2009-11-05 02:00 UTC, Maciej Mrozowski
no flags Details
1.6.003 (egroupware-1.6.003.ebuild,1.99 KB, text/plain)
2010-04-28 17:03 UTC, Maciej Mrozowski
no flags Details
[www-apps/egroupware] version bump to 1.6.003-2 (egroupware-1.6.003-r2.ebuild,1.99 KB, text/plain)
2010-06-24 21:57 UTC, mike
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Arno Ekkes 2009-09-10 22:16:52 UTC
There is a new version of egroupware available. This version solves 3 security problems.
    *  FCKeditor (remote file upload)
    *  Tracker (XSS problem)
    *  Knowledgebase (SQL injection)
Comment 1 Wormo (RETIRED) gentoo-dev 2009-09-11 06:59:20 UTC
Thanks for the release notification, and for pointing out the security implications!
Comment 2 Maciej Mrozowski gentoo-dev 2009-11-04 23:15:29 UTC
Just to let you know, simple revbump from 1.6.001 works.

Also, to make it fully functional, egroupware needs PEAR-XML_Feed_Parser from bug 258604, please add this ebuild to tree.
Comment 3 Maciej Mrozowski gentoo-dev 2009-11-05 02:00:43 UTC
Created attachment 209300 [details]
1.6.002 ebuild with a few improvements

Ebuild changes from 1.6.001:
- moved to EAPI-2 (USE deps) - no longer horrible mess with rebuilding php several times until all requirements met
- added required deps: dev-php/PEAR-Auth_SASL and dev-php/PEAR-XML_Feed_Parser to RDEPEND (ebuild for the latter is in bug 258604)
- added 'pdo' php requirement that will fix bug 270109
Comment 4 Maciej Mrozowski gentoo-dev 2009-11-05 02:03:54 UTC
Oh, added 'ctype' that is requirement for php as well.
Comment 5 Maciej Mrozowski gentoo-dev 2009-11-28 05:49:45 UTC
So.. anyone feeling like commiting mentioned ebuilds (dev-php/PEAR-XML_Feed_Parser needs a bit QA, nothing noteworthy) and fixing this security bug?
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2009-11-28 12:50:59 UTC
(In reply to comment #5)
> So.. anyone feeling like commiting mentioned ebuilds
> (dev-php/PEAR-XML_Feed_Parser needs a bit QA, nothing noteworthy) and fixing
> this security bug?

If you are aware of QA issues in the ebuild of bug 258604, please fix them and attach your ebuild to the bug. Thanks.
Comment 7 Maciej Mrozowski gentoo-dev 2009-11-28 16:44:03 UTC
(In reply to comment #6)
> If you are aware of QA issues in the ebuild of bug 258604, please fix them and attach your ebuild to the bug. Thanks.

Done
Comment 8 Oliver Knodel 2010-03-24 10:13:10 UTC
EGroupware 1.6.003 security and bugfix release is available.
The new release fixes 2 serious security problems, many bugs and implements SyncML 1.2. (http://www.egroupware.org/Home?category_id=95&item=93)
Comment 9 Johannes Ruthmair 2010-04-06 14:27:16 UTC
is anyone able to create a new ebuild?
Comment 10 Maciej Mrozowski gentoo-dev 2010-04-06 15:10:16 UTC
I'll commit new version in a few days, seems like nobody is really interested.
Comment 11 Johannes Ruthmair 2010-04-28 15:44:03 UTC
(In reply to comment #10)
> I'll commit new version in a few days, seems like nobody is really interested.
> 

I am interested in a updated ebuild. would you please?!
Comment 12 Maciej Mrozowski gentoo-dev 2010-04-28 17:03:42 UTC
Created attachment 229547 [details]
1.6.003
Comment 13 Maciej Mrozowski gentoo-dev 2010-04-28 17:07:42 UTC
I mean, no developer is interested in maintaining this package apparently.

Your attitude won't get you anywhere, instead - especially when you're using said package, you could help with maintenance.

I've attached updated ebuild for 1.6.003. You can place it in your overlay (along with ebuild from bug 258604) and use.
If nobody steps up to the plate, egroupware will be subject of removal from tree.
Comment 14 Johannes Ruthmair 2010-04-28 17:43:41 UTC
Maybe I'll maintain it. What do I have to do, to become a maintainer?
Comment 15 Johannes Ruthmair 2010-04-28 17:51:08 UTC
thanks, by the way.
Comment 16 Maciej Mrozowski gentoo-dev 2010-04-28 18:08:32 UTC
Well, you can help by using this software, spotting issues, filling bugs and submitting possible ebuild improvements/patches as attachments to said bugs. I (or some other developer) could verify and commit them to portage.
Comment 17 mike 2010-06-24 21:57:39 UTC
Created attachment 236451 [details]
[www-apps/egroupware] version bump to 1.6.003-2

need dev-php/PEAR-XML_Feed_Parser-1.0.3.ebuild (see http://bugs.gentoo.org/show_bug.cgi?id=258604)
Comment 18 Maciej Mrozowski gentoo-dev 2010-06-25 14:10:54 UTC
Just a note, it's not really -r2 (which would be Gentoo second release), but 1.6.003-2 (second upstream release). Therefore just renamed 1.6.003 ebuild should work.
Comment 19 Tim Sammut (RETIRED) gentoo-dev 2010-09-20 18:00:39 UTC
http://www.egroupware.org/news?item=93 describes one of these flaws as "remote command execution".

This should be Sev: Major with a Whiteboard: of B1 [ebuild].
Comment 20 Matti Bickel (RETIRED) gentoo-dev 2012-07-02 08:47:16 UTC
Should this bug be merged with bug #372905? If not, please adjust Product and Summary fields accordingly.
Comment 21 Thomas Raschbacher gentoo-dev 2012-09-05 18:58:29 UTC
egroupware-1.8.004.20120613 is in the tree already thanks to mabi
Comment 22 Sean Amoss (RETIRED) gentoo-dev Security 2012-09-08 18:44:57 UTC
(In reply to comment #21)
> egroupware-1.8.004.20120613 is in the tree already thanks to mabi

Thanks, but please do not close security bugs.
Comment 23 Thomas Raschbacher gentoo-dev 2012-09-10 09:54:26 UTC
ah sorry my mistake. will be careful not to close security bugs anymore.
Comment 24 Sean Amoss (RETIRED) gentoo-dev Security 2012-10-15 01:07:39 UTC
Thanks, everyone.

Filing a new GLSA request with bug 372905.
Comment 25 J. Roeleveld 2014-07-30 06:36:04 UTC
This version is obsolete and no longer maintained by upstream.
Comment 26 GLSAMaker/CVETool Bot gentoo-dev 2014-12-12 00:39:48 UTC
This issue was resolved and addressed in
 GLSA 201412-10 at http://security.gentoo.org/glsa/glsa-201412-10.xml
by GLSA coordinator Sean Amoss (ackle).