There is a new version of egroupware available. This version solves 3 security problems:
* FCKeditor (remote file upload)
* Tracker (XSS problem)
* Knowledgebase (SQL injection)
Thanks for the release notification, and for pointing out the security implications!
Just to let you know, simple revbump from 1.6.001 works. Also, to make it fully functional, egroupware needs PEAR-XML_Feed_Parser from bug 258604, please add this ebuild to tree.
Created attachment 209300: 1.6.002 ebuild with a few improvements. Ebuild changes from 1.6.001:
- moved to EAPI-2 (USE deps)
- no longer a horrible mess with rebuilding php several times until all requirements are met
- added required deps: dev-php/PEAR-Auth_SASL and dev-php/PEAR-XML_Feed_Parser to RDEPEND (ebuild for the latter is in bug 258604)
- added 'pdo' php requirement that will fix bug 270109
Oh, and added 'ctype', which is a php requirement as well.
So.. anyone feeling like committing the mentioned ebuilds (dev-php/PEAR-XML_Feed_Parser needs a bit of QA, nothing noteworthy) and fixing this security bug?
(In reply to comment #5) > So.. anyone feeling like committing the mentioned ebuilds > (dev-php/PEAR-XML_Feed_Parser needs a bit of QA, nothing noteworthy) and fixing > this security bug? If you are aware of QA issues in the ebuild of bug 258604, please fix them and attach your ebuild to the bug. Thanks.
(In reply to comment #6) > If you are aware of QA issues in the ebuild of bug 258604, please fix them and attach your ebuild to the bug. Thanks. Done
EGroupware 1.6.003 security and bugfix release is available. The new release fixes 2 serious security problems, many bugs and implements SyncML 1.2. (http://www.egroupware.org/Home?category_id=95&item=93)
is anyone able to create a new ebuild?
I'll commit new version in a few days, seems like nobody is really interested.
(In reply to comment #10) > I'll commit new version in a few days, seems like nobody is really interested. > I am interested in an updated ebuild. Would you please?!
Created attachment 229547: 1.6.003
I mean, no developer is interested in maintaining this package, apparently. Your attitude won't get you anywhere; instead, especially when you're using said package, you could help with maintenance. I've attached an updated ebuild for 1.6.003. You can place it in your overlay (along with the ebuild from bug 258604) and use it. If nobody steps up to the plate, egroupware will be subject to removal from the tree.
Maybe I'll maintain it. What do I have to do to become a maintainer?
Thanks, by the way.
Well, you can help by using this software, spotting issues, filing bugs and submitting possible ebuild improvements/patches as attachments to said bugs. I (or some other developer) could verify and commit them to portage.
Created attachment 236451: [www-apps/egroupware] version bump to 1.6.003-2. Needs dev-php/PEAR-XML_Feed_Parser-1.0.3.ebuild (see http://bugs.gentoo.org/show_bug.cgi?id=258604)
Just a note: it's not really -r2 (which would be a Gentoo second release), but 1.6.003-2 (second upstream release). Therefore, just renaming the 1.6.003 ebuild should work.
http://www.egroupware.org/news?item=93 describes one of these flaws as "remote command execution". This should be Sev: Major with a Whiteboard: of B1 [ebuild].
Should this bug be merged with bug #372905? If not, please adjust Product and Summary fields accordingly.
egroupware-1.8.004.20120613 is in the tree already, thanks to mabi.
(In reply to comment #21) > egroupware-1.8.004.20120613 is in the tree already thanks to mabi Thanks, but please do not close security bugs.
Ah, sorry, my mistake. I will be careful not to close security bugs anymore.
Thanks, everyone. Filing a new GLSA request with bug 372905.
This version is obsolete and no longer maintained by upstream.
This issue was resolved and addressed in GLSA 201412-10 at http://security.gentoo.org/glsa/glsa-201412-10.xml by GLSA coordinator Sean Amoss (ackle).