Bug 97651 - www-apps/egroupware is affected by XML_RPC PHP flaw (CAN-2005-1921)
Summary: www-apps/egroupware is affected by XML_RPC PHP flaw (CAN-2005-1921)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2005-07-01 13:26 UTC by Thierry Carrez (RETIRED)
Modified: 2005-07-10 12:35 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
egroupware.patch (egroupware.patch,1.06 KB, patch)
2005-07-04 13:37 UTC, Thierry Carrez (RETIRED)

Description Thierry Carrez (RETIRED) gentoo-dev 2005-07-01 13:26:58 UTC
According to GulfTech advisory egroupware is also affected.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-07-04 13:21:31 UTC
egroupware uses a really old version of what has finally become phpxmlrpc (in
phpgwapi/inc/xml_functions.inc.php). Needs a careful backport too :/
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-07-04 13:37:14 UTC
Created attachment 62618
egroupware.patch

Backported patch from PEAR fix
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-07-04 13:49:22 UTC
web-apps: please bump with patch... and test a little (I didn't)
Comment 4 Stuart Herbert (RETIRED) gentoo-dev 2005-07-05 17:08:26 UTC
Patched and rev-bumped.

Best regards,
Stu
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-07-06 01:17:07 UTC
alpha amd64 ppc x86 : please mark stable, this is a really minor (but needed)
bump that shouldn't break anything.
Comment 6 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-07-06 12:57:31 UTC
Stable on ppc.
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-07-07 09:48:17 UTC
Arches: please mark stable so that the GLSA on this exploited vuln can go out.
Comment 8 Matthias Geerdsen (RETIRED) gentoo-dev 2005-07-08 04:27:16 UTC
stable on alpha, thanks kloeri

amd64/x86/web-apps, pls test and mark stable
Comment 9 Renat Lumpau (RETIRED) gentoo-dev 2005-07-09 07:26:53 UTC
Stuart - why is the epatch line in the ebuild commented out?

#   epatch ${FILESDIR}/${PN}-1.0.0.007-xmlrpc.patch
Comment 10 Matthias Geerdsen (RETIRED) gentoo-dev 2005-07-09 07:37:36 UTC
back to ebuild status, until the issue in comment #9 is fixed
Comment 11 Renat Lumpau (RETIRED) gentoo-dev 2005-07-09 19:02:06 UTC
Upstream released a new version. 1.0.0.008 in Portage, marked stable on x86.
Comment 12 Stefan Cornelius (RETIRED) gentoo-dev 2005-07-09 19:10:28 UTC
Recalling alpha and ppc. Arches, please test 1.0.0.008 and mark stable. Note
that this one is late and it's already being exploited + blocks another GLSA, so
don't wait too long. Thanks everybody!
Comment 13 Stefan Cornelius (RETIRED) gentoo-dev 2005-07-09 21:37:32 UTC
alpha, ppc, x86: I just noticed that you are already marked stable, sorry to
annoy you :( Only amd64 left to go.
Comment 14 Danny van Dyk (RETIRED) gentoo-dev 2005-07-10 12:02:39 UTC
Sorry for the delay Stefan. amd64 is stable now.
Comment 15 Danny van Dyk (RETIRED) gentoo-dev 2005-07-10 12:03:10 UTC
Should remove us from CC as well :-)
Comment 16 Stefan Cornelius (RETIRED) gentoo-dev 2005-07-10 12:05:48 UTC
Ready for GLSA
Comment 17 Matthias Geerdsen (RETIRED) gentoo-dev 2005-07-10 12:35:32 UTC
GLSA 200507-08

thanks everyone