| Field | Value |
|---|---|
| Summary | www-apps/egroupware: Cross-Site Request Forgery Vulnerability (CVE-2014-{2987,2988}) |
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Status | RESOLVED FIXED |
| Severity | minor |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | https://secunia.com/advisories/58346/ |
| Whiteboard | B4 [noglsa cve] |
| Reporter | Agostino Sarubbo <ago> |
| Assignee | Gentoo Security <security> |
| CC | joost, web-apps |
| Package list | |
| Runtime testing required | --- |
| Deadline | 2017-07-05 |
Description
Agostino Sarubbo
2014-05-09 15:30:19 UTC
CVE-2014-2988 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2988): EGroupware Enterprise Line (EPL) before 1.1.20140505, EGroupware Community Edition before 1.8.007.20140506, and EGroupware before 14.1 beta allows remote authenticated administrators to execute arbitrary PHP code via crafted callback values to the call_user_func PHP function, as demonstrated using the newsettings[system] parameter. NOTE: this can be exploited by remote attackers by leveraging CVE-2014-2987.

CVE-2014-2987 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2987): Multiple cross-site request forgery (CSRF) vulnerabilities in EGroupware Enterprise Line (EPL) before 1.1.20140505, EGroupware Community Edition before 1.8.007.20140506, and EGroupware before 14.1 beta allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator user via an admin.uiaccounts.add_user action to index.php or (2) modify settings via the newsettings parameter in an admin.uiconfig.index action to index.php. NOTE: vector 2 can be used to execute arbitrary PHP code by leveraging CVE-2014-2988.

Comment 1

The mentioned version is not available in Portage.

Comment 2

Also: 1.8 is old and EOL. 14.1 has been out for a while and 14.2 RC1 has just been released.

Comment 3

```
# Aaron Bauman <bman@gentoo.org> (30 Jun 2016)
# Unpatched security vulnerability per bug #509920.
# Removal in 30 days
www-apps/egroupware
```

Comment 4

Why are ALL egroupware versions now masked and marked for removal?

What is the reason for simply treecleaning egroupware when multiple version-bumps have been ignored for the past few years?

I stopped adding new versions to bug 461212 as there wasn't a single developer interested in adding them to the tree or even responding.

Comment 5

No longer masked for removal, but retaining security mask. No response from media-video project for updated ebuild or patches.

Comment 6

(In reply to Aaron Bauman from comment #5)
> No longer masked for removal, but retaining security mask. No response from
> media-video project for updated ebuild or patches.

web-apps project that is.

Comment 7

(In reply to J. Roeleveld from comment #4)
> Why are ALL egroupware versions now masked and marked for removal?
>
> What is the reason for simply treecleaning egroupware when multiple
> version-bumps have been ignored for the past few years?
>
> I stopped adding new versions to bug 461212 as there wasn't a single
> developer interested in adding them to the tree or even responding.

Please have a look at the proxy-maintainer project.
https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers

Comment 8

```
# Michał Górny <mgorny@gentoo.org> (05 Jun 2017)
# (on behalf of Treecleaner project)
# Unmaintained in Gentoo. Multiple versions behind upstream. Multiple
# security vulnerabilities. Removal in 30 days. Bug #509920.
www-apps/egroupware
```

Comment 9

```
commit 828139076827f50e43b62a88d038d1b092371618
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: Wed Jul 5 12:23:14 2017
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: Wed Jul 5 12:35:17 2017

    www-apps/egroupware: Remove last-rited pkg, #509920
```

Comment 10

Nothing more for us to do here, unCC-ing to avoid cluttering search results.

GLSA Vote: No
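The two CVEs quoted in the description chain together: an admin settings action with no CSRF protection (CVE-2014-2987) lets an attacker's page submit a form in the administrator's session, and that form's `newsettings` keys reach `call_user_func`, so a key of `system` names the PHP builtin to call (CVE-2014-2988). The PHP below is an added illustration of that bug class written for this page; it is not EGroupware's or Gentoo's code, and the setting names, validator functions and request layout are this example's own assumptions. It places the vulnerable dispatch next to a hardened form that pins callables to a fixed map and requires a per-session anti-CSRF token.

```php
<?php
declare(strict_types=1);

// Constructed illustration (not EGroupware or Gentoo code) of the bug class
// behind CVE-2014-2987/2988. Setting names, validator functions and the
// request layout below are this example's own assumptions.

// ---- Vulnerable pattern (CVE-2014-2988 class) ----------------------------
// The request key is used to look up a "validation function" for the setting.
// function_exists() is true for every PHP builtin, so a request carrying
// newsettings[system]=id resolves $key to system() and executes "id".
function save_settings_vulnerable(array $newsettings): array
{
    $saved = [];
    foreach ($newsettings as $key => $value) {
        if (is_string($key) && function_exists($key)) {
            $value = call_user_func($key, $value);   // attacker picks the callee
        }
        $saved[$key] = $value;
    }
    return $saved;
}
// Nothing above ties the request to the administrator's intent, so any page
// the administrator visits can submit it for them (CVE-2014-2987 class).

// ---- Hardened pattern ----------------------------------------------------
// 1. Request data never chooses the callable: a fixed map does.
const SETTING_VALIDATORS = [
    'max_upload_size' => 'validate_max_upload_size',
    'site_title'      => 'validate_site_title',
];

function validate_max_upload_size(string $v): string
{
    if (!ctype_digit($v) || (int) $v < 1 || (int) $v > 1024) {
        throw new InvalidArgumentException('max_upload_size must be 1..1024 MB');
    }
    return $v;
}

function validate_site_title(string $v): string
{
    return trim(strip_tags($v));
}

// 2. A per-session anti-CSRF token is generated once per session ...
function new_csrf_token(): string
{
    return bin2hex(random_bytes(32));
}

// ... embedded in the form as a hidden field, and required on every
// state-changing request. hash_equals() compares in constant time.
function save_settings_hardened(array $newsettings, ?string $token, string $sessionToken): array
{
    if ($token === null || !hash_equals($sessionToken, $token)) {
        throw new RuntimeException('missing or invalid CSRF token');
    }
    $saved = [];
    foreach ($newsettings as $key => $value) {
        if (!is_string($key) || !array_key_exists($key, SETTING_VALIDATORS)) {
            throw new InvalidArgumentException('unknown setting: ' . var_export($key, true));
        }
        $validator = SETTING_VALIDATORS[$key];
        $saved[$key] = $validator((string) $value);
    }
    return $saved;
}

// ---- Demo (php example.php) ----------------------------------------------
if (PHP_SAPI === 'cli') {
    // Constructed forged request. strtoupper stands in for system so the demo
    // is harmless; the dispatch mechanism is the same.
    $forged = ['strtoupper' => 'any builtin named by the key runs'];
    var_dump(save_settings_vulnerable($forged));

    $sessionToken = new_csrf_token();
    try {
        save_settings_hardened($forged, null, $sessionToken);          // no token
    } catch (RuntimeException $e) {
        echo "rejected: {$e->getMessage()}\n";
    }
    try {
        save_settings_hardened($forged, $sessionToken, $sessionToken); // unknown key
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$e->getMessage()}\n";
    }
    var_dump(save_settings_hardened(
        ['site_title' => ' <b>Intranet</b> ', 'max_upload_size' => '64'],
        $sessionToken,
        $sessionToken
    ));
}
```

The hardened version fixes both classes independently: the token check stops a cross-origin page from submitting the form at all, and the allowlist means that even an authenticated administrator (or a future CSRF bypass) cannot turn a settings key into a function call. The token must be unpredictable and bound to the session; a static or per-install value would be readable by the attacker's page only if some other flaw leaked it, but offers no defence once leaked.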