Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 102379 - www-apps/phpgroupware: Multiple vulnerabilities
Summary: www-apps/phpgroupware: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2005-08-13 07:37 UTC by Sune Kloppenborg Jeppesen
Modified: 2005-08-30 08:16 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen gentoo-dev 2005-08-13 07:37:27 UTC
see bug #102324
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2005-08-14 22:11:16 UTC
Now see bug #102576 instead. 
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-08-21 08:48:59 UTC
Nothing from upstream yet. Patch may need to be adapted.
Comment 3 Stuart Herbert (RETIRED) gentoo-dev 2005-08-24 00:47:08 UTC
Hi,

phpgroupware uses PHP's built-in XMLRPC support.  It doesn't appear to be
vulnerable to the exploit - unless you have more information?

Best regards,
Stu
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-08-24 07:15:01 UTC
No we don't. Bug was opened because it was vulnerable to the previous XML-RPC
thing. Closing, reopen if you think it is indeed affected.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-08-24 10:28:33 UTC
phpGroupWare 0.9.16.007 Security Fix Release
=======================================================================
This new release fixes several security issues within phpGroupWare. The
fixes include:

      * Global anti-XSS changes, related to savannah bug #13863
      * FUDForum Information Disclosure - CAN-2005-2600
      * Disabled XMLRPC until more resources are available -
        CAN-2005-2498

Disabling of XMLRPC is regrettable but unavoidable. phpGroupWare's
XMLRPC code is a bastardized version of phpxmlrpc. Our XMLRPC code is
currently unmaintained and we did not have the resources available to
merge and test the changes require. Instead of delaying the release any
more we chose to disable functionality. If you wish to contribute to
fixing our XMLRPC support please contact me directly.

As always grab it from our download section -
http://download.phpgroupware.org/now
=======================================================================

web-apps: please bump
Comment 6 Renat Lumpau (RETIRED) gentoo-dev 2005-08-24 13:32:45 UTC
bumped
Comment 7 Sune Kloppenborg Jeppesen gentoo-dev 2005-08-24 21:42:11 UTC
Stuart please confirm that our phpgroupware does not use the bundled 
phpxml-rpc script so we do not include the information in a GLSA. 
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-08-26 00:28:33 UTC
From upstream maintainer:
There is a problem with the anti XSS code in 007.  This has now been
fixed in CVS.  I will be preparing a new release in the next 24hours.

Back to upstream status.
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-08-27 01:27:13 UTC
From upstream:

phpGW 0.9.16.008 is out, it fixes a problem with array handling in the anti XSS
code added in 0.9.16.007.
Please grab an update from CVS or http://download.phpgroupware.org/now
Comment 10 Renat Lumpau (RETIRED) gentoo-dev 2005-08-27 06:22:14 UTC
bumped
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2005-08-27 10:20:02 UTC
ppc, amd64: please test 008 and mark stable
Comment 12 Luis Medinas (RETIRED) gentoo-dev 2005-08-27 20:51:19 UTC
Marked Stable on AMD64.
Comment 13 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-08-28 11:45:15 UTC
Stable on ppc.
Comment 14 Stefan Cornelius (RETIRED) gentoo-dev 2005-08-28 11:51:06 UTC
stable, ready for glsa
Comment 15 Stuart Herbert (RETIRED) gentoo-dev 2005-08-29 07:12:57 UTC
Hi,

I was wrong in my initial assessment.  The phpgwapi component uses the 
vulnerable XML-RPC library.

Best regards,
Stu
Comment 16 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2005-08-30 05:15:33 UTC
Maybe I'm missing something here but, why we haven't included the rest of arches
to mark the ebuild stable?

Actually, ppc and amd64 are in stable and alpha, hppa, sparc and x86 in testing.
Comment 17 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2005-08-30 05:45:23 UTC
Argggh ...

Holidays have kicked my head in a very bad way. 
Rest of arches are free since they don't have an stable version. 

Sorry about the noise.
Comment 18 Thierry Carrez (RETIRED) gentoo-dev 2005-08-30 08:16:56 UTC
GLSA 200508-20