From ${URL} :

Description
A vulnerability has been reported in eGroupWare, which can be exploited by malicious people to conduct cross-site request forgery attacks.

The application allows users to perform certain actions via HTTP requests without performing proper validity checks to verify the requests. This can be exploited to e.g. create new admin users when a logged-in administrator visits a specially crafted web page.

Note: This can further be exploited to execute arbitrary commands.

The vulnerability is reported in versions prior to 1.8.007.20140506.

Solution:
Update to version 1.8.007.20140506.

Provided and/or discovered by:
The vendor credits High-Tech Bridge SA.

Original Advisory:
http://www.egroupware.org/changelog

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
CVE-2014-2988 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2988):
EGroupware Enterprise Line (EPL) before 1.1.20140505, EGroupware Community Edition before 1.8.007.20140506, and EGroupware before 14.1 beta allows remote authenticated administrators to execute arbitrary PHP code via crafted callback values to the call_user_func PHP function, as demonstrated using the newsettings[system] parameter. NOTE: this can be exploited by remote attackers by leveraging CVE-2014-2987.

CVE-2014-2987 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2987):
Multiple cross-site request forgery (CSRF) vulnerabilities in EGroupware Enterprise Line (EPL) before 1.1.20140505, EGroupware Community Edition before 1.8.007.20140506, and EGroupware before 14.1 beta allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator user via an admin.uiaccounts.add_user action to index.php or (2) modify settings via the newsettings parameter in an admin.uiconfig.index action to index.php. NOTE: vector 2 can be used to execute arbitrary PHP code by leveraging CVE-2014-2988.
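The two CVEs above chain a missing CSRF check (CVE-2014-2987) with a request-controlled callback name reaching call_user_func (CVE-2014-2988). The following PHP is an added illustration of that bug class and of the usual fix, not EGroupware's code: the handler, the setting names, the function names apply_timezone/apply_locale and the session layout are all hypothetical; only the newsettings[system] parameter name is taken from the advisory text.

```php
<?php
// Added example (not EGroupware code). Shows the bug class behind
// CVE-2014-2987/2988 and a hardened equivalent. All names are hypothetical.

// --- Vulnerable pattern: whatever string the request supplies in
// newsettings[system] is invoked as a PHP callable, and nothing proves the
// request was initiated by the logged-in admin rather than by a page they
// happened to visit (no CSRF token).
function save_settings_vulnerable(array $post): string
{
    $hook = (string)($post['newsettings']['system'] ?? '');
    // Any function name the attacker chooses is executed here.
    return (string)call_user_func($hook, (string)($post['arg'] ?? ''));
}

// --- Hardened pattern.
// The submitted value only selects an entry from a fixed map; the string
// itself is never used as a callable.
const ALLOWED_SETTING_HOOKS = [
    'timezone' => 'apply_timezone',
    'locale'   => 'apply_locale',
];

function apply_timezone(string $v): string { return "tz={$v}"; }
function apply_locale(string $v): string   { return "locale={$v}"; }

// Per-session anti-CSRF token (PHP >= 7 for random_bytes).
function csrf_token(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

function save_settings_hardened(array $post, array $session): string
{
    // 1. A cross-site page cannot read the victim's session token, so a forged
    //    POST arrives without it. hash_equals() avoids a timing side channel.
    $sent = (string)($post['csrf_token'] ?? '');
    if (!isset($session['csrf']) || !hash_equals($session['csrf'], $sent)) {
        throw new RuntimeException('CSRF token missing or invalid');
    }
    // 2. Allowlist the callback by key; reject anything unknown.
    $key = (string)($post['newsettings']['system'] ?? '');
    if (!isset(ALLOWED_SETTING_HOOKS[$key])) {
        throw new InvalidArgumentException('unknown setting: ' . $key);
    }
    return call_user_func(ALLOWED_SETTING_HOOKS[$key], (string)($post['arg'] ?? ''));
}

// --- Demo with constructed requests.
// Vulnerable variant: a benign builtin is used to show that the request
// picks the function; an attacker would pick something far worse.
echo save_settings_vulnerable(['newsettings' => ['system' => 'strtoupper'], 'arg' => 'owned']), "\n";

$session = [];
$token = csrf_token($session);

// Legitimate request from the admin's own form carries the token.
echo save_settings_hardened(
    ['csrf_token' => $token, 'newsettings' => ['system' => 'timezone'], 'arg' => 'UTC'],
    $session
), "\n";

// Forged cross-site request: no token, so it is rejected before any callback runs.
try {
    save_settings_hardened(['newsettings' => ['system' => 'timezone'], 'arg' => 'UTC'], $session);
} catch (RuntimeException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// Valid token but an unknown hook name: the allowlist stops the callback.
try {
    save_settings_hardened(
        ['csrf_token' => $token, 'newsettings' => ['system' => 'system'], 'arg' => 'id'],
        $session
    );
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Both checks are needed: the token alone still lets an authenticated admin run arbitrary functions (the CVE-2014-2988 half), and the allowlist alone still lets a third-party page drive the admin's browser into changing settings (the CVE-2014-2987 half).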
The mentioned version is not available in Portage. Also: 1.8 is old and EOL. 14.1 has been out for a while and 14.2 RC1 has just been released.
# Aaron Bauman <bman@gentoo.org> (30 Jun 2016)
# Unpatched security vulnerability per bug #509920.
# Removal in 30 days
www-apps/egroupware
Why are ALL egroupware versions now masked and marked for removal? What is the reason for simply treecleaning egroupware when multiple version-bumps have been ignored for the past few years? I stopped adding new versions to bug 461212 as there wasn't a single developer interested in adding them to the tree or even responding.
No longer masked for removal, but retaining security mask. No response from media-video project for updated ebuild or patches.
(In reply to Aaron Bauman from comment #5)
> No longer masked for removal, but retaining security mask. No response from
> media-video project for updated ebuild or patches.

web-apps project, that is.
(In reply to J. Roeleveld from comment #4)
> Why are ALL egroupware versions now masked and marked for removal?
>
> What is the reason for simply treecleaning egroupware when multiple
> version-bumps have been ignored for the past few years?
>
> I stopped adding new versions to bug 461212 as there wasn't a single
> developer interested in adding them to the tree or even responding.

Please have a look at the proxy-maintainer project.
https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers
# Michał Górny <mgorny@gentoo.org> (05 Jun 2017)
# (on behalf of Treecleaner project)
# Unmaintained in Gentoo. Multiple versions behind upstream. Multiple
# security vulnerabilities. Removal in 30 days. Bug #509920.
www-apps/egroupware
commit 828139076827f50e43b62a88d038d1b092371618
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: Wed Jul 5 12:23:14 2017
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: Wed Jul 5 12:35:17 2017

    www-apps/egroupware: Remove last-rited pkg, #509920
Nothing more for us to do here, unCC-ing to avoid cluttering search results.
GLSA Vote: No