Debian Bug report logs - #323350
egroupware: Another XMLRPC vulnerability


Package: egroupware-core; Maintainer for egroupware-core is (unknown);

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Tue, 16 Aug 2005 08:03:03 UTC

Severity: grave

Tags: etch, fixed, sarge, security, sid

Fixed in versions egroupware/1.0.0.009.dfsg-1, 1.0.0.007-2.dfsg-2sarge2

Done: Peter Eisentraut <peter_e@gmx.net>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Peter Eisentraut <petere@debian.org>:
Bug#323350; Package egroupware.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to Peter Eisentraut <petere@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: egroupware: Another XMLRPC vulnerability
Date: Tue, 16 Aug 2005 09:52:10 +0200
Package: egroupware
Severity: grave
Tags: security
Justification: user security hole

Hi,
another vulnerability has been found in the XMLRPC code. Please
see http://www.hardened-php.net/advisory_142005.66.html for
more information. egroupware was affected by July's vulnerability,
so it might now be affected as well (haven't verified that myself).

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-rc5
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)



Information forwarded to debian-bugs-dist@lists.debian.org, Peter Eisentraut <petere@debian.org>:
Bug#323350; Package egroupware.

Acknowledgement sent to Gregory Colpart <reg@evolix.fr>:
Extra info received and forwarded to list. Copy sent to Peter Eisentraut <petere@debian.org>.

Message #10 received at 323350@bugs.debian.org:

From: Gregory Colpart <reg@evolix.fr>
To: 323350@bugs.debian.org
Cc: Peter Eisentraut <petere@debian.org>
Subject: Re: #323350: egroupware: Another XMLRPC vulnerability
Date: Tue, 30 Aug 2005 10:18:22 +0200
Hi,

This security bug seems not too hard to fix.
The Egroupware project gives a patch: egw_1.0.9xmlrpcfix2.tgz

http://sourceforge.net/project/shownotes.php?release_id=350039

It only changes the class.xmlrpc.*.php files.

A patch for this bug:
http://www.evolix.org/debian/egroupware-1.0.0.007-2.dfsg.patch
84f23e68ad3cdecabcefb63edf13405b

Thanks,
-- 
Gregory Colpart <reg@evolix.fr>  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr
Tags added: sarge, etch, sid. Request was from Peter Eisentraut <peter_e@gmx.net> to control@bugs.debian.org.

Bug reassigned from package `egroupware' to `egroupware-core'. Request was from Peter Eisentraut <peter_e@gmx.net> to control@bugs.debian.org.

Reply sent to Peter Eisentraut <petere@debian.org>:
You have taken responsibility.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer.

Message #19 received at 323350-close@bugs.debian.org:

From: Peter Eisentraut <petere@debian.org>
To: 323350-close@bugs.debian.org
Subject: Bug#323350: fixed in egroupware 1.0.0.009.dfsg-1
Date: Thu, 01 Sep 2005 09:02:11 -0700
Source: egroupware
Source-Version: 1.0.0.009.dfsg-1

We believe that the bug you reported is fixed in the latest version of
egroupware, which is due to be installed in the Debian FTP archive:

egroupware-addressbook_1.0.0.009.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-addressbook_1.0.0.009.dfsg-1_all.deb
egroupware-bookmarks_1.0.0.009.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-bookmarks_1.0.0.009.dfsg-1_all.deb
egroupware-calendar_1.0.0.009.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-calendar_1.0.0.009.dfsg-1_all.deb
egroupware-comic_1.0.0.009.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-comic_1.0.0.009.dfsg-1_all.deb
egroupware-core_1.0.0.009.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-core_1.0.0.009.dfsg-1_all.deb
egroupware-developer-tools_1.0.0.009.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-developer-tools_1.0.0.009.dfsg-1_all.deb
egroupware-email_1.0.0.009.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-email_1.0.0.009.dfsg-1_all.deb
egroupware-emailadmin_1.0.0.009.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-emailadmin_1.0.0.009.dfsg-1_all.deb
egroupware-etemplate_1.0.0.009.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-etemplate_1.0.0.009.dfsg-1_all.deb
egroupware-felamimail_1.0.0.009.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-felamimail_1.0.0.009.dfsg-1_all.deb
egroupware-filemanager_1.0.0.009.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-filemanager_1.0.0.009.dfsg-1_all.deb
egroupware-forum_1.0.0.009.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-forum_1.0.0.009.dfsg-1_all.deb
egroupware-ftp_1.0.0.009.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-ftp_1.0.0.009.dfsg-1_all.deb
egroupware-fudforum_1.0.0.009.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-fudforum_1.0.0.009.dfsg-1_all.deb
egroupware-headlines_1.0.0.009.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-headlines_1.0.0.009.dfsg-1_all.deb
egroupware-infolog_1.0.0.009.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-infolog_1.0.0.009.dfsg-1_all.deb
egroupware-jinn_1.0.0.009.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-jinn_1.0.0.009.dfsg-1_all.deb
egroupware-ldap_1.0.0.009.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-ldap_1.0.0.009.dfsg-1_all.deb
egroupware-manual_1.0.0.009.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-manual_1.0.0.009.dfsg-1_all.deb
egroupware-messenger_1.0.0.009.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-messenger_1.0.0.009.dfsg-1_all.deb
egroupware-news-admin_1.0.0.009.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-news-admin_1.0.0.009.dfsg-1_all.deb
egroupware-phpbrain_1.0.0.009.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-phpbrain_1.0.0.009.dfsg-1_all.deb
egroupware-phpldapadmin_1.0.0.009.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-phpldapadmin_1.0.0.009.dfsg-1_all.deb
egroupware-phpsysinfo_1.0.0.009.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-phpsysinfo_1.0.0.009.dfsg-1_all.deb
egroupware-polls_1.0.0.009.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-polls_1.0.0.009.dfsg-1_all.deb
egroupware-projects_1.0.0.009.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-projects_1.0.0.009.dfsg-1_all.deb
egroupware-registration_1.0.0.009.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-registration_1.0.0.009.dfsg-1_all.deb
egroupware-sitemgr_1.0.0.009.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-sitemgr_1.0.0.009.dfsg-1_all.deb
egroupware-stocks_1.0.0.009.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-stocks_1.0.0.009.dfsg-1_all.deb
egroupware-tts_1.0.0.009.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-tts_1.0.0.009.dfsg-1_all.deb
egroupware-wiki_1.0.0.009.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware-wiki_1.0.0.009.dfsg-1_all.deb
egroupware_1.0.0.009.dfsg-1.diff.gz
  to pool/main/e/egroupware/egroupware_1.0.0.009.dfsg-1.diff.gz
egroupware_1.0.0.009.dfsg-1.dsc
  to pool/main/e/egroupware/egroupware_1.0.0.009.dfsg-1.dsc
egroupware_1.0.0.009.dfsg-1_all.deb
  to pool/main/e/egroupware/egroupware_1.0.0.009.dfsg-1_all.deb
egroupware_1.0.0.009.dfsg.orig.tar.gz
  to pool/main/e/egroupware/egroupware_1.0.0.009.dfsg.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 323350@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Peter Eisentraut <petere@debian.org> (supplier of updated egroupware package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Thu,  1 Sep 2005 11:11:11 +0200
Source: egroupware
Binary: egroupware-news-admin egroupware-felamimail egroupware-projects egroupware-polls egroupware-jinn egroupware-calendar egroupware-messenger egroupware egroupware-bookmarks egroupware-wiki egroupware-filemanager egroupware-ldap egroupware-addressbook egroupware-headlines egroupware-tts egroupware-etemplate egroupware-registration egroupware-comic egroupware-emailadmin egroupware-ftp egroupware-developer-tools egroupware-phpldapadmin egroupware-phpsysinfo egroupware-stocks egroupware-manual egroupware-infolog egroupware-core egroupware-email egroupware-fudforum egroupware-sitemgr egroupware-phpbrain egroupware-forum
Architecture: source all
Version: 1.0.0.009.dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Peter Eisentraut <petere@debian.org>
Changed-By: Peter Eisentraut <petere@debian.org>
Description: 
 egroupware - web-based groupware suite
 egroupware-addressbook - eGroupWare addressbook management application
 egroupware-bookmarks - eGroupWare bookmark management application
 egroupware-calendar - eGroupWare calendar management application
 egroupware-comic - eGroupWare comic strip application
 egroupware-core - eGroupWare core modules
 egroupware-developer-tools - eGroupWare developer tools
 egroupware-email - eGroupWare E-mail client application
 egroupware-emailadmin - eGroupWare E-mail user administration application
 egroupware-etemplate - widget-based template system for eGroupWare
 egroupware-felamimail - eGroupWare FeLaMiMail application
 egroupware-filemanager - eGroupWare file manager application
 egroupware-forum - eGroupWare forum application
 egroupware-ftp - eGroupWare FTP application
 egroupware-fudforum - eGroupWare FUDforum application
 egroupware-headlines - eGroupWare headlines catcher application
 egroupware-infolog - eGroupWare infolog application
 egroupware-jinn - content management system for eGroupWare
 egroupware-ldap - eGroupware LDAP support files
 egroupware-manual - eGroupWare manual
 egroupware-messenger - eGroupWare messenger application
 egroupware-news-admin - eGroupWare news administration interface
 egroupware-phpbrain - eGroupWare phpbrain application
 egroupware-phpldapadmin - eGroupWare phpLDAPadmin application
 egroupware-phpsysinfo - eGroupWare phpSysInfo application
 egroupware-polls - eGroupWare polling application
 egroupware-projects - eGroupWare projects management application
 egroupware-registration - eGroupWare registration application
 egroupware-sitemgr - eGroupWare site manager application
 egroupware-stocks - eGroupWare stock management application
 egroupware-tts - eGroupWare trouble ticket system application
 egroupware-wiki - eGroupWare wiki application
Closes: 323350
Changes: 
 egroupware (1.0.0.009.dfsg-1) unstable; urgency=high
 .
   * New upstream release
     - Includes fix for (another) XML-RPC remote execution security problem
       (CAN-2005-2498) (closes: #323350)
Files: 

Tags added: fixed. Request was from Peter Eisentraut <peter_e@gmx.net> to control@bugs.debian.org.

Reply sent to Peter Eisentraut <peter_e@gmx.net>:
You have taken responsibility.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer.

Message #26 received at 323350-done@bugs.debian.org:

From: Peter Eisentraut <peter_e@gmx.net>
To: 323350-done@bugs.debian.org
Date: Tue, 4 Oct 2005 17:59:20 +0200
Version: 1.0.0.007-2.dfsg-2sarge2



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 13:42:59 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 19:42:17 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.