Debian Bug report logs - #573279
egroupware: 2 critical security bugs - remotely exploitable - without login


Package: egroupware; Maintainer for egroupware is (unknown);

Reported by: Eneko Lacunza <elacunza@binovo.es>

Date: Wed, 10 Mar 2010 09:45:05 UTC

Severity: critical

Tags: security

Found in version 1.6.002+dfsg-1~bpo50+1

Fixed in version 1.6.002+dfsg-1+rm

Done: Sandro Tosi <morph@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, elacunza@binovo.es, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#573279; Package egroupware. (Wed, 10 Mar 2010 09:45:08 GMT)

Acknowledgement sent to Eneko Lacunza <elacunza@binovo.es>:
New Bug report received and forwarded. Copy sent to elacunza@binovo.es, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian QA Group <packages@qa.debian.org>. (Wed, 10 Mar 2010 09:45:09 GMT)

Message #5 received at submit@bugs.debian.org:

From: Eneko Lacunza <elacunza@binovo.es>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: egroupware: 2 critical security bugs - remotely exploitable - without login
Date: Wed, 10 Mar 2010 10:33:37 +0100
Package: egroupware
Version: 1.6.002+dfsg-1~bpo50+1
Severity: critical
Tags: security
Justification: -1


1.6.003 has been published fixing 2 critical security bugs:
http://www.egroupware.org/Home?category_id=95&item=93

In a debian-standard apache setup, "only" www-data user/group accessible files and commands are compromised.

Update fixes a load of other non-security bugs and adds some new features too.

Affected versions include all < 1.6.003.


-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages egroupware depends on:
ii  egroupware-addres 1.6.002+dfsg-1~bpo50+1 web-based groupware suite - addres
ii  egroupware-bookma 1.6.002+dfsg-1~bpo50+1 web-based groupware suite - bookma
ii  egroupware-calend 1.6.002+dfsg-1~bpo50+1 web-based groupware suite - calend
ii  egroupware-core   1.6.002+dfsg-1~bpo50+1 web-based groupware suite - core m
ii  egroupware-develo 1.6.002+dfsg-1~bpo50+1 web-based groupware suite - develo
ii  egroupware-emaila 1.6.002+dfsg-1~bpo50+1 web-based groupware suite - e-mail
ii  egroupware-etempl 1.6.002+dfsg-1~bpo50+1 web-based groupware suite - widget
ii  egroupware-felami 1.6.002+dfsg-1~bpo50+1 web-based groupware suite - e-mail
ii  egroupware-filema 1.6.002+dfsg-1~bpo50+1 web-based groupware suite - file m
ii  egroupware-infolo 1.6.002+dfsg-1~bpo50+1 web-based groupware suite - infolo
ii  egroupware-manual 1.6.002+dfsg-1~bpo50+1 web-based groupware suite - manual
ii  egroupware-news-a 1.6.002+dfsg-1~bpo50+1 web-based groupware suite - news a
ii  egroupware-notifi 1.6.002+dfsg-1~bpo50+1 web-based groupware suite - notifi
ii  egroupware-phpbra 1.6.002+dfsg-1~bpo50+1 web-based groupware suite - phpbra
ii  egroupware-phpsys 1.6.002+dfsg-1~bpo50+1 web-based groupware suite - phpSys
ii  egroupware-polls  1.6.002+dfsg-1~bpo50+1 web-based groupware suite - pollin
ii  egroupware-projec 1.6.002+dfsg-1~bpo50+1 web-based groupware suite - projec
ii  egroupware-regist 1.6.002+dfsg-1~bpo50+1 web-based groupware suite - regist
ii  egroupware-resour 1.6.002+dfsg-1~bpo50+1 web-based groupware suite - resour
ii  egroupware-sambaa 1.6.002+dfsg-1~bpo50+1 web-based groupware suite - Samba 
ii  egroupware-sitemg 1.6.002+dfsg-1~bpo50+1 web-based groupware suite - site m
ii  egroupware-timesh 1.6.002+dfsg-1~bpo50+1 web-based groupware suite - timesh
ii  egroupware-tracke 1.6.002+dfsg-1~bpo50+1 web-based groupware suite - tracke
ii  egroupware-wiki   1.6.002+dfsg-1~bpo50+1 web-based groupware suite - wiki a

egroupware recommends no packages.

egroupware suggests no packages.

-- no debconf information
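The report states the affected range as every release below 1.6.003 and gives the installed Debian version as 1.6.002+dfsg-1~bpo50+1. The following POSIX sh snippet is an added example, not part of the bug report or of the egroupware package: it strips the Debian epoch, "+dfsg" repack marker and revision from a package version string, compares the remaining dotted upstream version numerically against 1.6.003, and reports whether the installed package falls in the affected range. The fixed-version constant and the helper names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report): check whether an egroupware
# Debian version string is below upstream 1.6.003, the first release the
# report names as carrying the fix.

# upstream_version VERSION -> prints the upstream part of a Debian version.
# Drops a leading epoch ("1:"), the Debian revision ("-1~bpo50+1") and any
# "+dfsg"/"+repack" suffix, so "1.6.002+dfsg-1~bpo50+1" becomes "1.6.002".
upstream_version() {
    v=$1
    case $v in *:*) v=${v#*:} ;; esac   # strip epoch
    v=${v%%-*}                          # strip Debian revision
    v=${v%%+*}                          # strip +dfsg / +repack marker
    printf '%s\n' "$v"
}

# version_lt A B -> exit status 0 when dotted version A sorts before B.
# Components are compared as decimal integers ("002" < "3"); a missing
# component counts as 0, so "1.6" equals "1.6.0". Non-digit tails such as
# "rc1" are ignored (assumption: egroupware upstream versions are numeric).
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; [ "$ai" = "$a" ] && a= || a=${a#*.}
        bi=${b%%.*}; [ "$bi" = "$b" ] && b= || b=${b#*.}
        ai=${ai%%[!0-9]*}; bi=${bi%%[!0-9]*}
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 1
}

# First upstream release with the fix, per the report (assumed constant).
FIXED_UPSTREAM=1.6.003

# is_affected VERSION -> prints "yes" if VERSION is older than 1.6.003,
# "no" otherwise.
is_affected() {
    if version_lt "$(upstream_version "$1")" "$FIXED_UPSTREAM"; then
        echo yes
    else
        echo no
    fi
}
```

To run it against a live system, feed the installed version in, for example with `is_affected "$(dpkg-query -W -f '${Version}' egroupware-core)"`; the reporter's version 1.6.002+dfsg-1~bpo50+1 yields "yes", while 1.6.003-1 yields "no".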




Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#573279; Package egroupware. (Wed, 10 Mar 2010 10:33:06 GMT)

Acknowledgement sent to Eneko Lacunza <elacunza@binovo.es>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Wed, 10 Mar 2010 10:33:06 GMT)

Message #10 received at 573279@bugs.debian.org:

From: Eneko Lacunza <elacunza@binovo.es>
To: 573279@bugs.debian.org
Subject: Re: Bug#573279: egroupware: 2 critical security bugs - remotely exploitable - without login
Date: Wed, 10 Mar 2010 11:30:08 +0100
Looking closely at the apache configuration file /etc/apache/conf.d/egroupware,
it seems that access is restricted to egroupware program and data files.

-- 
Zuzendari Teknikoa / Director Técnico
Binovo IT Human Project, S.L.
Telf. 943493611
Astigarraga bidea 2, planta 2, Derecha, Oficina 6; 20180 Oiartzun
www.binovo.es





Reply sent to Sandro Tosi <morph@debian.org>:
You have taken responsibility. (Sun, 27 Mar 2011 11:27:41 GMT)

Notification sent to Eneko Lacunza <elacunza@binovo.es>:
Bug acknowledged by developer. (Sun, 27 Mar 2011 11:27:41 GMT)

Message #15 received at 573279-done@bugs.debian.org:

From: Sandro Tosi <morph@debian.org>
To: 525657-done@bugs.debian.org, 559422-done@bugs.debian.org, 521555-done@bugs.debian.org, 573279-done@bugs.debian.org, 546369-done@bugs.debian.org, 585010-done@bugs.debian.org, 603024-done@bugs.debian.org, 520847-done@bugs.debian.org, 538323-done@bugs.debian.org, 512652-done@bugs.debian.org, 518274-done@bugs.debian.org, 540792-done@bugs.debian.org
Cc: Sandro Tosi <morph@debian.org>
Subject: egroupware removed from Debian unstable
Version: 1.6.002+dfsg-1+rm

egroupware has been removed from Debian unstable: http://bugs.debian.org/574186

Closing its bugs with a Version higher than the last unstable upload.

More information about this script at:
  http://git.debian.org/?p=users/morph/mass-bugs-close.git;a=blob_plain;f=README;hb=HEAD




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Apr 2011 07:49:50 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 09:16:13 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.