Your message dated Sun, 10 Jul 2005 08:17:31 -0400
with message-id <[EMAIL PROTECTED]>
and subject line Bug#317263: fixed in egroupware 1.0.0.007-2.dfsg-2sarge1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
From: Moritz Muehlenhoff <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: egroupware: XMLRPC parsing flaw allows execution of arbitrary PHP code
Date: Thu, 07 Jul 2005 09:45:27 +0200

Package: egroupware
Severity: grave
Tags: security
Justification: user security hole

egroupware ships a local copy of the vulnerable XMLRPC code, as discovered
by GulfTech Security Research. The new upstream release 1.0.0.007-3 fixes
this issue.

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-rc5
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)

---------------------------------------
From: Peter Eisentraut <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Bug#317263: fixed in egroupware 1.0.0.007-2.dfsg-2sarge1
Date: Sun, 10 Jul 2005 08:17:31 -0400

Source: egroupware
Source-Version: 1.0.0.007-2.dfsg-2sarge1

We believe that the bug you reported is fixed in the latest version of
egroupware, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Peter Eisentraut <[EMAIL PROTECTED]> (supplier of updated egroupware package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

Format: 1.7
Date: Thu, 7 Jul 2005 11:55:00 +0200
Source: egroupware
Binary: egroupware-news-admin egroupware-felamimail egroupware-projects egroupware-polls egroupware-jinn egroupware-calendar egroupware-messenger egroupware egroupware-bookmarks egroupware-wiki egroupware-filemanager egroupware-ldap egroupware-addressbook egroupware-headlines egroupware-tts egroupware-etemplate egroupware-registration egroupware-comic egroupware-emailadmin egroupware-ftp egroupware-developer-tools egroupware-phpldapadmin egroupware-phpsysinfo egroupware-stocks egroupware-manual egroupware-infolog egroupware-core egroupware-email egroupware-fudforum egroupware-sitemgr egroupware-phpbrain egroupware-forum
Architecture: source all
Version: 1.0.0.007-2.dfsg-2sarge1
Distribution: stable-security
Urgency: high
Maintainer: Peter Eisentraut <[EMAIL PROTECTED]>
Changed-By: Peter Eisentraut <[EMAIL PROTECTED]>
Description:
 egroupware - web-based groupware suite
 egroupware-addressbook - eGroupWare addressbook management application
 egroupware-bookmarks - eGroupWare bookmark management application
 egroupware-calendar - eGroupWare calendar management application
 egroupware-comic - eGroupWare comic strip application
 egroupware-core - eGroupWare core modules
 egroupware-developer-tools - eGroupWare developer tools
 egroupware-email - eGroupWare E-mail client application
 egroupware-emailadmin - eGroupWare E-mail user administration application
 egroupware-etemplate - widget-based template system for eGroupWare
 egroupware-felamimail - eGroupWare FeLaMiMail application
 egroupware-filemanager - eGroupWare file manager application
 egroupware-forum - eGroupWare forum application
 egroupware-ftp - eGroupWare FTP application
 egroupware-fudforum - eGroupWare FUDforum application
 egroupware-headlines - eGroupWare headlines catcher application
 egroupware-infolog - eGroupWare infolog application
 egroupware-jinn - content management system for eGroupWare
 egroupware-ldap - eGroupware LDAP support files
 egroupware-manual - eGroupWare manual
 egroupware-messenger - eGroupWare messenger application
 egroupware-news-admin - eGroupWare news administration interface
 egroupware-phpbrain - eGroupWare phpbrain application
 egroupware-phpldapadmin - eGroupWare phpLDAPadmin application
 egroupware-phpsysinfo - eGroupWare phpSysInfo application
 egroupware-polls - eGroupWare polling application
 egroupware-projects - eGroupWare projects management application
 egroupware-registration - eGroupWare registration application
 egroupware-sitemgr - eGroupWare site manager application
 egroupware-stocks - eGroupWare stock management application
 egroupware-tts - eGroupWare trouble ticket system application
 egroupware-wiki - eGroupWare wiki application
Closes: 317263
Changes:
 egroupware (1.0.0.007-2.dfsg-2sarge1) stable-security; urgency=high
 .
   * Fixed XML-RPC remote execution security problem (CAN-2005-1921)
     (closes: #317263)