On Thu Feb 21, 2008 at 02:41:41 +0100, Gregory Colpart wrote:
> The package turba2 has vulnerabilities (See CVE-2008-0807, bug
> #464058 and changelogs of fixed sarge/etch packages).
A shining example of how to handle security updates. Thanks very
very much for the fixed packages, and the clea
Hello,
The package turba2 has vulnerabilities (See CVE-2008-0807, bug
#464058 and changelogs of fixed sarge/etch packages).
I prepared fixed packages:
- Sarge version (source package and debdiff):
http://gcolpart.evolix.net/debian/turba2/turba2_2.0.2-1sarge1.dsc
http://gcolpart.evolix.net/debian
Quoting Gregory Colpart <[EMAIL PROTECTED]>:
I apologize because this patch includes *two* security patches:
- [jan] SECURITY: Fix privilege escalation in Horde API => from 2.1.6
- [cjh] SECURITY: Fix unchecked access to contacts in the same
SQL table (Bug #6208). => from 2.1.7 (patch spoken i
Hi,
On Mon, Feb 18, 2008 at 06:26:38PM -0500, Chuck Hagenbuch wrote:
> The 2.1.4 patch seems to have a bunch of extra stuff in it - I would
> just do the changes to Group.php, sql.php, and browse.php. If you're
> also including different fixes those would have to be reviewed
> separately -
Quoting Gregory Colpart <[EMAIL PROTECTED]>:
Thanks a lot for your final patches. Turba 2.1.7 is already in
Debian unstable distribution. But for Debian stable and
oldstable, I can't upload version 2.1.7: I need to backport
security changes. Could you review my backported patches?
- Patch for Turb
Hi Chuck,
On Fri, Feb 15, 2008 at 12:42:56AM -0500, Chuck Hagenbuch wrote:
>
> Finally, these should be the patches for the upcoming Turba 2.1.7 and
> Turba 2.2-RC3 releases. I plan to roll them tomorrow (Friday) morning,
> U.S. Eastern time. I'm also attaching a patch for HEAD for anyone who
Quoting Chuck Hagenbuch <[EMAIL PROTECTED]>:
I agree it would be nice, but that's more in the realm of an
enhancement than a security fix. We'll consider it for Turba 2.2, but
I'd like to get 2.1.7 out with the fixes now.
Finally, these should be the patches for the upcoming Turba 2.1.7 and
Quoting Peter Paul Elfferich <[EMAIL PROTECTED]>:
I tested Rubinsky's patch and it seems to work fine. I'd still prefer to be
able to find who I'd have to contact to be able to see these invisible
entries though. I already know I'm going to get support requests about this
and right now the only
Sorry, got a little sidetracked with other stuff.
I tested Rubinsky's patch and it seems to work fine. I'd still prefer to be
able to find who I'd have to contact to be able to see these invisible
entries though. I already know I'm going to get support requests about this
and right now the only wa
Quoting Gregory Colpart <[EMAIL PROTECTED]>:
I don't use use_shares anywhere, so I can't do a fast test now.
I was waiting for feedback from Peter, the original bug submitter.
If not, I will test your patch, but probably not before Thursday.
Okay, well, let us know.
-chuck
--
To UNSUBSCRIBE, em
Hi Chuck,
On Mon, Feb 11, 2008 at 04:47:25PM -0500, Chuck Hagenbuch wrote:
> Hi Peter - any feedback on the latest patch? Or Gregory, any feedback
> from the debian team? I'd like to get this resolved soon.
I don't use use_shares anywhere, so I can't do a fast test now.
I was waiting a feedbac
Hi Peter - any feedback on the latest patch? Or Gregory, any feedback
from the debian team? I'd like to get this resolved soon.
Quoting Peter Paul Elfferich <[EMAIL PROTECTED]>:
It's not so much the list's owner as the entry's owner, which could be
another shared address book, so that would t
Quoting Peter Paul Elfferich <[EMAIL PROTECTED]>:
It's not so much the list's owner as the entry's owner, which could be
another shared address book, so that would turn into:
"This list contains X1 contacts from address book 'Y1' that you do not have
permission to view. Contact the owner (Z1) if
It's not so much the list's owner as the entry's owner, which could be
another shared address book, so that would turn into:
"This list contains X1 contacts from address book 'Y1' that you do not have
permission to view. Contact the owner (Z1) if you have questions." And so
forth for X2, Y2 and Z2
That would perhaps be a simpler fix, but I think it will be confusing to
users.
If you really want to allow this cross-address-book adding then I'd suggest
showing warning messages detailing why a number of contacts could not be
displayed. Or, at the moment of adding an entry to a list in another a
Hey,
We just use a single, default, 'localsql' configuration (with use_shares =>
true).
Steps to reproduce this:
- Login as user A
- Select an entry from your private address book
- Select a contact list that is stored in a shared address book and click
'Add'
- You can view the contact list to ch
Quoting Peter Paul Elfferich <[EMAIL PROTECTED]>:
That would perhaps be a simpler fix, but I think it will be confusing to
users.
If you really want to allow this cross-address-book adding then I'd suggest
showing warning messages detailing why a number of contacts could not be
displayed.
That
Quoting Peter Paul Elfferich <[EMAIL PROTECTED]>:
We just use a single, default, 'localsql' configuration (with use_shares =>
true).
Steps to reproduce this:
- Login as user A
- Select an entry from your private address book
- Select a contact list that is stored in a shared address book and cl
Hi,
On Thu, Feb 07, 2008 at 12:32:06PM +0100, Peter Paul Elfferich wrote:
>
> I've also tested the patch. It successfully secures the data, but it also
> silently removes the non-editable contacts from contact lists as the list is
> viewed. Are you or are you not supposed to be able to add conta
Hey Chuck, Gregory,
I've also tested the patch. It successfully secures the data, but it also
silently removes the non-editable contacts from contact lists as the list is
viewed. Are you or are you not supposed to be able to add contacts from one
address book to a contact list in another address
20 matches