From debian-security-announce@lists.debian.org Wed Aug 6 02:35:24 2003 From: debian-security-announce@lists.debian.org Resent-From: list@murphy.debian.org (SmartList) To: full-disclosure@lists.netsys.com Date: Tue, 5 Aug 2003 22:56:22 -0400 Reply-To: full-disclosure@lists.netsys.com Subject: [Full-Disclosure] [SECURITY] [DSA-365-1] New phpgroupware package fix several vulnerabilities -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- Debian Security Advisory DSA 365-1 security@debian.org http://www.debian.org/security/ Matt Zimmerman August 5th, 2003 http://www.debian.org/security/faq - -------------------------------------------------------------------------- Package : phpgroupware Vulnerability : several Problem-Type : remote Debian-specific: no CVE Ids : CAN-2003-0504, CAN-2003-0599, CAN-2003-0657 Several vulnerabilities have been discovered in phpgroupware: - - CAN-2003-0504: Multiple cross-site scripting (XSS) vulnerabilities in Phpgroupware 0.9.14.003 (aka webdistro) allow remote attackers to insert arbitrary HTML or web script, as demonstrated with a request to index.php in the addressbook module. - - CAN-2003-0599: Unknown vulnerability in the Virtual File System (VFS) capability for phpGroupWare 0.9.16preRC and versions before 0.9.14.004 with unknown implications, related to the VFS path being under the web document root. - - CAN-2003-0657: Multiple SQL injection vulnerabilities in the infolog module of phpgroupware could allow remote attackers to execute arbitrary SQL statements. For the stable distribution (woody), these problems have been fixed in version 0.9.14-0.RC3.2.woody2. For the unstable distribution (sid), these problems will be fixed soon. Refer to Debian bug #201980. We recommend that you update your phpgroupware package. Upgrade Instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.0 alias woody - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.14-0.RC3.2.woody2.dsc Size/MD5 checksum: 1648 93a22cf33766d0da16e471ce32c7f213 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.14-0.RC3.2.woody2.diff.gz Size/MD5 checksum: 450742 fb1dc330a0811f186c1e03bc91c20ce7 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.14.orig.tar.gz Size/MD5 checksum: 8356188 22e715d0884d09aa848d694701a85b6b Architecture independent components: http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-addressbook_0.9.14-0.RC3.2.woody2_all.deb Size/MD5 checksum: 78752 d825eaa68b15d1c7d7f67c9365ac7c48 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-admin_0.9.14-0.RC3.2.woody2_all.deb Size/MD5 checksum: 142068 c7a17b0e79a8b4d5a4792df7f5f11241 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-api-doc_0.9.14-0.RC3.2.woody2_all.deb Size/MD5 checksum: 283128 3b037f7a52c34a89ff70734746983fee http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-api_0.9.14-0.RC3.2.woody2_all.deb Size/MD5 checksum: 2112084 ac91891afd802b09fdc00be19cbd6088 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-bookkeeping_0.9.14-0.RC3.2.woody2_all.deb Size/MD5 checksum: 40128 e118ec41df6369ce6315584d11c2d37b http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-bookmarks_0.9.14-0.RC3.2.woody2_all.deb Size/MD5 checksum: 121132 ef1b1ab9cb60201e8c3735a913967242 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-brewer_0.9.14-0.RC3.2.woody2_all.deb Size/MD5 checksum: 63446 c17d2fe4803b325f83c4ffbcdf2d291d http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-calendar_0.9.14-0.RC3.2.woody2_all.deb Size/MD5 checksum: 223392 f20a9d4ea0f0b25312139a981d745d75 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-chat_0.9.14-0.RC3.2.woody2_all.deb Size/MD5 checksum: 18964 1c2a1ee3ff2a21148e791b0cd19ca8a3 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-chora_0.9.14-0.RC3.2.woody2_all.deb Size/MD5 checksum: 59788 ab5a2baa28d1ab14f7129ce656649b44 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-comic_0.9.14-0.RC3.2.woody2_all.deb Size/MD5 checksum: 326248 7c4e63e419dd152886a92c5c09d5b3ab http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-core-doc_0.9.14-0.RC3.2.woody2_all.deb Size/MD5 checksum: 89112 a0e6a3c0c7ecf74cc244924d2ecf4f55 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-core_0.9.14-0.RC3.2.woody2_all.deb Size/MD5 checksum: 18902 35099021465ab7ebb2b7ee760e6b70f4 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-developer-tools_0.9.14-0.RC3.2.woody2_all.deb Size/MD5 checksum: 40780 151e36e027b09e2ae2978a8fc8ebb628 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-dj_0.9.14-0.RC3.2.woody2_all.deb Size/MD5 checksum: 45410 48471bd170e7b5ee355925264b77eb4f http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-eldaptir_0.9.14-0.RC3.2.woody2_all.deb Size/MD5 checksum: 47028 a27eb8411e2d41e8f18d6a9af0a864de http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-email_0.9.14-0.RC3.2.woody2_all.deb Size/MD5 checksum: 313264 626a400affcfcd69e4ee9450d09f2a0c http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-filemanager_0.9.14-0.RC3.2.woody2_all.deb Size/MD5 checksum: 37432 fef58c4c16d52f85c9992d1c97d2df7d http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-forum_0.9.14-0.RC3.2.woody2_all.deb Size/MD5 checksum: 47750 0b387b72c9e3d8515ca1dd628e9deff3 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-ftp_0.9.14-0.RC3.2.woody2_all.deb Size/MD5 checksum: 39450 eb0b97624c8cd153273f4b49560eb17b http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-headlines_0.9.14-0.RC3.2.woody2_all.deb Size/MD5 checksum: 59416 9d524b292991a8f7340300572f1a5efc http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-hr_0.9.14-0.RC3.2.woody2_all.deb Size/MD5 checksum: 23774 9bf313b7b7e411ccbfecbcb5a6befed7 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-img_0.9.14-0.RC3.2.woody2_all.deb Size/MD5 checksum: 38654 af5425ba4df22d7bd089bc5e19721a7b http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-infolog_0.9.14-0.RC3.2.woody2_all.deb Size/MD5 checksum: 92774 dec62996133857d906fe5c7b7f7bb026 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-inv_0.9.14-0.RC3.2.woody2_all.deb Size/MD5 checksum: 89368 d680c096b16299f7f37b9b87adb21bb8 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-manual_0.9.14-0.RC3.2.woody2_all.deb Size/MD5 checksum: 92564 5ea8b1fd199767f7c37f1dc28c13962f http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-messenger_0.9.14-0.RC3.2.woody2_all.deb Size/MD5 checksum: 29702 e30218b43262f531bbdd76123af55e24 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-napster_0.9.14-0.RC3.2.woody2_all.deb Size/MD5 checksum: 26126 b3777f397897fc821dc4031075afc5ff http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-news-admin_0.9.14-0.RC3.2.woody2_all.deb Size/MD5 checksum: 31534 2cbeb9e702f9082beae4e70069cfd541 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-nntp_0.9.14-0.RC3.2.woody2_all.deb Size/MD5 checksum: 44502 5ee3c873c1497dbf6443611b8d7c195a http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-notes_0.9.14-0.RC3.2.woody2_all.deb Size/MD5 checksum: 27194 38155a1f43abdaee60edb232c938e781 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-phonelog_0.9.14-0.RC3.2.woody2_all.deb Size/MD5 checksum: 21706 aaabc4a558f38ef95219ba2cbdca72b9 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-phpsysinfo_0.9.14-0.RC3.2.woody2_all.deb Size/MD5 checksum: 34984 a6a24cf61f28f903b26f21d5579e62b5 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-phpwebhosting_0.9.14-0.RC3.2.woody2_all.deb Size/MD5 checksum: 61690 2789e986ec5553158bcfa061f439a016 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-polls_0.9.14-0.RC3.2.woody2_all.deb Size/MD5 checksum: 29644 8915e9e52820c03d53c3abcd90fdd8e1 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-preferences_0.9.14-0.RC3.2.woody2_all.deb Size/MD5 checksum: 45586 170eaa764caed9fd4df57fbef1f08a8c http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-projects_0.9.14-0.RC3.2.woody2_all.deb Size/MD5 checksum: 86298 000b2cb49d1befdd8c5d224a2e6a80d0 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-registration_0.9.14-0.RC3.2.woody2_all.deb Size/MD5 checksum: 35896 b2f0aad62202ed20be87f58e2f308483 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-setup_0.9.14-0.RC3.2.woody2_all.deb Size/MD5 checksum: 272394 9b4cbea2aa72d25aa39f66283d9cca9a http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-skel_0.9.14-0.RC3.2.woody2_all.deb Size/MD5 checksum: 30894 2ed102a96f56e4ad712c457eba20cc3f http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-soap_0.9.14-0.RC3.2.woody2_all.deb Size/MD5 checksum: 22530 18261fb8b7e3edb8954db7fe2f9188a5 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-stocks_0.9.14-0.RC3.2.woody2_all.deb Size/MD5 checksum: 26644 c253f429544d85128f18c5b5f78683d7 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-todo_0.9.14-0.RC3.2.woody2_all.deb Size/MD5 checksum: 43124 1d526e61157760f0363f230fede803ee http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-tts_0.9.14-0.RC3.2.woody2_all.deb Size/MD5 checksum: 46140 9f7147cb2da079c4e15343ae7044c9f2 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-wap_0.9.14-0.RC3.2.woody2_all.deb Size/MD5 checksum: 27570 3f10b7ce2ea59162bbe48de3a6ba5a14 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-weather_0.9.14-0.RC3.2.woody2_all.deb Size/MD5 checksum: 498274 9cdf6321099ce4870fe2f70ae722986a http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-xmlrpc_0.9.14-0.RC3.2.woody2_all.deb Size/MD5 checksum: 74426 50076afe3bd152ae3c8282f2f795b6ae http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.14-0.RC3.2.woody2_all.deb Size/MD5 checksum: 25652 5dc38752cd0a47e16a213de78524e1de These files will probably be moved into the stable distribution on its next revision. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show ' and http://packages.debian.org/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) iD8DBQE/MG4oArxCt0PiXR4RAkwAAJ9ZSa4f39+K1ArRIUO5q/xcjHZe2wCfUrOu Q8CSYCWQ0O6ysQ6ODMd5oek= =XAuw -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html