On Wed, Apr 03, 2002 at 04:08:36PM +0200, Matthias Jordan wrote:
> + Problem
>
> PHPGroupware 0.9.12 (the current release version) is vulnerable
> to SQL injection. This enables each attacker who can access the
> login page of PHPGroupware to take over the database. This is
> true in particular for the Debian package phpgroupware
> (0.9.12-3.2) that has been tested.
...
> Solution involving more work: upgrade to 0.9.14 RC2. The problem
> seems to be fixed there, but neither is there a Debian package
> for it, yet, nor a statement that this bug has been fixed and to
> what extent nor is it a release version.

I'm having trouble figuring out why Debian is singled out in your post. It
doesn't appear as though you e-mailed security@debian.org regarding this
problem, nor did you file any bugs against the package in question, at least
according to http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=phpgroupware

Also, FWIW, the latest version of this software in Debian Unstable, according
to packages.debian.org, is 0.9.14-0.RC2.1. The package is not present in the
stable version of Debian.

--Adam

--
Adam McKenna <adam@debian.org> <adam@flounder.net>